Business Resilience Management
Business Resilience is the ability to adapt quickly to risks and disruptions, while maintaining key business workflows and safeguarding employees, assets, and brand reputation. Business Resilience Management is key to business survival in the face of rapidly changing IT, cyber threat, and regulatory environments.
Principles of Business Resilience Management
Business Resilience Management (BRM) is the comprehensive and standardized management of all processes to identify and mitigate risks that threaten an organization. These risks include disruptions to ICT Continuity, cyber attacks, consumer demands, market changes, and regulatory compliance requirements, which are all increasing due to globalization and market demand for 24x7 service.
BRM, therefore, is aimed at ensuring that organizations have Business Resilience, which is the ability to adapt quickly to risks and disruptions, while maintaining key business workflows and safeguarding employees, assets, and brand reputation. Simply put, business resilience is the ability to operate a business under difficult and uncertain conditions.
The most common risks faced by organizations today include IT system or service failures due to cyber-attacks, human error, equipment failure, sabotage, and power failures, in addition to the traditional risks such as fires, floods, economic and financial uncertainty, terror attacks, and epidemics or pandemics such as Covid-19.
Resilience is the capacity to recover quickly from adversity or difficulty and return to a normal state. Resiliency, therefore, is the foundation for continuity and mitigating against any form of economic disruption at a business, regional, national, or global level.
However, resilience can require complex management tasks, depending on the size and nature of the business.
As a comprehensive approach to Risk Management, BRM goes beyond Business Continuity Management and Disaster Recovery to align all protective disciplines to achieve the goal of resilience, and has 5 essential building blocks as detailed in the figure below.
BRM, therefore, is a cross-functional and inter-disciplinary approach involving risk, business, and security professionals. This includes:
- Reputation Management
- The ability to respond to growth opportunities
- Communications during a crisis
- Post-disruption improvement strategies for avoiding downtime, reducing IT and physical security vulnerabilities, improving fraud control, and maintaining business operations in the face of unexpected disruptions in future
Having an effective Business Resilience Management capability means an organization has the processes in place to identify physical, economic, cyber and other risks, put controls in place to reduce those risks, and, where these fail to eliminate risk, have the flexibility and processes in place to adapt to any change in conditions so that normal business operations can continue with little or no impact.
If we take distributed denial of service (DDoS) attacks as an example, an organization with an effective BRM capability would have the processes in place to:
- Identify the risk of DDoS attacks
- Set up contracts with DDoS protection companies
- Implement the means to detect a DDoS attack
- Invoke the pre-arranged DDoS protection in the event of an attack
- Communicate an attack and its impact (if any) to all stakeholders
- Investigate how the DDoS attack was carried out
- Reduce vulnerability to similar attacks in future
The Differences Between Resilience, Continuity, and Risk Management
Resilience, continuity, and risk management are all closely related and work together to protect businesses from disruption.
As discussed above, Resilience is about dealing well with adversity through adapting to new or changing conditions, continuity is about preventing or minimizing the impact of adversity on the normal state of operations, and risk management is about identifying, assessing, and controlling threats to the normal state of operations.
Risk Management should always be the starting point to identify potential risks and then create controls to manage them. Risks come from a range of sources, including natural disasters, accidents, financial uncertainties, legal liabilities, and technology issues, which include cyber-attacks.
Risk Management, however, does not necessarily eliminate risks altogether. Therefore, risk management needs to be complemented by Business Continuity Management to ensure organizations plan for contingencies, such as planning alternative suppliers of goods and services.
Business Continuity Management, however, does not necessarily eliminate risks altogether, and therefore needs to be complemented by Business Resilience Management. Resilience is about building in flexibility that enables organizations to respond and adapt to unexpected circumstances, such as adopting alternative ways of ordering from normal or backup suppliers if normal channels/methods are not available.
Business Resilience management, therefore, is about ensuring that an organization is not affected adversely by a changing environment and can adapt quickly to working in new ways if required.
Read more about risk management in a blog post on 3 Steps to Improve Your Cybersecurity with Enterprise Risk Management by Christopher Schuetze, Cybersecurity Practice Director and Lead Analyst at KuppingerCole.
What Business Resilience Means for Your Organization
Business resilience is extremely important to any business because without it, few businesses are likely to be able to recover from unexpected disruptions or adapt fast enough to sudden changes in market demand or regulatory requirements.
A Matter of Survival
Business resilience can make the difference between business survival and failure, and therefore should be high on any business agenda. Only by achieving resilience, can a business be assured of surviving disruptions caused by natural disasters, attacks due to cyber crime and cyber terrorism, supply chain failure, technology failure, and compliance failure.
Achieving business resilience, however, requires careful business resilience planning to ensure that business models are flexible enough to adapt to market changes and other changes, and that ICT continuity is assured.
This includes Business Continuity planning and management as well as disaster recovery planning based on a comprehensive risk assessment in the form of a business impact analysis (BIA), which is a key element of a comprehensive approach to BRM as shown below.
Business Resilience planning could also include skills development and training because a shortage of skilled workers poses a risk to resilience if an organization does not have people with the right skills to produce their product/service or adapt production when circumstances change.
The Main Risk Factors for Any Company
The main risk factors for any company are pandemics and epidemics, political unrest and war, severe weather, and cyber attacks or hacker attacks. However, of these, cyber attacks have the highest level of probability and the greatest potential impact at a corporate and even regional and global level, and can even combine with other risks, as we have seen in the Covid-19 pandemic. To find out more about this topic, listen to this analyst chat about how to avoid becoming a phishing victim during the pandemic. The impact of cyber attacks is also increasing as attacks by nation states or those supported by nation state level development capabilities become more common and destructive in nature, capable of disabling access to systems and data or even destroying IT infrastructure.
While the Covid-19 crisis has shown that pandemics can also have a high level of impact locally, regionally, and globally, they are much less likely than cyber attacks. At the same time, the likelihood of cyber attack is set to increase even further as businesses become more digital, and therefore more vulnerable to cyber attack. For digital businesses, cyber attacks are a major risk because failure to recover quickly could cause total business failure, strongly underlining the urgent need for a joint Business Impact Analysis to ensure Business Continuity and Cybersecurity teams fully understand the risks and align technology, policy, processes and people to ensure those risks are addressed. For some ideas on how to do that, listen to an analyst chat about protecting your organization against ransomware or key topics for cybersecurity in the times of crisis.
Taken altogether, it is clear that organizations must ensure that efforts to secure IT operations are closely aligned with efforts to maintain/restore IT operations in the event of a cyber attack, focusing on Risk Management, resilience and recovery of IT systems and networks, and contingency planning for varying degrees of IT failure. To achieve this, there needs to be a fresh, collaborative approach to Business Continuity and Cyber Security to limit the impact of cyber attacks on business operations and achieve the common goals of resilience and recovery. KuppingerCole Principal Analyst Martin Kuppinger discusses the topic in the video: Why BCM/BCRM and Cybersecurity must converge.
How to Ensure Business Resilience
Ensuring business resilience essentially boils down to the three phases of preparation, execution, and recovery. All three stages require careful planning and exercising beforehand. The more effort that is put in ahead of a crisis, the greater the chance of achieving business resiliency.
Preparing for a Crisis
A rigid organization that cannot adapt flexibly will face challenges in any crisis. Traditional organizational structures, non-transparent communication, poorly funded IT, a lack of digitalization, and rigid management processes are all obstacles to business resilience in a crisis. Instead, ensure that employees and managers are able to act in any situation, communication is clear, there is an honest feedback culture, IT is focused on resilience, employees are trained to be resilient, processes are all digital, employees can act independently, and micromanagement is avoided.
It is therefore important to make all the necessary organizational changes without delay to get rid of silos, integrate IT and the business, and plan comprehensively to build a culture of resilience.
Getting rid of silos is very important. If IT, supply chain management, cybersecurity and other stakeholders work in isolation, there is a risk of failure. Plan instead to work in cross-divisional teams to prepare for a crisis. Next, ensure that IT fully understands what keeps the business running so there is deeper alignment of business and IT, and technology investments focus on resilience, collaboration, and self-service.
Plan for a crisis in a comprehensive way and adapt the business model, financing, business processes and IT operations to be more resilient. Also plan for how the business will run during a crisis. Draw up an IT emergency plan and set up an Incident Command Structure to ensure everyone knows their role and responsibilities in various crisis scenarios. Crucially, run regular exercises in which these plans are put into action. This not only ensures everyone knows exactly what they need to do in a crisis, it also helps to identify any flaws or uncertainties in the crisis business continuity plan so that these can be resolved before there is a real crisis.
Education and training are essential, and should not be overlooked. KuppingerCole Analyst Annie Bailey explains how to set up Business Continuity and Business Resilience planning, and provides guidance in a webcast entitled: Managing a Crisis: Prepare for weathering the next storm to come. Listen to this analyst chat for more information on how to efficiently identify and rate your investments in Cybersecurity.
Surviving a Crisis
It is when a crisis hits that organizations will discover and appreciate the true value of careful planning and rehearsal of business resilience plans. Designate an individual (with backups) to activate the plan and ensure the relevant crisis organization team leaders are notified.
In all too many organizations, even if they get around to drawing up crisis business continuity plans as part of a Business Resilience Management initiative, these plans remain on a shelf gathering dust. When a crisis hits, even if someone knows of the existence of a plan and how to access it, nobody will know exactly what they need to do, and they are likely to encounter problems when they discover that the plan is out of date.
The main aim of this phase is to keep the business operating as near to normal as possible despite adverse conditions, and having an up-to-date and well-rehearsed plan is crucial to success. This phase is essentially about executing the plans designed to keep the business alive in a variety of different crisis situations.
In the survival phase, it is important to:
- Activate and follow the crisis business continuity plan, including:
  - Activation of the crisis organization teams for key departments.
  - Clear communications with all stakeholders.
  - Activation of the business continuity plan.
  - Activation of the IT continuity plan.
  - Activation of the cybersecurity incident response plan.
  - Activation of the supply chain management plan.
- Conduct a proper risk assessment before taking any unplanned actions.
- Ensure that all regulatory requirements are still being met.
- Ensure that all cyber security processes are being followed.
- Carefully select technologies such as VDI rather than relying on employee-owned devices.
During the crisis phase, it is important to avoid:
- Panic at all costs – keep a clear mind.
- Rushing into any new contingencies not contained in existing crisis plans.
- Trusting any recommendations blindly – consider options carefully and do a risk assessment.
- Trying to create a virtual office – instead let employees focus on essential tasks.
- Adding VPNs if none exist already – invest instead in more modern cloud-based options, applying the principles of Zero Trust.
- Over investing – try to use existing or low-cost collaboration and communication solutions.
- Overlooking the human factor – keep stakeholders informed and educate them where necessary to deal with the current crisis.
For some guidelines on best practices for small businesses that may not have a continuity plan, see this blog post on the don'ts of IT in times of crisis and this blog post on the Top 5 Work from Home Cybersecurity Recommendations for Enterprises.
Recovering From a Crisis
Business Resilience Management (BRM) goes beyond disaster recovery, but nevertheless includes disaster recovery. An organization that is not able to recover from a disruptive incident or disaster could not be described as resilient. An important part of recovery is not only restoring business operations to normal, but also identifying lessons learned and new opportunities to protect against a similar crisis in future and to put the business in the best possible position to thrive amid uncertainty.
Disaster Recovery is Essential: Disaster Recovery (DR) is the ability to recover from an incident, event, or change in circumstances that has a negative impact on normal business operations, and the goal of DR is to enable an organization to resume normal business operations as soon as possible.
Disaster recovery often includes regaining the use of critical IT systems and infrastructure and typically requires data and system backup and recovery capabilities, and an established and rehearsed disaster recovery plan. DR plans specify recovery goals and outline how the organization will respond when an incident occurs. In addition to a list of key personnel and contact information, DR plans typically include step-by-step instructions to follow in various scenarios, outlining for example, details of recovery sites, a list of software and systems to use, details of what third party services to contact, procedures for communicating with affected stakeholders, a summary of insurance cover, and guidelines for dealing with legal and financial issues. Disaster Recovery, therefore, is an essential part of BRM.
An all-too-common use of disaster recovery nowadays is recovering from ransomware attacks. A typical disaster recovery plan will include processes for identifying affected systems, communicating with affected stakeholders, switching to backup systems, restoring normal business operations, and rebuilding affected systems.
Like Risk Management, Incident Response Management and Business Continuity Management, the need for Disaster Recovery will never go away. Instead, these must all be recognized as essential elements of an overarching Business Resilience capability that needs to be managed in a standardized and coordinated way.
In all these elements of BCM, it is important that the human factor is not overlooked. Ensuring that employees are prepared and educated on how to respond in a crisis situation is essential to the success of each of these elements and ultimately to the overall business resilience capability of any organization. Matthias Reinwarth, lead advisor and senior analyst, discusses the topic of the human factor in security in a short video entitled The wrong click: it can happen to anyone. The topic is also explored in this whitepaper on the dark side of the API economy.
As mentioned earlier, recovery should include preparing for future growth by identifying ways in which the business needs to adapt to guard against a recurrence of past crises as well as find new revenue streams and opportunities for growth in a new and changing business environment. A crisis should always be considered to be an opportunity for a business to reinvent itself, reassess the market conditions, review investments, and reorganize the business to achieve new goals.
How IT Resilience Relates to Business Resilience
It is extremely important for every organization to assess and understand the degree to which their business operations depend on IT because the greater the dependency, the greater the importance of IT resilience to overall business resilience. Learn how to reduce the impact of cyber attacks in the following advisory note: Business Continuity in the age of Cyber Attacks.
A Question of Dependency
Cyber resiliency is a core element of business resilience.
While dependency on IT will vary from one organization to another, the general trend towards digital transformation and increasing reliance of organizations on IT for critical business functions and data means that for most organizations, IT resilience is becoming the cornerstone of business resilience.
Learn about boosting IT resilience in a blog post entitled: The Next Best Thing After "Secure by Design". In the wake of the Covid-19 pandemic crisis, this dependence will accelerate as organizations seek to become more digital. Without IT resilience, therefore, few businesses would be able to maintain critical business functions during and after a disruption caused by natural disasters, fires, disease outbreaks, terrorist-related incidents, and cyber attacks. IT resilience is therefore crucial to business resilience.
The Role of IoT and AI in Business Resilience
The role of internet-connected devices or the Internet of Things and artificial intelligence (AI) within business operations is growing, driven by the ability of these technologies to enable new services and revenue streams, improve business efficiency, and provide better customer service.
As the dependence of business operations on IoT and AI grows, it is important to identify the potential risk to business resilience these technologies introduce.
Organizations need to ensure that their business impact analysis and risk assessment processes identify how IoT and AI impact business operations.
Similarly, cyber security and disaster recovery processes need to be updated to include IoT and AI systems to protect them as much as possible from disruption and recover them as quickly as possible in the event of a disruption or failure.
This further underlines the value of cyber security, disaster recovery and other protective disciplines working together under a comprehensive Business Resilience Management framework.
While IoT and AI represent an increasing potential attack surface for cyber criminals, they also represent an opportunity to improve information, communication, and coordination across protective teams to improve overall business resilience.
The Importance of C-SCRM to Business Resilience
The business impact of suppliers being unable to deliver physical goods is well understood, typically resulting in production downtime and shortages of processed or manufactured goods.
To avoid these consequences, most businesses have a program in place to manage the risk of supply chain disruptions.
But most organizations underestimate cyber supply chain risks, even though cyber incidents can happen every day, anywhere in a supply chain.
KuppingerCole Co-Founder & Management Board Member Joerg Resch discusses this topic in the blog post: Why C-SCRM is becoming so essential for your digital business.
This topic is explored even further in a panel discussion on managing Cyber Supply Chain Risks and achieving Digital Business Resilience.
As businesses become increasingly digital, they need to put as much effort into managing the risks of their cyber supply chain as they do their traditional supply chain because failure to do so could lead to potentially crippling production downtime.
Considering how increasingly dependent organizations are becoming on IT services (such as SaaS) and IT support in delivering services (such as installed software) on the one hand, and the increasing risks to the cyber supply chain in the form of cyber attacks on the other, the need for Cyber Supply Chain Risk Management (C-SCRM) is clear.
Given the complex supply chain risk management challenges and the increasing sophistication of cyber attacks, now is the time to add C-SCRM as a key component of any Business Resilience Management strategy.
This can be done by agreeing cyber security standards for suppliers, adding cyber suppliers to existing supply chain monitoring, conducting regular risk checks, agreeing co-regulatory measures based on NIST SP 800-161 and ISO 27036 and 28000 standards, and drawing up contingency measures and processes to deal with disruptions.
Risk analysis and impact mitigation controls can significantly reduce the impact of a failure or incident in the cyber supply chain.
Does My Company Need a Business Resilience Manager?
Every business needs business resilience, but whether or not a company needs a dedicated Business Resilience Manager, depends largely on the nature of the business, organizational flexibility to adapt to disruptions, and the overall risk any potential disruption could pose.
The Right Power and Authority
Regardless of the title of the person tasked with responsibility for business resilience, they must have the power and authority to act. Without the necessary power and authority, resilience cannot be guaranteed.
Where the nature of the business is particularly sensitive to disruptions of any kind, such as companies that are based on high-speed, high-volume transactions, a dedicated and empowered Business Resilience Manager is essential, regardless of the size of the company, because any disruption would be extremely costly and potentially fatal to the business. The need for a Business Resilience Manager, therefore, is not related to the size of a company.
Where the impact of disruptions to the business is not especially high, whether the company is large or small, responsibility for business resilience can be assigned to the CIO, CISO or whatever senior role in the company has the required overview of both the business and IT operations.
These roles could be expanded to include the comprehensive and standardized management of all processes to identify and mitigate the full range of risks that could potentially disrupt business operations.
Where Responsibility for Business Resilience Should Reside
Business Resilience spans the entire organization and is therefore a board-level topic.
It follows that the role assigned responsibility and accountability for Business Resilience Management should have direct or at least indirect board-level representation, depending on how sensitive the business is to disruption.
Where sensitivity to disruption is relatively low, Business Resilience managers would report to board-level CIOs and CISOs.
However, where sensitivity to disruption is high, either the Business Resilience manager should have board level representation or responsibility for Business Resilience should reside with a board-level CIO or CISO.
Essential Skills of a Business Resilience Manager
Anyone tasked with the role of Business Resilience Manager first and foremost needs to be someone who has a thorough and preferably long-term understanding of the business, the business model, and the IT requirements to support it.
In addition to business and IT knowledge, resilience managers must have experience and skills in risk management, strategic thinking, and communicating with members of the board.
Experience in disaster recovery, compliance, business continuity, facility management, information security, and emergency planning would also be an advantage.
Where to Find Future Resilience Managers
Ideally, Business Resilience Managers should come from the organization itself due to the requirement of having a deep and long-term understanding of the business, how it works, and the IT needed to support it.
Therefore, organizations should draw up succession plans that include training and mentorship for employees with the necessary skills and experience of working in several departments within the organization who will be able to take over this role when necessary, either permanently or temporarily in a crisis if the current business resilience manager is not available.
The Importance of Corporate Resilience in Future
As businesses have become increasingly digital and the consequences of cyber attacks and other ICT disruptions have increased, the importance of corporate resilience has grown proportionately.
Need for Corporate Resilience Set to Grow
Increased accountability through compliance with a growing number of industry regulations is also likely to continue to drive the importance of corporate resilience as a key part of corporate governance, which is based on the principles of accountability, fairness, transparency, assurance, leadership and stakeholder management.
With the trend towards digitalization set to continue, corporate resilience was always likely to become increasingly important.
However, the Covid-19 pandemic has strongly underlined both the importance of resilience and the dependence of business on digital technologies and infrastructure.
As a result, more organizations are likely to focus on resilience in the post-pandemic era because so many underestimated or even failed to consider the impact of something like Covid-19.
Therefore, there is likely to be greater investment in corporate resilience in future, with more organizations introducing the role of Business Resilience Manager.
Where this role exists already, it is likely to grow in importance and power, and where a separate role is not introduced, specific responsibility for business resilience is likely to be added to the CISO, CIO, IT manager or other similar roles.
The Covid-19 pandemic has underlined the importance of Business Resilience and the value of Business Resilience Management.
Only through the comprehensive and standardized management of all processes to identify and mitigate risk can businesses ensure they are in the best possible position to sustain operations through unexpected disruptions and beyond.
A Key Market Differentiator
To learn about what actions can be taken to handle the current pandemic crisis and bolster business resilience in the future, attend the KC Master Class: Business Resilience Management in a Pandemic Crisis.
While disruption due to pandemics is rare, other causes of disruption, like cyber attacks, are increasingly common and only likely to grow as businesses become more digital.
Business resilience is essential, especially as businesses become more dependent on cyber supply chains.
Business resilience is directly linked to survival of the business in the short-term as well as the long-term, and therefore should be integrated with long-term sustainability plans for any business.
Investment in building a Business Resilience capability, however, should be about more than just surviving disruptions and long-term sustainability.
Through standardization of Business Resilience Management best practices and potential certification, businesses could not only improve the efficiency and flexibility of business operations, and thereby ensure good corporate governance, but could also use BRM as a market differentiator.