2024 Opportunities for Resilience
2023 was a turbulent and uncertain year, but it also presented opportunities for organisations to build resilience. We anticipate that organisations will continue to face challenges, but there will also be opportunities to transform resilience capabilities ahead of both new regulations and increasing expectations by both customers but also supply chains seeking to improve and adopt good practice as an extended period of permacrisis and polycrisis events continue. There are five areas where opportunities are likely to emerge and suggestions on how to address them:
1. Working with third parties to establish supply chain resilience
Establishing resilience within the supply chain and with critical third parties should be an opportunity for organisations to consider in 2024. In December 2023, the Prudential Regulatory Authority (PRA), the Financial Conduct Authority (FCA), and the Bank of England (BoE) jointly issued a Consultation Paper outlining their proposed regulatory requirements and expectations for Critical Third Parties (CTPs) in the financial sector. Whilst this is only applicable to financial services organisations, we can anticipate that this emerging industry good practice will expand into other sectors and industries. Specific actions in this area include:
- Using 2024 as an opportunity to prepare for (and learn from) regulatory changes; building supply chain resilience by conducting value chain mapping to understand dependencies and resilience gaps and risks. Any identified resilience gaps should be prioritised and remediated in collaboration with the specific internal and external stakeholders within the supply chain.
- Identifying which critical third parties have the highest dependencies within the organisation and conduct joint resilience exercises. The benefit of this is to understand how business continuity plans may be missing, misaligned or ineffective and where improvements could be made.
2. Going back to basics to validate resilience foundations
As technology, threats and risks evolve, it is easy to focus solely on keeping up with these developments. It is important however, not to neglect the foundations of business continuity management. As such it is important to regularly assess and validate the maturity of a current business continuity programme to ensure it meets the needs of the organisation in its current and future states. Key areas to focus would be full understanding of data, IT assets, property, technology and people and how they support delivery of services and commercial activities. This could incorporate:
- Reviewing the effectiveness of the current business continuity programme to assess how well it has penetrated the behaviours and culture of the organisation and its impact on decision making.
- Assessing the maturity of business continuity connected controls to make sure they were owned, managed and effective in preventing an incident that would impact the resilience of the organisation. Connected capabilities and protection will include areas such as IT Disaster Recovery, Physical Security, People Security, Travel Security, HR and Risk Management.
3. Anticipate and prepare for continued crises
The past few years have served as a stark reminder of the profound impact of polycrisis events on society. Recently, organisations have faced a convergence of multiple risk events (e.g. pandemic, geopolitical conflicts, supply chain disruptions, climate issues and cyber-attacks). These polycrisis events have created an operational landscape where organisations with inadequate resilience maturity find themselves in a ‘perma-crisis state’. As we enter 2024, these existing pressures on resilience controls are further compounded by additional crises affecting a broad range of sectors and the interconnected supply chains. Turbulence and disruption are expected to continue and developing resilience maturity will help reduce impact and resulting costs and wider harm. Areas to consider when addressing this:
- Testing resilience using more immersive and challenging exercises based around credible worst-case scenarios. Embrace concepts such as reverse stress testing to better understand where weak controls across all aspects of the business not just IT, incubating environmental factors and opportunities for the active and latent control gaps to generate crises.
- Leveraging audit and risk management teams to understand how interconnected risk events could compromise the resilience of important and critical business services/functions. Better understand the likelihood and impact of such events happening using a combination of real time data, qualitative and quantitative risk management methodologies to determine the resilience posture against polycrisis events.
4. Evolve crisis management and communication strategies
Crisis management is going to be an important activity. It demands effective external and internal communications and relationships. The accessibility of real time, relevant information has significantly grown within the last few years alongside the growth of social media platforms. This has led to customers and stakeholders holding organisations to ‘real time accountability’ during incidents. This can provide both challenges and opportunities as the increase in customer feedback can indicate faults even before internal indicators have activated. The challenges being that customers can communicate when they have been immediately impacted from an incident can lead to reputational damage. Communications, and the wider leadership teams now need to be proactive and anticipate further disruption and adopt a ‘readiness’ mindset and to be better prepared and tested ahead of the next crisis. Good practice suggests:
- Reviewing current crisis communications strategies to establish how the organisation will deal with a sudden increase in negative consumer feedback and the likely scenarios. How does the organisation manage its reputation whilst adapting to constantly evolving and potentially volatile circumstances.
- Conducting immersive and scenario led exercises that focus on assessing the stakeholder impact of a loss of important business services alongside the capability to restore these services. This analysis helps identify the specific needs and concerns of both internal and external stakeholders, who may be particularly vulnerable in such situations. Additionally, these exercises help in understanding stakeholder expectations during a crisis, ensuring alignment with the organisation's values and objectives.
5. Exploring how to build resilience with and into AI
Over the past year, Artificial Intelligence (AI) has undergone a remarkable transformation, evolving from an emerging technology into strategic enabler of the business by the C suite. This rapid shift presents a dual landscape of opportunities and challenges that organisations must navigate in 2024. On the one hand, AI offers immense potential to enhance organisational resilience by automating tasks, improving decision-making, and optimising processes. Conversely, organisations must carefully consider the ethical implications of AI deployments, address data privacy concerns, and ensure responsible implementation to mitigate potential risks. Leading organisations are currently:
- Exploring how to build in the fundamentals of resilience when determining the functionality of an AI tool. This includes examining the impacts of losing the AI tool, establishing manual workarounds for a loss in AI capabilities and what is the Maximum Tolerable Period of Disruption (MTPD) for a loss of AI.
- Anticipating AI will permeate all aspects of cybersecurity, both in attack and defence. It will give threat actors new vectors to exploit with a mix between passive use of AI for example using a Large Language Model tool to develop phishing emails or active uses for developing an exploit for identified vulnerabilities. Therefore, monitoring of AI systems, and those of vendors, will be imperative to ensure they remain secure, trustworthy, and compliant to the growing number of global AI regulations.
Please contact us if you require more information about maturing your resilience capabilities and our experiences in this area.