We often talk about dealing with disruptions to business operations as “putting out fires,” evoking images of harried frontline employees scrambling to identify and contain the cause of the problem. In reality, firefighters depend on extensive preparation and exacting procedures to ensure they can respond effectively and safely when emergencies arise. When the alarm sounds in the middle of the night, they are so well rehearsed, they are on the truck and en route in less than two minutes. Can you say the same about your company’s ability to spring into coordinated action when disruptions occur or disasters strike?
If we learned anything from 2017, it should be that disruption and disaster take many forms, from hurricanes to data breaches to workplace misconduct, and can impact businesses in many ways — damaging property and infrastructure, financial status, operations, and brand reputation.
Business resiliency in the face of disruption starts with good governance practices and business continuity and disaster recovery (BC/DR) planning is an essential element. Identifying potential disruptors, creating plans to ensure services and operations receive minimal impact, and implementing procedures to respond to disruptions are the first steps toward better governance.
Assessing Risks and Scenarios Intelligently
The goal of business continuity and disaster recovery (BC/DR) planning is to optimize the organization’s ability to go from business interruption to business-as-usual as soon as possible. Given the complexity of digital technology infrastructure and supply chains, efficient recovery is not feasible without extensive planning and well-rehearsed procedures. Failure to thoroughly assess risks, model scenarios, and map out incident response can lead to tremendous losses. Too many companies have done little to none of this essential risk management work. Those who think it won’t catch up with them are taking a big gamble; EY reports that 40 percent of businesses that experience a disaster go out of business within five years.
Last year’s global cybersecurity attacks and massive breaches give board members a compelling reason to be more attuned to their IT risks and more focused on BC/DR. And yet the C-suite continues to struggle to communicate and plan for the risks their company could face in the aftermath of a disruption or disaster. It’s not easy to formulate practical answers to questions like: How do you plan for the unpredictable? How can we plan to address the impact a business disruption would have on finances, operations, and relationships? What are the potential cascading effects of a service outage or disaster? Executives need to put better processes, systems, and supports in place in order to calculate what to expect when risk becomes reality, including downtime duration, services and products affected, remediation costs, revenue impacts, and regulatory obligations.
Many of these calculations and remediation and response plans can be made ahead of time. Instead of focusing solely on lower probability risks like natural disasters and power outages, pick common threats and risks, and run scenarios that align with your company or industry. Consider risks such as hacking, fraud, and vendor failure. Of course the topmost large-scale threats should be addressed, especially if your business is particularly vulnerable to hurricanes or geopolitical strife. In general terms, the surest way to optimize business resiliency is to identify, assess, and plan for risks in the following categories: cybersecurity fundamentals, internal threats, and third parties.
What Does Proactive Planning Entail?
It may sound futile to plan for the unpredictable. Yet this is what lies at the heart of integrated risk management — acknowledging that modern enterprises and the environments in which they operate are so complex and interdependent, they require comprehensive systems and processes designed to find, define, and mitigate risks on a continuous basis. Similarly, the concept of business resiliency encompasses not only BC/DR, but also preparation for the quasi-predictable stressors: growth and expansion, resource and talent shortages, infrastructure upgrades, disruptive technology innovations, and mergers and acquisitions. When this wider perspective drives risk assessment and planning, it becomes clear that BC/DR should not be solely in the purview of IT.
Business continuity planning, testing, and evaluation efforts should be continuously optimized across the enterprise. Controls should be implemented based on risk assessments and implemented through systematized processes that can be tracked and analyzed. Continuity planning should not be an afterthought – include it up front in contracts, negotiations, and acquisitions to address third-party risk. BC/DR plans should be kept up-to-date, incorporating software, infrastructure, vendor, personnel, and regulatory changes in addition to shifts in enterprise offerings, consumer priorities, and markets.
Many aspects and factors go into developing plans that effectively minimize the impact of negative incidents and optimize recovery time and procedures. It’s essential to consider not only the negative event (e.g., a data breach), but also the cascading effects. Business operations depend on an ecosystem comprised of people, process, and technology controlled both internally and externally. While BC/DR plans are being executed, executives and risk managers will also have to address impacts on employees, customers, supply chain, health and safety, communications, and regulatory compliance.
Embracing Challenge and Change
Business continuity requires coordinated, all hands-on deck efforts, especially in times of opportunity, disruption, and disaster. This requires leadership from the top and initiatives that include a broad selection of business and operations managers. The effectiveness of BC/DR programs directly impacts brand reputation and revenue, putting them solidly in the realm of the CMO and CFO in addition to operations and IT security leaders. CTOs and product leads are involved through security-by-design, paramount now that attacks on IoT devices are increasingly widespread.
We can’t continue to conduct business from a traditional mindset. It’s high time to acknowledge the centrality of data and digital systems to everything we do. We can no longer afford to ignore business and IT risks or neglect the strength and flexibility of operational fundamentals. It’s imperative for every enterprise to conscientiously develop business resiliency through integrated risk management, and to ensure that governance, risk management, and compliance activities are valued and prioritized across all enterprise functions.