Analyst Chat #46: Business Resilience Management Part II


Warwick Ashford and Matthias Reinwarth talk about business resilience again, focusing on cyber supply chain risk management.

Welcome to the KuppingerCole Analyst Chat. I'm your host. My name is Matthias Reinwarth. I'm an analyst and advisor at KuppingerCole Analysts. My guest today is again, and for very good reason, Warwick Ashford. He is a senior analyst and works with KuppingerCole Analysts from London. I work from London. Great to have you back, and welcome to this second episode in a series of episodes about the topic of business resilience management. We had an episode about that a few weeks ago, and we want to continue to look at this interesting topic because we have not yet covered all of the most important aspects that you have also been working on quite recently. As a short recap, what is business resilience management, in a nutshell?
It is a framework, really an approach that's aimed at ensuring that organizations have business resilience, which is the ability to adapt quickly to risks and disruptions while maintaining the key business workflows and safeguarding employees, assets and brand reputation. So resiliency is the foundation for continuity and for mitigating against any form of economic disruption.
Right. So last time we talked about, first of all, what kind of risks we should prepare for and how an organization can go in that direction by applying risk analysis and risk management, and we've also looked at IT risk and IT resilience in relation to business resilience. And maybe we can start there again for this episode as well, because more and more organizations are actually acquiring digital services and their infrastructure when it comes to IT as a service. So what role should cyber supply chain risk management play in business resilience?
It's a very important aspect of that. As you say, Matthias, the business impact of suppliers being unable to deliver physical goods is well understood. It typically results in production downtime and shortages of processed or manufactured goods, and to avoid these consequences, most businesses have a program in place to manage the risk of supply chain disruptions. But most organizations underestimate cyber supply chain risks, even though cyber incidents can happen every day, anywhere in the cyber supply chain. So as businesses become increasingly digital, they need to put as much effort into managing the risks of their cyber supply chain as they do their traditional supply chain, because if they don't do so, that could lead to potentially crippling production downtime. So as you said, considering how increasingly dependent organizations are becoming on IT services such as software as a service and IT supporting and delivering services, and the increasing risks to the cyber supply chain in the form of cyber attacks and other things, the need for cyber supply chain risk management to me is clear.
So this is also an aspect that organizations should look at, and again apply a diligent risk analysis of how dependent they are on IT which is provided in a digital form. So when you manage your risks more or less adequately, I hope so, is there then still a need for preparing if something happens? So is there still a need for disaster recovery afterwards?
Business resilience management goes beyond disaster recovery, but nevertheless includes disaster recovery. As we discussed last time, an organization that is not able to recover from a disruptive incident can't be described as being resilient. So disaster recovery includes data and system backup and recovery capabilities. Therefore disaster recovery is an essential part of business resilience management, like risk management, incident response management and business continuity management. The need for disaster recovery will never go away. Instead, these must all be recognized as essential elements of an overarching business resilience capability that needs to be managed in a standardized and coordinated way.
Understood. So if we look at this very business-oriented, very security- and resilience-oriented topic, when we look at more emerging technologies, so if we think of IoT and AI, I think many organizations do not yet have a full grip on providing resilience there. And on the other hand, can IoT and AI play a role in business resilience as well?
You're absolutely right. I mean, on the one hand, it's a risk, and on the other hand, it's an opportunity. So it's important for all organizations to recognize how much IoT and AI they're using and then identify the potential risks to business resilience those technologies introduce. But then on the other hand, IoT and AI represent an increasing opportunity to improve information, communication, and coordination across protective teams to improve overall business resilience. So two parts: it can increase the risk, but it can help manage the business resilience side of things. So these need to be balanced and taken into consideration.
Okay, great. Thank you. If we then have a final look at organizations: you've mentioned that this is a huge organizational effort that needs to be achieved. It might require changes to the underlying organization, be it the real organization or a virtual project organization on top of that. But in general, where is the topic of resilience and resilience management best located in an organization?
Oh, business resilience spans the entire organization. Therefore I think it's a board-level topic. It follows that the role assigned responsibility and accountability for business resilience management should have direct or indirect board-level representation, depending on how sensitive the business is to disruption. So where the sensitivity to disruption is relatively low, business resilience managers would report to board-level CEOs or CSOs, but where the sensitivity to disruption is high, either the business resilience manager should have board-level representation or responsibility for business resilience should reside with a board-level CIO or CSO, right?
I would fully agree, because if you think of business resilience management being the means of continuing work and continuing to achieve the business goals, these business goals are something that are defined and enforced, of course, by the board, by the CIO or the CSO, when it comes to defining how to be able to continue work in different types of crisis. So now that we know where this business resilience management is located or should be located, who will do the job? Who is qualified as a resilience manager? Is there such a thing as a resilience manager?
Yes. In some organizations, there is a named role. And as I said earlier, in other organizations it's something that comes under the CIO or CSO. The important thing is that whoever is tasked with business resilience needs to have a thorough and preferably long-term understanding of the business, the particular business, the business model, and importantly, as we discussed last time, the IT requirements to support it. In addition to business and IT knowledge, business resilience managers must have experience and skills in risk management, strategic thinking, and communicating with members of the board. And experience in disaster recovery, compliance and business continuity, even facility management, information security and emergency planning, all of these would be an advantage.
Okay. That is a really challenging job description that you just mentioned. Where will they come from?
Well, as I said, a thorough understanding of the business is essential, so ideally business resilience managers, or people tasked with that role, should come from the organization itself. They should know how the organization works and the IT that's needed to support it. So I think therefore organizations should draw up plans that include training and mentorship of employees with the necessary skills and experience of working in several departments within the organization, so that they'll be able to take over the role where necessary, either permanently or temporarily in a crisis, or when the current business resilience manager is not available.
Okay. So we've talked a lot about business resilience management as a corporate challenge. We've talked about what it looks like in the organization, how risk management takes place, how it comes into play, what the organization should look like. I think that many organizations have learned the hard way that corporate resilience is important. I assume that this will also be increasing and that more organizations will have to invest heavily in achieving that resilience, especially when they failed at one or the other point with the COVID-19 crisis.
You're absolutely right. I mean, as we've discussed, as businesses become more digital and the consequences of cyber attacks and other disruptions have increased, the importance of corporate resilience has grown enormously. And increased accountability through compliance with a growing number of industry regulations is also likely to continue to drive the importance of corporate resilience as a key part of corporate governance, which is based on the principles of accountability, fairness, transparency, assurance, leadership, and stakeholder management. So I think with the trend towards digitalization set to continue, corporate resilience was always likely to become increasingly important, but the whole COVID-19 pandemic has underlined both the importance of resilience and the dependence of business on digital technologies and infrastructure. So as a result, I think most organizations are likely to focus on resilience in the post-pandemic era, because so many underestimated or even failed to consider the impact of something like COVID-19. So therefore there is likely to be greater investment, I think, in corporate resilience in future, with more organizations introducing the role of business resilience manager, or, where that role already exists, I think it is likely to grow in importance and power, and where a separate role is not introduced, specific responsibility for business resilience is likely to be added to the CSO, CIO or even the IT manager or other similar roles.
Right. And I think if business resilience management is executed adequately, like cyber security, like IT resilience, identifying the right controls, identifying the right measures will always be something that helps in more than one potential risk scenario that organizations have to look at. So if organizations do that with a bigger picture of how they are relying on infrastructure, on people, on services, on the supply chain, they can then handle more than one type of potential risk that can influence business operations. So I think doing business resilience right is a key challenge for many organizations, and that involves all the disciplines that we've mentioned before, including cyber security. Warwick, what is available at our website? When we look at business resilience management, is there more for the audience to find there?
Yes. As I think you've mentioned previously, if they just search for business resilience management, they will find all the research that we've done there. And there is also quite a lot of this in the master classes around dealing with a pandemic crisis, anything to do with risk management. So they are all closely related and there is a lot.
Right. And if there are really current challenges that focus on the areas of cybersecurity or business resilience management, then please feel free to get in touch with us at info at KuppingerCole dot com or with Warwick and me. So if the audience is interested in learning more here, please get in touch. We really want to continue that conversation also with you. So thanks again, Warwick, for being my guest here today for this follow-up session on business resilience management. Any final words to add from your side?
I would say that business resiliency is directly linked to the survival of a business in the short term and in the long term, and therefore it should be integrated with the long-term sustainability plans for any business. And I'm very excited about this topic because I think it's just something that we should be talking about more and organizations should be looking at more, because there are so many benefits.
Okay, great. Thank you very much again for that. Thank you for being my guest today. I'm looking forward to having another episode soon with you together, and maybe even around that same topic, because there's much more to talk about here. But for the time being, thank you very much, Warwick. Always. Thanks, Matthias. Bye. Thanks. Bye. Bye.
