The Malaysian Floods and Lessons that Businesses Learn from About Resilience

Torrential downpours following a tropical depression have swept through the eastern coast of Malaysia, leading to massive torrential downpours affecting 7 of the 11 states in the Malaysian Peninsula. Coined by many as the worst flood in the country in decades. The floods have left at least 54 dead and over 71,000 people displaced. A preliminary assessment with 100 companies has indicated estimated damage of RM 195Million. Total estimated insurance claims for flood-related claims are estimated at a staggering RM 2-3 Billion.

Despite efforts swarming in, the extensive damage and impact on the economy have taken their toll on the business operations. As the road to recovery follows the receding flood waters, businesses and residents return to clean up the aftermath to continue business. Although the concept of a natural disaster is a relatively distant term to modern-day Singapore and other major cities like Thailand, Indonesia, Vietnam, India, Sri Lanka, Nepal, and China, the garden city has seen its share of major floods recorded as early as the 1950s and the more recent flash floods between 2009-2013. While modern-day technology and comprehensive drainage systems reduced the probability and severity of flash flood occurrences, businesses and policy makers should not rest on their laurels- This is especially true with global warming and an increase in precipitation. The Intergovernmental Panel on Climate Change’s latest report forecasted an increase in Singapore’s monsoon precipitation with annual average rainfall increasing at a rate of 70mm per decade since the 1980s. The same report has also forecasted heavier precipitation and pluvial flooding in the Southeast Asian (SEA) region.

It’s not a matter of ‘if’, but ‘when’ ?

Coincidentally, more than half of the respondents in a Deloitte resilience survey conducted across 250 companies, over 500 crisis management experts believe that organizations today face more crises than they did 10 years ago. 79% of companies had reported having faced a crisis event in the past year alone. With increasing environmental volatility, what should companies do to be more resilient in the face of disasters? How can businesses dampen the impact of natural disasters on their operations? And the burning question for businesses in Malaysia and other natural disasters hit countries in Asia is how they should proceed to recover the business? This article will briefly discuss how businesses can take the opportunity to future-proof themselves while gradually resuming business normalcy and building resilience in their business operations in the face of disasters.

Step 1: Restart your business and build up a Business Continuity Plan (BCP)

As the name suggests, the BCP is a comprehensive set of tools, policies, procedures, and resources necessary for an organization to jumpstart any organization’s recovery processes to return to normalcy as soon as possible, in response to a disaster, which could of a man-made or natural origin. While the BCP may seem reactive from the preface, a solid BCP takes detailed planning before the disaster based on a systematic quantification process. It is a holistic plan stitched together to help companies manage the crisis that affects its mission-critical processes, systems, and activities. It takes a holistic view of all factors that may affect the recovery efficacy.

Confused about the terms?

Disaster Recovery Plan (DRP) = focus on IT recovery capability
Business Continuity Plan (BCP) = focus on Business recovery capability as a whole.

DRP is a contingency plan as it focuses on specific scenarios while BCP is a continuity plan that focuses on broad consequence-based scenarios.

Depending on the nature of the industry and the type of company, its business strategies, and its people, no two BCPs are the same. The BCP is a document that requires close involvement by the various layers of the organization and should be perpetually refined to reflect regulatory, technological, procedural, and business needs changes/developments and hence it is by no means a one-off exercise.

No two BCPs are the same.

BCP needs to be complemented with a competent team that is responsible for the development, implementation, and maintenance of the BCP. Disaster recovery must consider internal factors and their respective challenges to be addressed. For example, the medium of communication within the company and to external agencies such as the government, and even the press. Presuming the flood took out the electrical grid, how will communication continue within the organization? Are there any alternative locations to which the team can house temporarily? What is the logistical requirement and what are the emergency contractors that can be sourced from? Are they affected by the disaster as well? Is the alternative operational location safe enough from the disaster but near enough to expedite business recovery efforts? These are just some of the possible scenarios and questions that the BCP team needs to critically identify, assess, and quantify when coming up with a plan such that it can be addressed systematically with reasonable, practicable, and sustainable actions.

Looks good on paper? It sure does.

Organizations should refrain from taking the BCP as the one panacea to ensuring its business continuity as the BCP is designed to be a contingency plan that is reactive to the incident itself and needs to be tested and integrated with other inter-dependent factors to ensure its success to keep business-critical operations running in the face of a disaster. And how can we ensure the smooth integration between the various systems and processes in the organization during a crisis? This can be done through a thoroughly implemented BCP, which covers company-centric needs such as upstream (suppliers and clients) and downstream (staffs and subcontractors) contractual/regulatory compliance. A BCP is fluid and can conjure correspondingly with the necessary resources to cater to varying scales and types of disruptions, therefore reducing the possible impact to the organizations’ activities in an effective manner. This builds organizational resilience and increases investor confidence which in turn hones the competitive edge of the company.

Disasters strike without notice and more than often organizations that are lacking in business continuity planning suffer from a more severe economic impact as compared to one that has a resilient BCP with integrated policy frameworks. Despite its importance, many Asian companies remain lacking in a proper business continuity planning process as reported by the Asian Business Council. The global pandemic surfaced the inadequacies in organizational crisis planning worldwide. While the global pandemic served as a catalyst of growth in the field of crisis planning, it remained reactive. As companies, resources, and people becomes increasingly interconnected, business continuity planning becomes more important than ever.

Step 2: Get the Leaders on Board

The concept of Business Continuity (BC) is considered an afterthought for many organizations as it is considered as an operational issue rather than that of a strategic one. More than often leadership roles’ participation is not only limited to budgetary approval and fund allocation but also making critical decision during crisis in the form of BC leadership. As a result, the investment of time and capital in business continuity is one of the first to be axed alongside other “non-essentials” or “administrative tasks.  A crisis management survey by consulting firm Regester Larkin and Steelhenge reported the lack of management involvement as a prime weakness in many organizations. For a BCMS to be sustainable and successful, management’s buy-in is of paramount importance as they create the vision, direction, and the establishment of priorities.

While no one wishes losses in an organization during such unfortunate circumstances, leaders need to determine the acceptable loss threshold and potential loss impacts.

The term “buy-in” entails beyond the economical aspect of things and encompasses the leadership, pre-crisis procurement/ allocation of talents, and delegation of responsibilities according to the type of crisis. It is the commitment of leadership in all aspects in the contribution to the success of the BCMS.

Assets build up over the years and the impact gets bigger over the years. While no one wishes any losses in an organization during such unfortunate circumstances, leaders need to determine the acceptable loss threshold and potential loss impacts. The threshold set is based on their comprehension of the overall organization’s processes and resources interdependencies. And all the potential impacts of a loss.

Buy-ins by partners are essential in ensuring continuity of services and products crucial in business operations. A Deloitte survey reveals that organizations have failed to involve their key value chain partners/ suppliers in crisis preparedness programs, which is an indispensable factor in reducing the crisis vulnerability of companies- Despite having 34% of respondents mentioning a likelihood of challenge when working with these partners during times of crisis, only 27% were involved in their engagement.

Step 3: Taking stock of the Organization Risks and Formulate Mitigating Strategies

Another important aspect in building up a resilient BCMS is to conduct a Business Impact Analysis (BIA). This activity surfaces all mission-critical activities and inter-activity dependencies. The respective impacts of the crisis are analyzed. Through a quantitative approach, recovery priorities can be ranked following their relative importance to the business. A Risk Assessment (RA) is performed to comb through all possible scenarios on a task level. This is the step that the severity and probabilities are determined. These can be mapped into actionable items which can effectively reflect any crisis competency and capacity gaps in its people that need to be addressed. When integrated into a BCMS, the BIA and RA will enable the leadership to make strategic business continuity strategies and solutions accordingly.

When integrated into a BCMS, the BIA and RA will enable the leadership to make strategic business continuity strategies and solutions accordingly.

As with every system established within the organization, a regular, rigorous verification process is necessary to ensure that any system/ process gaps, resource shortfalls are being addressed. The BCMS’ efficacy can be ascertained through physical drills or tabletop exercises simulation and function testing. After each exercise, the lessons learned need to be archived, participant feedbacks collected such that the BCMS team can make the refinements to address them.


Unforeseen disasters such as the one that we see in the example today can severely affect business revenue and branding. Through case studies from crisis case studies globally, one of the key determinants to successful post-disaster recovery is the ability to have a solid BCMS framework, and achieving that is by no means an easy feat. The role of leadership in organizations is paramount in the formation and iterative process of the BCMS and during a crisis. For companies that are new to BCMS, it may be prudent to seek professional guidance.

Leadership will need to embrace their responsibility in playing a more involved role in the process of BCMS development. By embracing a paradigm shift from “will it happen? To “it will happen”, leaders can better guide their organization in the adaptation of risk awareness and a culture of proactivity that ultimately builds up organizational resilience in a sustainable manner.

Written by: BCP Asia Consulting Team