Cayuse Blog

Untangling the Web of Business Continuity Management

Written by Cayuse | Jul 27, 2023 2:39:05 PM

Unpredictability is just that – unpredictable. The unknown can be costly, hurtful, and debilitating. Wars, pandemics, shortages, and weather are just a few examples of the damaging events that businesses find themselves facing. Survival after such events, however, isn’t guaranteed.

Recovery within a business is a hidden requirement, often with overlooked details or elements until necessity dictates otherwise. The integrity of your company’s cybersecurity and operational resilience program is dependent upon a plan of preparedness and resilience because the most unpredictable disaster is the one you aren’t fully ready to overcome. 

Planning for Resilience and Continuity

An Operational Resilience (OR) or Business Continuity Management (BCM) Program gives businesses a perspective on threat and risk factors. Creating disruptions that can be detrimental to a company allows for essential planning for the hidden and unknown.

In recent months, the media has been highlighting the importance of BCM in business. In December 2021, Open Access BPO shared a powerful infographic titled ‘The Cost of Not Having a Business Continuity Plan (BCP)’, highlighting the difference between assuring resilience (BCM) and the development and measurement of resilience (BCP). 

In its simplest form, BCM combines discovery and strategy with planning and testing. Providing an initial foundation for determining a company’s threat-risk matrix (both internal and external), OR aids in deciphering a plan of defense and strategies to use for recovery when threats become a reality. Managing this:  

  • Leads to OR planning and validations that meet regulatory and business requirements
  • Sustains the organization’s stated mission and goals 
  • Provides the actual methodologies and framework for responding to a threat 
  • Enables continued business practices during an adverse event 
  • Matures organizational resilience toward recovering from an event 

In his blog, Stephen Watts of BMC explains that ‘often coming after IT security, quality management, and environmental management, the Disaster Recovery Preparedness Council recently announced that continuity and recovery are seen by more than ¾ of organizations worldwide as a second thought. A detrimental move, according to many experts and studies, following a disaster, 75% of organizations without a BCM in place fail in 3 years.’

The management of an effective BCM/OR program empowers businesses with the ability to defend, manage, and resume operations following an unplanned breach, outage, or natural event. By effectively and efficiently applying better practices to implement and mature their program, organizations are more than just investing in an insurance policy for something that may or may not happen. They are investing in their own future via new technologies, upgrades, and implementations.  

An OR Program goes beyond ‘busy-work’ and document maintenance. It is a view into an organization’s culture, change processes, and prioritizations. Driven by the mission and goals of the organization, it creates a perspective through a threat/risk matrix, and provides strategic insights for improving:

 

The Importance of OR

As BCM programs continue to become more complex in gathering improved data and interfacing regularly with senior management, insights and information become available. This helps to drive big data decisions regarding where the organization is versus where it might leverage itself for better opportunities. Remaining competitive within today’s fast-paced market is paramount to staying in business. When adversity strikes, it goes beyond the immediate issues caused. Customers, vendors, stakeholders, employees, data, property, intelligence, and trade secrets are at risk of being compromised.

A solid OR initiative collects and processes the data with the goal of recovery. As executives consider crisis situations, they generally think about ‘negative impact’ questions such as: 

  • What is at risk?  
  • What is being lost hourly, daily, weekly?  
  • What are the threats that can be realized? 

Because OR programs take a proactively pessimistic approach, most of these reactive questions are already answered. In fact, due to this proactive state, the process goes beyond responding, recovering, and restoring and involves a robust program where internal and external relationships are formed and enriched. This results in building trust, raising awareness, enhancing cross-training, and gathering metrics via the monitoring of vital systems, processes, data, and team member insights. 

Often, a singular focus limits an OR program and thus an organization, resulting in application malfunctions or system shutdowns. Seldom in a disaster recovery (DR) situation is the OR program robustly pursuing broader aspects of the business, in large part due to a lack of executive involvement and insight. Typical recovery aspects rightly concentrate on questions and concerns such as:

  • How will we manage the impacted business units to avoid morale decline and rumors, knowledge and IP departures, layoffs, and other adversities?  
  • What messages will be crafted to inform shareholders, regulators, the public, third parties, and employees of the events as they unfold?  
  • Who will gather the assessments needed to know what infrastructure was damaged, what is physically recoverable, and what has to go through reclamation?  
  • Is there a way to manage events so that technology upgrades are leveraged? 

There are many areas OR programs influence as they mature, build trust, and gain respect, particularly as broad data and key organizational knowledge brokers improve and augment both strategic and tactical approaches to the mission and goals of the organization. These might include: securing the recovery network, back-up restorations, system and application builds, system administrator validations, end-user usage, and production environment revival.

Resilience is Unique

There are multiple strategies when implementing an OR Program. Just as each organization is unique, each OR program must be unique to fit and capture cultures and capabilities. The tried-and-true basics of assessing current state, strategizing on possible mitigation solutions, creating plans to deal with the known (and unknown) issues, and verifying and validating that recovery is possible remain a valid and necessary path for practitioners.

Aiming for a higher mark with your OR program requires guidance from your executives in breaking down existing silos within the traditionally focused BCM practices (including Crisis Management, Emergency Response, Business Continuity, and Disaster Recovery). To re-think and re-imagine what OR is and what it can become is to deliver at a higher level: driving better data points and metrics, providing more thorough analysis, and ultimately delivering a more robust and integrated safety-net.

Proactive measures produce results that drive change for the better across and beyond the organization’s current circles of influence.