Print Email Download Reference This Send to Kindle Reddit This
submit to reddit

Disaster recovery and business continuity plan of chocolate manufacturing company



Every day, there is the chance that some sort of business interruption, crisis, disaster, or emergency will occur. Anything that prevents access to key processes and activities can be defined as a disaster.

Companies can experience many different threats to their mission critical systems such as fires, floods, lightning storms and humidity to disgruntled employees, hackers, human error, power failures and viruses. A disaster can happen at any time and it is vital to be prepared in the event that one occurs.


To be prepared for a business interruption, the organization must have a carefully crafted and comprehensive plan that describes risks, impacts, and step-by-step recovery strategies for critical business processes in various disaster and emergency scenarios. Without a plan, the team will be flying blind when an interruption occurs. The plan provides the necessary tools to mitigate interruptions and resume operations as quickly as possible, greatly facilitating decision-making and taking action when there is scant time and stress levels are elevated.


Using the information in the risk assessment to create effective recovery strategies for critical processes in all departments, incorporating these strategies into a comprehensive business continuity plan, and encouraging ownership of the plan across the organization, and ultimately, achieving the highest resiliency possible with limited resources.


Create the recovery strategies department-by-department, process-by-process. This allows each department to focus on strategies specifically relevant to their critical processes without extraneous information from other departments. Do the same for your business continuity plan, writing smaller plans by department. Also, use a template to document your recovery strategies to ensure process consistency across the organization. Finally, have plans reviewed and approved by department heads and distributed to all employees to encourage ownership and pride in the plan.


Each department in the organization will have a comprehensive action plan for business continuity outlining the steps to take to recover vital processes in various emergency scenarios. All employees will have their own copy of the plan, ready to use immediately when a disruption occurs. Employees will take ownership of the organization's business continuity effort and this effort will be further ingrained in the organization's corporate culture.



The Chocolate Company since inception in 1990 has been largely responsible for satisfying the country's demand for Chocolates and Sugar Confectionery. Situated at Rusayl Industrial Estates in Muscat, Sultanate of Oman, the plant has various lines producing a wide range of confectionery like Éclairs, Toffees, Fudges, Caramels, Hard Boiled Candy and Enrobed Chocolates. These products are available in attractive packaging and premium Gift Boxes making them ideal for gifting as well as for own consumption. Most of the packaging in the Gift Pack segment has been carefully selected to ensure its enduring utility, thereby giving our valued customers an added benefit. The confectionery is produced by experienced personnel under stringent quality control and hygiene standards. State-of-the-art manufacturing facilities ensure products of international quality. The company in its relentless pursuit of quality obtained HACCP Certification in April, 2004.

The Company, through its uncompromising stand on quality and competitive pricing, has successfully penetrated countries all over the Gulf, the African continent, Asia, Australia, New Zealand, Canada, South Africa, USA and the UK.

The principal business processes involved are

Today, manufacturing sector companies like chocolate manufacturing operates in increasingly complex, competitive and global markets. The ability to manage risks across geographies, products, assets, customer segments and functional departments is of paramount importance. The inability to manage these risks can cause irreparable damages.

Chocolate company will always face the likelihood of being impacted by uncertain or adverse future events. These uncertainties will have an impact on a company's ability to generate capital and shareholders returns. The company Board expects that management will not only look at where the company may be exposed to risk, but also how these risks can be managed to influence favorable business outcomes.


Risk Management Methodology followed by the chocolate company

The risk management methodology at the chocolate company encompass the scope of risks to be managed, the process/systems and procedures to manage risk and the roles and responsibilities of individuals involved in risk management. The framework is comprehensive enough to capture all risks that the company is exposed to and have flexibility to accommodate any change in business activities.

The chocolate company's effective risk management methodology includes

A. Risk Policy Framework

The following fundamental principles should be considered by the company to develop and implement a proactive risk management program and help them to identify any potential areas of concern:

  1. Acceptance of a risk management framework: A formal risk management framework is needed at this company, to guide the integration of risk management into the company's day to day operations.
  2. Corporate governance and risk: At this company,corporate governance is the prime responsibility of the Board of Directors and the General Manager. It combines legal duties with responsibilities to improve and monitor the performance of the company.
  3. Establish the risk response strategy: Following the agreement on the risk assessment rankings in all functional departments, management action will need to be taken to reduce the risk levels where they have been deemed unacceptably high or alternatively remove constraints where they are preventing the business from pursuing opportunities.
  4. Assigning responsibility for risk management change process: It is important for the company to ensure that the daily operation of the business supports this strategy and that the staff understands the proposed changes.
  5. Re-sourcing: Risk management is the responsibility of all levels of management.
  6. Communication and training: Implementing a communication and training program is important to introduce the concept of risk management.
  7. Monitoring of risk management process: To ensure that risk responses gaps are filled and that the risk responses continue to operate effectively and remain appropriate in light of changing conditions.

B. Identification of Various Risks of The Company

While drafting this Risk management Policy, the primary risk exposures at the company X that are identified is provided below, which are inclusive but not exhaustive and it will be the responsibility of the Risk Management Committee to review these on a periodic basis.

I. Market Risks

It is the risk that the value of the company will be adversely affected by movements in market rates or prices, foreign exchange rates, national & global fluctuations, credit spreads and/or commodity prices resulting in a loss to earnings and capital.

The market risks identified at this chocolate company are as follows

II. Operational Risks

The operational risks identified at chocolate company are as follows

III. Reputation Risks

These are risks arising from negative public opinion resulting from failures of process, strategy or corporate governance.

The Reputation risks identified at this company are as follows

IV. Credit Risks

Non receipt of receivables or delay in receipts is the credit risks attributable to the company.

These may be identified as

V. Liquidity Risks

The possibility is that the company will be unable to fund present and future financial obligations.

These may be identified as

VI. Strategic Risks

Risk those are arising from adverse business decisions or the improper implementation of such decisions.

These may be identified as follows

C. Risk Prioritizing and Impact Assessment

Risk Prioritizing

To adequately capture institutions risk exposure, risk measurement should represent aggregate exposure of the company to both risk type and business line and encompass short run as well as long run impact on it. To the maximum possible extent the company should establish systems / models that quantify their risk profile. However, in some risk categories, quantification is quite difficult and complex. Wherever it is not possible to quantify risks, qualitative measures should be adopted to capture those risks.

The company should utilize a Risk Matrix to evaluate the level of risks which are identified in the Company. The Risk Matrix is formed by assessing the probability of the risk, the severity of the risk, and the quality of control that exists specific to those risks. Scoring is attributed for each the three parameters namely probability, severity and Internal control. The aggregate score is computed and ranking of the risks is ascertained.

Company's Risk Matrix using the above method is shown in Annexure I

ii.Impact Assessment

The company being a medium scale manufacturing unit should focus on the manageable risks like Operational risks, Liquidity risks and Strategic risks. Market risks, Credit risks and Reputation risks though an integral part of risk management may not need detailed impact assessment at this stage unless the probability of such factors seem to be out of proportions in time to come. Impact assessment of the Operational risks, liquidity risks and strategic risks at the company termed herein as Manageable risks, can be assessed as follows

Risk associated with any event has two components, loss severity and loss probability. Loss, in itself consists of expected and unexpected components. The unexpected loss component could be severe or catastrophic. Usually, expected losses are adjusted for in pricing or in reserve allocation. Unexpected losses require capital allocation. Given that operational risk, liquidity and strategic risk events are most often subject to internal control, any manageable risk system that passively measures these risks would clearly be inadequate.

Once risk factors are identified as likely causes of the Risk losses, mitigating steps need to be initiated. While quantification would indicate risk magnitude and capital charges, it may not by itself suggest mitigating steps. This makes it advisable for the company to combine qualitative and quantitative approaches to manageable Risk.

The broad steps involved here would be:

Qualitative Approaches

Qualitative approaches involve

Critical Self-Assessment: (CSA):

This is one of the common qualitative bottom-up approaches where line managers of the company can critically analyze their business processes given specific scenarios to identify potential risks and gaps in their risk management processes. Tools like questionnaires, checklists and workshops are used to help the managers analyze the risk profile of their business units. The key idea behind this method is that businesses managers of this company are in the best position identify and manage the Operational Risks pertaining to their business units.

Risk Audit

Employing the services of external (or internal) auditors to review the business processes of a business unit is another approach. This process not only helps identify risks but also helps put in place the oversight organization for the manageable risks.

Key Risk Indicators (KRI)

Using the KRI approach the company can blend the qualitative and quantitative aspects of Operational Risk management. Factors that have predictive value and that can be easily measured with minimum time lag can serve as risk indicators. Some risk indicators inherently carry risk related information, for instance, indicators like sales volumes, order size, etc. Others are indirect indicators, for instance, production budgets, production lifecycle, performance appraisal etc. Key indicators are identified from several potential factors and are tracked over time. The predictive capabilities of the indicators are tested through regression analysis on historical loss data and indicator measurements. Based on such analysis, the set of indicators of the company being tracked can be modified suitably. Over time, as the model gets refined, the set of indicators can provide early warning signals for operational losses.

D. Management of the risks

Managing Market Risks: The chocolate company may be exposed to Market Risk in variety of ways as described earlier such as environmental issues, export orders, future contracts, Price competition, customer profile and marine transportation risks. Besides, market risk may also arise from activities categorized as off-balance sheet item.

To mitigate this risk the company has taken the following steps:

Managing Operational Risks: Being a chocolate manufacturing company, it deals with the retail market. The most important risks are those of Operational risks. Operational risk is associated with human error, system failures and inadequate procedures and controls. It is the risk of loss arising from the potential that inadequate information system; technology failures, breaches in internal controls, fraud, unforeseen catastrophes, or other operational problems may result in unexpected losses or reputation problems.

Raw Materials

Country of import


Dubai/ local



Milk Powder


Vegetable Fat



Sri Lanka

Coco Powder


Whey Powder


Packing Materials


The storage policies currently are

Raw Materials - Glucose

Stored In godown

Raw Materials- others

Stored in godown

Packing Materials - Gift Tins, Cartoons

Stored In godown

Packing Materials - Wrapper, Bags. Gift Boxes

Stored in godown

Finished Products

Stored in godown

The company can keeps the entire inventory in closed warehouses.

The company needs have a Manpower Accidents and Injury Policy to cover the possibility of injury or death of manpower within the factory premises.

Managing Reputation Risks

Reputation of the company may also get hamper in various situations some of which are

Contamination-hygiene: Being in the Food sector the company should take utmost precaution to avoid any sort of contamination in its products which will reach to the general mass. The company should take precaution for the quality of the raw material and packing material that is required for the entire production process and the stocking procedure.

The company can follow the following policy:

Managing Credit Risks:

The company should mitigate this risk in the following manner:

The company should take the following steps:

To counter this company should maintain small stocks with such shops and should have a regular but frequent collection system.

Marketing department of the company should perform the following functions:

Managing Liquidity Risks

Liquidity risk is medium risk for this company. It arises when the cushion provided by the liquid assets are not sufficient enough to meet its obligation. The company's current Net Worth condition, though improved in the recent years is still not conducive to attract bankers and so the company has a medium range risk of not attaining its working capital requirements or for Capex decisions especially when it is in its growth path. Liquidity risks at the company arise due to Cash flow & working capital gaps, Capex requirements and Cost overruns.

Some early warning indicators provided below, that may not necessarily always lead to liquidity problem for the company; however these have potential to ignite such a problem. Consequently management needs to watch carefully such indicators and exercise further scrutiny/analysis wherever it deems appropriate.

Examples of such internal indicators are:

An effective liquidity risk management would include systems to identify measure, monitor and control its liquidity exposures. Management should be able to accurately identify and quantify the primary sources of the company liquidity risk in a timely manner. To properly identify the sources, management should understand both existing as well as future risk that it can be exposed.

Key elements of an effective risk management process should include an efficient MIS, systems to measure, monitor and control existing as well as future liquidity risks and reporting them to senior management. An effective management information system (MIS) is essential for sound liquidity management decisions. Information should be readily available for day-to-day liquidity management and risk control, as well as during times of stress. Data should be appropriately consolidated, comprehensive yet succinct, focused, and available in a timely manner.

An effective measurement and monitoring system is essential for adequate management of liquidity risk. Consequently intends to institute systems that will enable it to capture liquidity risk ahead of time, so that appropriate remedial measures could be prompted to avoid any significant losses. Some commonly used liquidity measurement and monitoring techniques are:

Managing Strategic Risks

These are risks arising from adverse business decisions or the improper implementation of such decisions.

The company should introduce

Risk monitoring

An effective monitoring process is essential for adequately managing all the identified risks. The Risk management Committee need to establish a program to

It is essential that

Risk Reporting

The company is currently setting up a Risk Reporting system. The Reporting system will ensure that information is received by the appropriate people, on a timely basis, in a form and format that will aid in the monitoring and control of the business. The reporting process will include information such as

The company has an information system that is fairly accurate, informative and timely to ensure dissemination of information to management to support compliance with board policy. Reporting of risk measures will be regular and will clearly compare current exposures to policy limits. Further past forecast or risk estimates will be compared with actual results to identify any shortcomings in risk measurement techniques. The board on regular basis needs to review these reports. While the types of reports for board and senior management could vary depending upon overall risk profile of the company, at a minimum following reports will be prepared

Risk Control.

The company's internal control structure will ensure the effectiveness of process relating to comprehensive risk management. Establishing and maintaining an effective system of controls including the enforcement of official lines of authority and appropriate segregation of duties, is one of the management's most important responsibilities. Persons responsible for risk monitoring and control procedures should be independent of the functions they review. Key elements of internal control process include internal audit and review and an effective risk limit structure.

Although a framework of formal, written policies and procedures is critical, it needs to be reinforced through a strong control culture that promotes sound risk management practices. The company will have policies, processes and procedures to control or mitigate material risks. The company will assess the feasibility of alternative risk limitation and control strategies and should adjust their risk profile using appropriate strategies, in light of their overall risk appetite and profile. Control activities will be an integral part of the regular activities of the company to ensure effectiveness of the risk control mechanism.


The company may look forward for the following benefits by implementing a robust Risk management policy as enumerated in this guideline


In today's business environment information technology (IT) resources, including data, are some of the most important assets owned by organizations. Earthquakes, cyclones, hurricanes, floods, hackers, computer viruses, sabotage and terrorist attacks are disasters that threaten these assets. Organizations need to be prepared for and be able to respond to these attacks.

The chocolate manufacturing company should now focus to gear up its systems and processes so that it can sustain the growth pattern quite efficiently and effectively. One such tool is that it can have a well designed information system with the help of the latest technology. Information Technology is responsible for providing methods and processes to protect company data, systems software and computing resources. Like all processes, systems and technology, the Information technology system and process of any organization should be guided by the rules and regulations by which its existence and functioning can be safeguarded. Using the latest technology the company can




The company should have a formal user registration and de- registration procedure for granting access to all multi-user information systems and services. The registration process needs to include


Operating System Access Control

Security facilities at the operating system level should be used to restrict access to computer resources. These facilities are capable of performing the following tasks

Application Access Control



When not in use, paper and computer media should be stored in suitable locked cabinets and/ or other forms of secured furniture, especially outside working hours.




Switches: LAN equipment, routers and switches should be kept in secure areas.. Access to switches should be restricted to IT Department staffs only. Other staffs and contractors requiring access to switches should notify to the IT department in advance so that necessary supervision can be arranged.

Workstations:Users must logout their workstations when they leave their workstations for any length of time. Alternatively, Windows workstations may be locked.






Permanent connections to the internet should be via the means of a firewall (Sonic) to regulate network traffic





Four levels of Security Requirements- associated with various types of Hardware- are identified and detailed below



Security Level 1

Basic security requirement for all types of computer equipments.


Security Level 2

Applicable only if the total replacement value of Hardware is less than 0RIAL 2000 per room or area.


Security Level 3

Applicable only if the total replacement value of this Hardware is between RIAL 2000 and 4,000 per room or area.


Security Level 4

Applicable only if the total replacement value of this Hardware is in excess of RIAL 4,000 per room or area.


The required physical security table is given in ANNEXTURE III


The human resources (HR) department is a key player in all of these issues, so the company should be certain that the HR department can deliver core services during a crisis, as well as to monitor and report on the locations of displaced workers.

Human capital resiliency can be defined as an organization's ability to respond and adapt rapidly to threats posed to its workforce. Organizations that can build resiliency into their human capital are more likely to protect their most valuable resources and maintain continuous operations in the event of a crisis. Many forward-thinking companies are already considering the impact of short-term interruptions in normal business activities and identifying appropriate actions to sustain vital business processes in the event of a crisis. They are also looking at long-term trends, such as changes in workforce demographics.

Human capital risks in crisis situation

In a crisis, many organizations need to be challenged to safeguard and support employees while continuing to deliver the services needed to keep the business operational and revenue flowing. Three primary areas in which human capital risks associated with crises can be grouped, as shown by the following graphic:

Human capital risks associated with crisis situations

Ability to attend work

Ability to deliver critical internal services

Ability to maintain business operations

Present status of the company

At present the company follows a policy of maintaining optimum staff strength for its requirements. Accordingly all personnel are considered important for organizational functioning. However there are certain key positions in the Company which are considered to be critical for successful operations. These key positions are those that may be difficult to fill at short notice if the incumbents suddenly leave. This could be so for reasons like technical knowledge or expertise required for those positions or due the leadership attributes necessary.

The General Manager in consultation with Departmental Heads should carry out a periodic analysis to identify these critical positions in the company. This analysis shall also be placed before the Board for their approval

At present, the critical positions identified are

The Company should prepare special Contingency plans for succession to these positions in case of extended absence or departure of the existing incumbent. The elements of these contingency plans shall include


The Company should follow the following steps to improve the human capital resiliency methodology:

A. Determination of Strategic Goals and Future Plans

The Company should undertake periodic exercises to revisit its critical short and medium term strategic goals and the various initiatives required for attaining these goals. The goals should arrive at on a collective basis by the entire management of the Company after a well-deliberated SWOT analysis and using other appropriate management tools. The exercise should be carried out under the guidance of the General Manger. Once the short and medium term goals of the Company have been determined, based on this analysis, the management team under the guidance of the General Manager shall also decide on the initiatives to be undertaken to reach these goals.

B. Study of the external and internal environmental factors

External Factors:

The Company should carry out regular analysis of the external business environment so far as it relates to the functioning of the Company. This analysis should be carried out by the heads of the respective Departments in the Company who are responsible for various functional areas. The analysis should be particularly focus on the emerging opportunities and threats the Company faces and shall typically include such areas as competitor analysis, new product development, new technical knowhow available, market trends, price patterns, and expected changes in customer preferences and profile. The findings of departmental heads shall be placed before the General Manager every quarter or earlier if circumstances so justify.

Internal Factors:

The Company should also carry out regular assessment of the internal factors in the Company in regard to staff and related matters, productivity, steps to improve operating efficiencies and waste reduction. Such assessment should be made by the respective departmental heads and placed before the General Manager every quarter or earlier should the need arise.

C. Identify and prioritize succession problems

The Succession Management Committee is responsible for gathering information to identify succession management problems, evaluate their criticality and select those issues that will be addressed first.

Key positions are positions that include responsibility for performing mission-critical work that is necessary for an organization to achieve its business goals. Key positions include responsibility for planning, designing, delivering or managing the flow of essential services. A vacancy of over 2 months in a key position would have a negative impact on the delivery of services because of the criticality of the work. Employees who possess knowledge/skills that are crucial and unique often fill key positions. These unique skills and knowledge are critical to the success of the unit/organization and are not found in other employees' positions in that role. The Planning Committee should establish a working definition of a key position using the above information. Likewise, a working definition needs to be developed for hard-to-fill positions. Positions are typically hard to fill if they are characterized by shortages of trained workers and high wages relative to State pay scales. These factors often lead to extended recruitment and reposting periods and, sometimes, an inability to fill a position.

The chocolate company should follow a policy of maintaining optimum staff strength for its requirements. Accordingly all personnel are considered important for organizational functioning. However there are certain key positions in the Company which are considered to be critical for successful operations. These key positions are those that may be difficult to fill at short notice if the incumbents suddenly leave. This could be so for reasons like technical knowledge or expertise required for those positions or due the leadership attributes necessary.

The General Manager in consultation with Departmental Heads should carry out a periodic analysis to identify these critical positions in the company. This analysis shall also be placed before the Board for their approval.

D. Planning the staffing requirements based strategic goals

Based on the strategic goals as finalized by the Board, the staffing requirements in the short and medium term will be decided by the General Manger, as the head of the Personnel & Administration department, in consultation with the Finance and Administration Manager. Other staff related matters such as management of the talent pool of existing employees, management hierarchy and reporting structure will also be reviewed. While planning the staffing pattern due care shall be taken to ensure that all existing laws and regulations of the Sultanate of Oman are complied with including the stipulations regarding the employment of Omani nationals.

E. Reviewing the roles and skills of key personnel

While deciding on the staffing pattern the General Manager along with the concerned Managers shall review the roles and identify the skill sets which would be required by key personnel to ensure their effective functioning. An analysis would also be made of the existing job profiles and skills presently available in the Company. A skill gap analysis would be carried out as an adjunct to this exercise to identify the shortcomings in the Company in relation to its needs. The skill gap analysis will be undertaken for various segments of the employees as follows:

The purpose of the skill gap analysis will be to identify the existing shortfalls of the employees in relation to the requirement of leadership and other soft skills as also work skills. Once the skill gap analysis has been carried out, the General Manager, in consultation with the concerned Managers shall decide on the remedial measures to be adopted to meet the existing shortcomings.

F. Need based Recruitment of Personnel

While recruiting personnel externally the Company has a policy of identifying the requisite skills required for the positions to be filled up and in the case of Managers and other key personnel the recruitment has to be approved by the Audit Committee. The Company also has an open policy of recruitment and appoints personnel after considering multiple applicants for each position, and after undertaking detailed evaluation. The Company is thus able to secure best available personnel to meet its needs. Also the Company prior to external recruitment tries to locate suitable employees from within the Company.

After recruitment the new recruit generally undergoes an induction process to familiarize him with the Company's working, and is on probation for a period of 3 months to enable the Company to judge whether he has or can pick up the requisite skills for effectively handling responsibilities assigned to him.

G. Policies on emergency recruitments at Senior Management level

The Company should have a policy of filling up vacancies at the Senior Management level by promoting or replacing by existing employees as far as possible. However it may not always be possible to source talent from within the organization for a particular position, and recruitment from outside may be the only option.

In such a case, the primary objective to be kept in mind would be whether the new recruit would have the core technical competencies required for the position as also the leadership qualities and other traits for effective functioning. Also the recruit should be able to adapt quickly to the work environment of the Company. To this end, the Personnel Department, under the guidance of the General Manager, should compile job profiles for each Senior Management other key positions. They shall simultaneously identify the skill sets including leadership and other soft skills required for each position.

This information should be discussed with the Audit Committee and reviewed from time to time. As and when an emergency recruitment has to be made, applicants shall be screened for the requisite skill sets. Also the Company shall follow an open policy of recruitment with multiple applicants and all such recruitments shall be approved by the Audit Committee. This process will ensure that the company employs the best available personnel.


In line with the legislative requirements in the Sultanate of Oman for progressive Omanisation of the workforce, the Company should adopt a conscious policy of employing Omani nationals at all levels as far as practicable. The Company shall give preference in employment to Omani nationals.

It shall also provide suitable training and continuously develop local talent available in the Company so that they can acquire the relevant skills for effective functioning in the assigned jobs. The Company shall also provide for promotional opportunities for deserving Omani employees so that they can progress in the organization and take up roles at the senior management level in course of time.

The progress of Omanisation in the Company shall be reviewed by the Board at periodic intervals.

H. Identification of Training and Development needs

The Company should consciously follow an ongoing system of identifying and addressing any deficiencies in skills that may exist at various levels of employees to enable them to carry out their existing responsibilities as also to shoulder higher responsibilities should the need arise. The company can therefore always have at its disposal a trained pool of manpower from which it can choose personnel for most of the key positions should they fall vacant.

The Company should strive to impart appropriate training to its employees depending on the deficiencies in the skills of personnel as may be ascertained from the skill gap assessment carried out for its personnel. This training can be in-house or external depending on the nature of training to be imparted. The training process shall also take into account the special needs of employees at various levels:

In house training

The Company shall have a system of basic on the job training at various levels to familiarize employees with the work skills required for carrying out their assigned functions. This will include as follows

For workers

For field staff

For administrative staff

For Junior Management and Supervisory Staff

For shop floor personnel

For others

The in house training process should primarily be restricted to the above category of employees. New recruits at the senior management level would be familiarized with the working systems and procedures in the Company during their induction. The Company, should the need arise, may involve specialists in the respective areas in the training process. Special attention shall be paid to training Omani nationals so as to impart the requisite job specific skills and equip them for higher responsibilities in due course.

External Training

The Company should provide training opportunities to its Senior Managerial personnel through external sources as and when required. The Senior Managers in the Company shall also be expected to attend seminars, workshops and other external training programs to advance their knowledge and expertise in their functional areas. They should also be expected to participate in external training programs to enhance their general management skills. The General Manager shall be the authority for sanctioning such external training. The purpose of such training would be to equip the Senior Managers to discharge their functions more effectively and also help them to assimilate skills that may be required to shoulder higher responsibilities.

External training programs would generally be restricted to Senior Management level only. However should staff at the junior management or supervisory levels display exceptional ability or performance, they can be nominated by the respective Departmental Heads for external training and such training can be sanctioned by the General Manger at his discretion.

The primary rationale for having a training schedule in place is to impart to employees the ability to discharge their functions effectively, and also create a talent pool in the organization equipped to accept additional or higher responsibilities should the need arise.

I. Identify strategies and programs to increase the competency level of employees

The following are examples of developmental activities:

J. Performance Appraisal

The Company should periodically (at least once a year) carry out a Performance Appraisal of all its employees. The Performance Appraisal should be carried out on the basis of benchmarks of performance set out in advance. These benchmarks should be periodically reviewed to ascertain their relevance for the functioning of the Company. The performance benchmarks should be finalized by the General Manager as the head of the Personnel & Administration Department, in consultation with the concerned Managers. The performance benchmarks should also be approved by the Audit Committee. The performance benchmarks should include such items as the competence of the employee at the job assigned to him, leadership qualities and other abilities that can enable him to take higher responsibility, commitment to the organization, innovative ability, etc.

The Performance Appraisal should be carried out in the first instance by

The Performance Appraisal should be preserved as an employee record so that the performance profile and progress of an employee can be monitored. Based on the periodic appraisal exercise, the Company should identify exceptional employees for higher responsibilities, promotion, and other rewards and incentives.

The Company should strive to keep the appraisal process objective as far as possible. The Company should also counsel employees whose performance has declined sharply.

K. Promotion and other incentives

Based on the performance of an employee, the Company may consider granting increments in salary or performance linked bonuses or other incentives to him. Such increments or bonuses will be decided by the General Manager after discussions with the Audit Committee or other designated members of the Board In case of exceptional performance of the employee concerned over a period of time, the Company may decide to grant the employee a promotion to the next higher level. Such promotions shall be decided by the General Manager in consultation with Audit Committee or other designated members of the Board.

L. Evaluation & Review of the Succession Planning Process

The Company should carry out a periodical evaluation of the succession plan process. The review will primarily focus on the following areas-



The readiness of a company in reacting to contingencies such as terrorism, the avian flu pandemic, killer tsunami waves, etc. is dependent on how actively involved its management is in embracing its business continuity plan. Every day, there is the chance that some sort of business interruption, crisis, disaster, or emergency will occur. Anything that prevents access to key processes and activities can be defined as a disaster.

At present disaster recovery has stretched to incorporate all scenarios necessary to ensure the successful running of critical systems during an emergency and include the long-term recovery of the business. Business continuity provides an alternative and most rigorous approach for an organization to develop its response to service interruption. It concentrates on the impact of an incident rather than its cause and, crucially, on its duration. It tries to identify the point in time where an interruption becomes intolerable. Issues such as data protection, human resource concerns, vital records, telecommunications, risk management, security, environmental concerns, product recovery and the business premises are all documented in a disaster recovery plan/business continuity plan.

A requirement of the business continuity planning process is to instigate a “risk reduction programme”. This will ensure that company threats are identified and assessed accordingly. After having identified the risks, “managing” them within the business recovery timeline should be a straightforward process.

Wikipedia describes Business Continuity planning as “an interdisciplinary peer mentoring methodology used to create and validate a practiced logistical plan for how an organization will recover and restore partially or completely interrupted criticalfunctions within a predetermined time after a disaster or extended disruption.

Thus Business Continuity Plan (BCP) and a Disaster Recovery Plan (DRP) are integral parts of corporate governance policy and risk mitigation policy which addresses the most serious concern of any stakeholder in the organization with respect to the ability of the business to survive the most distressing circumstances. A well conceived business continuity plan would be a holistic one which identifies potential threats to an organization and the impacts to business operations that those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities. The key to the entire planning exercise is preparedness.

The BCP would essentially include two elements


Following are the phases of a business continuity planning:

A. Project initiation

The principal critical activity required prior to the establishment of a BCP is obtaining senior management approval and support. Having obtained management approval, the initial phase of the BCP will include establishment of the BCP objectives and requirements of the plan. A business continuity steering committee would normally be established. This committee is likely to be made up of senior staff within the organization that has the relevant strategic view of the company's operation. It is important that they also have nominated deputies who are suitably briefed and have an in-depth knowledge of the BCP process.

B. Risk assessment/business impact

Principal objectives of phase two is to relate to data gathering and review of alternative courses of action. The collation and evaluation of this information will then allow senior management to make decisions on the critical aspects of the core business. Having identified the risks a business impact analysis should then be carried out identifies this as a key step in protecting an organization. It identifies some of the minimum objectives as being

C. Design and development of the BCP

Principal issues to be addressed at this stage include

D. Creation of the business continuity Plan

This phase deals principally with the creation of the BCP. The key issues to be addressed include:

E. Testing and exercising BCP

In order to establish the effectiveness of BCP it is essential to implement a regular testing and exercise programme. The key activities

F. Maintenance and updating

Having established the need for testing and the degree of probability that a substantial number of plans will fail following the testing exercise, it is essential that the lessons learned and shortfalls documented are incorporated into the plans. The key issues to be addressed are


As two of the principal focus areas of the Company's business are on its customers and investors, it is important to protect and salvage resources connected to these areas first. In any crisis it is most important to retain the customers' loyalty which means that the Company's products should be always available in the market. It is also important to retain the confidence of investors which entails communicating with them at regular intervals especially in times of crisis. The Company also needs to protect and preserve requisite financial and other records for the purposes of business and those required in terms of applicable laws and other regulations. The principal resources required for business continuity would be the following



A major part of the disaster recovery planning process is the assessment of the potential risks to the organization which could result in the disasters or the emergency situations themselves. It is necessary to consider all the possible incident types as well as the impact each may have on the organization's ability to continue to deliver its normal business services.

The following list of potential events has been considered with individual risk profiles


Overall Risk Profile

Affecting physical business processes

Earthquake, Fires, Floods and tornado


Utility outages


Raw material shortages and failure of supply lines


Distribution system failures including customer defaults, and sudden loss of market demand


Devaluation / currency fluctuations


Transportation and logistical disruptions


Technological obsolescence


Key employee attrition and Labour disputes


Major theft/burglary/bribery



Overall Risk Profile/Impact

Critical equipment failure, internal power failure and sabotage


Affecting IT infrastructure



An overview of the various mitigation steps to be taken for the various threats as perceived by the company is listed below:

A. Earthquake, Fires, Floods and tornado (Risk Profile: Medium)

Mitigation steps:

B. Utility outages (Risk Profile: Medium)

Disruption in electrical and water supplies could happen even without any major natural disaster. To protect against any unforeseen disruption in utility supplies, adequate arrangements for standby supplies have to be made.

Mitigation steps



Adequate storage/overhead tanks/ underground reservoirs for production process, drinking and sanitation

C. Raw material shortages and failure of supply lines (Risk Profile: Medium)

In case of likely extended disruption in supplies or raw material shortages, the production processes may suffer leading to adverse impact on the business.

Mitigation steps

D. Distribution system failures including customer defaults, and sudden loss of market demand (Risk Profile: Medium)

In case of a likely extended disruption in distribution system or a sudden fall in market demand, the company's products may disappear from outlets, affect the company's credibility with customers in turn impacting business revenue.

Mitigation steps

E. Devaluation or currency fluctuations (Risk Profile: High)

Currency fluctuations are an important factor since the company depends to a large extent on imports for raw materials and exports a significant part of its production.

Mitigation steps

F. Transportation and logistical disruptions (Risk Profile: High)

For an extended disruption in transportation and logistical arrangements in its supply lines and distribution arrangements, the company would have to fall back on alternative methods to handle the crisis.

Mitigation steps

G. Key employee attrition and Labour disputes (Profile: Medium)

The departure/absence for an extended period, of key employees and labour disputes are ever- present threats in any organization.

Mitigation steps

H. Critical equipment failure, internal power failure and sabotage (Risk Profile; High)

Since the company uses a continuous manufacturing process, even minor disruptions in the operations can be considered to adversely affect the financial performance of the company.

Mitigation steps

I. Major theft/burglary/bribery (Risk Profile: Medium)

Mitigation steps



A disaster recovery is a response to a declared disaster. A disaster recovery plan describes how an organization has to deal with a potential disaster.




The chocolate manufacturing company should have a site strategy from where it can carry on operations. In case the disaster denies it can access to its manufacturing and other facilities, and an operational back up strategy of operating procedures to be followed in the interim period till all facilities are restored.

Site Strategy

Back up Strategy for carrying on physical business processes

The basic steps for all activities like distribution and marketing, Production, Finance, Administration and other functions would be

IT Resources

It is desirable that the profit-seeking activities of a business including the IT operations are not interrupted in the event of a disaster, secondary storage media (usually removable hard disks or DVDs) are used to store programs and associated data for backup purposes. These hard disks or other secondary storage media are stored in or more physical facilities (referred to as off site libraries) based on availability of use and perceived business interruption risk. It is the off site librarian's responsibility to maintain a perpetual inventory of the contents of these libraries, to control access to library media, and to rotate media between various libraries as applicable. The General Manager and the Finance Managers residence can be treated as the offsite library for this purpose.

Both data and software files should be backed up on a periodic basis.



Operating procedure

Application data files, control instructions, operating system manuals and special procedures

System and Program Documentation

Flowcharts, program source code listings, program logic descriptions, special job control language statements, error conditions and user manuals

Special Procedures

Any procedures or instructions that are out of the ordinary such as exception processing, variations in processing and emergency processing.

Input Source Documents output Documents

Duplicate copies, photocopies, microfilm reports or summaries required for auditing, historical analysis, performance of vital work, satisfaction of legal requirements of expediting insurance claims.

Business Continuity Plan

A copy of the correct plan for reference.

The following table shows the documentation to be backed up and stored off site

More from UK Essays