Irrespective of size or nature of the business, every enterprise is exposed to ever changing threats that could disrupt its business. According to Forbes report 2019, the top five global risks in terms of likelihood are;
- Extreme weather conditions
- Failure of climate change mitigation and adaptation
- Natural disasters
- Data fraud or theft
- Cyber attacks
In addition, there are several other threats that organisations are exposed to. Technology failures, terrorism, supply chain failures and rapid spread of infectious diseases are some of the high impact emerging threats that organisations should be aware of.
It is a common understanding that the randomness of these harsh or destructive threats is much higher today, than a decade ago. Furthermore, there is also a certain degree of denial that the harsh disruptions will not happen any time soon, and that they can remain ‘safe’. Staying in denial is the worst obstacle to tackling the issues and threats. They fail to understand the big picture as they are engrossed in their day-to-day activities. It is often seen that these business leaders down-play the consequences of materialisation of the threat.
However, there are others who think more rationally and with a strategic vision. They attempt to understand the threats and the risks that are associated with them. They take the right action to diminish the impact or measures to reduce the frequency or scale of occurrence. They are committed to continue their business activity. They want to protect their businesses, safeguard their people and assets, when the worst happens.
The closed mind-set or the inability to see the holistic picture by the leaders, could put their businesses into serious danger. This is called the ‘blind spot syndrome’.
Blind spot #1: Relying on the trouble-free past
When things are smooth everyone is happy. It is human nature to think that tomorrow is an extension of today. If today is good, why not tomorrow? History has shown that many business leaders are blindsided by apparent risks around – may be political, natural disasters, people related, cyber threats, etc. There is no preparation for any of the unforeseen events. People are not trained and the senior leadership refuses to accept the evolving threat landscape. They lack the vision to see beyond the obvious and have conveniently grown to be complacent.
Blind spot #2: Lack of governance and a structured framework
There are organisations which have thought of business continuity and the function is delegated to a middle level officer to manage. The continuity of business and incident response readiness are at the bottom of the leadership priority list. Most often, the person who is assigned for business continuity has had no training in the discipline of business continuity. The leadership focus is mainly on audit compliance.
This is a very dangerous situation. Most often they presume that the business continuity templates can be downloaded from the internet. In my experience such a template may never be ‘fit-for-purpose’. This is a crisis waiting to happen!
The implementation of business continuity is hugely different to adopting some accounting or IT system. It is a people centric discipline that must be developed according to the nature of the business, the organisation culture and its maturity. I have seen several organisations having bits and pieces of business continuity but lack the holistic approach.
The ISO 22301 Business Continuity Management (BCM) standard defines “BCM as a holistic management process that identifies potential threats to an organisation and the impacts to business operations those threats if realised might cause and which provides a framework for organisational resilience…”
It is often observed that the essential components such as a leadership commitment, business continuity policy, business impact analysis, threat analysis, etc. are missing. There is no evidence of collaboration, teamwork and reciprocity in building the business continuity management system and practices. It is apparent that if an unexpected event or a disaster happens, the ability to cope with it and recover from the situation will be a hard or impossible.
Blind spot #3: The processes that contribute to the delivery of key products and services are not understood
If any organisation tries to protect its business from disruptive events, firstly, it should know what processes and activities must be given more importance and protect them. Called ‘Business Impact Analysis (BIA), it is a scientific analysis- both qualitative and quantitative, to predict the consequences of disruption of a business function. This helps in determining the point in time that functions should be up and running. It is the tool for prioritising business activities for recovery. It also helps in knowing what the interdependencies are and if any of the processes or activities are outsourced, how the service level agreements should be calibrated.
Not knowing such information is like playing a guessing game. Operating in the dark, the repercussions are severe and may cause irreversible damage,
Blind spot #4: Threats and risks are not properly assessed
All threats, especially those associated with the prioritised business functions have to be understood and addressed. Due to lack of awareness and understanding, some organisations have no idea what could happen to the business and people, if these risks are manifested.
The probability and impact associated with these threats must be evaluated in assessing the risks. These should be mitigated and closely monitored. This is an essential step in business continuity management. Some industries such as banking, financial services, manufacturing, IT service providers, airlines, hospitals, utility services should pay greater attention to this aspect. Any outage or disruption to services they offer, will have plenty of irritated customers and loss of customer confidence!
The leadership team then should prioritise the organisational needs and identify risks inherent to continuity of business to address accordingly. Strictly speaking, the risk information has to be effectively transformed into action by applying appropriate control measures. Not adhering to such analytical approach is a risk by itself.
Blind spot #5: Lack of clarity in business continuity roles and responsibilities
Lack of role clarity in the implementation and management of Business Continuity Management is very common even in larger organisations. Also, it is seen that the staff is overburdened with conflicting roles, resulting in the loss of overall effectiveness.
The roles and responsibilities, in the implementation of business continuity arrangements may differ according to the organisation. The roles and responsibilities may also be combined or distributed. The ultimate accountability for continuity of business, however, must rest with the directors and the chief executive. The implementation and operation of the Business Continuity Management system is usually delegated to a senior manager, who will organise the roles among other staff, to ensure incident readiness and response/recovery capability is established and people are trained. In medium to large size organisations, the use of ‘RACI charts’ (Responsible, Accountable, Consulted & Informed) is recommended. Here, the roles are mapped to responsibilities, tasks or deliverables, as implementing and maintenance of business continuity involve cross functional personnel.
The lack of business continuity role clarity therefore leads to confusion, communication gaps, uncovered accountability, loss of critical staff, etc. This is a blind spot that organisations should pay attention to.
Blind spot #6: People are not trained properly in incident response and business continuity
The competency and capability of those directly and indirectly involved with all aspects of business continuity is vital. A single untrained staff member will be the weakest link in the chain and when it is necessary to respond to an incident or fix a critical business processes, the organisation’s expectations will never be achieved. We have seen many instances, even some of the senior managers are totally unaware of the existence of a business continuity program in the organisation. This is another case of pushing the responsibility of employee training, down to the bottom of the list of priorities.
In general, business decisions are evaluated using a simple equation: value – cost = benefit. However, some leaders tend to focus only on the cost, which is called the ‘tunnel vision’ to drive the results. A recent Harvard Business Review article titled ‘why highly efficient leaders fail’ highlights the necessity to constantly look at things holistically.
We commonly hear excuses from the senior management why staff is not trained. Budget constraints, staff shortages, operational priorities, etc. are frequent justifications, but looking holistically from the organisational objectives’ standpoint, it can be proven incorrect. It may be more costly to the organisation, when things go wrong due to incompetence or inefficiency!
Effective leaders focus on the goal of embedding business continuity to become a part of business-as-usual across the entire organisation. Skills and competencies of its people are developed at all levels on a need-based approach. People are encouraged to share their knowledge among colleagues and they are the healthy signs of learning organisations.
As Jack Welch, former CEO General Electric, said: “An organisation’s ability to learn, and translate that learning into action rapidly, is the ultimate competitive advantage.”
Blind spot #7: Business continuity plans are rarely validated
As the Boy Scouts’ motto says, ‘be prepared’. Similarly, in Business Continuity Management, being prepared is the key. Here again, the common main reason is that it is not a priority. Day-to-day operations are more important. The business continuity plans and arrangements are often allowed to stagnate and be dated. They become ‘un-fit’ for the purpose the plans were built.
This is exactly the same as caring for our health and well-being. Despite so much of literature, public awareness campaigns, free-yoga classes, how many of us are really keen to consistently exercise to remain healthy and fit? We all now the dire consequences of not regularly exercising!
Business continuity management exercising and testing to validate the plans and arrangements is the same. Those organisations who systematically schedule exercising and testing, can soon find out the weaknesses in the plans or other continuity arrangements. It will help them to better align the arrangements for effective and efficient incident response and recovery. It will help to ensure that all dependencies including IT can work in a harmonised manner and the credibility of the business continuity plans can be established. The response and recovery roles/responsibilities/authorities become clear with better awareness.
Another valuable benefit in exercising and testing is that it provides critical hands-on exposure and training for those responsible for business continuity or crisis management. It helps to understand as to how the organisation responds or recovers from incidents, when the primary person responsible is unavailable.
Repeated and frequent exercising and testing is the key reach higher levels of reliability and operational excellence. As the famous Greek philosopher and thinker, Aristotle said, “We are what we repeatedly do. Excellence, is not an act, but a habit.”
Blind spot #8: Critical suppliers and outsourcing partners not included in the business continuity plan
Frequently, I have seen business continuity plans and arrangements are only inward focussed and the vendors or suppliers are not incorporated into planning. In a world on inter-connectivity, practically every organisation or business focusses only on what they are good at also called core-competencies, and other processes or activities are outsourced. Outsourcing, is the use of a third-party to perform some process or activity or supply a product or a service on a continuing basis
For example, many banks outsource activities such as, IT application development, contact centre activity, ATM cash collection and replenishment, etc. to external parties. Other organisations also commonly outsource less strategic processes such as pay-roll, logistics and warehousing, physical security services, housekeeping and janitorial services, etc. It makes sense to the business due its cost-benefit ratio and focus on the delivery of their key products and services. However, any disruption or outage of the outsourced services will have a chain reaction and could even impact the mission-critical business processes, thus affecting the customer services. The damage will not only be financial but more importantly, the reputational harm.
Therefore, the service level agreements must be carefully calibrated to ensure uninterrupted supply of services and the organisation is not impacted due to issues at the service provider or suppliers end. The good practice is to have a summary of vendor details and service delivery timelines in the organisation’s business continuity plan document.
Effective business continuity management is establishing governance principles and policies for protecting key products and services and to remain resilient when disruption or disaster happen. They should be well documented with least jargon, giving emphasis to all of the above blind-spots, and the documents should be regularly updated.
The business continuity policy should be shared with every staff member and a culture of business resilience should be built. These proven and tested actions could help in preventing organisations, ‘sleep walking’ into unwarranted crisis, disruptions or disaster.
(The writer, MBA, AFBCI, CISA, CGEIT, MIoD, Managing Director – ContinuityNZ Ltd., is an international expert in business continuity and information security. He will be in Sri Lanka shortly to conduct two training workshops on business continuity and an accredited Information Security – Lead Auditor course – ISO 27001. He can be contacted on firstname.lastname@example.org)