In recent years, many more organisations have established business continuity management programmes (BCPs) which define the different processes (suggestion to utilise the wording of ‘process’ rather than ‘system’ due to general, but not always, confusion around BCP and DRP) of avoiding and recovering from potential disasters to their business.
By Mpho Modisane, IRMSA risk intelligence committee
With the number one goal of a Business Continuity Plan (BCP) serving to allow for continuation of operations while recovering from a disaster, the key component of the success of BCP’s relies on the organization’s resilience programme.
Resilience Defined
The Business Continuity Institute defines Resilience as the adaptive capacity of an organization in a complex changing environment.
Resilience is the more mature aspect of recovering from disaster which is the ability of an organization to uphold its functions regardless of drastic changes in the internal and external environment.
Therefore, in their quest to achieve greater maturity in response to and recovering from disasters, an organization must consider a tailor-made resilience program to enable continuation of business under adverse circumstances.
Resilience Statistics
In their annual Africa Resilience survey, Ernst and Young (EY) discovered that although majority of African Organizations have good BCPs; they in addition require a matured resilience programme to reduce the likelihood of exposure and recover from disruptive events when they happen.
The conclusions from the survey indicate that approximately 72% [Level 2 – Level 5] of the respondents reported that their resilience programme can assist in recovering business operations after a disaster.
Of that number, 5% is certifiable and 28% can recover all critical functions within approved Recovery Time Objectives.
Only 28% either cannot recover operations or the respondents do not know the maturity level of the programme.
Over 64% of the aggregated participants have indicated an alignment of their companies BCM resilience solutions, to international best practices, i.e. ISO 22301, ISO 22316, BS 65000, ISO 27031, the Business Continuity Institute Good Practice Guidelines 2013 and/or COBIT.
Of the 64% approximately 10% have specified that their companies are aligned to BS 65000 i.e. a Guidance document on organisational resilience.
The EY survey further rated the resilience maturity of the sampled organizations in line with international standards on a five-point scale, with five being the most mature level.
With the survey having revealed that 5% of the sampled organizations have reached level 5, 28% level 4, 24% level 3, 15% level 2 and 10% level 1 maturity of business resilience. The remaining 18% of the respondents indicated level of resilience unknown.
What this indicates is that although 72% of the respondents reported that their resilience programme can assist in recovering business after a disaster, only 5% have their risk management sources spread beyond the scope of traditional risk methods.
The need to be multinationally resilient
The complication with any organization operating multinationally is that the nature of disasters become foreign, away from the home country.
The best assurance any organization can get against unknown material disruptive events is to align with international standards both at policy level and implementation.
A multinationally resilient organisation can reduce their vulnerability through adopting a resilience programme which gives them the opportunity to recover all critical functions within the approved Recovery Time Objectives.
As a risk professional have you considered that:
* Business Continuity Management and Resilience are a subset of Risk Management, both disciplines are a critical part of mitigation of certain risks, is the value of risk management tested whenever any of these risks materialise?
* Sooner or later your business could grow multinationally. At some point in your business there’s contact with global customers or business partners. Have you considered your organization’s exposures as a result of these relationships?
* Your employees might travel outside your home country exposing them to multinational risks. Have you added an emergency repatriation plan in your resilience programme?
* Some of your business recovery sites are sitting elsewhere in the world. Have you considered resilience backup if a disaster hits your recovery?
* For a multinational business, what infrastructure challenges in the other country similar to the local water and electricity challenges experienced in South Africa could impact on overall business continuity?
* For a multinational business, given the rise of cyber risk which holds no political boundaries, has the business considered the impact of system failure (DRP) and the link to their cyber risk management controls?
* Is your business focusing on generic disaster scenarios or specific scenarios which may have a higher probability of occurrence such as power outages (local), political unrest depending on the economic state of the foreign country?
The most responsible decision of any organization would be to be aligned with international business resilience standards and formally adopt these as part of the risk management and business continuity program, because in spite of everything we are all part of the global world.