This post first appeared on Risk Management Magazine. Read the original article.
The European business climate is rife with potential risks these days. Particularly in the UK, where Brexit has caused a relatively stable country to face polarization, borders are being hardened, corporate domiciles are in flux, and the regulatory environment is becoming more complex. As countries continue to adjust to GDPR and anticipate the looming economic implications of Brexit, these significant changes magnify and exacerbate the spectre of many risks, such as terror attacks, data breaches, supply chain disruptions and extreme weather events. These can pose critical risks in the form of:
- IT services disruption—any disruption affecting access to IT services (IT disaster recovery) or the protection of critical data (cybersecurity).
- Workplace disruption—any disruption of a business entity (like offices, call centers, retail locations, manufacturing plants or warehouses) as well as critical assets like specialized equipment.
- Workforce disruption—any disruption involving personnel that means sufficient, trained and skilled employees are not available. Possible causes may include labor actions, pandemics, or disasters that severely impact public infrastructure.
- Supplier disruption—any disruption to suppliers, service providers, utilities or infrastructure that impedes the flow of goods or services in or out of the business.
While the majority of businesses have already made efforts to develop and test business continuity plans, traditional approaches can be inadequate and ineffective. Plans become stale, risk management and compliance programs are disjointed, and attempting to utilize any of this information prior to or during a disruption can be cumbersome or even unmanageable. In order to achieve true business resilience, organizations need to operationalize the data residing in risk and compliance programs by integrating this information with their business continuity management program. There are three key ways to accomplish this:
Data over documents. In the modern era of always-available services and continuous operations, it is critical to immediately know what and who have been impacted to determine appropriate response and attempt to identify any possible opportunities to reduce the impact of an event immediately. It is important to also be able to draw upon operational business data in a way that allows quick access and analysis in response to an incident. By better integrating existing data sources with purpose-built tools for business continuity and crisis management, organizations can better determine which locations, people and processes are impacted, and respond faster and with greater confidence to resolve a crisis. With a data-oriented perspective, organizations can best establish an information foundation about risks, impacts, resilience, response and recovery activities—both before and during an incident—to enable more strategic decisions about where to invest and what level of resilience is required.
Change your mentality. Cultivating an operational risk mitigation mentality—not just a response and recovery mentality—enables businesses to respond and recover more quickly from a disruptive event. It is not just about having a plan for when something goes wrong—it is also important to know how to minimize the risk and reduce the impacts in advance of a business disruption.
For executives to responsibly address risks and impacts comprehensively, business continuity programs must include a wide range of departments and business functions. For example, both risk managers and information security officers need to be aligned with the overall business continuity program. This is known as operationalizing risk management through a “single pane of glass.”
Risks must be identified, contingencies considered, various scenarios evaluated, and response capabilities established to ensure strategic objectives can be achieved even in the face of disruptions. All parties involved must be on the same page and working from the same data points to achieve the outcomes intended.
A risk mitigation mindset requires examining each type of disruption with broader perspective. This includes, for example, assessing the facilities and locations in which a business operates, such as understanding that a business in the congestion zone of central London might suffer greater impacts from terror attacks or civil unrest, and planning for those potential events accordingly. It also includes seemingly ancillary considerations like data protection, employee safety protocols and dependencies on third-parties, which are all components of a comprehensive strategy to mitigate risks, reduce impacts and ensure timely recovery.
A risk mitigation strategy should go hand-in-hand with the data-supported business continuity management program. Such an approach combines risk management and contingency planning as an essential part of strategic and tactical decision-making, enabling better and more consistent decisions about risk and resilience at all levels of the organization.
Keep the focus on your business, not just compliance. Just as a business continuity plan should not simply be a compilation of documents in a binder or on a server somewhere, neither should it solely be designed to satisfy auditors and comply with regulations. While compliance is necessary, it can represent the bare minimum and may give executives the illusion of meeting their fiduciary responsibility while actually leaving the business poorly prepared to manage an incident or disaster.
The significance and interconnected nature of risks are clearer than ever before, meaning executives can no longer claim that an operational risk could not have been foreseen or that a business impact was unreasonable to assess. To deliver true resilience, business continuity and risk management leaders must implement a data-driven program, take a risk-based approach, and remember that the goal behind all of this effort is ensuring the business can meet all of its commitments even in the face of disruptive events.