Whether a company has invested a lot or a little in its business continuity plan (BCP), it shows when a crisis or disruption transpires. Those with practiced procedures in place to protect the company are able to respond, reset, and rebound more effectively, while those caught off-guard may suffer the consequences long after the incident is over.
Today, Sasha Kalb, Vice President, Risk, Compliance, and Environmental Social Governance at American Express Global Business Travel (GBT), who is based in Hong Kong, shares some thoughts on what to consider when building a BCP program and how we’ve employed our own to manage the current situation.
Q. Why should companies prioritize BCP?
A. Big or small, business interruptions arise all the time and we have to have policies and procedures in place to continue servicing businesses and keep our clients and employees safe. If you don’t, you may face a business shutdown, unnecessary costs, or risk to human health and safety every time you encounter an issue.
Q. Why is it important to have a BCP that outlines how to protect traveling employees?
A. Responding in a crisis is particularly important in a travel situation because people are far from their homes. Employees expect their employers to take care of them, particularly in situations where their health or safety is at risk.
In a large-scale crisis, you are almost guaranteed to face a situation where your employees are all over a nation or the globe, so you should know where they’re traveling as a start. You need to be able to contact them to make sure they’re safe and have an open channel of communication. You need to warn them if they’re in danger and be able to contact their families or supervisors. You should link up with a travel management company that can rebook their flights proactively, rebook their train or car, or extend a hotel stay if they won’t be able to get out of the city.
Q. What is one of the most important things a company can do when devising a BCP?
A. Set goals that are consistent with the corporate culture and then build your plan down from that. In a time of crisis, it’s very easy to deviate from a corporate culture, whatever your culture may be. Once you do that, you potentially can lose the supportive employee base, your grounding, and customer focus, and it can be very difficult to get back on track.
Q. What has been the focus of GBT’s BCP goals regarding the current situation?
A. We’ve been looking at this in two ways: internal safety and client management. So making sure we keep our employees safe and making sure that we have business continuity for our clients. Both are equally important.
Q. How has GBT kept employees safe in this climate?
A. In Asia, we had a head start, obviously because the virus started here. We began assessing what remote capabilities we had: Do we have to order people to work from home? What is the minimum number of staff we need in the office? Should we have them on a rotating basis to enforce social distancing?
We also looked at what we need to do to ensure the safety of office-based employees: Do we have sufficient protective gear if masks are required? Do we have hand sanitizer? Can we move people away from each other if they are sitting close to each other? Can we move desks or people to different floors?
We started doing temperature checks in some offices as well as health declarations to know if people were traveling.
As soon as it looked like the virus was beginning to spread beyond China, we took what we’d already done there to other offices proactively. Once we had the goals set and the pattern drawn up in Greater China, it became more straightforward as to how we could carry that to other regions.
Q. How has GBT’s BCP focused on servicing clients during this pandemic?
A. On the client side, we did the same thing. We started taking this list we developed in China and sent it around the globe, because client service was our other equally primary goal: estimating what the call and service volumes would be. Do we have enough employees working remotely or in the office to support them? Are we providing our clients with sufficient information?
Initially, we were sending out information by email to clients, but then as the pandemic grew, we created a webpage, essentially a central repository to house all the information our clients were requesting. We designated teams to follow the sun and update the information, such as carrier bans, flight cancellations, and government mandates, on a daily basis.
Q. From a cybersecurity perspective, it can be risky for employees to work from home. What safeguards has GBT taken to protect against data threats?
A. We have very strict controls about how employees can work at home. When people work remotely, it’s predicated on the fact that they work on an encrypted GBT device unless otherwise approved by the Chief Information Security Office. Employees also all connect through GBT’s VPN (virtual private network) with controls built in. They cannot print anywhere but in an office environment.
We’ve also sent out additional messages to the entire employee base from our information security officer saying, “here’s what you have to be aware of,” since there are a lot of fraud schemes and phishing attacks being made in this pandemic. This is in addition to our mandatory annual online training on privacy and cybersecurity.
Q. How much business continuity planning is there throughout the year?
A. Well, a lot. We have a very robust incident management response (IMR) program that was designed years ago based on three tiers: local, regional, and global. For each category, we have a designated team that will handle the incident, named by function so individuals know they’re on it. We train everybody on a biannual basis. We do tabletop exercises and also randomly send out texts as a test to “dial into the dedicated IMR hotline now.” So we do a lot of testing and training around our program.
When we set an IMR, we assign a level – a low, medium, or serious threat. Level One is the most serious.
For this pandemic, we’ve been operating under Level One since January 27. Because this has been such a strange, unprecedented time, we have had to be a little bit more nimble with the IMR, but the basic structure has not changed. Having lived this since January 27, I see how helpful it is to have this prepopulated framework to rely on.
Q. What makes GBT’s IMR program so strong?
A. People are so well versed in the program. Many people have attended IMR training for years so they are familiar with the language and practice. So once we had to invoke, the cadence was not unusual. It was practiced and learned. People knew who the designated leader was and why they were participating. I think that has set our program aside as a well-working one.
Q. How has being a bank holding company helped the compliance program?
A. Because we are a bank holding company and are beholden to regulators, we have a standard of rigor and control that we apply to compliance generally. Because we have applied that same standard of rigor and control to our IMR planning and training, when it came to invoking what is hopefully the biggest incident that any of us will ever see globally, we were ready. The standard was high and it worked.
Q. What is one last thing you want to emphasize to company leaders?
A. You don’t really think a crisis is going to occur until it does. When we were asking people to join IMR trainings, in the back of everyone’s mind perhaps was, “Is this really necessary?” Then all of a sudden, it wasn’t just necessary. It was mission critical. Without good planning, it’s very difficult to pivot in a crisis. So if crisis management has not been at the forefront before, it really should be added to the risk roster for most organizations.