What is Business Resilience Planning?
Crisis management and business continuity planning is something that your organization may have engaged with quarterly or even annually pre-pandemic, but it is likely to have become significantly more active since then. Before settling back into complacency, thinking that one “black swan” event is all your organization will ever endure- think again. Crisis management and business continuity leaders are busy preparing for simultaneous natural disasters, widespread power or technology outages, civil or political unrest, and all other manner of large-scale disruption. A major consideration is that of convergence- the possibility that disaster events could overlap. Owen puts forth three questions to consider regarding your organization’s risk management position1:
- What if the digital infrastructure breaks down during a disaster?
- What key infrastructure redundancies should be in place to address aggregate compounding disaster events and ensure resilient enterprise operations?
- Can remote workers perform their work as multiple disaster events occur simultaneously?
To prepare for the unimaginable, consider these key concepts1 when implementing continuity risk management, crisis management, and business resumption plans:
No panicking. Cultivate a flexible and resilient culture that is cool and prepared in the face of commotion.
Meet regularly. Incident response and crisis management teams should meet often to reflect and plan for the future.
Mapping. Update the business impact analysis to note the physical locations of resources.
Third-parties. Evaluate the organization’s relationships with third-party providers.
Make The Plan. Have a crisis management plan that clearly defines the process of managing incidents.
Remote work. Ensure that employees can access everything that they need from home, including access to The Plan.
Review. Evaluate how crisis command centers have responded to the pandemic and note shortcomings.
Supply planning. Evaluate supply chains weaknesses and plan alternatives.
Resilience. Objectively assess the organization’s resiliency.
Plan for the remote workers. Ensure than planning accounts for the portion of employees who may continue to work remotely.
Those concepts address the development of business resiliency generally, but what do organizations need in order to ensure that their IT is also resilient? Here is an IT resilience approach in six stages2:
- Protect the IT system. Secure the system and take steps to identify and mitigate risks including physical risks, electronic risks, technical failures, infrastructure failures, and human error.
- Detection. Implement monitoring solutions to identity and address IT outages.
- Remediation. Have a remediation plan to make sure that data can still provide critical services during outages.
- Rescue. Returning critical services to pre-disturbance levels quickly and efficiently.
- Analysis. Continually assess the system, learning from past disturbances.
- Updating the resilience approach. Achieve IT resilience by collecting information from the previous stages and applying it to strengthen the system.
Proactive planning for business resilience and IT resilience will be rewarded with less loss, less disruption, and less uncertainty, no matter what compounding disasters befall us in the future.
1 Owen, 2021, Risk Management, “Lessons for Business Resilience Planning”
2 Ivancevich, 2020, Internal Auditing, “Information Technology Resilience and the Internal Audit Role”