Welcome to the KuppingerCole Analyst Chat. I'm your host. My name is Matthias Reinwarth. I'm an analyst and advisor at KuppingerCole Analysts, and my guest today is Warwick Ashford. He's a senior analyst and works with KuppingerCole Analysts from London. Hi Warwick.
Hello from London.
Great to have you again, a long distance podcast episode we want to talk about, and this is the first in a series of various assume two episodes. We want to talk about business resilience management. So we're moving a step back. When we talk about business resilience management, we of course all have been in the situation that many businesses have met challenges with the COVID-19 crisis. And the resilience of many businesses was really challenged. So Warwick, what is business resilience management? Is it preparing for being resilient?
Yes. In a, in a, in a very simple way, my definition would be that it's a comprehensive and standardized management of all the processes to identify and mitigate risks that threaten an organization. So these risks include disruption to ICT continuity, cyber attacks, consumer demands, market changes, regulatory compliance requirements, and all these are increasing all the time because of the globalization and market demand for 24 by seven service. But business resilience management is, is aimed at ensuring organizations, as you said, have business resilience. And this is the ability to adapt quickly to risks and disruptions while maintaining key business workflows and keeping the business running. So resiliency is the foundation for continuity and mitigating against any form of economic disruption at a business, regional, national, or even global, as we've seen with, with COVID-19. However, this can require a complex set of management tasks depending on the size and nature of the business.
But aren't we then bringing together lots of different disciplines that should be in place anyway?
Well, yes, that's, that's the whole point of it. As a comprehensive approach to risk management, business resilience management goes beyond continuity management, disaster recovery, but it aligns all the protective disciplines to achieve the goal of resilience. So it's a cross-functional, interdisciplinary approach involving risk, business and security professionals.
That sounds like not an easy task and an ongoing task to get it. That seems to me like a really, really challenging task, then.
It is, but it's not something that happens by itself in cybersecurity or any other aspect of business operations. It's gotta be planned and managed. So I, that's why I think business resilience management is something that must be on the agenda of most organizations.
You, you mentioned the different disciplines solves or risk management and continuity management and where, where can we draw the line between these disciplines? Is there something that we can really slice up?
Well, not really, because they're all closely related. Resilience, continuity and risk management work together to protect the business from disruption. The starting point should always be risk management to identify the potential risks, and then you can create the controls to manage them, but risk management on its own doesn't eliminate risks altogether. Therefore risk management needs to be complemented by business continuity management to ensure that organizations plan for contingencies, such as planning for alternative suppliers of goods and services. Business continuity management on its own doesn't eliminate all risks altogether either. So therefore we need this concept of business resilience management. Resilience is about building in flexibility that enables organizations to respond and adapt to unexpected circumstances, such as adopting alternative ways of ordering from a normal or backup suppliers if normal channels are not available. Right?
Right. So th th this is really a joint effort that needs to be executed in a coordinated way. So what does business resilience mean then for my organization, for our organization as KuppingerCole and for the organizations of the audience, listening to this part?
Well, business resilience is extremely important to any business because without it, few businesses are able to recover from unexpected disruptions or adapt fast enough to sudden changes in market demand or regulatory requirements. So business resilience can make the difference between business survival and failure. And therefore, again, it should be high on the business agenda. Only by achieving resilience can a business be assured of surviving disruptions caused by natural disasters, attacks due to cyber crime or cyber terrorism, supply chain failure, technology failure, compliance failure. Achieving business resilience requires careful business resilience planning, as we said earlier, to ensure that business models are flexible enough to adapt to market changes and other changes, and that ICT continuity is assured, right?
So that needs to be a structured process for achieving business resilience management and an ongoing effort that is understood also at the board level. I understand. So when an organization that really wants to embark on that trip towards business resilience management, how can my company be prepared for risk? Does that really start with risk analysis?
Well, as, as we said earlier, it's, you know, it starts with the risk analysis and identifying those risks. But I think what any organization has to do beyond that is kind of almost reorganize or look at their structures, because traditional organizational structures and non-transparent communication, poorly funded IT, lack of digitalization, rigid management processes, all these things are obstacles to business resilience in a crisis. So instead you've got to ensure that employees and managers are able to act in any situation, that communication is clear. There's honest feedback culture. IT is focused on resilience. Employees are trained to be resilient. Processes are all digital, and that employees can act independently. Micromanagement is, is a no-no, that's, that's completely out. So it's important to make all the necessary organizational changes to get rid of silos. You need to integrate IT and the business, and you need to plan comprehensively to build a culture of resilience.
Right? So I think a good example that many organizations had to achieve very quickly is restoring communication once the COVID-19 crisis emerged. So many organizations just were not in a position to have all their people working from home. So many organizations, just very, the hard way made the step towards online collaboration platforms like Zoom, like Microsoft Teams, like Skype, whatever, and had no really good working environment, for example, for sharing documents. And that would be something, as I understand you, that would have to be prepared beforehand so that you really have an alternative way of communicating once you're not able to, to move into the office anymore.
Yeah. Well, the, you know, business resilience management is about planning to work in cross-divisional teams. You've got to fully understand that, that how IT and the business work together, and that there's a deeper alignment between business and IT and that the technology investments focus on resilience, collaboration, and self-service. So you've got to plan for a crisis in a comprehensive way and adapt the business model. So as well as the financing and the business processing, so that all operations or IT operations become more resilient. And as you said, you've got to plan for how the business will run during a crisis. So this involves drawing up an IT emergency plan. You can set up an incident command structure to ensure that everybody knows their role and responsibilities in various crisis scenarios, and education and training is essential as well as regular testing so that you know, that your plans are work can, will work.
So we are still struck with the COVID-19 pandemic and different countries are in different situations right now. Not many organizations really planned for a pandemic, although they should have. What are the main risk factors for a company when it comes to such a risk assessment? What are the more probable risks emerging?
Well, as you say, there, there, there are a whole host of risks and most organizations seem to overlook the pandemic, but I mean, there's always political unrest, war, severe weather and cyber attacks or hacker attacks. And, and these are, have the highest level of probability and the greatest potential impact at a corporate and even regional and global level. And they can even combine with other risks as we've seen with COVID-19 pandemic. And so the impact of cyber attacks is also increasing as attacks by nation states or those supported by a nation state level development capabilities become more common and destructive in nature. So while COVID-19 has shown that pandemics can have a high level of impact locally, regionally, and globally, they're much less likely than cyber attacks. At the same time, the likelihood of a cyber attack is set to increase and even, er, even further as businesses become more digital. So therefore they are more vulnerable to cyber attacks. So for digital businesses, cyber attacks are a major risk because failure to recover quickly could cause total business failure, and this strongly underlines the urgent need for joint business impact analysis to ensure business continuity and cyber security teams fully understand the risks and they align the technology and the policy and the processes and the people to address those risks.
So if I understand you correctly is the business resilience is the higher level of resilience management, but with processes becoming more and more digital, IT resilience is a core part of it in that digitalization era.
Yes, absolutely. It's extremely important for every organization to assess and understand the degree to which their business operations depend on IT, because the greater the dependency, the greater the importance of IT resilience to overall business resilience. So cyber resiliency is a core element of business resilience. While dependency on IT will vary from one organization to another, the general trend towards transformation and increasing reliance of organizations on IT for critical business functions means that for most organizations, IT resilience is becoming the cornerstone, if you like, of business resilience.
Right? So if organizations want to take away something from this first episode of this business resilience management track within our podcast, then it's really first understanding that there needs to be a strong business resilience management approach within almost every organization. And so far that we've come right now, IT resilience should be a main starting point to look at. Do you agree?
Yes. You know, do the risk analysis and so on, but I mean, an important part of that is understanding your dependence on IT and addressing that. And I think, I think in the wake of the COVID-19 pandemic, this dependence on IT will accelerate because organizations will seek to become more digital. And so without IT resilience, our businesses won't be able to maintain critical business functions during and after a disruption caused by whatever reason. So yeah, as you say, IT resilience is crucial for business resilience.
Perfect. And that's a perfect summary, also for this first episode. We will follow up on that in an upcoming episode very soon. So for the time being, I would like to recommend our audience, of course, to go to KuppingerCole dot com and just type in business resilience management into our search engine. There's lots of material available there to read more and to understand more, or get in touch with us if you need support. Thank you, Warwick, for being my guest today. And we will follow up on that and I'm looking forward to more aspects of business resilience management. Thank you. Thanks, bye-bye. Bye.