Remaining Ready and Resilient in a Time of Countless Enterprise Threats
Bad things happen.
Sometimes they only seem large, like spilling coffee on your shirt just before a job interview begins. Sometimes they’re truly horrible, like a global pandemic stretching over 2 years in duration.
Resilience is how we react to these bad things and overcome them.
Here’s something else to know about bad things: They happen a lot. Research and advisory firm Forrester surveyed risk management professionals in their Business Risk Survey, 2021. The vast majority of them worked for an organization that experienced at least one critical risk event last year — 72%, or nearly three-quarters of them. (Forrester defined a critical risk event as one having a significant business, financial, or reputational effect on an organization.) If one critical risk event is bad, maybe six would be challenging — and 19% of the respondents had six critical risk events in 2021.
Things aren’t improving, either: 40% of the respondents said that risk is increasing[1]. Those risks come from everywhere, and could be anything from deadly weather to ransomware.
So what’s a business to do? We at Infinite Blue agree with the folks at Forrester, who say that preparation breeds resilience, which is the ability of an organization to deliver on its vision or brand promise no matter the crisis. This post summarizes our key takeaways from our 2022 webinar featuring Forrester.
Ready Or Not
When bad things happen, it’s challenging conducting business. Storms can render roads impassable; earthquakes can interrupt civic services; hackers can prevent an organization from accessing the data it needs to pay employees, control production, or manage its assets. Enterprise risk management is the process by which these incidents can be identified, solutions proposed and tested, and then memorialized and distributed so that everyone in the organization knows what to do… even when the unlikely happens.
The process of doing that preparation had a halo effect on the business in general. Forrester noted that companies with a mature BC program exhibited improved employee experience, quicker innovation, and more differentiation in their core markets.
Lots to Do
An important part of building an effective BC program is identifying which items are the core of what should be prioritized for recovery. Forrester encountered one enterprise that identified 16,000 services it wanted to recover immediately. Planning success only came after the company whittled down those 16,000 things to 16 core items. The problem here is plain. Resources are finite when things are going well; they’re rare as hen’s teeth when disasters strike.
And still, the focus is spread thin, even when asking BC professionals. Forrester asked which initiatives were likely to be priorities in the coming year. The respondents named eight just about the same number of times. Cyber security issues were named by 75% of the respondents, but the eighth-ranked must, at 67%, was climate change and its effect on corporate resiliency. This indicates that there may be much plate-spinning when companies are looking at what to attack next.
Prioritization
With this many priorities, if the workforce is to be resilient, the span of control must be rigid and a lot of lines need to be crossed in the organization. Communication can’t be an afterthought, but must be fundamental to a company’s efforts to foster resiliency. Teams must be able to work effectively with each other across specialties. The flip is that not every organization has the staff to address BC fully. Sometimes the organization hasn’t prioritized BC high enough — Forrester research shows that overall, it ranks as only the sixth-most-important priority in many — in which case the staff will be small by design. In small organizations, the task may belong to a single person — and it might not be that person’s only assignment.
The necessity of BC is correctly ascertaining priorities given the organization’s staffing and resources. When assembling its list of potential problems when conducting the business impact assessment (BIA), the staff could miss something entirely. Or, the priority list itself could be built incorrectly. Suppose, for instance, reputational risk isn’t considered that big a priority. If something comes out of the blue to affect the company’s reputation — a key employee is arrested for committing a high-profile crime, or a contagious disease is traced to the company’s production facility — the company may not have put enough work into planning for that contingency. Because they aren’t prepared, the company will face the disaster head-on with no strategy to address it. Or sometimes priorities live at the bottom of the list because companies think the issue has been addressed, only to discover when disaster strikes that it hasn’t been considered at all.
Big shifts affect disaster planning as well. Companies that were buttoned up prior to the pandemic have needed to adjust to changes because of it — and after. Working from home has changed even as work life returns to normal. Which company employees are responsible for planning about events like a hurricane? Does a company’s BC team need to set up contingencies for continuing or resuming work after a storm — or is it the responsibility of the employee working from home, perhaps even in another state, to ensure that they can maintain a digital connection to the office from home or an evacuation site? In a snowstorm, does an employee working from home have an obligation to have a generator should power be interrupted? Does that employee need to rely on a cell phone as a hot spot for connection to the company or its data in the cloud, or is that the job of a BC team at the main office?
Dedication
These are questions that companies evaluating their preparedness must evaluate. As discussed above, that’s not an easy problem for companies even as awareness of the necessity to have a plan for disaster and recovery has grown. Of the companies Forrester surveyed in its Business Risk Survey 2021, planning for BC was assigned to multiple departments, with just 27% of those companies having a BC team dedicated to risk management.
BC is a proactive, not a reactive sport. Companies planning to be sincere about BC should probably seriously consider devoting a specific team to it. That team should have top management’s mandate to interact with every department and team within the organization.
When businesses play defense, they lose opportunities and they increase their chances to conquer adversity efficiently.
The Future
The good news for companies trying to work their way toward a mature BC is that Forrester’s survey reveals that more than half believe their BC budgets will grow, with 5% of them expecting increases of greater than 10%. That’s not universal, unfortunately — 45% of the companies aren’t expecting an increase. Those that don’t tell Forrester they haven’t yet seen a return on their investment, or see BC as a cost without benefit.
Where survey respondents are embracing BC, they’re also adopting BC management platforms. Of the 800 respondents, 71% are in the process of implementing a BC platform, with another 14% planning to. Such platforms work because they enable everyone who needs access to reach the platform and its data from any location connected to the internet. Everyone can edit the plan, everyone can build scenarios and test them, making management easy. BC in the Cloud’s embedded Sendigo mass communication capability makes keeping track of relevant employees and the essential task of keeping them informed during disaster incidents seamless and simple.
This is because stakeholders are beginning to demand organizational resilience. Boards are now looking for feedback directly. Organizations are now being asked to ensure they update their plans yearly. They’re asked whether they’ve looked at scenarios, or conducted tabletop exercises to make sure their BC plan is as effective as possible. It’s now clear that it’s very unusual for a company to go an entire year without experiencing a problem. When that inevitable problem occurs, recovering is essential — and recovering faster is ideal. Doing this requires closing gaps, collecting good data (and avoiding disconnected or bad data), and building good processes. And it’s the kind of thing that shouldn’t be done on the fly, where the pressure organizations are already under can make mistakes, affect the ability to deliver on service level agreements, and cost money. Information in a spreadsheet is, in a sense, always out of date, may not be accessible to everyone that needs it, and may not be accessible when disaster strikes.
With planning, better decisions can be made because they’re not made under stress. For instance, consider a ransomware attack. Once files are locked and access to key information is denied, the impulse to act quickly and overlook important steps will be powerful. Knowing what the costs renders BC planning most powerful. What’s down? How long will it take to repair? What will it cost? Answering those questions before the attack means the person with decision-making responsibility will have the necessary framework for determining whether to pay the ransom or rebuild the system from a segregated off-site backup. With the additional benefits BC planning provides during times of non-emergency, we believe Forrester’s research confirms that the Infinite Blue approach yields optimal results — and risk managers are moving in Infinite Blue’s direction.
[1] Forrester’s Business Risk Survey, 2021
