Achieve True Business Resilience by Operationalizing Risk Management
An Interview with Richard Cooper, Managing Director of Europe for Fusion Risk Management
As an expert in business continuity, and in his current role as Managing Director of Europe for Fusion Risk Management, Richard Cooper has seen the many risks inherent in today’s European business climate. In a recent Q and A, Mr. Cooper discussed these issues, and explained the best ways organisations can address them.
Q: Talk a bit about the current risks facing enterprise businesses in Europe.
A: There are several European countries where the political landscape is facing polarization. Borders are being hardened, corporate domiciles are in flux, and the regulatory environment is becoming more complex. As the General Data Protection Regulation (GDPR), addressing individuals’ personal data, becomes enforceable in May 2018, many businesses are scrambling to determine whether they are compliant or, if not, what they need to do to get there. And with the looming economic fallout of Brexit yet to be determined, talks continue on how to undo decades of treaties and agreements with the European Union. All these serve to magnify and exacerbate what's become the standard list of growing risks and threats affecting organisations across the globe – terror threats, data breaches, supply chain risk, and extreme weather events to name just a few.
Q: Can you describe some the disruptions that can readily impact an organisation?
A: I would start with IT services disruption, which is any disruption affecting access to IT services – often referred to as “IT disaster recovery” – or the protection of critical data, which is often referred to as “cyber security”. Workplace disruption describes any disruption of a business entity –
offices, call centres, retail locations, trading rooms, manufacturing plants, labs, warehouses, etc. – as well as its critical assets such as machinery or other specialised equipment. A workforce disruption affects personnel such that sufficient, trained and skilled employees are not available. Possible causes may include labour actions; regional disasters during which the community or public infrastructure is severely impacted; or pandemics, any of which can cause severe absenteeism. Finally, supplier disruption is related to critical suppliers, service providers, utilities and related infrastructure, or logistics that stops or slows the movement of critical products and/or services into or out of businesses. The potential for any of these to critically impact an organisation based on its complex dependencies are what drives the need to operationalize risk management.
Q: When you say “operationalize,” what exactly do you mean?
A: While the concepts of risk, compliance, crisis response, and disaster recovery are becoming more familiar throughout European businesses, the evolving threat landscape and growing uncertainty call into question legacy approaches to business resilience. Today, more than ever, an organisation failing to prepare both strategically and tactically for any type of disruption can experience a much greater impact than it can readily absorb.
Q: What has created the need for that strategic and tactical approach?
A: While it’s likely the majority of Western European businesses have already made efforts to develop and test business continuity plans, some as a component of their risk management or compliance programs, traditional approaches have proven inadequate and ineffective. Plans become stale, risk management and compliance programs are disjointed, and attempting to utilise any of this information prior to or during a disruption can be incredibly cumbersome or entirely unmanageable.
Q: How does that impact the goal of achieving true business resilience?
A: Companies can never be 100% resilient. They can, however, be much better prepared to minimise the impact of a situation and stop an incident becoming a crisis. To do this, they must be able to rapidly “operationalise” data to rapidly make informed decisions. Without reliable, up-to-date information, a company’s ability to react to a situation will be delayed, and there will be the probability of a higher impact.
Q: Speaking of the 21st century, data has become key to a successful modern business continuity management program. Can you talk about that?
A: In the modern era of always-available services and continuous operations, data is much more important than maintaining actual documentation. The traditional method of having business continuity or disaster recovery plans defined as documents is an outdated approach and ineffective against today's needs. If something is going awry, it’s critical to immediately know what and who have been impacted, and that’s not possible to do when relying on documents alone. By the time someone has gone to a binder to look up information or printed a document off a server, opportunities to reduce the impact have been missed, and the number of options for a quick recovery have been reduced. Particularly in Europe, where many organisations have representation across multiple regions or countries, executives and front-line managers need to understand very quickly the impact of a particular event on all or some of the business.
Q: How can this approach to data be leveraged by companies to keep information current?
A: It’s impossible to have a solid business continuity program without current information, so it’s important to draw upon “business as usual” data in a way that allows quick access and analysis in response to an incident. By integrating existing data sources with purpose-built tools for business continuity and crisis management, organisations are better able to determine which locations, people, and processes are impacted, and respond faster with greater confidence to resolve a crisis. With a data-oriented perspective, organisations are positioned to establish an information foundation about risks, impacts, resilience, response, and recovery activities – both during an incident and in advance, to enable more strategic decisions about where to invest and what level of resilience is required.
Q: This requires a change in approach for many organisations. How is that done?
A: By cultivating an operational risk mitigation mentality – not just a response and recovery mentality. This is how businesses are able to respond and recover more quickly from a disruptive event. It’s not just about having a plan for when something goes wrong – it’s also important to know how to minimise the risk and reduce the impacts in advance of a business disruption.
Q: So how do executives responsibly address risks and impacts comprehensively?
A: Business continuity programmes must be inclusive. For example – as a company typically has risk managers as well as an information security officer, both need to be aligned to the overall business continuity programme. This is known as operationalizing risk management through a “single pane of glass.” Risks must be identified, contingencies must be considered, various outcomes and scenarios must be evaluated, and response capabilities established to ensure strategic objectives can be achieved even in the face of disruptions to the business. And all parties involved must be on the same page and working from the same data points to achieve the outcomes intended.
Q: Does that require a broader perspective across each type of disruption?
A: Yes. For example, assessing the facilities and locales in which a business operates – such as understanding that a business in the congestion zone of central London might suffer greater impacts from terror attacks or civil unrest, and planning for those potential events accordingly. It also includes seemingly ancillary steps like data protection, employee safety protocols, and dependencies on third-parties, which are all components of a comprehensive strategy to mitigate risks, reduce impacts, and ensure timely recovery. A risk mitigation strategy should go hand-in-hand with the data-supported business continuity management programme. Such an approach combines risk management and contingency planning as an essential part of strategic and tactical decision-making, enabling better and more consistent decisions about risk and resilience at all levels of the organisation.
Decision-makers should also keep the focus on their business, not just compliance. Just as a business continuity plan shouldn’t simply be a compilation of documents in a binder or on a server somewhere, neither should it solely be designed to satisfy auditors and comply with regulations. While compliance must be achieved, it can represent the bare minimum, giving executives the illusion of meeting fiduciary responsibility, while leaving the business poorly prepared to manage an incident or disaster.
Q: To summarize, how should organisations prepare for the new European business climate?
A: Today, multiple factors are converging on the need for enterprise organisations to establish an effective business continuity programme. No longer can executives make the claim that an operational risk could not have been foreseen or a business impact unreasonable to assess. To deliver true business resilience at levels deemed prudent and appropriate, business continuity and risk management leaders must implement a data-driven programme, take a risk-based approach, and remember that the reason behind all of this effort is to ensure the business can meet all of its commitments even in the face of disruptive events.
####
Richard Cooper is Managing Director of Europe for Fusion Risk Management. Cooper can be reached at [email protected].
More on
