While the Covid-19 crisis is still in full effect, many businesses have mastered the first phase of disruption. Now the time has come to plan for the future, at many levels – financials, business models, product strategies, and more. One of these topics must be Business Continuity & Resilience Management (BCRM), to be better prepared for weathering the next storm to come. And that storm will come, be it the next peak of Covid-19, be it a major natural disaster hitting your business, be it – and that is the one with the highest probability – a severe cyberattack. And everything you do today for BCRM will also help in the current situation.
KuppingerCole Analyst Annie Bailey explains how to set up BCRM planning, what to include, and gives you guidance from practice on various aspects such as risk assessment, business/IT alignment, and improving your cyberattack resilience.
Learn more about Business Resilience Management with the free Analyst Advice from Senior Analyst Warwick Ashford: Business Resilience Management (Crisis Roadmap for Beginners).
We also deliver master classes on timely and relevant technical topics like incident response management, business resilience in a pandemic, access management, and more. These include interactive webinars with analysts exclusively for masterclass participants. You get access to our research library with vendor-independent documents. You receive a certificate for the acquired skills. And as part of the curriculum, you have access to an all-day remote workshop with a final exam, but also with the opportunity to discuss your individual challenges with an analyst. So we encourage you to take a look at the classes we offer and educate yourself a little more. Here are some housekeeping items to get through first, before we dive in: you are muted centrally, and we are controlling these features, so there's no need to mute or unmute yourself. We are recording this webinar and you will have access to that as well; the recording will be made available shortly after the webinar today. We also provide the slide deck, and it will be ready for download soon. We also invite questions. If you do have a question, you can enter it in your GoToWebinar panel and it will be submitted to me, and I'll handle those at the end.
So in this webinar, we'll go through the following topics. We'll first tackle the elements of BCRM, including what constitutes a comprehensive BCRM plan. Then we want to understand the crisis and find some good methods to look at the possibilities, assess your risks, and then understand the business impact. One of the key themes we'll look at today is the importance of aligning your business and IT, also in relation to digital transformation: how does this complicate, and even create the need for, a deeper alignment? And then, to end, we'll look at methods to respond and recover, which really is the cornerstone of resilience. This is important for both business resilience and cyber resilience.
So what is influential on BCRM is of course business continuity management, which is the ability to continue running a business during a crisis. And it comes as a result of resilience, which is the ability to recover quickly. So if a business and its model are resilient, it can bounce back from a sudden shock, like this pandemic, a cyber attack, or other crises. So as you move from your foundation of BCM, business continuity management, you want to make sure that all activities extend from this foundation and integrate the various other disciplines and initiatives that your organization might have. This must be targeted at becoming resilient, from the business model all the way to operations. So remember that resiliency, this ability, is the foundation of continuity. You cannot have continuity if you never get up after you've been knocked down. All of this matters especially in these times, when businesses will be becoming far more digital than they have been before.
And so they become more agile, more able to handle changes quickly, to remain in communication, and to enable such things as remote working. But they also have a higher risk of being exposed to a cyber attack. And so cyber resilience is very important here and now. Cyber resilience then becomes a core element of business resilience, because if you are more exposed to an attack, there's no possible way that your business could continue operating; you've just been hamstrung by it. The next element refers to looking at your business model in the context of what could happen to it, what stress it must be able to endure. And so you want to think of various crisis scenarios, which may have a high probability of happening, hopefully not, but regardless of whether the volcano is going to erupt tomorrow or not, if there's one in your region, you should start considering that possibility. Consider a wide range of scenarios.
How will one particular scenario affect your supply chain, affect your operations, affect demand? Then you can do some emergency planning for that: what would you have to adjust or change to keep going? Given those impacts, you want to get some policies and governance in place, and you also want to be considering that resilient business model: how, and how quickly, could your business model change to adapt to those impacts? So have a couple of outlines in mind for how you could change quickly, what things could be switched out for something else. And then it's important to be on the road to digital transformation. This is very useful in normal days, and it's incredibly important in non-normal days and non-normal times.
So next we have to consider crisis management. You want to be set up with a clear plan in mind of how your organization will look in a crisis. You won't be able to plan this down to a T, but you can be prepared. Part of this preparation comes with how you arrange your management structures, how you define your crisis organization. There will be a need for different roles in the time of a crisis, and people will have to fill those roles. So who is going to do what in a crisis? And if those people who fill the new roles abandon their old roles from normal times, there'll need to be somebody to step in and fill those for them. So you need substitutes and deputies. You also need very clear crisis communication, and this absolutely needs to be set up before a crisis comes into place. There needs to be a clear hierarchy of who checks the information, who delivers the information to whom, and that everything remains congruent and in agreement: there cannot be conflicting statements going out from your company, internally or externally.
So next consider the crisis response. This involves preparation and your reaction, so have some clear planning for each of your divisions: your financials, your supply chain, your HR. This also involves preparation, having again proper management structures and communication in order. You want to have continuous controls for the status of preparedness. These should include indicators for how prepared you are: is your team ready? Do you know who to contact or where your emergency plans are? You should have a partner network for crisis situations; know who to contact and who you can be supporting. And also your supply chain preparedness for continuity: take a good look at your supply chain and see what situations are going to cause your supply chain to become weak or break, or for you in fact to be the weak link in the supply chain. So next consider your IT service continuity. This is very important for digital resilience: if you are a company becoming ever more digitally present and transforming in this direction, taking care of your digital cyber health is very important. Part of this is getting your business and your IT into alignment. So it's really important that both sides of the organization can understand each other and look for ways to support each other.
So you want to do a cyber risk impact analysis to really understand what your cyber risks are and what parts of your business processes could be affected. So you want to build your cyber resilience beyond prevention and on to recovery and resilience. And then you also need to do some fallback planning for your IT outage scenarios, where you may need to work from home, and more.
It's very important to consider the people, and you do this through testing, simulation, and education. So it's all good and well to be prepared and to have plans on paper, but if your team and your employees have never seen that plan before, don't know what to do when it is rolled out, and are in no way mentally prepared, it's going to be rough. Your people are the ones who actually carry out these plans in times of crisis. So it's really important to test these plans, make sure they're going to work, make sure your people understand them and know what to do. It's also good to test them with your processes, to make sure that they can still be carried out from beginning to end and that you're not all of a sudden stuck with a broken process. You can do this with simulation, to train your people but also to better understand the impact. Of course, educate your teams, and your teams are a great place to gather ideas for continuous improvement.
And then we have some to-do lists for BCRM on continuity and resilience. So we need some policy and governance, and this is good for preparation and in operations. Remember that we need a business impact analysis to understand the potential impact of a crisis; that is the starting point for planning. It's good to have the emergency planning already done and in place, ready for adjustment when the time comes. This should be done at all levels. You also should define your crisis organization: who is in what role, and how is the management structure organized? Do your tests and exercises, educate your team, and finally have room for continuous improvement.
So we've already tackled section one, and let's go on to section two for understanding the crisis. We need to define our crisis situations and think beyond a traditional business continuity view. Resilience is a complex management task because it has to anticipate and economically balance the probabilities, costs, and capabilities to act. So here we have an example matrix that an organization could use and adapt to its specific needs and situation. Along the top, you can see potential crises which could hit, and along the left side, you have the scope. Then we've simply mapped, or indicated simply here, what the probability is that each could occur and what the impact is that it could have on your organization, on the region, or globally. So this is a good starting point, a thought exercise, to become aware of the possibilities and to give you a good indication of where you should focus your energy. Look for those crises which have a high probability and high impact. Of course, start there, put more realistic effort into building those plans, and be on a bit higher alert for those crises to happen.
You also want to think about your own organization. Resiliency is very much about bouncing back, and this of course can be thought of on the organizational level, but it also comes down to people and how they're able to react. And so it's very important to build a culture of resiliency within your organization, and also to recognize when the environment is perhaps not conducive to building resiliency. So look out for these indicators: perhaps an inflexible organizational structure, where a traditional, purely hierarchical approach is difficult to manage remotely, and so the tools for managing people have limited effectiveness here. Non-transparent communication is a problem: employees, colleagues, and customers expect honesty in the communications and statements made, and sometimes traditional companies are a bit slower in making complete statements. Sometimes there is not a culture of open-minded feedback. So be sure that your organization is welcoming of open-minded feedback and is not penalizing or disregarding such feedback.
Watch out if your IT is not prepared. IT is capable of doing everything, but only if those things are supported by the budget, and watch out for bottlenecks such as VPNs, which quickly reach their limits without sufficient scalability. Going back to this idea of a culture of resilience: sometimes organizations do not work flexibly or adapt to new requirements and circumstances due to external factors that are difficult to influence. If there's a lack of digitalization, manual processes and systems break, and this leads to problems in the sequence of individual steps, especially in a crisis. Sometimes a traditional leadership approach is also difficult to implement, and this quickly leads to wrong prioritization and can overtax employees in a crisis. There are also wrong ways of employee control for resilience. Micromanagement is one of those: it can lead to limited flexibility and creativity of the employees and is therefore inefficient for remote working models.
So you also want to build and prepare your organization for the crises. Once you've identified which of those indicators might apply to your organization, it's important to work on improving those and look for ways to improve. One of those methods is also to look for data silos, which do not help your organization at all. So one challenge for any crisis, and for everyday business in regular times, are silos. If IT infrastructure, supply chain management, cybersecurity, and others work in isolation, there's a huge risk of failure. There must be cross-department communication and cooperation. And so one very important thing to prepare your organization for a crisis is to align your IT and business. In a crisis, it frequently becomes apparent that IT does not know enough about business and thus is not really aligned with business. IT must understand what keeps a business running and alive. This requires better and deeper alignment of business and IT. Comprehensive planning should be part of this: your organization should plan for a crisis in a comprehensive manner, from the business model and financing down to working in a crisis, or IT operations having this resilience and recovery. This could include changing your business and the way you work ahead of, not just during, a crisis.
And so we also want to define the crisis organization. Remember that people have different priorities and different roles. Some people may be totally offline and inaccessible. So there must be a defined crisis organization, which adds some clarity and allows people to know what to do during a crisis. And remember to educate your team. Remember, people are the ones who deliver the plans and carry them through, and they cannot be forgotten in this. So we've completed the first sections, and now we're moving on to practical business and IT alignment. One thing that we should keep in mind is that IT and business sometimes don't understand each other. One way to influence this is to allow questions to be asked between the sides, particularly for business processes. In this situation, we're thinking of how to keep the business running: what can go, what needs to stay in order to keep this going.
So it's important to know what the impact would be if a particular IT system failed. Let's go through a series of questions and use this as a starting point to figure out how your IT and business processes could start to understand each other a bit more. It's important to know which IT systems cause cost, which systems could cause a business risk or incur costs if they fail or malfunction. In this crisis, which IT systems are critical, which are the systems which allow operations to happen and revenue to come in? Think of it on a factory floor, where a particular system going down can entirely stop production. This sort of system, once you've identified it, must be protected, must have backups, must have other alternatives for operating if it does get shut down.
So the same question goes for the business processes side: which business processes are critical to revenue, and how can IT sustain them? If there is such a process, how can IT sustain these essential processes? Then the logical question: which need better protection, which need more optimization, and what optimization measures are actually feasible? So these are some questions that can start to bring your two sides, your business and your IT, into better alignment and start to understand how one supports the other, rather than operating in silos. Next we want to set the foundation for resilience with this strategic alignment. Here is another set of processes for business and for IT. They're organized so that along the top we have some business processes and along the bottom some IT processes, and it's important to know how these can complement each other. So if you can define the crisis organization, including who holds what roles, what systems can be shut down, and what systems are critical to survival, then you're able to test this crisis organization with your systems, to have experience under your belt operating at partial capacity with only some systems running. So again, from the business side, you could prioritize, and remember that it's most important to keep the business alive. Every action must focus on this before it can focus on the future. This translates into practicing good cyber hygiene, patching, hardening, detecting, and this contributes significantly to a digital business's ability to survive.
And then finally, know the partners in your supply chain, especially your IT supply chain: what is the plan when they cannot deliver reliably? Then you can communicate what IT assets would be affected in different crisis scenarios and work with the business team to have backup plans for maintaining critical IT assets in a crisis, so that your business and IT can complement each other to better achieve this digital transformation. We also have some tips on what to avoid for your IT in times of crisis. It's a bit overwhelming to think of going through digital transformation at all, let alone during a crisis, and some people want to overcommit and over-invest; that should be avoided with some careful consideration. So of course, do not panic. That's not going to help right now; please keep a clear mind. We could all use a reminder of that every once in a while. Don't blindly trust anybody's recommendation, not even ours. Step back and think about what could really deliver a benefit now and what you and your team can actually manage to do. Don't build a virtual office. Don't try to host all of your home office workers in a virtual office. Let them focus on the most important things, reduce meetings, and try to optimize the work style.
Don't add a VPN now. If you don't have one yet, don't consider going for one. There are other, more modern options which are available on the cloud, and zero trust is the keyword to remember. Carefully select your technology. If you don't trust bring your own device, and not everyone has a company-owned notebook, you could go for a virtual desktop infrastructure, if you feel you could get it done now. And of course, don't over-invest. You should look for various solutions that allow collaborating and communicating in teams. Many of these are free for the times of crisis or are really affordable. Most companies do it: you can communicate, you can share, and you can organize the work. And of course, don't ignore the human. Talk with your people. They need to understand the basics of working in a secure manner, because the human is the biggest security factor; educate them and ask for good common sense. So that covers these sections, and we've finally arrived at the last one: how to respond and recover, for both business resilience and cyber resilience.
So now we need to go beyond prevention. We need to prepare to recover. There's the assumption that we can't always see when a crisis hits, and we certainly can't prevent a pandemic crisis. There's the assumption that the only place we start at is at recovery. So with this recovery mindset, you need to be able to quickly identify the risks. Don't ignore them and don't make them smaller than they are. Be very realistic about this, and then prevent as best you can, building a strong defense knowing about your risks, but still assume breach: still assume that your prevention and your defenses will fail when the time comes. Be quick to detect what is happening and be able to react immediately; work to defend and respond to the situation, such as a cyber attack, as it happens. All of this should be leading to recovery. This is the point you're trying to get to as quickly as possible, restoring systems rapidly.
Resilient organizations can build a culture of resiliency, and here are some ways to break down structures and be able to react in new ways to changes. So really work hard to prepare your organizational structures. Organizations must be set up in a way that employees and managers are able to act in any situation. There must be defined structures for the everyday business, as well as for emergency situations. You need to be able to communicate in reliable and open ways. There is no use in trying to sugarcoat things; facts and figures must be stated, but it is always important to have an open culture and a clear message that all those responsible are doing their best. Establish an honest feedback culture. It must be possible to talk about things openly. This approach should be lived at all levels and should be earnest. Implement a resilient IT department. It must be structured in a way that it can act flexibly as a service organization. It should also deal with important issues such as scalability and resilience.
Also train people for resiliency. Resilience can be strengthened by regular training and further education of your employees, so that the corresponding adaptability is also trained. You should invest in end-to-end digitalization: the fewer manual steps one has in processes, the less influence a pandemic has on the basic processes used in the company. And revise the way you do leadership. Employees need flexibility and freedom within their level of resilience; clear and feasible targets on a weekly level are sufficient. Try not to rebuild a virtual office, but not every employee is the same, so remember to pay attention to the human needs and have an adapted way of tracking progress. Micromanagement doesn't help; managers must think about the big picture and allow and promote new ideas.
So one key failing in many situations is a broken process, and you won't notice your process is broken until you've tested it under different circumstances. So let's take a look at a few steps for increasing and improving process resiliency. As with many things, first you need to identify: identify which processes are the most critical. Your low-priority processes can be postponed, and single points of failure can be mitigated. So allow for employee self-help; allow them to help themselves, since not everything can be solved immediately. Facilitate collaboration: having a well-working team improves collaboration a lot and leads to faster results. When you have people who are working together, they can sidestep these process breaks and learn how to find the information that they need for themselves to continue. Next, once you've found those loopholes, those potholes, it's time to fix them, looking for alternative technologies and alternative ways of routing the workflow. Then finally, apply some well-known standards. You have ISO 27031, which provides concepts and principles behind improving the resilience of an organization.
And finally, here are some topics to consider for building digital resilience, which, as we've noted before, is the cornerstone of having a resilient business that is able to pick itself up and continue after a crisis. So remember to create alignment between your business and your IT, and take action to create alignment here. Assess your risks with a cyber risk and impact analysis, to understand the weaknesses before a crisis hits. Beyond prevention, build internal cyber resilience, going beyond prevention to recovery and resilience. Have a fallback plan, and do this for IT outages and working-from-home scenarios, so you're not taken by surprise if and when a crisis hits. And have a continuity strategy: an IT continuity strategy will help visualize what actions will be necessary to get your business up and running again. Your cyber supply chain risk management is a risk mitigation measure to ensure your ability to continue your operations. So thank you so much for participating in this webinar, and I hope it was helpful to you. I'm happy to take questions now, and we'll wait a moment for those to come in. If there are no questions, then I thank you very much for your attendance here. I look forward to working with you at one of our future virtual events or webinars and invite you to take a look at our research. So thank you very much, and bye.