Cyber security discussions have in recent years shifted towards cyber resilience, but the ability to absorb a disruption and recover from it needs to be applied across the whole business, especially as organisations become more dependent on IT.
Resilience, however, does not happen by itself, in cyber security or in any other part of business operations. It has to be planned and managed, and business resilience management (BRM) therefore ought to be on the agenda of most organisations.
Simply put, BRM is the comprehensive and standardised management of all processes to identify and mitigate risks that threaten an organisation.
These risks include disruptions to ICT continuity, cyber attacks, consumer demands, market changes, regulatory compliance requirements and even pandemics, as Covid-19 has demonstrated.
BRM, therefore, is aimed at ensuring that organisations have and maintain business resilience, which is the ability to adapt quickly to risks and disruptions, while maintaining key business workflows and safeguarding employees, assets and brand reputation.
Resilience is the foundation for continuity and for mitigating any form of economic disruption at a business, regional, national or global level. Managing it, however, can involve complex tasks, depending on the size and nature of the business.
As a comprehensive approach to risk management, BRM goes beyond just business continuity management and disaster recovery. It aligns all protective disciplines to achieve the goal of resilience. BRM not only includes business continuity, crisis management, crisis response and IT service continuity, but adds testing of resilience plans, simulation of crises and their impacts, education of impacted teams and, crucially, the gathering of ideas for continuous improvement.
BRM is therefore a cross-functional and inter-disciplinary approach involving risk, business and security professionals. This includes reputation management, the ability to respond to growth opportunities, communications during a crisis, and post-disruption improvement strategies for avoiding downtime, reducing IT and physical security vulnerabilities, improving fraud control, and maintaining business operations in the face of unexpected disruptions in future.
Start with risk management
Resilience, continuity and risk management are all closely related. They work together to protect businesses from disruption. But risk management should always be the starting point to identify potential risks and then create controls to manage them.
However, risk management does not eliminate risk altogether: some residual risk always remains. Risk management therefore needs to be complemented by business continuity management, so that the organisation plans for contingencies, such as alternative suppliers of goods and services.
Business continuity management, in turn, covers the contingencies that were foreseen, but not every disruption can be foreseen. This is where BRM really comes into play, because resilience is about building in the flexibility that enables organisations to respond and adapt to unexpected circumstances.
Business resilience is important
Business resilience matters to any business because, without it, few businesses are able to recover from unexpected disruptions or to adapt fast enough to sudden changes in market demand or regulatory requirements.
Business resilience can make the difference between survival and failure, so it should be high on any business agenda. A resilient business is far better placed to survive disruptions than one that has not prepared for them.
But achieving business resilience requires careful planning to ensure that business models are flexible enough to adapt to market and other changes, and that ICT continuity is assured. This includes business continuity planning and management, as well as disaster recovery planning, both based on a comprehensive risk assessment and a business impact analysis (BIA) that identifies which processes are critical and how long they can tolerate being unavailable. The BIA is a key element of a comprehensive approach to BRM.
Business resilience planning could also include skills development and training because a shortage of skilled workers poses a risk to resilience if an organisation does not have people with the right skills to produce their product/service or adapt production when circumstances change.
Ensure organisational flexibility and avoid silos
A rigid organisation that cannot adapt flexibly will face challenges in any crisis. Traditional organisational structures, non-transparent communication, poorly funded IT, a lack of digitisation and rigid management processes are all obstacles to business resilience in a crisis.
Instead, ensure that employees and managers are able to act in any situation, communication is clear, there is an honest feedback culture, IT is focused on resilience, employees are trained to be resilient, processes are all digital, employees can act independently, and micromanagement is avoided.
It is also important to make all the necessary organisational changes without delay to get rid of silos, integrate IT and the business, and plan comprehensively to build a culture of resilience. If IT, supply chain management, cyber security and other stakeholders work in isolation, there is a risk of failure. Plan instead to work in cross-divisional teams to prepare for a crisis.
Next, ensure that IT fully understands what keeps the business running, so that there is deeper alignment of business and IT, and technology investments focus on resilience, collaboration and self-service. Plan for a crisis in a comprehensive way and adapt the business model, financing, business processes and IT operations to be more resilient.
Also plan for how the business will run during a crisis. Draw up an IT emergency plan and set up an incident command structure to ensure everyone knows their role and responsibilities in various crisis scenarios. Education and training are essential, and regular testing of crisis business continuity plans should not be overlooked.
Understand business dependence on IT
Every organisation needs to assess and understand the degree to which its business operations depend on IT, because the greater the dependence, the greater the importance of IT resilience to overall business resilience.
Cyber resilience is a core element of business resilience. While dependence on IT will vary from one organisation to another, the general trend towards digital transformation and increasing reliance of organisations on IT for critical business functions and data means that for most organisations, IT resilience is becoming the cornerstone of business resilience.
In the wake of the Covid-19 crisis, this dependence will only increase as organisations seek to become more digital. Without IT resilience, therefore, few businesses would be able to maintain critical business functions during and after disruptions caused by natural disasters, fires, disease outbreaks, terrorist-related incidents and cyber attacks.
Cyber supply chain risk management
IT resilience is crucial to business resilience, as shown by the Covid-19 pandemic, which has also highlighted the importance of cyber supply chain risk management (C-SCRM).
The business impact of suppliers being unable to deliver physical goods is well understood, and most businesses have plans to manage the risk of supply chain disruptions. However, many organisations underestimate cyber supply chain risks.
As businesses become increasingly digital, they need to put as much effort into managing the risks of their cyber supply chain as they do their traditional supply chain because failure to do so could lead to potentially crippling production downtime.
Given the complexity of supply chain risk management and the increasing sophistication of cyber attacks, now is the time to make C-SCRM a key component of any BRM strategy. In practice this means agreeing cyber security standards with suppliers, adding cyber suppliers (cloud hosting, SaaS, payment and communications providers) to existing supply chain monitoring, conducting regular risk checks, mapping which business processes depend on which suppliers, and drawing up contingency measures and processes to deal with disruptions.
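The dependency mapping described in the last two sections (understanding how far business processes depend on IT, and adding cyber suppliers to supply chain monitoring) can be made concrete in code. The following is an added example, not part of the original article and not any vendor's tool. It models constructed, hypothetical processes, internal IT services and external suppliers (every name is invented), then computes the blast radius of losing each supplier, flags services with no alternative supplier as single points of failure, and ranks suppliers by the BIA criticality weight of the processes they can take down. The weights and the dependency data are assumptions for illustration only.

```python
"""Cyber supply chain dependency analysis (constructed example).

Business processes depend on internal IT services, which in turn are provided
by external (cyber) suppliers. Given that map, work out what breaks if a
supplier becomes unavailable, and which services have no contingency supplier.
"""

# Constructed sample data: every process, service and supplier name below is
# hypothetical and exists only to illustrate the analysis.

# business process -> internal IT services it cannot run without
PROCESS_DEPS = {
    "order-fulfilment": {"web-shop", "payments", "warehouse-mgmt"},
    "customer-support": {"ticketing", "email"},
    "payroll": {"hr-system", "email"},
}

# internal IT service -> external suppliers able to provide it.
# A service with more than one supplier has a contingency option.
SERVICE_SUPPLIERS = {
    "web-shop": {"CloudHost-A"},
    "payments": {"PayGateway-1", "PayGateway-2"},
    "warehouse-mgmt": {"CloudHost-A"},
    "ticketing": {"SaaS-Desk"},
    "email": {"MailProvider-X"},
    "hr-system": {"HR-SaaS"},
}

# Assumed criticality weight per process, as a business impact analysis
# would assign (higher = more damaging when unavailable).
PROCESS_WEIGHT = {"order-fulfilment": 10, "customer-support": 4, "payroll": 6}


def single_points_of_failure(service_suppliers=SERVICE_SUPPLIERS):
    """Services served by exactly one supplier: no alternative exists."""
    return sorted(s for s, sup in service_suppliers.items() if len(sup) == 1)


def affected_services(supplier, service_suppliers=SERVICE_SUPPLIERS):
    """Services that stop working if `supplier` is unavailable.

    A service survives the outage if at least one other supplier can
    provide it, which is exactly the contingency planning the article
    recommends."""
    return {
        s
        for s, sup in service_suppliers.items()
        if supplier in sup and not (sup - {supplier})
    }


def blast_radius(supplier, process_deps=PROCESS_DEPS,
                 service_suppliers=SERVICE_SUPPLIERS):
    """Business processes disrupted by the loss of `supplier`."""
    down = affected_services(supplier, service_suppliers)
    return sorted(p for p, needs in process_deps.items() if needs & down)


def supplier_risk_ranking(process_deps=PROCESS_DEPS,
                          service_suppliers=SERVICE_SUPPLIERS,
                          weights=PROCESS_WEIGHT):
    """Rank suppliers by the total criticality weight of the processes
    each one can take down. Ties are broken alphabetically."""
    suppliers = set().union(*service_suppliers.values())
    scores = {
        sup: sum(weights[p] for p in blast_radius(sup, process_deps,
                                                  service_suppliers))
        for sup in suppliers
    }
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    print("Single points of failure:", single_points_of_failure())
    for supplier, score in supplier_risk_ranking():
        print(f"{supplier:15} impact={score:3}  disrupts={blast_radius(supplier)}")
```

Run as a script, the ranking shows that the hypothetical CloudHost-A and MailProvider-X each carry the highest impact, while the payment gateways score zero because the second gateway is an alternative supplier. Feeding a real supplier inventory and BIA weights into the same structure is the "regular risk check" the article calls for, and a service appearing in the single-points-of-failure list is a concrete prompt to plan an alternative supplier.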
Consider appointing a business resilience manager
Every business needs business resilience, but whether a company needs a dedicated business resilience manager depends largely on the nature of the business, organisational flexibility to adapt to disruptions, and the overall risk any potential disruption could pose. However, regardless of the title of the person tasked with responsibility for business resilience, they must have the power and authority to act. Without the necessary power and authority, resilience cannot be guaranteed.
Where the nature of the business is particularly sensitive to disruptions of any kind, such as companies that are based on high-speed, high-volume transactions, a dedicated and empowered business resilience manager is essential, regardless of the size of the company, because any disruption would be extremely costly and potentially fatal to the business.
Where the impact of disruptions to the business is not especially high, whether the company is large or small, responsibility for business resilience can be assigned to the CIO, CISO or whatever senior role in the company has the required overview of both the business and IT operations. These roles could be expanded to include the comprehensive and standardised management of all processes to identify and mitigate the full range of risks that could disrupt business operations.
The coronavirus pandemic has underlined the importance of business resilience and the value of business resilience management. Only through the comprehensive and standardised management of all processes to identify and mitigate risk can businesses ensure they are in the best possible position to sustain operations through unexpected disruptions and beyond.
Although disruption due to pandemics is rare, other causes of disruption, such as cyber attacks, are increasingly common and only likely to grow as businesses become more digital. Business resilience is essential, especially as organisations become more dependent on cyber supply chains.
Business resilience is directly linked to survival of the business in the short term as well as the long term, and therefore should be integrated with the long-term sustainability plans for any business.
Investment in building a business resilience capability should be about more than just surviving disruptions and long-term sustainability, however. Through standardisation of BRM best practices and potential certification, businesses could not only improve the efficiency and flexibility of their operations, and thereby ensure good corporate governance, but could also use BRM as a market differentiator.