In principle, all companies should have a so-called business continuity plan – commonly known as “BCP” – in place. Business continuity planning is the process a company undergoes to create a prevention and recovery system from potential threats such as natural disasters or cyber-attacks. It is designed to protect personnel and assets and make sure they can function quickly when disaster strikes[1].
These days, there is a lot of talk about BCP with respect to COVID-19. Above all, the global pandemic has shown that many companies do not have any BCP in place. The government of Indonesia recently jumped the bandwagon by issuing a decree regarding the drafting of BCPs (the “Decree”)[2]. This has raised some questions, in particular whether it is required to have a BCP in place and more generally, what (new) obligations there are for businesses.
No obligation for not having any BCP in place in principle – yet recommended As the Decree makes it clear itself, its intention is to provide guidance for companies in preparing a BCP to protect their business continuation from the impact of the pandemic as well as to prevent the spread of the virus in their companies. It is supposed to help companies. As such, companies which do not set up their own BCP do not face any sanction.
However, companies are encourage to involve labour unions and coordinate with the Labour Inspector (Pengawas Ketenagakerjaan) when they set up the BCP. It is for this reason that we recommend that you set up a brief BCP for your company, especially when you employ 50 or more employees. Having a BCP in place will not take a lot of time and based on our experience, following recommendations like the one in the Decree will get you the goodwill from authorities, such as the Labour Inspector.
The content of a BCP as per the recommendations in the Decree The Decree splits up the BCP preparation/implementation into seven different stages:
Stage 1, Recognizing business priorities
The main products/services determine the business priorities – which in turn decide what the core business activities of your company are. The Decree makes specific reference to identifying the manpower required for these business activities. You should consider who can replace them in cases of absence.
Stage 2, Identifying pandemic risks
On a scale from 1 to 5, you should identify the risks that arise out of the Coronavirus pandemic with respect to Stage 1. You should map various scenarios, both from within your company and from the outside, which may disrupt the continuity of your business. It is recommended that you identify vulnerability points for the key functions of your company, e.g. finance, manpower, etc. Thereafter, you should take steps to prioritize and identify what can be done to control the risk.
Stage 3, Planning mitigation for pandemic risks
The Decree advises that you prepare various SOPs, implement flexible working hours, secure your supply chain, assess your HR-related policies (e.g. business travel, overtime, etc.) and occupational health and safety. You should also have a communications team.
The Decree recommends determining the risk for each threat and the actions required to mitigate such risk(s). There should be a schedule together with an identification of what resources are needed to carry out the mitigating actions and it must be clear who is responsible for what actions.
Stage 4, Identifying the response to impacts of the Coronavirus pandemic
According to the Decree, the response to the impacts of the Coronavirus pandemic should be clear. This includes (i) identifying the events that trigger the response and (ii) the response itself – what actions should be taken based on the mitigation plane with all sub-items mentioned above in Step 3?
Stage 5, Preparing and implementing the BCP
The Decree proposes that a designated team be formed specifically for the preparation of the BCP. This team should also include employees, with the responsibilities of the management and the employees clearly defined. We highly recommend that you coordinate with the Labour Inspector in setting up your plan. The authorities will not hear about you following their recommendations unless you involved them.
Stage 6, Communicating the BCP
Once the BCP has been finalized, the Decree advised to communicate it internally (both management and employees) and externally (all stakeholders including suppliers and customers).
Stage 7, Testing the BCP
You may test your BCP via simulations, etc. The Decree recommends periodical testing to keep the BCP updated.
Your advised steps and how Schinder Law Firm can assist you.
Overall, the recommendations in the Decree are rather simplified and, above all, were issued many months late[3]. Business continuity planning is the opposite of crisis planning – it happens before there is a crisis and is not simply an action during a crisis to mitigate its effects. Any company which now, many months into the global Coronavirus pandemic, starts wondering about its BCP will almost certainly face bankruptcy. This makes us wonder about the usefulness of the Decree.
There was some confusion among our clients, so we want to assure you: as noted at the outset, there is no obligation to set up a BCP. That said, it would certainly get you the authorities’ goodwill if you nevertheless set one up. Numerous free BCP templates exist on the internet and setting up a plan will not take a lot of time. Schinder Law Firm can assist you in liaising with the Labour Inspector or any other authorities to make sure that your actions are well-noticed.
________________
[1] Investopedia, Business Continuity Planning, available here (last accessed on 2020-10-06).
[2] Decree No. 312 of 2020 on the Guidelines for the Drafting of Business Continuity Plans in Facing a Disease Pandemic.
[3] As such, even the entry on Wikipedia is clearer and more detailed than the Decree.