Disaster Recovery and Business Continuity Plan of Chocolate Manufacturing Company

INTRODUCTION

SITUATION

Every day, there is the chance that some sort of business interruption, crisis, disaster, or emergency will occur. Anything that prevents access to key processes and activities can be defined as a disaster.

Companies can experience many different threats to their mission critical systems such as fires, floods, lightning storms and humidity to disgruntled employees, hackers, human error, power failures and viruses. A disaster can happen at any time and it is vital to be prepared in the event that one occurs.

NEED

To be prepared for a business interruption, the organization must have a carefully crafted and comprehensive plan that describes risks, impacts, and step-by-step recovery strategies for critical business processes in various disaster and emergency scenarios. Without a plan, the team will be flying blind when an interruption occurs. The plan provides the necessary tools to mitigate interruptions and resume operations as quickly as possible, greatly facilitating decision-making and taking action when there is scant time and stress levels are elevated.

CHALLENGE

Using the information in the risk assessment to create effective recovery strategies for critical processes in all departments, incorporating these strategies into a comprehensive business continuity plan, and encouraging ownership of the plan across the organization, and ultimately, achieving the highest resiliency possible with limited resources.

SOLUTION

Create the recovery strategies department-by-department, process-by-process. This allows each department to focus on strategies specifically relevant to their critical processes without extraneous information from other departments. Do the same for your business continuity plan, writing smaller plans by department. Also, use a template to document your recovery strategies to ensure process consistency across the organization. Finally, have plans reviewed and approved by department heads and distributed to all employees to encourage ownership and pride in the plan.

RESULT

Each department in the organization will have a comprehensive action plan for business continuity outlining the steps to take to recover vital processes in various emergency scenarios. All employees will have their own copy of the plan, ready to use immediately when a disruption occurs. Employees will take ownership of the organization's business continuity effort and this effort will be further ingrained in the organization's corporate culture.

CHOCOLATE MANUFACTURING COMPANY

AN OVERVIEW

The Chocolate Company since inception in 1990 has been largely responsible for satisfying the country's demand for Chocolates and Sugar Confectionery. Situated at Rusayl Industrial Estates in Muscat, Sultanate of Oman, the plant has various lines producing a wide range of confectionery like Éclairs, Toffees, Fudges, Caramels, Hard Boiled Candy and Enrobed Chocolates. These products are available in attractive packaging and premium Gift Boxes making them ideal for gifting as well as for own consumption. Most of the packaging in the Gift Pack segment has been carefully selected to ensure its enduring utility, thereby giving our valued customers an added benefit. The confectionery is produced by experienced personnel under stringent quality control and hygiene standards. State-of-the-art manufacturing facilities ensure products of international quality. The company in its relentless pursuit of quality obtained HACCP Certification in April, 2004.

The Company, through its uncompromising stand on quality and competitive pricing, has successfully penetrated countries all over the Gulf, the African continent, Asia, Australia, New Zealand, Canada, South Africa, USA and the UK.

The principal business processes involved are

• Procurement of raw materials and consumables.
• Production and Quality control.
• Distribution and marketing.
• Inventory Management.
• Pricing and cost control.
• Feedback from consumers and redressal systems.
• Publicity and promotional activities.
• Recruitment and HR.
• Finance & Administration.
• Corporate communications and public relations.
• Legal and secretarial matters.
• Investor relations.
• Maintenance of equipment and other assets.
• Capital expenditure for equipment and other purposes.
• IT systems and telecommunications.
• Transportation and Logistics.

Today, manufacturing sector companies like chocolate manufacturing operates in increasingly complex, competitive and global markets. The ability to manage risks across geographies, products, assets, customer segments and functional departments is of paramount importance. The inability to manage these risks can cause irreparable damages.

Chocolate company will always face the likelihood of being impacted by uncertain or adverse future events. These uncertainties will have an impact on a company's ability to generate capital and shareholders returns. The company Board expects that management will not only look at where the company may be exposed to risk, but also how these risks can be managed to influence favorable business outcomes.

RISK AND RISK MANAGEMENT

Risk Management Methodology followed by the chocolate company

The risk management methodology at the chocolate company encompass the scope of risks to be managed, the process/systems and procedures to manage risk and the roles and responsibilities of individuals involved in risk management. The framework is comprehensive enough to capture all risks that the company is exposed to and have flexibility to accommodate any change in business activities.

The chocolate company's effective risk management methodology includes

• Risk Policy framework.
• Identification of risks.
• Measurement and Impact Assessment.
• Management of the risks.
• Monitoring Reporting and Control.

A. Risk Policy Framework

The following fundamental principles should be considered by the company to develop and implement a proactive risk management program and help them to identify any potential areas of concern:

1. Acceptance of a risk management framework: A formal risk management framework is needed at this company, to guide the integration of risk management into the company's day to day operations.
2. Corporate governance and risk: At this company,corporate governance is the prime responsibility of the Board of Directors and the General Manager. It combines legal duties with responsibilities to improve and monitor the performance of the company.
3. Establish the risk response strategy: Following the agreement on the risk assessment rankings in all functional departments, management action will need to be taken to reduce the risk levels where they have been deemed unacceptably high or alternatively remove constraints where they are preventing the business from pursuing opportunities.
4. Assigning responsibility for risk management change process: It is important for the company to ensure that the daily operation of the business supports this strategy and that the staff understands the proposed changes.
5. Re-sourcing: Risk management is the responsibility of all levels of management.
6. Communication and training: Implementing a communication and training program is important to introduce the concept of risk management.
7. Monitoring of risk management process: To ensure that risk responses gaps are filled and that the risk responses continue to operate effectively and remain appropriate in light of changing conditions.

B. Identification of Various Risks of The Company

While drafting this Risk management Policy, the primary risk exposures at the company X that are identified is provided below, which are inclusive but not exhaustive and it will be the responsibility of the Risk Management Committee to review these on a periodic basis.

I. Market Risks

It is the risk that the value of the company will be adversely affected by movements in market rates or prices, foreign exchange rates, national & global fluctuations, credit spreads and/or commodity prices resulting in a loss to earnings and capital.

The market risks identified at this chocolate company are as follows

• Government Policy risks
• Product Risks
• Environmental risks
• Volatility of export orders
• Price Competition in the local & export market
• Currency fluctuation for export orders

II. Operational Risks

The operational risks identified at chocolate company are as follows

• Fire & Allied Risks
• Machinery breakdown/ obsolescence
• Volatility of Raw material & Packing material prices
• Quality/ Ageing risks of Raw material/ Packing material
• Delivery risk of Suppliers
• Loss of data & information- IT security
• Manpower Availability risks
• Accidents
• Inventory carrying risk

III. Reputation Risks

These are risks arising from negative public opinion resulting from failures of process, strategy or corporate governance.

The Reputation risks identified at this company are as follows

• Contamination-hygiene
• Product expiry/Shelf life
• Corporate Governance

IV. Credit Risks

Non receipt of receivables or delay in receipts is the credit risks attributable to the company.

These may be identified as

• Payment risk from customers-local
• Payment risk from Customers- export
• Security from customers
• Advance to Suppliers

V. Liquidity Risks

The possibility is that the company will be unable to fund present and future financial obligations.

These may be identified as

• Cash flow & working capital management
• CAPEX decisions
• Cost overruns

VI. Strategic Risks

Risk those are arising from adverse business decisions or the improper implementation of such decisions.

These may be identified as follows

• Business Plan forecasts.
• Attrition of key people.

C. Risk Prioritizing and Impact Assessment

Risk Prioritizing

To adequately capture institutions risk exposure, risk measurement should represent aggregate exposure of the company to both risk type and business line and encompass short run as well as long run impact on it. To the maximum possible extent the company should establish systems / models that quantify their risk profile. However, in some risk categories, quantification is quite difficult and complex. Wherever it is not possible to quantify risks, qualitative measures should be adopted to capture those risks.

The company should utilize a Risk Matrix to evaluate the level of risks which are identified in the Company. The Risk Matrix is formed by assessing the probability of the risk, the severity of the risk, and the quality of control that exists specific to those risks. Scoring is attributed for each the three parameters namely probability, severity and Internal control. The aggregate score is computed and ranking of the risks is ascertained.

• The probability of the impact occurring is arranged ranging from low to high. Scores assigned as 4 for High, 2 for medium and 1 for low.
• Severity of the Risk is assessed as High, Medium and low based on the experience and normal prudence. Scores assigned as 4 for High, 2 for medium and 1 for low.
• Quality of Internal control is also similarly categorized as high, medium and low. The scores assigned in the reverse order since the better the existing control the lower is the impact and vice-versa. So scores here can be assigned as 4 for Low, 2 for Medium and 1 for High.
• Aggregate Score was thereafter computed after adding the individual scores for each parameter.

Company's Risk Matrix using the above method is shown in Annexure I

ii.Impact Assessment

The company being a medium scale manufacturing unit should focus on the manageable risks like Operational risks, Liquidity risks and Strategic risks. Market risks, Credit risks and Reputation risks though an integral part of risk management may not need detailed impact assessment at this stage unless the probability of such factors seem to be out of proportions in time to come. Impact assessment of the Operational risks, liquidity risks and strategic risks at the company termed herein as Manageable risks, can be assessed as follows

Risk associated with any event has two components, loss severity and loss probability. Loss, in itself consists of expected and unexpected components. The unexpected loss component could be severe or catastrophic. Usually, expected losses are adjusted for in pricing or in reserve allocation. Unexpected losses require capital allocation. Given that operational risk, liquidity and strategic risk events are most often subject to internal control, any manageable risk system that passively measures these risks would clearly be inadequate.

Once risk factors are identified as likely causes of the Risk losses, mitigating steps need to be initiated. While quantification would indicate risk magnitude and capital charges, it may not by itself suggest mitigating steps. This makes it advisable for the company to combine qualitative and quantitative approaches to manageable Risk.

The broad steps involved here would be:

• determine the types of operational losses that could occur
• identify the causal risk factors
• estimate the size and likelihood of losses
• Mitigate associated risks

Qualitative Approaches

Qualitative approaches involve

• Audits,
• Self-assessments
• Expert / collective judgment.

Critical Self-Assessment: (CSA):

This is one of the common qualitative bottom-up approaches where line managers of the company can critically analyze their business processes given specific scenarios to identify potential risks and gaps in their risk management processes. Tools like questionnaires, checklists and workshops are used to help the managers analyze the risk profile of their business units. The key idea behind this method is that businesses managers of this company are in the best position identify and manage the Operational Risks pertaining to their business units.

Risk Audit

Employing the services of external (or internal) auditors to review the business processes of a business unit is another approach. This process not only helps identify risks but also helps put in place the oversight organization for the manageable risks.

Key Risk Indicators (KRI)

Using the KRI approach the company can blend the qualitative and quantitative aspects of Operational Risk management. Factors that have predictive value and that can be easily measured with minimum time lag can serve as risk indicators. Some risk indicators inherently carry risk related information, for instance, indicators like sales volumes, order size, etc. Others are indirect indicators, for instance, production budgets, production lifecycle, performance appraisal etc. Key indicators are identified from several potential factors and are tracked over time. The predictive capabilities of the indicators are tested through regression analysis on historical loss data and indicator measurements. Based on such analysis, the set of indicators of the company being tracked can be modified suitably. Over time, as the model gets refined, the set of indicators can provide early warning signals for operational losses.

D. Management of the risks

Managing Market Risks: The chocolate company may be exposed to Market Risk in variety of ways as described earlier such as environmental issues, export orders, future contracts, Price competition, customer profile and marine transportation risks. Besides, market risk may also arise from activities categorized as off-balance sheet item.

• Government Policy Risks: Change in government policies, tax rates, introduction of new tax regimes, reduction or abolition of incentives etc carry risk to any entity in terms of its costing and pricing. In the short and medium term the company does not perceive any major risk in this segment, however the management has to be aware of any forthcoming changes that the government might envisage. Should there be any drastic change in Government policies that would affect its profitability especially in case of exports; the Company has contingency plans for producing at an alternative location outside Oman.
• Product Risks: Since the product is that of food item the company has to be 100% careful to maintain the product quality, product specification, pack sizes, contents in each pack etc. Producing lesser or poor quality products and not as per specification is a risk which company X needs to constantly be aware off. To mitigate such risks the company X should
• develop a well defined production policy
• develop a well defined Quality control and checks policy
• develop a well defined storage and Distribution policy
• Environmental risks: The company does not use and generate hazardous substances in its manufacturing operations. Hence the chances that the company may in future are subject to liabilities relating to the investigation and clean-up of contaminated areas is negligible. However the company should have a laid down policy of disposal of waste at pre-designed disposal points mainly for the rejected, expired and damaged items of raw materials, finished products and packing materials.
• Volatility of export orders: Some customers and sectors served by the company are directly dependent on general economic development, competition and frequent fluctuations in demand for their products. The prices for these products are, in part, dependent on the prevailing relationship between supply and demand. Possible price fluctuations are therefore apt to have a direct influence on each customer's working capital management decisions, with subsequent influence on the customer's Order Intake. This may lead to volatility in the development of Order Intake of the company. The company has a policy of geographically diversifying its customer base, as also expanding the customer base in each export market, so that transfer to less volatile locations can be made in short notice.
• Price Competition in the local & export market: The Company does business in very competitive local and export markets. In spite of the competition the company has a 70% market share in the local market and its export business is expanding.Both these local and export markets in which it competes are highly fragmented, with a few large, international manufacturers competing against each other and against a high number of smaller, local companies. Sometimes new entrants or existing players suddenly lower their prices to get rid of the company's products. This has, in some cases, adversely impacted sales margins realized by certain of company's products.

To mitigate this risk the company has taken the following steps:

• Maintaining complete information of its Competitors with respect to their latest technological developments, market strategies, new investments, management changes etc.
• Has developed emergency alternative plans to introduce different product ranges with minimal structural changes with similar or lower prices.
• Currency fluctuation for export orders:The Company exports its products to a large number of countries like Canada, USA, Australia, African countries, and the Middle East. Almost all export orders of the company are fixed in US dollars. Since Omani Rail is pegged with US Dollars, the fluctuation of the currencies in would have negligible impact on the export realizations at company X. Company X has a policy of booking export orders in terms of US dollars to avoid the risk of currency fluctuations.

Managing Operational Risks: Being a chocolate manufacturing company, it deals with the retail market. The most important risks are those of Operational risks. Operational risk is associated with human error, system failures and inadequate procedures and controls. It is the risk of loss arising from the potential that inadequate information system; technology failures, breaches in internal controls, fraud, unforeseen catastrophes, or other operational problems may result in unexpected losses or reputation problems.

• Fire & Allied risks: These are general risks applicable to almost all establishments. This includes Material damage to the company's property due to Fire & lightning, Earthquake, Third party impact, Accidental damage, explosion, riot & strike, storm & tempest, burst pipes, Own Vehicle impact, malicious damage, and theft. The company should take necessary steps in mitigating such risks by taking

“Property All Risks Insurance Policy”

“Loss of profit insurance cover”

• Machinery breakdown/ obsolescence: This risk identified is a major risk element as the company has been established two decades earlier by using imported refurbished Plant

and machinery. Though most of the machinery is in running condition as of now the chances of spare part obsolescence is quite high in a majority of such machines. The physical status and the possible mitigation for major machinery can be shown in ANNEXTURE II

• Volatility of Raw Material/ Packing Material prices: The Company faces a medium level risk in its Raw material & Packing material prices. The main raw materials at are Sugar, Glucose, Milk Powder, vegetable fat, coconut, coco & whey powders. The packing material required is Wrappers, Bags, Gift boxes, Gift Tins and cartoons. Other than a few packing materials almost all of the raw materials and packing materials are imported as shown below

Raw Materials	Country of import
Sugar	Dubai/ local
Glucose	Germany/Thailand
Milk Powder	India/Australia
Vegetable Fat	Malaysia
Coconut	Sri Lanka
Coco Powder	Malaysia
Whey Powder	Australia
Packing Materials	Dubai/India/Local

• Quality risk Raw material & Packing material: This is a medium sized risk and the company should take reasonable care to mitigate such risks. Since the majority of the raw materials and packing materials are imported by the company, the purchase committee should implementing a stringent policy of
• Should have a multiple suppliers from the same country or region.
• Should have proper Quality checks for each Consignment while receiving delivery.
• Should have a stringent penalty clause on variation of specifications in the agreements with suppliers.
• Delivery risk of Suppliers: This is major risk element at the company because of the fact that in most cases purchases are imported and made through Letter of Credits. Non Delivery or delayed delivery in such purchases may affect the performance of the company. The company is implementing proper penalty clauses in the purchase agreement for delayed and/ or non-delivery of the ordered items.
• Transporting risks: In case of local sales, the company transports the products mostly through its own personnel. The company therefore, takes a general Transit Insurance policy covering accidents and theft.
• Inventory carrying risk: Inventory Carrying risks are of three types:
• Storage risk
• Overstocking & under stocking risk
• Expiry risk
• Storage risk

The storage policies currently are

Raw Materials - Glucose	Stored In godown
Raw Materials- others	Stored in godown
Packing Materials - Gift Tins, Cartoons	Stored In godown
Packing Materials - Wrapper, Bags. Gift Boxes	Stored in godown
Finished Products	Stored in godown

The company can keeps the entire inventory in closed warehouses.

• Over-stocking & Under-stocking: The company can maintain a good optimized production planning system in correlation with its sales plan so that it can have a optimum stocking policy. The current production plan is quite satisfactory and hence the risk is low to medium. But the company is mostly dependent on Export market, the volatility of export orders may lead to overstocking or under-stocking of inventory.
• Expiry risks: This risk is low to medium. Expiry risks of inventory can be mitigated by proper planning of Sales, Purchase, Production and Distribution. The Storekeeper needs to maintain up-to-date records. A system is being implemented to provide on-line information about the stock position i.e. the quantity in stock, Re-order period, Ordering level and the Expiry dates of each of the Raw material, packing material and finished stocks to the Sales, Production and Purchase department so that immediate action can be taken by the respective departments.
• Manpower Availability risks: There is a shortage of skilled manpower in Oman. This is however met with the expatriate staff employed mainly from the sub-continent. The company therefore faces a medium risk in terms of availability of skilled manpower. The company can met unskilled manpower availability with the local Omani population and also from expatriate staff. The gap of skilled labor availability is likely to increase and therefore the costs also increase. To mitigate such risks, the company can develop long term strategy to invest in higher capacity production machines so that the requirement of manpower is kept low.
• Accidents: The Company can face a chance of accidents at the factory, however the accident risks at the company is low, as it does not deal with hazardous material and the production processes are not complex. However the company may face risks from mechanical or electrical installations which can't be entirely ruled out. So the company needs to take the following steps:
• By providing ELCB (Electric Leakage Circuit Breakers) in all electrical circuits and ACB's for the main transformers
• By providing Hot masks to the manpower
• Having a good machinery breakdown policy
• Constant monitoring of the gas line leakages

The company needs have a Manpower Accidents and Injury Policy to cover the possibility of injury or death of manpower within the factory premises.

Managing Reputation Risks

Reputation of the company may also get hamper in various situations some of which are

Contamination-hygiene: Being in the Food sector the company should take utmost precaution to avoid any sort of contamination in its products which will reach to the general mass. The company should take precaution for the quality of the raw material and packing material that is required for the entire production process and the stocking procedure.

The company can follow the following policy:

• Stringent Quality control checks of Raw materials and packing materials
• Stringent Quality checks of the entire production process
• Maintaining Hygiene standards of the Government of Oman both in production and stocking.
• Sample testing at each stage
• Have a third Party damage policy insurance coverage owing to contamination
• Product expiry/Shelf life risks: This is again a very vital risk to the company as it is in the Food sector. The Government of Oman is very stringent in its laws to avoid expired products to be sold to the general public. So the company should take utmost care to avoid this risk by
• providing a stringent Distribution policy of its finished products
• Checks and controls before distribution of products.
• Monitoring distributed products on a daily basis
• Attributing Responsibility to a Senior Personnel for the management
• Corporate Governance: Corporate Governance Policies and Procedures manual are already in place at the company. Hence the risk associated with it is low. The management has to ensure proper compliance of the policies already undertaken to avoid any risk of reputation arising out of non-compliance of corporate governance.

Managing Credit Risks:

• Credibility Risk of Customers: The Company should develop a credit policy based on regions, volume and credibility ranking of the parties.
• Export: The Company exports to a wide range of countries. The contacts of customers are mainly through visits and through mail. It is initially very difficult to assess the credibility of the customers abroad. The risk element is therefore medium and high.

The company should mitigate this risk in the following manner:

• The company should back up the export orders by Letter of Credit from the parties.
• In case L/C mode is not practicable, the company can ask for advance payments or Security deposit, or post dated cheques which will cover the entire order taken prior to effecting delivery of the goods.
• The company currently did not enter into any distribution agreement with any export party and deals with parties on a case to case basis The Company can set up a network of distributors for handling exports sales as far as practicable. The company can also set up more than one distributor; in each region/country, so that price advantage can be achieved through minimal risk. The company should select distributors with proven track record, and the distributorship agreement should be through a internationally binding legal contract.
• Local: Local sales are affected by the company mainly to retail customers like supermarkets and hypermarkets, small shops and to two distributors in the interior.

The company should take the following steps:

• Sale to all hypermarkets and supermarkets where the volumes are above a certain limit are, as far as possible, affected by means of an annual contract with all modalities and terms and conditions clearly laid out.
• For single shop outlets, the company may face the risk of shop closing down and non-payment or delayed payment.

To counter this company should maintain small stocks with such shops and should have a regular but frequent collection system.

• In case of distributors the company should have legally binding distribution agreements.
• Limit setting: An important element of credit risk management is to establish exposure limits for each single customer and distributors. The company is in the process of developing its limit structure. The size of the limits shall be based on the credit strength of the customer, genuine requirement of credit, economic conditions and the customer's risk tolerance. Credit limits shall be reviewed regularly at least annually or more frequently if the customer's credit quality deteriorates. All requests of increase in credit limits should be substantiated.
• Credit Administration: Ongoing administration of the credit portfolio is an essential part of the credit process.

Marketing department of the company should perform the following functions:

• The Marketing department should take the responsibility to ensure completeness of documentation (Sale agreements, guarantees, delivery etc) in accordance with approved terms and conditions. Outstanding documents should be tracked and followed up to ensure execution and receipt.
• The customers should be communicated ahead of time as and when the payment becomes due. Any exceptions such as non-payment or late payment should be tagged and communicated to the management. Proper records and updates should also be made after receipt.
• The Marketing department should devise procedural guidelines and standards for maintenance of credit files. The credit files not only include all correspondence with the customer but should also contain sufficient information necessary to assess financial health of the customer and its repayment performance.
• Credit risk rating of Customers individual Credit exposure at the company. An internal rating framework is being formulated to facilitate such aspects as Customer selection, assessing credit limits and frequency and intensity of monitoring

Managing Liquidity Risks

Liquidity risk is medium risk for this company. It arises when the cushion provided by the liquid assets are not sufficient enough to meet its obligation. The company's current Net Worth condition, though improved in the recent years is still not conducive to attract bankers and so the company has a medium range risk of not attaining its working capital requirements or for Capex decisions especially when it is in its growth path. Liquidity risks at the company arise due to Cash flow & working capital gaps, Capex requirements and Cost overruns.

Some early warning indicators provided below, that may not necessarily always lead to liquidity problem for the company; however these have potential to ignite such a problem. Consequently management needs to watch carefully such indicators and exercise further scrutiny/analysis wherever it deems appropriate.

Examples of such internal indicators are:

• A negative trend or significantly increased risk in any area or product line.
• Concentrations in either assets or liabilities.
• Deterioration in quality of products.
• A decline in earnings performance or projections.
• A large size of off-balance sheet exposure.
• Deteriorating third party evaluation about the company

An effective liquidity risk management would include systems to identify measure, monitor and control its liquidity exposures. Management should be able to accurately identify and quantify the primary sources of the company liquidity risk in a timely manner. To properly identify the sources, management should understand both existing as well as future risk that it can be exposed.

Key elements of an effective risk management process should include an efficient MIS, systems to measure, monitor and control existing as well as future liquidity risks and reporting them to senior management. An effective management information system (MIS) is essential for sound liquidity management decisions. Information should be readily available for day-to-day liquidity management and risk control, as well as during times of stress. Data should be appropriately consolidated, comprehensive yet succinct, focused, and available in a timely manner.

An effective measurement and monitoring system is essential for adequate management of liquidity risk. Consequently intends to institute systems that will enable it to capture liquidity risk ahead of time, so that appropriate remedial measures could be prompted to avoid any significant losses. Some commonly used liquidity measurement and monitoring techniques are:

• Contingency Funding Plans: In order to develop a comprehensive liquidity risk management framework, the company should have way out plans for stress scenarios. A CFP is a projection of future cash flows and funding sources of the company representing management's best estimate of balance sheet changes that may result from a liquidity event. A CFP can provide a useful framework for managing liquidity risk both short term and in the long term. Further it helps ensure that a financial institution can prudently and efficiently manage routine and extraordinary fluctuations in liquidity.
• Cash Flow Projections: At the basic level the company may utilize flow measures to determine their cash position. A cash flow projection estimates company's inflows and outflows and thus net deficit or surplus (GAP) over a time horizon.
• Liquidity Ratios and Limits: The Company may use a variety of ratios to quantify liquidity. These ratios can also be used to create limits for liquidity management. However, such ratios would be meaningless unless used regularly and interpreted taking into account qualitative factors.
• Internal Controls: In order to have effective implementation of policies and procedures, the company should institute review process that should ensure the compliance of various procedures and limits prescribed by senior management.

Managing Strategic Risks

These are risks arising from adverse business decisions or the improper implementation of such decisions.

• Business Plan forecasts: Risks arising out of insufficient and ineffective Business plans may severely affect the performance of the company. The company is presently formulating a detailed Business Plan covering all functions of the company like Marketing, Production, Purchase, and Financing based on the following:
• A detailed Financial Model which will have all components and assumptions, the basis for the projections of the Business plan for the following year.
• The financial model would bring out the Sensitivity and Risk analysis of the company's under various projected scenarios.
• The Business Plan will be finalized based on the most optimal solution,
• The Business Plan will be broken up functionally and periodically preferably monthly.
• Actual Monthly Variance analysis of the Business Plan with the actual's should form part of the MIS and management action.
• Attrition of key people: Key management personnel are assets of the company. Large attrition rates can affect the company severely in the short and medium term. The company should take effective steps to retain and key management personnel. The company should need to arise to replace key personnel; the company is in the process of implementing a succession plan so that adverse effects on business are suitably mitigated.

The company should introduce

• Performance based incentive and promotion schemes so that the right candidates are rewarded
• Congenial working atmosphere by introducing TQM or other management techniques to enhance capabilities of existing management staff.
• .Monitoring, Reporting & Control

Risk monitoring

An effective monitoring process is essential for adequately managing all the identified risks. The Risk management Committee need to establish a program to

• Monitor assessment of the exposure to all types of operational risk faced by the company;
• Assess the quality and appropriateness of mitigating actions, including the extent to which identifiable risks can be transferred outside the company; and
• Ensure that adequate controls and systems are in place to identify and address problems before they become major concerns.

It is essential that

• Responsibility for the monitoring and controlling of all types of risks should be with the Risk Management Committee;
• The Committee should ensure that an agreed definition of all types of risks together with a mechanism for monitoring, assessing and reporting is designed and implemented;
• This mechanism should be appropriate to the scale of risk and activity undertaken.
• Risk metrics or “Key Risk Indicators” (KRIs) should be established for all types of risks to ensure the escalation of significant risk issues to appropriate management levels. KRIs are most easily established during the risk assessment phase. Regular reviews should be carried out by internal audit, or other qualified parties, to analyze the control environment and test the effectiveness of implemented controls, thereby ensuring business operations are conducted in a controlled manner.

Risk Reporting

The company is currently setting up a Risk Reporting system. The Reporting system will ensure that information is received by the appropriate people, on a timely basis, in a form and format that will aid in the monitoring and control of the business. The reporting process will include information such as

• The critical risks facing, or potentially facing, the company;
• Risk events and issues together with intended remedial actions;
• The effectiveness of actions taken;
• Details of plans formulated to address any exposures where appropriate;
• Areas of stress where crystallization of the risks is imminent; and
• The status of steps taken to address the risks.

The company has an information system that is fairly accurate, informative and timely to ensure dissemination of information to management to support compliance with board policy. Reporting of risk measures will be regular and will clearly compare current exposures to policy limits. Further past forecast or risk estimates will be compared with actual results to identify any shortcomings in risk measurement techniques. The board on regular basis needs to review these reports. While the types of reports for board and senior management could vary depending upon overall risk profile of the company, at a minimum following reports will be prepared

• Summaries of the company's aggregate risk exposure for each type of risk identified
• Reports demonstrating the company's compliance with policies and limits
• Summaries of finding of risk reviews of risk policies, procedures and the adequacy of risk measurement system including any findings of internal/external auditors or consultants

Risk Control.

The company's internal control structure will ensure the effectiveness of process relating to comprehensive risk management. Establishing and maintaining an effective system of controls including the enforcement of official lines of authority and appropriate segregation of duties, is one of the management's most important responsibilities. Persons responsible for risk monitoring and control procedures should be independent of the functions they review. Key elements of internal control process include internal audit and review and an effective risk limit structure.

Although a framework of formal, written policies and procedures is critical, it needs to be reinforced through a strong control culture that promotes sound risk management practices. The company will have policies, processes and procedures to control or mitigate material risks. The company will assess the feasibility of alternative risk limitation and control strategies and should adjust their risk profile using appropriate strategies, in light of their overall risk appetite and profile. Control activities will be an integral part of the regular activities of the company to ensure effectiveness of the risk control mechanism.

BENEFITS

The company may look forward for the following benefits by implementing a robust Risk management policy as enumerated in this guideline

• Improves corporate experience and general communication
• Leads to a common understanding and improved team spirit
• Helps develop the staff to assess risks
• Demonstrates a responsible approach to customers
• Provides a fresh view of the personnel issues in the company
• Focuses management attention on the real and most important issues
• Identifies and allocates responsibility to the best risk owner
• Enables a more objective comparison of alternatives
• Allows a more meaningful assessment of contingencies
• Increases the likelihood of the company to adhere to its Business Plans

ASSET AND ASSET MANAGEMENT

In today's business environment information technology (IT) resources, including data, are some of the most important assets owned by organizations. Earthquakes, cyclones, hurricanes, floods, hackers, computer viruses, sabotage and terrorist attacks are disasters that threaten these assets. Organizations need to be prepared for and be able to respond to these attacks.

The chocolate manufacturing company should now focus to gear up its systems and processes so that it can sustain the growth pattern quite efficiently and effectively. One such tool is that it can have a well designed information system with the help of the latest technology. Information Technology is responsible for providing methods and processes to protect company data, systems software and computing resources. Like all processes, systems and technology, the Information technology system and process of any organization should be guided by the rules and regulations by which its existence and functioning can be safeguarded. Using the latest technology the company can

• maximizes their productive benefit to the Company
• protects the Company's confidential and proprietary information
• protect the Company from exposure to liability for unauthorized acts

CURRENT STATUS OF THE COMPANY

• The company at present has an IT executive to look after the IT functions of the company. The IT executive reports to the Finance Manager.
• The maintenance of the IT hardware (except the server) is done in house and through vendors under supervision of the IT executive. The ERP system installed i.e. Focus RT is under Annual Maintenance contract.
• Networking of all computers at the Factory cum office building of SOO is established through a Local Area Network (LAN) which was professionally installed by a local company. There are four switches one with 20 ports, one with 16 ports and the other two with 8 and 4 ports respectively.
• There is a Central Server of Dell-Poweredge (Rack server)-210-19627having PE2950 III Quad Core Xenon X5460, 3.16 GHZ, 2x6 MB,133 MHz's, 4 GB RAM, 17” LCD Dell Wide.The Operating system is SBS, Microsoft Small Business Server Premium, 2003, OEM with 5 Users Cal. (including Win Server 2003, Exchange 2003, SQL 2000, ISA 2000 etc. It has an APC 2.2. KVA UPS with standby time of 25 minutes and an anti-virus software- Symantec Antivirus endpoint protection 11.0 IN LIC.
• There is no separate Server room but is kept is a separate enclosure in the accounts department which is kept under lock and key. The air-conditioning of the room can provide sufficient cooling required for the server.
• The company currently has 18 PC's, 6 Laptop computers and 8 Printers plus a Bar coding system. 6 PCs have Intel core 2 Duo processors, one with Intel Celeron 200 GHZ, 10 with Pentium 4 and onw eith Pentium 3 processors. All have 1 GB RAM.
• All the PC's and Laptops have Windows XP SP2, OS and MS Office 2003 installed.
• The ERP installed is Focus RT which has applications including Finance. Payroll, S & D and Inventory. There is no separate Production software..
• Internet connectivity is through ADSL broad band connection. There area routers installed from which all PCs and server is connected.
• The company is currently envisaging shifting to expand its business and so have one separate Factory building in the Rusayl area plus two branch offices in the city. The IT system is to be extended in those areas in similar lines. After expansion SOO shall go for a leased line for internet connectivity.

MAJOR IT POLICIES TO BE ADOPTED BY THE COMPANY

• Responsibilities to be adopted by the finance manager are
• Adequate protection and confidentiality of all corporate data and proprietary software systems, whether held centrally, on local access media, or remotely.
• To ensure the continued availability of data and programs to all authorized members of staffs.
• To ensure integrity of all data and configuration controls
• Access to information and business processes need to be controlled on the basis of business and security requirements. A formal procedure needs to be in place to control the allocation of access rights to information systems and services. The procedure needs to cover all stages in the life cycle of user access, from the initial registration of new users to the formal de-registration of users who no longer require access to information system and services.
• The company can separate the management or execution of certain duties or areas of responsibility, in order to reduce opportunities for unauthorized modification or misuse of information or services
• Internet and other external service access are restricted to authorized personnel only.
• Access to sensitive data on all laptop computers is to be secured through encryption or other means, to provide confidentiality of data in the event of loss or theft of equipment.
• Only authorized and licensed software may be installed and installation only to be performed by I.T. Department staff (in absence the Finance department). In the event of unauthorized software being discovered, it will be removed from the workstation immediately
• Systems should be monitored to detect deviation from access control policy and record monitored events to provide evidence in case of security incidents
• All CD/DVD drives and removable media from external sources must be virus checked before they are used within the organization
• Passwords must consist of a mixture of at least 8 alphanumeric characters and must be changed every 60 days and must be unique
• Workstation configurations may only be changed with the approval of the I.T. Department staff
• The physical security of computer equipment will conform to recognized loss prevention guidelines.
• Back- up copies of business information and software should be taken regularly. Adequate back- up facilities should be provided to ensure that all essential business information and software can be recovered following a media failure
• Security requirements will be identified and agreed prior to the development of information systems
• Appropriate controls and audit trails or activity logs will be designed into application system, including user written applications. These should include the validation of input data, internal processing and output data

USER REGISTRATION PROCEDURE TO BE FOLLOWED BY THE COMPANY

The company should have a formal user registration and de- registration procedure for granting access to all multi-user information systems and services. The registration process needs to include

• Using unique user IDs, so that users can be linked to and made responsible for their actions.
• Checking that the user has authorization from the system owner for the use of the information system or service. Separate approval for access rights from management may be appropriate.
• Checking that the level of access granted is appropriate to the business purpose and does not compromise segregation of duties.
• Ensuring service providers do not provide access until authorization procedure is completed.
• Maintaining a record of all persons registered to use the service
• Immediately removing access rights of users who have changed jobs or left the organization. Periodically checking for, and removing, redundant user IDs and accounts.
• Including conditions in staff contracts and service contracts that specify sanctions if unauthorized access is attempted by staffs and service agents.
• Privileges should be allocated to individuals on a need- to - use basis and on an event- by event basis, i.e., the minimum requirement for the functional role only when needed.

LOGICAL ACCESS AND PASSWORD SECURITY

Operating System Access Control

Security facilities at the operating system level should be used to restrict access to computer resources. These facilities are capable of performing the following tasks

• Identifying and verifying the identity and if necessary, the terminal or location of each authorized user.
• Recording successful and failed system access
• Providing appropriate means for authentication through a quality password policy where applicable, restricting the connection time of the user

Application Access Control

• Users should be given sufficient rights to all systems to enable them to perform their job function. User rights will be kept to a minimum at all times.
• Users requiring access to systems must make a written application on the forms provided by the IT Department where possible, no one person will have full rights to any system. The IT Department will control network/ server passwords and system passwords will be assigned by the system administrator in the end- user department. The IT executive will be responsible for maintaining the data integrity of the end- user's department's data and for determining end- user access rights.

PASSWORD SECURITY METHODOLOGY TO BE FOLLOWED BY THE COMPANY

• Access to network/ servers and systems to be done by individual username and password.
• Usernames and passwords should not be shared by users.
• Usernames and passwords should not be written down.
• Usernames may consist of initials and surnames.
• All users need to have an alphanumeric password of at least 8 characters.
• Intruder detection will be implemented wherever possible. The user account should be locked after three incorrect attempts.
• Network/ server supervisor passwords and system supervisor passwords to be stored in secure location in case of an emergency or disaster, for example, a fire safe in the IT Department.
• Auditing to be implemented on all systems to record login attempts / failures, successful logins and changes made to all systems.
• Use of login username on Server systems and the administrator username on Windows is to be kept at a minimum.
• Access to network/ server's to be restricted to normal working hours. Users requiring access outside normal working hours will request such access in writing on the forms provided by the IT Department.

CLEAR DESK AND CLEAR SCREEN POLICY

When not in use, paper and computer media should be stored in suitable locked cabinets and/ or other forms of secured furniture, especially outside working hours.

• Sensitive and critical business information should be locked away (ideally in a fire resistant safe or cabinet) when not required, especially when the office is vacated.
• PC's and computer terminals and printers should not be left logged on when unattended and should be protected by key locks, passwords or other controls when not in use.
• Incoming and outgoing mail points and unattended fax and telex machines should be protected
• Sensitive or classified information, when printed, should be cleared from printers immediately.

INFORMATION BACK-UP

• The company should maintain all working files of all PCs to be under separate folders in the public server. The IT department should be responsible to keep the backups of all files including system and database files in the server.
• A minimum level of back- up information, together with accurate and complete records of the back- up copies and document restoration procedures, should be stored in a remote location, at a sufficient distance to escape any damage from a disaster at the main site.
• Backup should be taken automatically on a daily basis in workstations other than the server.
• Every week three sets of backups should be taken by the IT department and hand over the same to the General Manager, Finance manager and any other person as decided by the General Manager, who should carry the backup hard drives outside the office location on the same day.
• Back up information should be given an appropriate level of physical and environmental protection consistent with the policies applied at the main site.
• Back up media should be regularly tested, where practicable, to ensure that they can be relied upon for emergency use when necessary.
• Restoration procedures should be regularly checked and tested to ensure that they are effective and that they can be completed within the time allotted in the operational procedures for recovery.

SERVER SPECIFIC SECURITY

• The company should have a separate specific suite to accommodate the Servers. The Computer suite should
• Contain an adequate air conditioning system to provide a stable operating environment to reduce the risk of system crashes due to component failure.
• No water, rain water or drainage pipes should run within or above the computer suite to reduce the risk of flooding.
• The floor within the computer suite should be a raised false floor to allow computer cables to run beneath the floor and reduce the risk of damage to computer equipment in the case of flooding.
• Power points should be raised from the floor to allow the smooth shutdown of the computer systems in case of flooding.
• UPS should be provided to the computer suite to help protect the computer systems in the case of a mains power failure.
• Access to the Servers should be restricted to IT Department staff.
• All contractors working within the computer suite should be supervised at all times and the IT Department should be notified of their presence and provided with details of all work to be carried out, at least 48 hours in advance of its commencement.
• The operating system should be kept up to date and patched on a regular basis
• Servers should be checked daily for viruses
• Servers should be locked in a secured room
• Users possessing the Admin/ Administrator/ root rights should be limited to trained members of the IT Department staffs only
• Use of Admin/ Administrator/ root accounts should be kept to a minimum.
• Assigning security equivalences that give one user the same access rights as another user should be avoided where possible.
• User's access to data and applications should be limited by the access control features.
• The system auditing facilities should be enabled
• Users must logout or lock their workstations when they leave their workstations for any length of time
• All unused workstations must be switched off outside working hours
• All accounts should be assigned with a password of a minimum of 8 characters
• Users should change their passwords every 60 days
• Unique passwords should be used
• The number of grace logins should be limited to 3
• The number of concurrent connections should be limited to 1
• Network login time restrictions should be enforced preventing users from logging in to the network outside normal working hours

LAN SECURITY

Switches: LAN equipment, routers and switches should be kept in secure areas.. Access to switches should be restricted to IT Department staffs only. Other staffs and contractors requiring access to switches should notify to the IT department in advance so that necessary supervision can be arranged.

Workstations:Users must logout their workstations when they leave their workstations for any length of time. Alternatively, Windows workstations may be locked.

WIRING

• All network wiring should be fully documented
• All unused network points should be de- activated when not in use
• All network cables should be periodically scanned and readings recorded for future reference
• Users should not place or store any items on top of network cabling
• Redundant cabling schemes should be used whenever possible.

SERVERS

• All servers should be kept securely under lock and key
• Access to the system console and server disk/ tape drives should be restricted to authorized IT Department staff only.

ELECTRICAL SECURITY

• All servers should be fitted with UPS' s that also condition the power supply
• All routers, switches and other critical network equipment should also be fitted with UPS' s
• In the event of a mains power failure, the UPS's should have sufficient power to keep the network and servers running until the generator take over.
• Software should be installed on all servers to implement an orderly shutdown in the event of a total power failure.
• All UPS's should be tested periodically.

INVENTORY MANAGEMENT

• The IT Department should keep a full inventory of all computer equipment and software in use throughout the company
• Computer hardware and software audits should be carried out periodically via the use of a desktop inventory package. These audits should be used to track unauthorized copies of software and unauthorized changes to hardware and software configurations

TCP/IP & INTERNET SECURITY

Permanent connections to the internet should be via the means of a firewall (Sonic) to regulate network traffic

• Permanent connections to other external networks, for offsite processing, etc should be done via the means of a firewall to regulate network traffic
• All incoming e-mails should be scanned by the organization's e-mail content scanner

VIRUS PROTECTION

• The I.T. Department should have up to date virus scanning software for scanning and removal of suspected viruses. Corporate file- servers will be protected with virus scanning software.
• Workstations should be protected by virus- scanning software. All workstation and server anti- virus software should be regularly updated with the latest anti- virus patches by the I.T. Department.
• No removable media like CD/DVD/Pen/flash drives that is brought in from outside the organization should not be used until it is scanned. New commercial software should be scanned before it is installed as it occasionally contains viruses.
• All systems should be built from original, clean master copies, whose write protection has always been in place. Only original master copies should be used until virus scanning has taken place
• All removable media containing executable software (software with .EXE and .COM extensions) should be right protected wherever possible
• All demonstrations by vendors should be run on their machines and not the organization's.
• Where there is a business need for third party access, a risk assessment should be carried out to determine the security implications and control requirements. These controls should be agreed and defined in the contract with the third party, including allowance for designation of other eligible participants and conditions for their access.
• Shareware should not to be used, as shareware is one of the most common infection sources. If it is absolutely necessary to use shareware, it must be thoroughly scanned before use.
• To enable data to be recovered in the event of a virus outbreak, regular back-ups should be taken by the I.T. Department.
• Management should strongly endorse the Organization's anti- virus policies. Users should be kept informed of current procedures and policies, including latest amendments. In the event of a possible virus infection, the user must inform the I.T. Department immediately. The I.T. Department should then scan the infected machine and any removable media or other workstations to which the virus may have spread and eradicate it

SEGREGATION OF DEVELOPMENT AND OPERATIONAL FACILITIES TO BE ADOPTED BY THE COMPANY

• Development and operational software should, where possible, run on different computer processors, or in different domains and directories.
• Development and testing activities should be separated as far as possible.

SYSTEM DEVELOPMENT, MAINTENANCE AND ACQUISITION

• Checks should be applied to the input of business transactions, standing data and parameter tables. The controls required should depend on the nature of application and the business impact of any corruption of data
• Message authentication should be considered for applications where there is a security requirement to protect the integrity of message content (e.g. Electronic Fund Transfer, contracts/ proposals with high importance or other similar electronic data exchanges). An assessment of security risk will be carried out to determine if message authentication is required and to identify the most appropriate method of implementation.
• Restrictions to changes in software package
• Buying programs should be done only from reputable vendors
• Buying programs in source code (where possible) so that the code can be verified using evaluated products
• Inspecting all source codes before operational use controlling access to, and modification of, codes once installed

PHYSICAL SECURITY AND CONTROL OF EXTERNAL ACCESS

Four levels of Security Requirements- associated with various types of Hardware- are identified and detailed below

LEVELS OF SECURITY REQUIREMENTS

1	Security Level 1	Basic security requirement for all types of computer equipments.
2	Security Level 2	Applicable only if the total replacement value of Hardware is less than 0RIAL 2000 per room or area.
3	Security Level 3	Applicable only if the total replacement value of this Hardware is between RIAL 2000 and 4,000 per room or area.
4	Security Level 4	Applicable only if the total replacement value of this Hardware is in excess of RIAL 4,000 per room or area.

REQUIRED PHYSICAL SECURITY

The required physical security table is given in ANNEXTURE III

HUMAN CAPITAL RESILIENCE —A NEW AREA OF FOCUS

The human resources (HR) department is a key player in all of these issues, so the company should be certain that the HR department can deliver core services during a crisis, as well as to monitor and report on the locations of displaced workers.

Human capital resiliency can be defined as an organization's ability to respond and adapt rapidly to threats posed to its workforce. Organizations that can build resiliency into their human capital are more likely to protect their most valuable resources and maintain continuous operations in the event of a crisis. Many forward-thinking companies are already considering the impact of short-term interruptions in normal business activities and identifying appropriate actions to sustain vital business processes in the event of a crisis. They are also looking at long-term trends, such as changes in workforce demographics.

Human capital risks in crisis situation

In a crisis, many organizations need to be challenged to safeguard and support employees while continuing to deliver the services needed to keep the business operational and revenue flowing. Three primary areas in which human capital risks associated with crises can be grouped, as shown by the following graphic:

Human capital risks associated with crisis situations

Ability to attend work

• Health and safety concerns: It's not a matter of if, but to what degree, employee attendance will be affected because of health and safety concerns during a disaster. Even employees who are not directly affected by a disaster may need to miss work to look after the health and safety of family members who are affected. In the event of a pandemic, attendance may be disrupted over longer periods of time. Also, if employees have lost or been displaced from their homes, they will need to spend time finding new housing and some may even need to move to new locations.
• Transportation: Employees who are willing and able to work through a crisis may simply not be able to get to their work location. Public transportation systems may be disrupted, as occurred during Hurricane Katrina, or international travel restrictions could be in force, as occurred during the SARS outbreak. Even smaller-scale disasters, such as transit strikes and blizzards, can significantly impact employees' ability to get to work.
• Trauma:Employee shock and grief can also lead to increased absenteeism, as well as to higher turnover and reduced productivity. Proactive counseling may be required to help employees confront emergent issues — and enable them to address the crisis more rapidly, so they can focus on their work and tackle disaster recovery activities.

Ability to deliver critical internal services

• Communications:Mobile phone, landline and other communications networks can be destroyed or become dysfunctional in a disaster, making it difficult to locate employees and share critical information with them. Further, if your offices or other facilities are unsafe to use or inaccessible to some individuals, employees who are used to working at the same location at the same time will find it more difficult to collaborate and tap into their existing social networks. Given the need for close coordination during a crisis situation, the inability to bring people together can significantly hamper the rapid decision-making needed during recovery efforts. Without normal communication channels, maintaining business relationships with customers and business partners may also be difficult.
• Payroll: Maintaining payroll is both essential and challenging during and following a crisis. If your payroll system is inaccessible, funds are limited or the staff members who are responsible for payroll are absent, it's going to be difficult to pay employees in a timely manner. Employees may also need disaster relief funding, which requires coordination from a variety of sources.

Ability to maintain business operations

• Employee tracking:Limited access to critical personnel data, such as emergency contact information, user IDs and passwords, and individual skill sets, can affect your organization's ability to resume operations after a crisis. If your organization cannot determine which employees have been impacted by the crisis or how, it will be difficult for decision makers to determine the company's next steps. Recovery efforts can be further hampered if your organization cannot locate key personnel or access core business systems, or has not identified or arranged for potential replacement workers.
• Succession and training: Many times, organizational leaders are incapacitated or unavailable during or after a disaster. If your company has not engaged in formal succession planning, individuals at all levels may be forced to take on leadership roles or increased responsibilities with little or no preparation. Staffing issues can also emerge as a reduced workforce tries to cope with the demands of an increased workload. Skill gaps can also become a problem as workers try to carry out new jobs for which they have little training. In addition, crises may require changes in employee locations and schedules that are difficult to coordinate ina fast-changing environment.

Present status of the company

At present the company follows a policy of maintaining optimum staff strength for its requirements. Accordingly all personnel are considered important for organizational functioning. However there are certain key positions in the Company which are considered to be critical for successful operations. These key positions are those that may be difficult to fill at short notice if the incumbents suddenly leave. This could be so for reasons like technical knowledge or expertise required for those positions or due the leadership attributes necessary.

The General Manager in consultation with Departmental Heads should carry out a periodic analysis to identify these critical positions in the company. This analysis shall also be placed before the Board for their approval

At present, the critical positions identified are

• General Manager
• All Departmental Heads- Production Manager, Finance & administration Manager, Export Manager, National Sales Manager.
• Production Supervisors
• Maintenance Supervisors

The Company should prepare special Contingency plans for succession to these positions in case of extended absence or departure of the existing incumbent. The elements of these contingency plans shall include

• provisions for emergency replacement,
• developing in house talent for replacement from within the organization,
• proper documentation of all plant operating procedures,
• Documenting all other procedures and systems in the Company etc.

METHODOLOGY TO BE FOLLOWED FOR IMPROVEMENT OF HUMAN CAPITAL RESILIENCY

The Company should follow the following steps to improve the human capital resiliency methodology:

• Determine the strategic goals and future plans of the Company
• Study the external and internal environment factors
• Identify and prioritize succession problems and determine critical functions and skills which are essential for the company
• Plan the staffing requirements based on these goals and plans taking into account the internal and external environmental factors
• Reviewing the roles of key personnel
• Need based recruitment
• Identify and evaluate training needs of existing positions
• Analyze and address the gaps revealed by the planning process
• Identifying the developmental needs of employees to fill leadership and skill gaps
• Ensure awareness of all key employees about their career paths and the roles they are being developed to fill
• Training people for skills and positions that are required by the company
• Identify strategies and programs to increase the competency level of employees
• Identifying top performers in all departments and ensuring their satisfactory placement and advancement
• Regular and periodical reviewing and checking of succession planning process

A. Determination of Strategic Goals and Future Plans

The Company should undertake periodic exercises to revisit its critical short and medium term strategic goals and the various initiatives required for attaining these goals. The goals should arrive at on a collective basis by the entire management of the Company after a well-deliberated SWOT analysis and using other appropriate management tools. The exercise should be carried out under the guidance of the General Manger. Once the short and medium term goals of the Company have been determined, based on this analysis, the management team under the guidance of the General Manager shall also decide on the initiatives to be undertaken to reach these goals.

B. Study of the external and internal environmental factors

External Factors:

The Company should carry out regular analysis of the external business environment so far as it relates to the functioning of the Company. This analysis should be carried out by the heads of the respective Departments in the Company who are responsible for various functional areas. The analysis should be particularly focus on the emerging opportunities and threats the Company faces and shall typically include such areas as competitor analysis, new product development, new technical knowhow available, market trends, price patterns, and expected changes in customer preferences and profile. The findings of departmental heads shall be placed before the General Manager every quarter or earlier if circumstances so justify.

Internal Factors:

The Company should also carry out regular assessment of the internal factors in the Company in regard to staff and related matters, productivity, steps to improve operating efficiencies and waste reduction. Such assessment should be made by the respective departmental heads and placed before the General Manager every quarter or earlier should the need arise.

C. Identify and prioritize succession problems

The Succession Management Committee is responsible for gathering information to identify succession management problems, evaluate their criticality and select those issues that will be addressed first.

Key positions are positions that include responsibility for performing mission-critical work that is necessary for an organization to achieve its business goals. Key positions include responsibility for planning, designing, delivering or managing the flow of essential services. A vacancy of over 2 months in a key position would have a negative impact on the delivery of services because of the criticality of the work. Employees who possess knowledge/skills that are crucial and unique often fill key positions. These unique skills and knowledge are critical to the success of the unit/organization and are not found in other employees' positions in that role. The Planning Committee should establish a working definition of a key position using the above information. Likewise, a working definition needs to be developed for hard-to-fill positions. Positions are typically hard to fill if they are characterized by shortages of trained workers and high wages relative to State pay scales. These factors often lead to extended recruitment and reposting periods and, sometimes, an inability to fill a position.

The chocolate company should follow a policy of maintaining optimum staff strength for its requirements. Accordingly all personnel are considered important for organizational functioning. However there are certain key positions in the Company which are considered to be critical for successful operations. These key positions are those that may be difficult to fill at short notice if the incumbents suddenly leave. This could be so for reasons like technical knowledge or expertise required for those positions or due the leadership attributes necessary.

The General Manager in consultation with Departmental Heads should carry out a periodic analysis to identify these critical positions in the company. This analysis shall also be placed before the Board for their approval.

D. Planning the staffing requirements based strategic goals

Based on the strategic goals as finalized by the Board, the staffing requirements in the short and medium term will be decided by the General Manger, as the head of the Personnel & Administration department, in consultation with the Finance and Administration Manager. Other staff related matters such as management of the talent pool of existing employees, management hierarchy and reporting structure will also be reviewed. While planning the staffing pattern due care shall be taken to ensure that all existing laws and regulations of the Sultanate of Oman are complied with including the stipulations regarding the employment of Omani nationals.

E. Reviewing the roles and skills of key personnel

While deciding on the staffing pattern the General Manager along with the concerned Managers shall review the roles and identify the skill sets which would be required by key personnel to ensure their effective functioning. An analysis would also be made of the existing job profiles and skills presently available in the Company. A skill gap analysis would be carried out as an adjunct to this exercise to identify the shortcomings in the Company in relation to its needs. The skill gap analysis will be undertaken for various segments of the employees as follows:

• Senior Management level- Heads of various departments in the Company
• Junior Management level and supervisory level - executives and supervisors in the various functional areas who report to departmental heads and are responsible for shop floor management, and field and administrative staff
• Workers, field staff and administrative staff

The purpose of the skill gap analysis will be to identify the existing shortfalls of the employees in relation to the requirement of leadership and other soft skills as also work skills. Once the skill gap analysis has been carried out, the General Manager, in consultation with the concerned Managers shall decide on the remedial measures to be adopted to meet the existing shortcomings.

F. Need based Recruitment of Personnel

While recruiting personnel externally the Company has a policy of identifying the requisite skills required for the positions to be filled up and in the case of Managers and other key personnel the recruitment has to be approved by the Audit Committee. The Company also has an open policy of recruitment and appoints personnel after considering multiple applicants for each position, and after undertaking detailed evaluation. The Company is thus able to secure best available personnel to meet its needs. Also the Company prior to external recruitment tries to locate suitable employees from within the Company.

After recruitment the new recruit generally undergoes an induction process to familiarize him with the Company's working, and is on probation for a period of 3 months to enable the Company to judge whether he has or can pick up the requisite skills for effectively handling responsibilities assigned to him.

G. Policies on emergency recruitments at Senior Management level

The Company should have a policy of filling up vacancies at the Senior Management level by promoting or replacing by existing employees as far as possible. However it may not always be possible to source talent from within the organization for a particular position, and recruitment from outside may be the only option.

In such a case, the primary objective to be kept in mind would be whether the new recruit would have the core technical competencies required for the position as also the leadership qualities and other traits for effective functioning. Also the recruit should be able to adapt quickly to the work environment of the Company. To this end, the Personnel Department, under the guidance of the General Manager, should compile job profiles for each Senior Management other key positions. They shall simultaneously identify the skill sets including leadership and other soft skills required for each position.

This information should be discussed with the Audit Committee and reviewed from time to time. As and when an emergency recruitment has to be made, applicants shall be screened for the requisite skill sets. Also the Company shall follow an open policy of recruitment with multiple applicants and all such recruitments shall be approved by the Audit Committee. This process will ensure that the company employs the best available personnel.

Workforce

In line with the legislative requirements in the Sultanate of Oman for progressive Omanisation of the workforce, the Company should adopt a conscious policy of employing Omani nationals at all levels as far as practicable. The Company shall give preference in employment to Omani nationals.

It shall also provide suitable training and continuously develop local talent available in the Company so that they can acquire the relevant skills for effective functioning in the assigned jobs. The Company shall also provide for promotional opportunities for deserving Omani employees so that they can progress in the organization and take up roles at the senior management level in course of time.

The progress of Omanisation in the Company shall be reviewed by the Board at periodic intervals.

H. Identification of Training and Development needs

The Company should consciously follow an ongoing system of identifying and addressing any deficiencies in skills that may exist at various levels of employees to enable them to carry out their existing responsibilities as also to shoulder higher responsibilities should the need arise. The company can therefore always have at its disposal a trained pool of manpower from which it can choose personnel for most of the key positions should they fall vacant.

The Company should strive to impart appropriate training to its employees depending on the deficiencies in the skills of personnel as may be ascertained from the skill gap assessment carried out for its personnel. This training can be in-house or external depending on the nature of training to be imparted. The training process shall also take into account the special needs of employees at various levels:

In house training

The Company shall have a system of basic on the job training at various levels to familiarize employees with the work skills required for carrying out their assigned functions. This will include as follows

For workers

• Training on technical aspects of the work each individual is supposed to perform including the special requirements as applicable to confectionery industry
• Job rotation at periodic intervals to familiarize them with all aspects of the plant operations so that workforce has a certain amount of versatility to perform jobs in the plant other than the one they have been assigned to.
• Training that may be required to enable operating procedures to be maintained in consonance with the certifications that the Company has received or may receive in future
• Training sessions to familiarize them with the organizational ethics and work ethos so that they can adapt readily to the work environment and are also be responsive to expectations of the management

For field staff

• Training in marketing skills as may be relevant to the confectionary industry
• Periodic rotation of domestic sales territories to enable the sales personnel to familiarize themselves with different markets
• Training to impart awareness about the ethics and work ethos in the organization so that they are in a better position to meet management expectations.

For administrative staff

• Training in overall administrative systems followed by the Company
• Job rotation at periodic intervals to familiarize administrative staff with the working of departments other than the one assigned to.
• Training required for maintenance of work procedures as may be necessary for certifications of operating standards
• Training to impart awareness of organizational ethics and ethos and expectations of the Company

For Junior Management and Supervisory Staff

For shop floor personnel

• Training in the general work systems followed in the factory
• Training in the overall administrative systems in the company
• Training in the specific responsibility areas assigned
• Job rotation at periodic intervals
• Training related for maintenance of certifications
• Training for imparting awareness about the corporate ethos and expectations of the Company from its personnel
• Training related to leadership and other soft skills

For others

• Training in the administrative systems followed in the Company
• Training in the general aspects of plant working
• Training in the specific responsibility areas assigned
• Job rotation at periodic intervals
• Training related for maintenance of certifications
• Training for imparting awareness about the corporate ethos and expectations of the Company from its personnel
• Training related to leadership and other soft skills

The in house training process should primarily be restricted to the above category of employees. New recruits at the senior management level would be familiarized with the working systems and procedures in the Company during their induction. The Company, should the need arise, may involve specialists in the respective areas in the training process. Special attention shall be paid to training Omani nationals so as to impart the requisite job specific skills and equip them for higher responsibilities in due course.

External Training

The Company should provide training opportunities to its Senior Managerial personnel through external sources as and when required. The Senior Managers in the Company shall also be expected to attend seminars, workshops and other external training programs to advance their knowledge and expertise in their functional areas. They should also be expected to participate in external training programs to enhance their general management skills. The General Manager shall be the authority for sanctioning such external training. The purpose of such training would be to equip the Senior Managers to discharge their functions more effectively and also help them to assimilate skills that may be required to shoulder higher responsibilities.

External training programs would generally be restricted to Senior Management level only. However should staff at the junior management or supervisory levels display exceptional ability or performance, they can be nominated by the respective Departmental Heads for external training and such training can be sanctioned by the General Manger at his discretion.

The primary rationale for having a training schedule in place is to impart to employees the ability to discharge their functions effectively, and also create a talent pool in the organization equipped to accept additional or higher responsibilities should the need arise.

I. Identify strategies and programs to increase the competency level of employees

The following are examples of developmental activities:

• Career Development Plans should be in place for all employees who might be future candidates for key or hard-to-recruit position vacancies.
• Job Swapping - Two employees switch jobs for a definite period of time to cross train them.
• Job Shadowing - An employee observes another employee while that employee performs a task.
• Mentoring - An employee is assigned to provide guidance, advice and assistance to another employee.
• Job Rotation - An employee is moved from job to job over a period of time to broaden skills.
• Conferences and seminars - These are especially useful when an employee works in an occupational area where knowledge evolves
• Study of policies, manuals, instructions, etc.
• On-the-job training - Specific job related training provided by a more experienced co-worker or supervisor.
• Knowledge Transfer - The transfer of knowledge from an employee in a key position who is at-risk of leaving to other employees.
• Formal leadership development program - If significant gaps exist in leadership competencies, a formal leadership development program should be considered.
• Because employees in the applicant pools are responsible for their own development, they should be made aware of key positions, their competency requirements, and developmental activities that are available to them. The success of succession management efforts lies with employees and their supervisors.

J. Performance Appraisal

The Company should periodically (at least once a year) carry out a Performance Appraisal of all its employees. The Performance Appraisal should be carried out on the basis of benchmarks of performance set out in advance. These benchmarks should be periodically reviewed to ascertain their relevance for the functioning of the Company. The performance benchmarks should be finalized by the General Manager as the head of the Personnel & Administration Department, in consultation with the concerned Managers. The performance benchmarks should also be approved by the Audit Committee. The performance benchmarks should include such items as the competence of the employee at the job assigned to him, leadership qualities and other abilities that can enable him to take higher responsibility, commitment to the organization, innovative ability, etc.

The Performance Appraisal should be carried out in the first instance by

• In case of workers/field staff/administrative staff- by the Supervisor or Junior Manager who is the employee's immediate superior and to whom he reports
• In case of junior management and supervisors- by the Departmental Head who is the immediate superior of the employee and to whom the employee reports
• In case of Senior Mangers/Departmental Heads- by the General Manager.
• The employee concerned should call for a discussion with his reporting authority before finalization of his Performance Appraisal.
• The Performance Appraisal report should be reviewed by the General Manager and, in case of key employees and those at the senior management level, the Audit Committee shall also be associated with the review process.

The Performance Appraisal should be preserved as an employee record so that the performance profile and progress of an employee can be monitored. Based on the periodic appraisal exercise, the Company should identify exceptional employees for higher responsibilities, promotion, and other rewards and incentives.

The Company should strive to keep the appraisal process objective as far as possible. The Company should also counsel employees whose performance has declined sharply.

K. Promotion and other incentives

Based on the performance of an employee, the Company may consider granting increments in salary or performance linked bonuses or other incentives to him. Such increments or bonuses will be decided by the General Manager after discussions with the Audit Committee or other designated members of the Board In case of exceptional performance of the employee concerned over a period of time, the Company may decide to grant the employee a promotion to the next higher level. Such promotions shall be decided by the General Manager in consultation with Audit Committee or other designated members of the Board.

L. Evaluation & Review of the Succession Planning Process

The Company should carry out a periodical evaluation of the succession plan process. The review will primarily focus on the following areas-

• Analyzing the skill gap assessment and training mechanism from the point of utility in imparting the appropriate skills to the employees
• Tracking selections from the identified talent pool of the Company and their progress
• Feedback from Departmental Heads on the success of existing employees promoted to higher positions
• Feedback from immediate superiors on the success of new recruits from outside the Company in case of emergency recruitments
• Analyzing the feedback from customers, employees, and other stakeholders

BENEFITS

• Development of skills sets and knowledge of employees within the organization enabling them to cope with wider roles and responsibilities in light of the Company's goals.
• Improve recruitment process for key positions
• Active development of longer-term prospective successors by ensuring their career growth and analyzing work, responsibilities, skills and knowledge required for the future
• Audit the ‘talent pool' of the organization and that helps in allocation of responsibilities and development strategies and fill the identified talent gaps
• Build a ‘key talent resource' of employees who share key skills, knowledge, experiences and values seen as important to the future of the organization

DISASTER RECOVERY AND BUSINESS CONTINUITY PLAN

The readiness of a company in reacting to contingencies such as terrorism, the avian flu pandemic, killer tsunami waves, etc. is dependent on how actively involved its management is in embracing its business continuity plan. Every day, there is the chance that some sort of business interruption, crisis, disaster, or emergency will occur. Anything that prevents access to key processes and activities can be defined as a disaster.

At present disaster recovery has stretched to incorporate all scenarios necessary to ensure the successful running of critical systems during an emergency and include the long-term recovery of the business. Business continuity provides an alternative and most rigorous approach for an organization to develop its response to service interruption. It concentrates on the impact of an incident rather than its cause and, crucially, on its duration. It tries to identify the point in time where an interruption becomes intolerable. Issues such as data protection, human resource concerns, vital records, telecommunications, risk management, security, environmental concerns, product recovery and the business premises are all documented in a disaster recovery plan/business continuity plan.

A requirement of the business continuity planning process is to instigate a “risk reduction programme”. This will ensure that company threats are identified and assessed accordingly. After having identified the risks, “managing” them within the business recovery timeline should be a straightforward process.

Wikipedia describes Business Continuity planning as “an interdisciplinary peer mentoring methodology used to create and validate a practiced logistical plan for how an organization will recover and restore partially or completely interrupted criticalfunctions within a predetermined time after a disaster or extended disruption.

Thus Business Continuity Plan (BCP) and a Disaster Recovery Plan (DRP) are integral parts of corporate governance policy and risk mitigation policy which addresses the most serious concern of any stakeholder in the organization with respect to the ability of the business to survive the most distressing circumstances. A well conceived business continuity plan would be a holistic one which identifies potential threats to an organization and the impacts to business operations that those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities. The key to the entire planning exercise is preparedness.

The BCP would essentially include two elements

• A mitigation plan to reduce the risk of catastrophic incidents
• A disaster recovery plan to be implemented

DIFFERENT PHASES OF DISASTER RECOVERY FOLLOWING BUSINESS CONTINUITY PLAN

Following are the phases of a business continuity planning:

• Project initiation
• Risk assessment/business impact analysis.
• Design and development of the BCP.
• Creation of the business continuity plan.
• Testing and exercising BCP
• Maintenance and updating.

A. Project initiation

The principal critical activity required prior to the establishment of a BCP is obtaining senior management approval and support. Having obtained management approval, the initial phase of the BCP will include establishment of the BCP objectives and requirements of the plan. A business continuity steering committee would normally be established. This committee is likely to be made up of senior staff within the organization that has the relevant strategic view of the company's operation. It is important that they also have nominated deputies who are suitably briefed and have an in-depth knowledge of the BCP process.

B. Risk assessment/business impact

Principal objectives of phase two is to relate to data gathering and review of alternative courses of action. The collation and evaluation of this information will then allow senior management to make decisions on the critical aspects of the core business. Having identified the risks a business impact analysis should then be carried out identifies this as a key step in protecting an organization. It identifies some of the minimum objectives as being

• determine critical requirements and resources and the effects a disaster may
• have on the people, place, process and premises;
• estimate anticipated target recovery
• time for each core business function and service;
• establish core business recovery priorities;
• identify key personnel, equipment,
• facilities need to support core functions;
• estimate costs of extended business disruption; and
• Identify resources required to develop, test and implement BCP.

C. Design and development of the BCP

Principal issues to be addressed at this stage include

• detailed scope strategy and objective of the plan;
• administration procedures;
• Formation of business continuity committee and downstream business recovery teams;.
• Lines of communication, escalation notification and plan activation;.
• Scenario setting for plan execution.
• BCP records, storage, access;

D. Creation of the business continuity Plan

This phase deals principally with the creation of the BCP. The key issues to be addressed include:

• emergency response procedures covering evacuation, decanting access to work areas, access to documentation;
• emergency control centre - establishment, command and control procedures;
• detailed procedures for communications, delegation/designation of authority, key stakeholders;
• Detailed resumption, recovery and restoration procedures; and
• External support, vendor contracts, contacts and resources.

E. Testing and exercising BCP

In order to establish the effectiveness of BCP it is essential to implement a regular testing and exercise programme. The key activities

• to be established during the testing and exercising stage will include:
• preparation of exercise programmes and objectives;
• detail of exercise scenarios and monitoring and recording procedures; and
• Identification of training requirements, communication channels, induction of new staff.

F. Maintenance and updating

Having established the need for testing and the degree of probability that a substantial number of plans will fail following the testing exercise, it is essential that the lessons learned and shortfalls documented are incorporated into the plans. The key issues to be addressed are

• Review criteria and objective.
• Plan distribution and security.
• Schedule and programme of reviews.

RESOURCES REQUIRED FOR BUSINESS CONTINUITY OF THE COMPANY

As two of the principal focus areas of the Company's business are on its customers and investors, it is important to protect and salvage resources connected to these areas first. In any crisis it is most important to retain the customers' loyalty which means that the Company's products should be always available in the market. It is also important to retain the confidence of investors which entails communicating with them at regular intervals especially in times of crisis. The Company also needs to protect and preserve requisite financial and other records for the purposes of business and those required in terms of applicable laws and other regulations. The principal resources required for business continuity would be the following

• Personnel
• Critical plant and machinery required to maintain operations
• IT and telecommunications infrastructure of the company
• Distribution networks and storage facilities at factories and offsite
• Information on the following
• Procurement contracts/orders entered into for raw materials, consumables, equipment, projects, etc.
• Stages of execution of various orders placed
• Inward receipts of material
• Stock registers and inventory records in the factory and at distributors' stocking point
• Production statistics
• QC records
• Customer records
• All vendor/supplier records
• Personnel and payroll details
• Records relating to all kinds of budgets
• Legal and secretarial records
• Other financial records

BUSINESS IMPACT ANALYSIS AND RISK MITIGATION STEPS

ASSESMENT OF POTENTIAL RISKS

A major part of the disaster recovery planning process is the assessment of the potential risks to the organization which could result in the disasters or the emergency situations themselves. It is necessary to consider all the possible incident types as well as the impact each may have on the organization's ability to continue to deliver its normal business services.

The following list of potential events has been considered with individual risk profiles

Threat	Overall Risk Profile
Affecting physical business processes
Earthquake, Fires, Floods and tornado	Medium
Utility outages	Medium
Raw material shortages and failure of supply lines	Medium
Distribution system failures including customer defaults, and sudden loss of market demand	Medium
Devaluation / currency fluctuations	High
Transportation and logistical disruptions	High
Technological obsolescence	Medium
Key employee attrition and Labour disputes	Medium
Major theft/burglary/bribery	Medium
Threat	Overall Risk Profile/Impact
Critical equipment failure, internal power failure and sabotage	High
Affecting IT infrastructure	Medium

RISK MITIGATION STEPS

An overview of the various mitigation steps to be taken for the various threats as perceived by the company is listed below:

A. Earthquake, Fires, Floods and tornado (Risk Profile: Medium)

• Oman is almost aseismic, but the possibility of earthquakes cannot be ruled out totally.
• Though Oman is considered to be a desert country, there have been recent incidents of flooding. Being situated near the coast also means that there can be a possibility of hurricanes and tsunamis. The manufacturing facilities do not call for very tall structures so the chance of extensive damage is limited.
• Fires are always a normal hazard in any activity.

Mitigation steps:

• The Company has loss of profit insurance cover
• Have first aid and fire-fighting equipment in the premises
• Identify manufacturing facilities with a partner and have contingency arrangement to outsource production there
• Create buffer stocks at alternative stocking points. The perishable nature of goods should be taken into account while creating the stock.
• Fire protection and fire fighting measures to be taken including proper maintenance of fire escapes and display signs. In case of fire prone areas proper warning signs to be displayed.
• To minimize possibilities of electrical fires all wiring, motors, process equipment using electricity to be checked periodically. All equipment purchased to comply with fire safety standards
• To have documentation and IT resources adequately protected at multiple locations if need be
• To ensure no smoking in all production areas and administration offices at all times

B. Utility outages (Risk Profile: Medium)

Disruption in electrical and water supplies could happen even without any major natural disaster. To protect against any unforeseen disruption in utility supplies, adequate arrangements for standby supplies have to be made.

Mitigation steps

Electricity

• Standby generation capacity to keep essential production processes functioning
• Adequate stocks of fuel for the generators
• Proper housing for the generators and fire protection measures
• Changeover mechanism from grid supply to own generation at short notice

Water

Adequate storage/overhead tanks/ underground reservoirs for production process, drinking and sanitation

C. Raw material shortages and failure of supply lines (Risk Profile: Medium)

In case of likely extended disruption in supplies or raw material shortages, the production processes may suffer leading to adverse impact on the business.

Mitigation steps

• Diversification of raw material sources and vendors
• Procurement policy to have flexibility to activate alternative supply lines in case of sudden disruptions

D. Distribution system failures including customer defaults, and sudden loss of market demand (Risk Profile: Medium)

In case of a likely extended disruption in distribution system or a sudden fall in market demand, the company's products may disappear from outlets, affect the company's credibility with customers in turn impacting business revenue.

Mitigation steps

• Diversification of sales and distribution channels if need be
• Flexible sales and distribution policies to take care of sudden disruptions
• Additional promotional and publicity efforts in case the failure is related to loss in demand
• Better quality control or change in ingredients if failure is linked to product quality or safety.
• Change the pricing structure if required
• To keep a close watch on market trends so that appropriate steps can be initiated in case demand shows signs of flagging
• Credit profiling of customers to minimize payment defaults

E. Devaluation or currency fluctuations (Risk Profile: High)

Currency fluctuations are an important factor since the company depends to a large extent on imports for raw materials and exports a significant part of its production.

Mitigation steps

• Hedging and forward purchases/sales of appropriate currencies in case of exports or imports
• Changes in the company's product mix within its product range
• Close monitoring of pricing and cost structure

F. Transportation and logistical disruptions (Risk Profile: High)

For an extended disruption in transportation and logistical arrangements in its supply lines and distribution arrangements, the company would have to fall back on alternative methods to handle the crisis.

Mitigation steps

• Access to alternative transporters
• Maintain at all times buffer stocks of raw material at more than one location and rotate the stock to eliminate problems of limited shelf life
• Geographical dispersion of stocking points for finished goods and additional buffer stocks of finished goods at these points. Also arrange for rotation of stocks to take of perishable nature of finished goods.

G. Key employee attrition and Labour disputes (Profile: Medium)

The departure/absence for an extended period, of key employees and labour disputes are ever- present threats in any organization.

Mitigation steps

• HR policies to reward outstanding employees
• Training and creating a second line to key personnel
• Appropriate succession plans in the organization
• Proper HR procedures so that labour disputes can be resolved

H. Critical equipment failure, internal power failure and sabotage (Risk Profile; High)

Since the company uses a continuous manufacturing process, even minor disruptions in the operations can be considered to adversely affect the financial performance of the company.

Mitigation steps

• Company to maintain an in house maintenance team to carry out emergency repairs
• Company to have a service agreement with an outside agency or with the supplier of the equipment to carry out repairs or replace equipment at very short notice
• In case of very critical equipment, company may consider having a set of replacements available at site or even a back up system so that production time is not lost
• To eliminate sabotage, it is important to have proper surveillance in the plant

I. Major theft/burglary/bribery (Risk Profile: Medium)

Mitigation steps

• Proper insurance cover including fidelity insurance for personnel
• Proper security and surveillance systems in the plant area
• Checks at various levels including periodical audits/stock taking

DRP: ORGANIZATIONAL RESPONSIBILITIES PRE & POST DISASTER

INFORMATION ON DISASTER RECOVERY

A disaster recovery is a response to a declared disaster. A disaster recovery plan describes how an organization has to deal with a potential disaster.

STEPS BEFORE A DISASTER

• To have BCP, CM and DR team identified and trained
• To inform the essentials of BCP/DRP to concerned employees
• Testing the BCP/DRP regularly so that employees are familiar with the drill to be followed
• The Company shall decide in advance the alternatives available to restore operations to a functional level should a disruption occur. The level of response to various disruption scenarios should also be decided in advance.

STEPS DURING DISASTER

• When a disaster or business interruption occurs, the first priority is to ensure the safety of the employees.
• Evaluation of the disaster and determination of the impact on personnel and enterprise operations. This evaluation exercise is critical in making the decision to activate the disaster recovery/ business continuity procedures.
• Communication with team of managers, employees, affiliates, and vendors frequently
• Ensuring that the disaster recovery/business continuity plan is known to employees. Testing the business continuity plan regularly helps everyone in becoming familiar with what will happen and how it will be done.
• Once the level of disaster is determined and everyone is safe to operate, it is time to make the decision if the Company needs to implement the business continuity procedures or if the downtime for recovery is acceptable.
• Company to start with recovering the most critical business systems first to restore business operations to a functional level. There should not be any question which order or which applications need to be restored first.
• All backups and critical documentation to be locked down. The first step to recovery is having a set of data to recover from. This could be anything from archives, local disk copy, and a co-location or disaster recovery data centre.
• Reactivate operations at the earliest, if need be at alternative sites.
• Once the systems are operational, the disaster is over and systems are repaired, it is time to move the workloads back to where they were originally.

DISASTER RECOVERY PLAN AND BACKUP STRATEGY

The chocolate manufacturing company should have a site strategy from where it can carry on operations. In case the disaster denies it can access to its manufacturing and other facilities, and an operational back up strategy of operating procedures to be followed in the interim period till all facilities are restored.

Site Strategy

• Alternative corporate office- The Company has its corporate office in the factory premises at present. The Company shall rent an alternative office in case a disaster denies renders its present corporate office unusable or inaccessible.
• Alternative storage facilities for buffer stock of raw materials and finished goods - The Company has an alternative warehouse for storage at Rusayl situated away from the factory premises. Besides the Company stores its products at various distribution points at other places. These storage facilities can be used for storage of buffer stocks of raw materials and finished goods should its storage facilities at the factory premises become unusable. Additional storage space can also be rented if the need arises. All storage points will be adequately stocked and the Company shall rotate stock as required to obviate problems ofshelf life.
• Alternative production facilities - The Company has an understanding with a manufacturer of similar products outside Oman for outsourcing its production. The Company can also enter into similar arrangements with other manufacturers outside Oman should the need arise.
• Alternative site for storage of all electronic records/IT assets- The Company as a policy stores all its electronic records at two secure alternative locations outside its premises and these records are updated regularly. The Company shall make arrangements for processing data at an alternative site should the need arise.

Back up Strategy for carrying on physical business processes

• Distribution and marketing of products: The company shall set up a reasonable buffer stock of finished goods at its alternative stocking locations to take care of sudden disruptions.
• Production:Since survival of the business depends on the availability of the Company's products in the market, it is a priority to start production at the earliest possible opportunity at an alternative site if a disaster renders the plant inoperable or inaccessible.
• Procurement of Raw materials from alternative vendors (in case of supply line failures: The production functions of the Company can be carried on only with an adequate supply of raw materials and consumables. It is therefore relevant to consider the continued availability of raw materials and consumables in case of supply line failures and/or a disaster occurring. As a policy, the Company sources its inputs from multiple vendors. The Company shall set upadequate buffer stocks of raw materials and consumables to take care of unforeseen supply line failures and also create alternative storage points. Emergency procurement may also have to be considered in case of serious disruptions or if the Company's raw material storage facilities become unusable.
• Administration & Finance: In case of a major disaster, certain essential administrative and finance functions have to be resumed almost immediately. In case the company's offices at its existing location becoming inaccessible or unusable, the Company shall set up an alternative office to carry on these essential functions.
• IT Systems and Telecommunications: The Company has an ERP system with two modules-finance and inventory. Many other records are also maintained in an electronic format. It is therefore important to be able to resume the IT functions of the Company on an urgent basis.

The basic steps for all activities like distribution and marketing, Production, Finance, Administration and other functions would be

• Technical/Legal requirements
• Nature of arrangement: Hot/Warm/Cold (depending on the set up time)
• Site /vendor address
• Negotiation of price
• Nature of site: Hot/Warm/Cold (depending on the set up time)
• Period for which facility is retained
• Approving Authority for the activity: The General Manager (or in his absence the Finance Manager). Department/Person Responsible for activity
• Critical Items List and Minimum quantity of each item
• No. of staff of staff to be deployed

IT Resources

It is desirable that the profit-seeking activities of a business including the IT operations are not interrupted in the event of a disaster, secondary storage media (usually removable hard disks or DVDs) are used to store programs and associated data for backup purposes. These hard disks or other secondary storage media are stored in or more physical facilities (referred to as off site libraries) based on availability of use and perceived business interruption risk. It is the off site librarian's responsibility to maintain a perpetual inventory of the contents of these libraries, to control access to library media, and to rotate media between various libraries as applicable. The General Manager and the Finance Managers residence can be treated as the offsite library for this purpose.

Both data and software files should be backed up on a periodic basis.

• A minimum level of back- up information, together with accurate and complete records of the back- up copies and document restoration procedures, should be stored in a remote location, at a sufficient distance to escape any damage from a disaster at the main site.
• Backup should be taken automatically on a daily basis in workstations other than the server.
• Every week three sets of back ups should be taken by the IT department and hand over the same to the General Manager, Finance manager and any other person as decided by the General Manager, who should carry the backup hard drives outside the office location on the same day.
• Back up information should be given an appropriate level of physical and environmental protection consistent with the policies applied at the main site.
• Back up media should be regularly tested, where practicable, to ensure that they can be relied upon for emergency use when necessary.
• Restoration procedures should be regularly checked and tested to ensure that they are effective and that they can be completed within the time allotted in the operational procedures for recovery.

Classification	Description
Operating procedure	Application data files, control instructions, operating system manuals and special procedures
System and Program Documentation	Flowcharts, program source code listings, program logic descriptions, special job control language statements, error conditions and user manuals
Special Procedures	Any procedures or instructions that are out of the ordinary such as exception processing, variations in processing and emergency processing.
Input Source Documents output Documents	Duplicate copies, photocopies, microfilm reports or summaries required for auditing, historical analysis, performance of vital work, satisfaction of legal requirements of expediting insurance claims.
Business Continuity Plan	A copy of the correct plan for reference.

The following table shows the documentation to be backed up and stored off site

Cite this page