It’s not a matter of if a disaster strikes, but how well you are organized and ready to give assurance to your stakeholders that you are in control when it does.

It comes as no surprise that we are living in an ever-changing environment, which is shaped by numerous risk events and potential threats. Floods, cyber-attacks, IT breakdowns, asset failures, supply chain issues or loss of skilled staff are just some of the possible threats to the smooth running of an organization. Advances in technology and rapid digitization are fundamentally transforming the way of doing business and the way of working, but they also bring more and new security risks. And, of course, we are still experiencing the impacts of a global pandemic.

Despite this, a recent KPMG poll indicated that a majority of companies are at still at the level of “ad hoc and reactive” or “developing” an approach towards Business Continuity and Resilience Management.

If not addressed effectively, these threats can cause disruption or even business failure. Consistent planning for what to do when a disaster strikes, means a more effective response and a quicker recovery.

What does business continuity actually mean?

“Business Continuity Management” is an holistic process that identifies potential threats to an organization and identifies the impacts to business operations that those threats, if realized, might cause. It enables organizations to be equipped with the ability to prevent, respond to and recover from various operational disruptions in the future. 

What are the key components of Business Continuity Management?

  • Business Impact Analysis (BIA): Based upon a standardized approach, as well as clearly defined impact criteria, you identify, prioritize, and quantify the impact on time-critical business processes, customers, premises, technologies, assets and suppliers. 
  • Risk assessment – what matters most: Here you use risk assessment techniques to achieve one important goal – to plan for the worst case scenario and to protect your most vulnerable assets.
  • Strategy and recovery: Management should be able to give assurance that they are in control of managing failures, incidents, and so on. They should also be able to ensure immediate recovery of the critical processes.
  • Testing and exercising: Organizations should determine the feasibility of – and test the efficiency and effectiveness of – emergency plans on a regular basis.
  • Monitoring and improvement: Performance review processes provide transparency for all stakeholders. In the light of continuous improvement, the combination of Risk & Review is essential – we learn from the lessons of the past to improve the future. 
  • Governance: There should be clear roles and responsibilities to facilitate implementation of the framework.

 

Three documents to have in place:

  • A Crisis Management Plan, which outlines the immediate response of the management to manage a crisis and recover critical operations.
  • A Business Continuity Plan, which outlines the procedures to follow during a major, unanticipated and disruptive event. Business Continuity Plans may include: business recovery strategies (in other words, what needs to be performed to continue critical operations); contact lists; equipment requirements; personnel requirements; etc.
  • A Disaster Recovery Plan, which outlines the specific procedures required to recover or restore critical operations and/or systems.  

What are the key criteria for a successful Business Continuity Management program?

  • Strong leadership: Support from executive management and the board is critical;
  • Clarity: Underlying plans/documents must be written clearly and take into account the capabilities of team members during a significant business disruption;
  • Usability: Plans must be simple, easy to use, and accessible for everybody;
  • Business involvement: Business continuity should be business-driven, with the involvement of all functions;
  • Beyond IT: Remember that it’s not only about IT – that’s only one piece of a larger puzzle;
  • Consider the impact: Focus on the impact of major disruptions – even when it’s difficult to accept the scenario;
  • Change management: Prepare your organization to deal with immediate change, impact and action; and
  • Practice: Regular simulation of failures and disasters can save your business.

What is resilience management?

Operational resilience is the ability to deliver critical operations in the face of disruption. It allows organizations to absorb internal and external shocks, ensuring the continuity of critical operations by protecting key processes and resources such as systems, data, people and property.

The ongoing coronavirus pandemic has held up a mirror to organizations’ resilience under pressure. Faced with an increased threat landscape, organizations need to accept that it’s impractical – and too costly – to prevent all disruption. Instead, their whole organizations should be ready to limit, respond to, recover and learn from a wide variety of events.

This means investing in operational resilience.

What are the key steps to achieving operational resilience?

  • Set the stage: Create an operational resilience strategy; assign roles and responsibilities from the top down; and break up siloed functions.
  • Take stock: Identify critical operations; map resources; and identify interdependencies and vulnerabilities.
  • Know your limits: Define indicators for each critical operation that provide an effective early warning signal along the entire value chain; define thresholds aligned with risk appetite to enable a timely response, and consolidate and harmonize reporting.
  • Prepare for reaction: Develop inventory of contingency measures and related preparatory steps; adapt business continuity plans and incident management; and execute business continuity plans and testing.
  • Roll-out: Implement the operational resilience framework; promote an operational resilience culture; train employees in their new roles and policies; set up processes and management information systems; and learn and improve continuously.

What are the key criteria for an effective framework for operational resilience?

  • Top-down: Board-driven, with clear ownership and accountability to drive differentiated investment decisions, and enable the integration of operational resilience into overall organization management;
  • Enterprise-wide: Move away from siloed functions to develop an end-to-end view, driven by customer needs and linked to the organization’s goals;
  • Measurable: Put operational resilience on the same footing as financial resilience, with specific and quantifiable KPIs, thresholds, tests and reporting;
  • Resilience culture: Embed resilience as a key element across all management decisions and business activities, and as core to the organization’s culture;
  • Flexible: Enable the organization to react appropriately to unknown situations and adapt to changing circumstances, instead of following rigid action plans;
  • Recovery-centric: Adopt a recovery-centric mindset, with firms able to demonstrate adaptability assuming major disruption will occur.
  • Testing: Establish rigorous testing programs which challenge the organization’s ability to stay within set impact tolerances in severe but plausible scenarios.
  • Communication: Take a multi-channel, enterprise-wide communications approach, to deal with disruption across internal and external stakeholders.

How do I implement a management system for Business Continuity and Resilience?

You do not need to reinvent the wheel. There is already an ISO standard on Business Continuity and Resilience – ISO22300x. It gives you access to international good practice to help you to respond to, and recover from, disruptions effectively, leading to reduced costs, less impact on business performance, and even respect from your customers.

With a standardized approach your actions will be consistent throughout the entire organization, and you will be able to reassure clients, suppliers, regulators, and other stakeholders that your organization has sound systems and processes in place for business continuity.

What’s the role of the board?

The most important drivers for good Business Continuity and Resilience are that it should be taken up multi-disciplinary, and it should be positioned strategically within your organization.

Active board involvement is key to integrating business continuity management and operational resilience into the organization’s business and risk strategies, and to setting the tone at the top.

Considering the perspective from various management positions within the organization will ensure that the “business continuity and resilience” is based on the different corporate objectives and is implemented and operated in line with your strategy, the customer experience, as well as financial and IT perspectives and requirements.

Key questions for boards to consider

  • Do we have a business continuity plan in place? If so, has it been tested?
  • Do we have a full view – end-to-end view– of our processes?
  • How will we keep operating and serving customers/clients in the face of a disaster?
  • How well is business continuity and resilience experienced within our organization?

Conclusion

A Business Continuity Management System makes your organization more “incident proof”. And by building Business Resilience, you not only gain the capacity to survive, adapt and thrive, but also get another view on your organization and its critical processes and systems.

Since we all know to what a disaster can lead to – 2020 has given us plenty of examples of this – now is the time to make sure you do not miss the opportunity for positive change that this crisis represents.

Contact us

Olivier Macq
Partner and Chairman, BLC Belgium

T: +32 2 7083686
E: omacq@kpmg.com