Risk and Business Continuity: My thoughts

Risk mitigation and business continuity are gaining more significance in today’s volatile geopolitical environment. This reality applies across all industries, companies of all sizes, and even in our personal lives. We have become so dependent on services that we often believe nothing can seriously disrupt us. On a personal level, it’s essential to remember the importance of 72-hour preparedness. For more information, visit this link or in Finnish this link.

Here are a few thoughts based on my more than 10 years of experience in risk management, business continuity, and exception management. I hope these provide some food for thought.

Firstly, preparedness and all that it entails must be taken seriously. To me, risk management and business continuity merge into one concept: Readiness. We must understand that certain events, although they seem improbable now, can severely impact businesses. Consider the unexpected nature of events like COVID-19, volcanic eruptions, the cutting of data cables in the Baltic Sea, or the Russian invasion of Ukraine.

I believe everyone agrees on the importance of managing risks and business continuity. However, it’s crucial to allocate time and resources to these efforts. This is not merely a topic for discussion in meetings; it requires concrete actions such as planning, working, and training. Without these actions, risk management remains just words on paper.

Investing in preparedness can be seen as process development. A well-planned risk management process identifies bottlenecks and areas that need enhancement. This feeds into developing a more robust and efficient way of working, leading to cost-effective simplification.

One key factor is that you cannot prepare in silos. Large companies often have multiple silos due to their structure, with the majority of KPIs and metrics typically handled unit by unit. Recognizing and addressing this is essential. Strong cross-functional cooperation is needed even when there are no disturbances. Well-designed and executed risk and business continuity management breaks silos and brings together key stakeholders, creating a natural way of working and distributing best practices across the company.

Transparency within the company and towards customers is crucial. Open and real-time communication about how risks are managed and how services are provided in case of disruption is vital. A good way to show commitment to solid services is by following standards like ISO 27001, ISO 30001, and ISO 22301. Even without the certificates, following these guidelines is a significant step forward, making it easier to eventually obtain the certification if you decide to do so. And naturally, if a major disturbance occurs, transparent communication is even more important.

Continuous improvement is a key pillar in all processes. When a process is established, always consider how it can be improved. This doesn’t mean constant changes in the management system, resulting in endless slides and meetings. Small, continuous corrections are beneficial, and lean principles are highly applicable. Customization is essential as different businesses and services have unique needs, despite the same principles and guidelines.

Learning, improving, and training keep the process and actions alive. Plans that sit unused in a folder for years become useless. As time, organizations, and the world change rapidly, we need to keep pace. Regular updates and training highlight areas needing improvement, whether they are tools, roles, or responsibilities. This brings us back to the importance of resource and time allocation.

Finally, look beyond your organization. Cooperation with officials, customers, and other companies can provide new ideas and insights on how to prepare for changes. At Posti, where I work, we are designated as an organization vital for the security of supply. This means we must operate under any circumstances, whether it’s a major power failure, large ICT failure, or conflict. It has been a privilege to be involved in discussions on how to increase our resilience. Even though companies are competitors, sharing ideas on handling large national emergencies is crucial. This doesn’t reveal any company secrets but builds contacts, networks, and a common approach in national emergencies. This is a part of the Finnish method of comprehensive security.

Overall, risk and business continuity should not be seen as separate processes lingering somewhere in the organization. They should be integrated into everything we do. This approach not only addresses risks but also breaks silos, increases cost efficiency through simplification, and fosters learning and networking.

This text turned out “a little bit” longer than I planned, but passion can do that. If you have any comments or ideas, please do not hesitate to contact me.

Jarmo Ainasoja, Head of Risk Management and Business Continuity, Posti Group

Antti Teppo

Project Manager @ JAMK/JYVSECTEC | Coaching Leader | Cybersecurity Enthusiast | AI & Data Analytics | Wellbeing

7 months

It is never-ending and so important work
