Development of Risk Based Business Continuity Plan Using House of Risk Method on Container Terminal

Business processes on every organization is essential to be maintained sustainably. Business disruption in certain area by large scale disaster weakens community resilience through halting productivity as experienced recently, and could also further impact national, regional and the global economy. Most of organizations have not realized that business continuity plan (BCP) is essential to their business continuity. This study aims to analyze the disruptions that might happen on container terminal and rank which disruption contributes most to the loss. This study also try to explain how business continuity plan can minimize the loss caused. The case study in this research is a container terminal. To be able to maintain business continuity in an organization, the terminal should implement business continuity planning in order to identify the risks of a disaster then provide procedures and strategies to reduce or minimize the risk. The development focused on the company’s ability to identify disruptions that might disrupt the business process and also to take action as. The research will be carried out using House of Risk method. Development & integration of the actual BCP will be conducted based on international standard ISO 22301:2012. The ranking of each identified risk agents and also the biggest contributor of the Aggregate Risk Potential will be the main output of this research.


Introduction
Indonesia is considered as a country which belong to one of the most prone to disaster. Indonesia is geographically located at the intersection of three pivotal earth plate: the Pacific, Indo-Australian, and Eurasian. Therefore, the country has to face frequent and powerful seismic activity, such as earthquake and volcano eruption, and other types of natural disasters, such as tsunami, typhoon, and drought. 12,494 natural disasters in the period of 2002-2012 with 190,087 numbers of casualties were recorded by Indonesian National Agency for Disaster Management. [1] Natural disasters have significant impacts to many aspects of life of the people in the affected areas, and such tremendous event can take a considerable amount of time for recovery. The 2020 New Years Eve Flood of Jakarta in Indonesia reminded us again of the risks of business termination and further impacts on national, regional and global economy through their supply chains, as some buildings such as malls were forced to shutdown due to the flood. [2] Regardless of how complex the business process in the organization, a plan to deal with the disruptions that affect their businesses should be prepared in every organization. Therefore, business continuty plan is suitable in order to ensure that the operational activities of an organization will still operate despite the possible disruptions.
One of the most significant contribution by the private sector for disaster impact reduction is marked by the formulation of Business Continuity Plan/Planning (BCP) or Business Continuity Management System (BCMS) of each enterprise that can reduce damages and help quick restoration from business interruption. ISO 22301 is the business continuity plan internationally recognized standard and currently being used in many business enterprises around the world. ISO 22301:2012 defines BCP as a comprehensive management process that identifies potential disruption that could halt business objectives and could be applied adaptively to each organization's risk appetite and preferences in managing risk. [3]. Business continuity plan could be implemented, before, during and after the disruption occur. Being one of the most critical components of the disaster recovery strategy, unfortunately, only a few organizations are aware of the significance of BCP and how to implement it. This could happen because the business continuity plan on each organization will be conducted differently, due to the unique business processes and treatment difference [4]. The nature of an industry which could not afford a downtime makes it important to develop a BCP for a port business, considering the position of port that is near sea body, makes it even more prone to several natural disasters. In this case study, a port that claims itself to be a green port utilizes shore connection technology. A container port will be subject to the development of Business Continuity Plan. Previous research that studies how BCP and maritime industry can be related to one another is one that was done by [4], the study concludes that systematically implementing business continuity plan in ports are vital for maintaining continuity of logistics infrastructure services and a variety of business activities in ports. This research is aimed to identify the possible disruption for container terminal that come in many forms, and rank them based on two properties which are consequence (severity) and frequency.

Business Continuity Management
Business continuity management (BCM) is a defined as a management process that identifies risk, threats and disruptions which are a threat to the organization's continued operations. In order to ensure organisational resilience and effective implementation, BCM also serves as an adaptive framework. BCM is also initially came from risk management, but BCM only deals with risks that could potentially stop the whole business process, which is called disruptions [6]. Because consistenly implementing BCM across different business is an issue, ISO Standards issued a dedicated publication for business management system, ISO 22301. It is established in the publication, a "Plan-Do-Check-Act" (PDCA) model for planning, establishing, implementing, operating, monitoring, reviewing, maintaining and continually improving the effectiveness of an organization's BCMS.

Business Continuity Plan
Business continuity plan (BCP) is a plan that is developed in order to protect an organization's assets and could continue key business processes after a disaster with every capabilities necessary, it should be implemented when an unexpected business interruption caused by natural or man-made events occurs [6]. What BCP does is upon the declaration of a disaster, it activates preapproved policies and authorities. BCP also restores the business process for products or services with the least possible cost to the organization and with the least possible time [6]. The BCP framework was made using a common format, to ensure that all plans are appropriate and to determine the priorities of testing and maintenance. Each plan must be clearly defined the conditions under which the plan will be carried out, and the person responsible for carrying out each plan. When new requirements are identified, the establishment of an emergency procedure, for example an evacuation plan or anything that changes, the BCP must be renewed. Different approaches may be needed for each service, business function or part of the organization, it is recommended to add a plan to the additional parts added. [7]

House of Risk
The House of Risk (HOR) is a risk identification and mitigation model which developed from the House of Quality and Failure Modes and Effects Analysis (FMEA) method. In this study, HOR is used to develop a framework for managing supply chain risk [7]. The HOR approach is focused on actions prevention to reduce the probability of the occurrence of risk agent. Risk arises as triggered by the agent

House of Risk 1.
The phase 1 of this method is the risk identification phase. Risk identification phase is used to determine the risk agents that has been prioritized for actions. The first stage in this phase is by identifying the activities based in the SCOR model. Next, identify risk events that occur in supply chain activities inside the company. The third stage of this phase is identifying the level of impact (severity) as risk event and severity assessment with an assessment rating. The fourth stage, identifies the agent that become the source of the risk. The fifth stage is identifying the correlations between risk events and causative agents risk with correlation values. The sixth stage, determining the value of Aggregate Risk Potential (ARP). ARP can be calculated with the following formula: Oj is defined as the probability of occurrence of risk agent j, while Si is defined as the severity of the disruption if risk event i occurred, and Rij show the value of causality between risk agent j and risk event i (which is interpreted as how likely risk agent j would cause risk event i. The values then will be analyzed using the equation for prioritizing risk agent that needs to be handled first. The last stage is by ranking the risk agents based on ARP value. Hereby is the following HOR phase image. Severity is the rating of seriousness due to the failure result. The value of severity risk event with a scale from 1-10 where 1 has no impact and 10 has and extreme dangerous impact. After weighing the severity value later weighing the occurrence value. Occurrence is define as the possibility level of from the cause of the failure. Weighting the value of occurrence on the source of risk with a scale from 1-10, where 1 means almost never happened and 10 means often to happen. Next, by weighing the correlation value between the risk occurs (risk event) and the source of risk (risk agent) along with the scale correlation values. After being able to determine the aggregate risk potential number based on the risk agent, the determination of preventive action will be asses from the Pareto Diagram. The Pareto diagram hold the law of 80:20, where it enables to prioritize those with a high aggregate risk potential. In this case, the risk agent that will be selected will be based on the 80% or above that has the highest ARP, which this will be contribute the most rather than the other risk agent. In expectation, the 80% or higher risk agent will be prioritized in solving the issue, by determining the preventive action based on this selection.

House of Risk 2.
In the HOR 2, a selection process on choosing a number of risk agents based on the highest ARP value for each risk agents. In HOR 2, it will be more exclusively focusing on the preventive action. The first stage, is by identifying effective preventive actions in related with the occurrence of risk agents. At the second stage, determine the magnitude of the correlation between each action and risk agent. The third stage, calculates the total value of effectiveness in each action. Stage five will determine the level of difficulty in each preventive measure. The sixth stage is supposed to calculate the total effectiveness for difficulty level ratio. The last step of this phase is by ranking each action. Table 2. HOR 2 Model

Result and Discussion
The process of compiling the risk potential has 4 types of ways, which are from the author inputs that is based on previous journal, paper, and thesis; conducting a direct observation; conducting an interview towards experts; and a spread questionnaire. The identified risk potential is determined into 33 potential risk, and the events will be classified as either risk agents or risk event, the purpose of this stage is to understand a various types of risk event that may possible to occur because of the affection of a single risk agents.

Risk Events
A single risk event can be caused by more than one risk agents, therefore it is very important to analyse and identified on how many possibilities that a certain risk event is correlated to a certain risk agents. The list of identified risk agent and risk events are presented on the table below. Internet is unavailable E15 Communication signal is unavailable E16 Loss of primary supplier E17 Wharf destroyed E18 Fire on building E19 Automation system is not operable E20 Remote control is not operable E21 Worker injured The risk event identification table show various types of risk potential that may occur in such a percentage amount of time. The function of determining the risk event is to understand what kind of event that may possibly happen due to the problem of stevedoring process. The value of the impact of the risk event above will come from the assessment of the expert through a questionnaire. The filling of questionnaire is guided by a standard that has been developed for this case study. Below is the standard table.

Risk Agents
The identification of risk agent is a way in order to understand the possible potential failure that will cause into a possible risk event. Risk agent will then be assess according to the occurrence value. The higher of probability that may happen, the higher the risk agent resulting in the occurrence value. The risk agent is a various points of determination that lead into a risk event. Below are the identified risk agents. Theft by worker A8 Inaccurate record keeping A9 Industry law A10 Error of material estimation A11 Management policy failure A12 Theft by outside party Same with the risk events, the value of the frequency of the risk event above will come from the assessment of the expert through a questionnaire. The filling of questionnaire is guided by a standard that has been developed for this case study. Below is the standard assessment

Identification of Correlation between Risk Agent and Risk Event
The risk agents and risk event that has been determined from the table of identification relation between risk agents and risk event, will then be classified based on the calculated correlation between the risk event and risk agents. Each risk event is possible to occur by various risk agents, therefore from the table below the assessment will determine the value of correlation between a certain risk events that is related with a various risk agents. The standard assessment for the correlation is below.

Strong Correlation
Risk agent is strongly correlated to Risk event

Assessment Result
The next step is the assessment. This was accomplished by distributing questionnaire to relevant position such as managers or above, in this research the total of 7 employee of the Container Terminal has successfully filled the questionnaire. The following table determines the calculation of ARP value based on the assessment of severity value, occurrence value, and correlation between risk agent and risk event value. Based on the overall ARP calculation of each risk agent, the further step is by adjusting the ARP value from the biggest value to the lowest value. The ranking table will be able to determine priority for mitigation action for each risk agents. The risk agent that has the biggest ARP value will be acquired the highest priority to obtain the mitigation action. The higher the ARP value, the further it will be prioritized in order to obtain the mitigation action. In this research, the risk agents that contribute the 85% of ARP will be studied further in order to obtain the preventive action needed. The aggregate risk potential graph can be seen on the table below, the calculated values are between 120 and 2130. There is only one risk agent with an ARP value of above 1,500, which is natural disaster warning from BMKG; there are four risk agents with ARP value between 1,000 and 1,500; six risk agents with an ARP value between 500 and 1,000; and the rests (11) have an ARP value below 500. It is also could be concluded that six risk agents contribute to about 85% of the total ARP values and the other 6 risk agents only contribute to 15 percent of the total ARP.  The Pareto diagram shown above illustrates there is a huge variations between the degree of importance of reducing the probability of occurrence of each risk agent. Naturally, a company should prioritize those with high-aggregate risk potentials, because the highest ARP means it contribute most to the loss endured by the company.

Table 8. House of Risk Model
After receiving the ARP value of each risk agent, the next steps is by determining the risk evaluation that will become the main reference in order to procede a preventive action. It occurred that the highest risk agent that placed the 1st rank is a risk agent with a code (A1), which is BMKG disaster warning. Meanwhile the lowest risk agent that resulting an ARP value is (A7), which is theft by employee. Based on this ranking assessment of ARP value, the mapping of ARP assessment will be conducted through the aforementioned Pareto Rules. The Pareto Rules will ease and determines the result to discover which risk agent that has the highest concerns. The top 6 risk agents that contribute 85% of total ARP are: (1)

Conclusion
This research is trying to answer the question about which events are at risk of disrupting the business process in a Container Terminal. Based on the research and analysis of possible disruption using House of Risk model in Teluk Lamong Container Terminal, from 12 risk agent that has been determined, there are 6 risk agent that is being prioritized to prevented/mitigated in order to reduce major impact for the business. The highest ARP contribution is occupied as follows: (1) BMKG disaster warning; (2) External theft; (3) Management policy failure; (4) IT sabotage; (5) Employee mass demonstration; (6) Pandemic. The author noted that the usage of BCP is vital for reducing disruption at ports, for which the proposed risk events severity assessment & risk agents frequence assessment are powerful to properly undertake BCP preparation. In this regard, it is concluded that further mitigation or preventive action development is needed for improving performance of the BCP.