Business Continuity Management – How to steer your company through the crisis

Whether a company becomes the target of a cyber attack or operations are interrupted because its own workforce or that of a supplier is absent due to illness, there are a variety of scenarios that challenge a company’s emergency and crisis management. Effective business continuity management enables companies to prepare for crises and, in particular, to clarify in advance legal issues that regularly arise in crisis management. In the following, we would like to draw your attention to some useful crisis prevention measures and their legal implications, and present practical approaches to solving them.

• Identify which business processes are mandatory for the operation and existence of the company (so-called business impact analysis). In addition to the workforce, it can also be the timely fulfillment of delivery obligations of one of your suppliers, the functionality of your IT system or even the energy supply for your production facilities. Evaluate how long you could do without the critical business processes without putting your company’s existence at immediate risk. Find out at what point it becomes “critical” for the existence of your company and evaluate this criticality, because your actions should be based on this. For example, you will have to react differently to the loss of fifty percent of your workforce than you would if “only” five percent of your employees were absent. You will take different measures in the event of a power failure than in the event of the complete destruction of your production facility by fire.

• Develop strategies for dealing with the potential failure of an entire division or business process. In doing so, also identify fallback and resupply opportunities and establish restart procedures.

If supply bottlenecks are to be feared in the short term, supply chains must be structured as far as possible to withstand crises. First and foremost, this means that companies should immediately look for alternative providers. However, it should be borne in mind to check the existing contracts to see whether exclusivity agreements, special termination rights or contractual penalties make it more difficult to commission new suppliers or represent an economic risk.

Coordinate with your works council at an early stage on measures requiring co-determination that may have to be implemented in the event of a crisis. From a business perspective, it may be appropriate in individual cases to introduce short-time working, assign employees to other tasks or temporarily change the contractually agreed place of work (e.g. home office). It is true that negotiations between the employer and the works council are reluctant to deal with scenarios that seem unlikely to occur. However, experience also shows that negotiations are made considerably more difficult when there is immediate pressure to act and events in the company are happening at the same time.

• Establish contingency plans that mirror your strategies. Once the crisis has occurred, it will generally be too late to develop a concept, examine the legal implications and communicate them within the company. Make sure your emergency plan is clearly understood and manageable. In the event of a crisis, defined processes provide security and structure.
• Crisis management, as a core component of risk management, is the responsibility of management. It must maintain an appropriate business continuity management (BCM) system for crisis situations in order to fulfill its statutory organizational obligations. In doing so, you must be able to answer the following questions:

• • How do you ensure monitoring of crisis risk and occurrence?
  • How is management reporting done and who is responsible for it?
  • By whom is the competent and timely assessment of the situation carried out?
  • How and by whom are concrete options for action developed?
  • How do you ensure that management decisions are always based on sufficient information?
  • Who monitors the implementation of these decisions and by what means?
  • How and by whom is internal and external crisis communication carried out?
  • What are your legal notification and reporting obligations (e.g. data protection or capital market law) and who is responsible for fulfilling them in a crisis?

Responsibilities and roles must be assigned clearly, without overlap and without gaps. The responsible employees must be carefully selected in advance according to competence and instructed on the emergency concepts. Only in this way can a BCM system meet the requirements of a legally effective delegation.

• In the event of an emergency, form a crisis team (Business Continuity Committee) that includes internal and external representatives with all the necessary competencies. The required competencies result from the specific crisis. Expertise in human resources, IT and communications will be required on a regular basis.

• Regularly check whether your business impact analysis is still up to date and whether your contingency plans and crisis management organizational structure work in an emergency. Weaknesses are to be analyzed and eliminated.

• As management, make sure that your crisis management decisions do not leave you open to legal challenge. Always exercise their business judgment in the crisis and in preparation for it without discretionary error.