THE SIGNIFICANCE OF BCM IN THESE TURBULENT TIMES

Building Capabilities & Enhancing Resiliency

Abstract

In these turbulent times, business continuity management is no longer a “nice to have” part of a company’s overall strategy. Rather, it has become an integral component of that strategy.

Junaid Ahmad Enayatullah-BC Manager

Introduction

Global dependency on digital systems, intensified by Covid-19, has altered societies. At the same time, cyber security threats are growing. In 2020, malware and ransomware attacks increased by 358% and 435% respectively, as per the Global Perception Survey (GRPs) done by the World Economic Forum 2022.

The level of disruption the COVID-19 pandemic brought is unprecedented in the modern era; however, the multitude of disruptions and risks facing organisations continues to evolve. A single container ship blocking the critical Suez Canal severely disrupted global supply chains. Cyber-attacks and fires caused major outages at data centres, US fuel pipelines and operational installations. Horrific train collisions occurred in Egypt, Japan and Mexico. All of these highlight the need for response and recovery planning.

We are all now acutely aware that an incident can have major repercussions and little, or no, warning. Being prepared to keep critical processes running during an incident is a must.

Threats are evolving.

Companies today face several potential threats to their business continuity, both internal and external. Nearly one in five businesses suffer a major disruption every year. Coordinating the operations of various facilities spread across different geographical regions, adjusting to changing international trade regimes and regulations, anticipating the impacts of natural disasters on business operations, and managing dynamic global supply chains are just a few of the challenges faced by organizations.

According to the latest 2022 MSP Threat Report by ConnectWise, two out of three midsize businesses have suffered a ransomware attack in the last 18 months. This reveals the almost epidemic level that ransomware attacks have reached in the wild.

Over 70% of the global business leaders participating in PwC’s Global Crisis Survey 2021 stated that their organisation has been negatively impacted by the pandemic.

Why is there a need to prepare?

The frequent disruptions to the operations of businesses worldwide due to civil unrest, natural disasters and other events mean that unless companies have a failsafe disaster management plan in place, it will be difficult for them to tide over a crisis that strikes in sudden and unanticipated ways.

Any disruption, however caused, constitutes a strategic risk and may damage our ability to operate, thereby undermining the good reputation we have worked so tirelessly to create. Take the current coronavirus pandemic. It has posed an unprecedented challenge to the business and health sectors on a global scale. In just a few short months, the Covid-19 outbreak has disrupted trade, healthcare systems, commerce and supply chains. The virus has already revealed how unprepared some businesses are to respond to a pandemic. It has brought the travel industry to its knees and wiped trillions of dollars from stock markets worldwide. In response to the Covid-19 crisis, some organizations are already adapting and innovating by shifting their business models.

On a global scale, a new study finds that when organizations paid a ransom to get their data decrypted, they ended up doubling their recovery costs (US$750,000 in recovery costs versus US$375,000 for organizations that used backups to get data back).

According to the 2022 Verizon Data Breach Incident Report, 82% of breaches are caused by attack vectors that involve human error. This includes social engineering attacks, phishing, spear phishing, errors, and misuse/transgressions.

According to Statista, 94% of companies that experience severe data loss never recover, and SMBs are 10x more likely to be hit with a data breach than larger organizations. While it is critical to have a backup solution to protect against data loss, 58% of SMBs have no backup plan for M365.

48% of survey respondents from the region, compared to the global average of 30% in the PwC Global Crisis Survey 2021, say they have paid significant attention to building organisational resilience and have already identified parts of their business in need of improvement in this respect.

What is the solution?

Given the threats that businesses are exposed to and the cost of recovery without planning, it becomes obvious that there is a desperate need to prepare to address the threat. The questions to be asked then are ‘what does preparation mean?’ and ‘how to prepare?’

Preparedness, as we see from the definitions provided, is the state of being ready. It is concerned with putting in place the capabilities to be able to respond adequately in the face of an unforeseen threat or disruption.

Preparedness planning, on the other hand, provides for the ability to respond to a number of potential threats.

Preparedness, as you can see, requires a different mindset and a different level of expertise to adequately implement. And it is this space that business continuity occupies. This is because business continuity planning is concerned with what happens after the risk materializes. Recovery, by definition, assumes that there is something to recover from. Related functions such as technology / disaster recovery and crisis management are similarly focused on the strategies and procedures for responding to an event that has already transpired.

And that is why we can see that key resilience concepts such as Crisis Management (CM) and Business Continuity Planning (BCP) have evolved and have now been actively embraced by most organisations. Recent years have made clear, however, the need to adopt and integrate additional resilience disciplines.

What is BCM?

At its core, Business Continuity Management is a set of policies, processes and plans designed to ensure that an organisation can maintain critical operations during a disruption. BCM proactive measures are put into place prior to a disruption based on an organisation’s risk appetite and the potential threats it faces, to safeguard operations and brand reputation.

BCM has evolved from the 1970s as a technical and operational risk response to disruptions, contributing to OR safeguarding stakeholders’ interests.

Business Continuity Management is the “holistic management process that identifies potential threats to an organization and the impact those threats, if realized, can cause on business operations, and provides a framework for building organizational resilience with the capability of an effective response that safeguards the interests of key interested parties, reputation, brand and value-creating activities”.

BCM is related to knowledge management and dynamic capabilities, enhancing organizational performance during crises.

Significance of BCM

Having a business continuity plan is significant. The absence of preparation means the entity is ill prepared to address pressing issues. These risks can leave an entity flat-footed and can lead to other significant problems.

The survival rate of a business without a business continuity plan is less than 10%. Another study conducted by the University of Texas stated that not more than 6% of organizations that have faced catastrophic data loss have managed to survive, and around 43% of companies never reopened.

Having a robust business continuity plan will not only help avoid panic and uncertainty in a crisis, but also prove to stakeholders that our business is resilient enough to handle any unforeseen challenge.

Successful companies view BCM as much more than just a way to recover from a significant incident. They view business continuity as a way to anticipate changing conditions, adapt to those changes and, more importantly, to thrive. In other words, they become more resilient. This is indeed the aspect that we are talking about when we mention the need for business continuity management.

In these turbulent times, business continuity management is no longer a “nice to have” part of a company’s overall strategy. Rather, it has become an integral component of that strategy.

Under the Umbrella of Business Continuity

Business Continuity

Business Continuity revolves around a firm’s business processes. It takes into account the day-to-day operations and all that is involved in running and recovering them.

Emergency Management

Emergency Management deals with human life and safety. It lays out plans and instructions for evacuating a facility promptly and securely.

Disaster Recovery

Disaster Recovery is a technology piece of BCM. It safeguards a firm’s systems and plans for the recapture of infrastructure and technologies.

Crisis Management

Crisis Management is the playbook for managing and communicating during a disaster. It identifies business priorities and how to address them when problems occur and afterwards.

Governance

Governance is the source of strategic oversight and management of BCM. It lists policies and procedures for the program and how to implement each branch.

How to Build the BCM Capabilities

Requirements to Prepare and Build the Capabilities

• BCM capabilities can be developed and increased at every organisation, using proven models and methodologies based on the International Standard for Business Continuity Management ISO 22301:2019.

• Defining, analyzing and documenting the potential risks the Department might face that could disrupt work progress.

• Determining the acceptable minimum level of influence on the Department's functions.

• Finding a mechanism to continuously reduce unacceptable losses and impacts resulting from:

  o Absenteeism of key personnel

  o Damage to / unavailability of key facilities

  o Damage to / unavailability of assets or essential properties / critical and vital records of the department.

  o Loss of / inability to access the organization's information technology, communications and data systems.

  o Interruption of goods and services from internal or external sources in the department’s supply chain.

• Define the minimum services / tasks that must be maintained, and the maximum allowable time to restore the ability to continue those essential services / critical tasks in the event of a work interruption.

• Develop, sustain and implement business response and business continuity plans for essential and prioritized activities. These plans should include management of emergency, crisis, disaster or communications.

• Ensure the ability to sustain and maintain basic and necessary functions and services at pre-determined performance levels, which are commensurate with the magnitude and impact of the outbreak.

• Ensure that employees are trained to effectively perform their roles and responsibilities in managing business continuity for essential / necessary activities / services.

• Conduct regular exercises to ensure the efficiency of the business continuity management plan, and train the staff to practice BCM tasks.

• Updating the risk assessment record, analyzing the impact on the business of the department, planning assumptions for managing business continuity, plans for responding to material changes in the organization and its infrastructure, employees and the operational management site.

Key considerations for building BCM capabilities

In developing BCM capabilities, organisations should integrate various components relating to threat response and recovery and ensure they work holistically. This requires the formation of teams and plans to guide the responses to incidents, recover critical resources and manage impacts on the organisation. Those core components are:

• Emergency response (where physical incidents impact the safety of people and assets)

• Incident management and crisis management (tactical and strategic coordination, decision-making and communications)

• Business recovery (where operations, functions and third party supply are disrupted)

• Technology recovery (where information and communications infrastructure, systems and data are interrupted)

How organisations respond to and recover from disruption should be driven by a robust incident and crisis management capability, complemented by other resilience components, including cyber, third party and operational resilience. These are often brought together under the umbrella of business continuity.

Below are some key considerations for effectively developing the capabilities to prepare for, respond to and recover from disruptive events:

• Planning is crucial to building resiliency. An organization’s best defence is effective business continuity planning.

• Effective business continuity management enables organizations to update, control, and deploy effective plans, accounting for organizational contingencies, capabilities, and business needs.

• A BC plan gives critical recovery staff guidelines on what to do if their normal working processes are affected, providing a comprehensive approach to organizational resilience.

• Testing and exercising are key to validating whether the plan is workable and provides the degree of protection expected.

• Testing the plan using a wide range of potential scenarios helps in building and enhancing the organizational capabilities to deal with surprises.

In addition, there are certain elements that can be taken into consideration when building the capabilities of the organization. They include:

• Strong leadership: Support from executive management and the board is critical;

• Clarity: Underlying plans/documents must be written clearly and take into account the capabilities of team members during a significant business disruption;

• Usability: Plans must be simple, easy to use, and accessible for everybody;

• Business involvement: Business continuity should be business-driven, with the involvement of all functions;

• Beyond IT: Remember that it’s not only about IT – that’s only one piece of a larger puzzle;

• Consider the impact: Focus on the impact of major disruptions – even when it’s difficult to accept the scenario;

• Change management: Prepare your organization to deal with immediate change, impact and action; and

• Practice: Regular simulation of failures and disasters can save your business.

Business Continuity and Resilience

Business Continuity Management (BCM) is the key driver of resilience within organisations and is guided by the global ISO 22301 standard.

Business resilience can be defined as the means by which a business quickly adapts to any disturbances that threaten its existence.

Having business resilience allows a business to predict, prevent, respond to and recover from any unexpected disasters that befall it.

Without business resilience, entities cannot maintain key business workflows and safeguard their employees, assets, and most of all, their brand reputation.

BCM aims to ensure the viability of the organisation by protecting against physical threats to operations as well as threats of a strategic nature. The latter may include, for example, legal or regulatory challenges that put operating licenses at risk, the emergence of disruptive technologies and business models, and pressures relating to sustainability.

Components of Business Resilience

Operational Resilience

Operational resilience refers to a business’s ability to endure and recover from incidents that may result in harm, destruction, or a loss of mission-critical services.

Business Continuity Management

What should organizations focus on to recover from disruption? Business Continuity Management helps a business answer that question. BCM brings a structured approach that enables an organization to identify the key departments and processes to focus on in the event that its building, people, technology, or other such business enablers are unavailable.

Crisis Management

Crisis Management is a key component of Business Resilience. Through its structured approach to incident detection, escalation, emergency response coordination, crisis decision making, and communication, Crisis Management enables businesses to counter threats to the existence of the organization.

IT Disaster Recovery

An IT Disaster Recovery program is the collection of rules and procedures for IT operations that allow business functions to be recovered or continued in case of a severe IT outage.

How Business Continuity Contributes to Building and Improving Resiliency

• BCM plays a vital role in building organizational resilience. An effective business continuity management (BCM) program is a vital part of the strategy to build operational resilience.

• Organizational resilience covers a broader scope of organizational activities and market operations, including supply and distribution chains, investors, brands and customers. This indicates that BCM constitutes an essential part of organizational resilience.

• Business continuity can be tailored to help organizations prepare for any number of disruptions. It is therefore imperative to plan: even if events do not unfold exactly according to our plan, the planning technique will enable us to respond effectively to the crisis.

Best Practices for a successful Business Continuity Management program

1. Embed BCMS competencies and KPIs as part of role requirements and job descriptions

2. Embed BCM KPIs with employee performance management process

3. Embed BCM into employee induction process

4. Integrating ERM and BCM to improve resiliency

5. Plan and prepare for the worst

6. Technology is key for business continuity: Technology gives boards additional leverage during crises by improving information flow, data security, and data analytics.

7. Enhancing Data Security: Data and information are the most significant assets of all modern companies. Mishandling of data can lead to litigation and severe financial consequences. On the other hand, the lack of data and information can disrupt one of the fundamental roles of the board — proper oversight.

8. Integrating, coordinating and aligning with other disciplines such as health and safety and information technology to build effective organizational resilience.

9. Build a network of influential individuals

10. Service Level Agreements: SLAs can be put in place with suppliers to support the selected solutions. Such agreements can offer some assurance that the organization will be notified of any changes in the supply chain to avoid undesirable consequences.

11. Horizon Scanning to monitor and identify potential threats to an organization and consider longer term change and underlying trends.

12. Involve experts in other management disciplines to identify and implement solutions. For example, specialists in ICT, procurement/purchasing and supply, inventory management, and capacity planning may be required to identify and implement solutions that require technical skills beyond those of a business continuity professional.

13. Collaborate with associated disciplines at every stage of the BCM life cycle, e.g., (a) a combined security, business continuity, and health and safety briefing may be more informative and effective than separate briefings; (b) existing emergency routine procedures, for example, fire alarm testing, practice evacuations, or security threat drills, can also be used as a business continuity exercise.

14. Risk management must be integrated across the organization and operational resilience must be closely tied in—especially aligning on risk appetite, risk tolerance and a risk profile.

15. Standardizing the risk matrix for all the relevant functions performing separate risk management activities such as health and safety, Information Technology and Internal Audit

16. Design and conduct challenging exercises and tests using realistic scenarios with participation of critical vendors

17. Linking business continuity exercises with related events such as fire alarm testing, practice evacuations, or security threat drills.

18. Align E-learning across different domains i.e., BCM, Emergency and IT.

19. Plan should be direct, adaptable, concise, and relevant

20. To make the plan focused, specific and easy to use, it should be:

    a. Direct; providing clear, action oriented and time-based direction. It should provide quick access to vital information.

    b. Adaptable; enabling the organization to respond to a wide range of incidents, including those that the organization may not have anticipated.

    c. Concise; containing only guidance, information and tools that are likely to be used by the team in an incident. Anything else is unnecessary.

    d. Relevant; providing information that is current and useful to the team using the plan.

21. Establish an effective maintenance program: To be effective, maintenance activities should be embedded within the organization’s business as usual processes rather than being a separate activity that may be overlooked. Most of the maintenance required will be the result of internal organizational changes. The most effective way of achieving this is to incorporate maintenance activities into the organization’s change management process.

22. Self-assessment: It can be carried out between audits to identify progress against audit recommendations. Self-assessment assumes that an organization has identified objectives and targets against which its business continuity programme can be assessed.

23. Quality assurance is the process of determining whether the outputs from the business continuity programme meet the organization’s requirements and expectations, which may or may not have been formally defined.

    The quality assurance process should be regularly reviewed at pre-agreed intervals or following significant change as defined within the business continuity policy.

24. Performance Appraisal: The performance appraisal process can be undertaken as part of a regular personnel appraisal process, or to review an individual’s performance of their responsibilities in the business continuity programme specifically.


Tips to Improve the BCM performance

• Improving your organization’s BCM program starts with you:

  o Take an inventory of your personal and professional skillsets.

  o Capitalize on your strengths and manage your weaknesses

• Build your team intelligently and thoughtfully:

  o Personal Skillsets

  o Professional Skillsets

  o Measure and Quantify the Skillsets

• Gain management support:

  o Be a picture of credibility

  o Find a champion

  o Know your business

  o Speak in their language

  o Communicate regularly

• Measure and manage

• Metrics are key to:

  o Drive the Control and Feedback

  o Make the Process Objective

  o Setting Improvement Goals

• Align with standards

• Quantify the level of risk

• Build a roadmap to success:

  o Knowing where you want your program to go is critical to its success.

  o Having a roadmap creates urgency, reveals gaps, guides your efforts, and builds your team.

  o The best time to build a roadmap is in the last quarter of the year.

  o In building a roadmap, first gather the necessary information.

  o Follow the steps set forth in the chapter to build your roadmap.

  o Update your roadmap on a regular basis

• Build consistency to ensure quality:

  o Strive to deliver consistent service to your stakeholders at all times.

  o Develop a catalog of the services offered by your department, then devise a consistent approach to delivering each one.

  o Clearly outline from beginning to end how each service should be performed.

  o Quality service is timely, accurate, courteous, responsive, and convenient.

• What constitutes quality service?

  o Timeliness

  o Accuracy

  o Courtesy

  o Responsiveness

  o Completeness

  o Availability

  o Adaptability

  o Personalized Service

  o Convenience

• Focus your time and efforts in the right areas

  o First, focus on criticality

  o Second, focus on strategies and exercises

• Stand up for your program

• Demonstrating value on investment:

  o Cost savings

  o Process efficiencies

  o Regulatory compliance

  o Protecting the organization’s reputation

Things to consider when developing BCM capabilities and enhancing organizational resiliency:

To build a true ability to deliver a business continuity response, the points below could be taken into consideration:

• Emphasize the need for effective business continuity management: BCM must be raised up the agenda to executive and board level. When senior management becomes more involved and can experience the potential outcomes when the organisation is not fully prepared, they quickly understand the value of BCM, making it easier to validate BCM budgets and give it strategic priority.

• Exercise and Workshop: Conducting exercises and workshops at the operational, tactical and strategic levels will help to better prepare organisations for disruption at every step of the BCM life cycle.

• Utilize a Digital Tool: Utilizing a dedicated digital tool for business continuity management – and indeed all integrated elements of operational resilience – is much more effective than relying on spreadsheets and documents. It will help you identify your capabilities based on critical dependencies, verify what needs to be improved and set out a prioritised roadmap for capability development. Being able to quickly create information-rich reports using intuitive displays and dashboards will also help to engage senior management.

• Involve all stakeholders: Business Continuity Management is an ongoing process. Operations, markets and strategies change, as do all the things that can impact them. Therefore, BCM must change with them. The best way to manage this is by involving all stakeholders within the organisation that must collaborate to assure business continuity during an incident. This means holding workshops and exercises to simulate potential incidents, finding out what worked, what didn’t, and what needs to be improved, and assessing real-life failures and success stories and learning from them.

• Look at BCM as an integrated, holistic approach: Although many organisations have BCM programmes in place, they are often unprepared when real incidents occur. This is usually due to a siloed approach and limited integration of the core components outlined above. In many cases it will result from treating BCM as purely a box-ticking requirement instead of an integrated, holistic approach.

• Prepare for the Worst: While preparing for unforeseen events, consider all scenarios and anticipate any type of crisis. The military is a good example of how to prepare for a crisis. The military is prepared and ready to face unexpected events and to make a sudden change in strategy, because the enemy does not act the way we want. In a similar way, we need to focus on building the capacity to absorb change, adjust, respond and recover from all types of crisis.

Conclusion:

While disruptive events are challenging for any organization, sudden and large-scale incidents such as natural disasters, IT outages, pandemics, and cyber-attacks can expose gaps in technology, culture, and organizational resiliency. Even smaller, unexpected events such as water damage to a critical facility or electrical outages can negatively impact the organization if there is no long-term resiliency plan in place.

Start with understanding where we create the most value. Now assess the risks and potential business impacts of a disruption to the ability to create value. Then build plans that are flexible and adaptable to the situation and the resources available, and constantly monitor and assess risks.

Business continuity management is not just about having systems in place for backups and to fall back on. There needs to be a mindset change in the employees who operate these systems, and hence what is needed is the ability to switch to the backup system or the offshore site and resume operations in no time. For this to happen, the workforce must be adequately trained to react swiftly in case of emergencies and load the backup system or rush to the offsite location to ensure uninterrupted service. These abilities call for agility and speed in the workforce, and this can be achieved only through mock drills and procedures that simulate actual disasters.

In conclusion, business continuity management is not just about people or machines but about the combination of the two, which needs to click in the event of an emergency. The best laid plans go to waste if there is no backup hierarchy to manage the continuity program. So, along with the workforce and the systems, astute management and visionary leadership are essentially required.
