
Exclusive: It’s time to reset your business continuity program




Malcolm Brian Reid, Global Security and Resiliency Thought Leader, calls for security leaders to re-think their approach to business continuity.

Throughout recorded history we have seen major events that have caused us to take a step back and re-evaluate the way we conduct business. These inflection points, as I like to refer to them, are fairly prevalent considering that within the span of an average lifetime, at least three of these events may be experienced in today’s fast-paced society.

The methodology with which we plan for such events must therefore be constantly evaluated. In most cases, these inflection points are low probability, high impact events, sometimes referred to as “Black Swan” events – a term made popular by author Nassim Nicholas Taleb. The impact of such an event usually takes us by surprise, is global and affects us significantly from at least a social, economic and technological viewpoint.

It is former President of the United States Dwight Eisenhower who is credited with saying “the plan is nothing but planning is everything.” Business continuity was not top of mind within organisations pre-pandemic; some were fairly mature in developing, testing and validating their business continuity programs, while others had scheduled the start of the process for another quarter. In the months after the pandemic was declared, all of that changed and search engines saw an explosion of searches related to business continuity. Many companies were reporting to their investors that they had ‘activated their business continuity plans’.

Light at the end of the tunnel

From my view within the industry, I can tell you that many of these organisations have never embarked on a process for building a business continuity program. Fast forward to 2022 and there seems to be the possibility of ‘light at the end of the tunnel’ with respect to the pandemic. Those organisations that have survived and thrived must be pleased that all of their planning paid off and they are indeed prepared for any future event such as COVID-19.

However, history is indeed our best teacher and these points of inflection have so far not been playing according to our rules. Such events as 9/11 or the global financial crisis of 2008 have wreaked havoc in our society and their ripples were felt long after. Also, no two events are alike, and most organisations are left changed to some degree, which includes new improvements and innovations as well.

Membership associations that focus on business continuity learning and training have established methodologies to build and maintain business continuity plans. I would humbly suggest that not only should organisations conduct a Business Impact Assessment (BIA) across the enterprise coming out of the pandemic, but the membership associations should also seek to evaluate what they publish as business continuity methodology. We are indeed witnessing another wave of technological advancement riding the tail of COVID-19.

Many organisations have adopted cryptocurrencies as a method of payment over the last couple of years. The rise of the mysterious Metaverse is also going to present challenges to those who plan for disruption and disasters and protect assets, as real estate (or should I say virtual estate) is being sold in the Metaverse as we speak. These digital assets would expand the capability of organisations but also create new avenues for risk.

Combining functions

Organisations may soon realise that having corporate security and business continuity or resiliency operating in separate siloes may not be the most effective way of managing risk. By combining these functions within an organisation, much more can be leveraged in terms of optimisation of resources, effective communication and – to mention a principle of war – economy of effort.

Our risk universe is expanding rapidly and we must go back to the drawing board soon and re-evaluate these risks to our organisations, find the impact on the business and craft the right strategies to address possible events in the future, some of which may be very similar to, but definitely more complex in impact than, compounded events from the past. Remember, when your business continuity program is revised, you must also test and validate it, so that when the next major event hits us circa 2030 you will be much better prepared.

I also expect that membership organisations that focus on business continuity will be ready to publish updates to their methodology documents soon. They would also do well to include a much more inclusive approach to the revision of their methodology. By including those from different backgrounds, countries, genders, races and economic statuses, inter alia, the resulting methodology would provide a much more holistic framework that will also be more robust when applied.

In conclusion, organisations should actively begin the project to update their business continuity programs and consider converging them with their corporate security focus as well. The Chief Security Officer will therefore have to be someone skilled in the practice of corporate security management, information security, business continuity, corporate investigations and so on. Membership organisations publishing best practice should be reflecting and constantly evaluating their methodology against the changing landscape. It is time for us to press the symbolic reset button, as we focus on finding new and innovative ways to ensure the continuity of our business and the protection of our people, information, physical and now digital assets.

This article was originally published in the March 2022 edition of International Security Journal.
