In my last blog, I spoke about the importance of having a Crisis Management plan in place to respond to major issues affecting the organisation - anything from a significant natural disaster to the kidnapping of a senior member of staff.
This is an absolute must-have - the last thing you want to be doing in the face of a crisis is figuring out how you are going to respond. But the Crisis Management arrangements should be one component of a larger Business Resilience plan.
If you look at a dictionary definition of resilience it will say something like 'the capacity to recover quickly from difficulties'. And that's just what Business Resilience is - if the business is hit by an unexpected event, it's about how well and how quickly it can restore 'business as usual' operations.
Like most things in business, there won't be one absolutely correct way of structuring your business to maximise resilience. But there are a few common components that should exist in all plans.
Many people will be familiar with the traditional model of business resilience which typically included four key elements - Business continuity plans, IT disaster recovery plans, Emergency Response plans and Crisis Management plans.
Today, however, these plans have been complemented by additional resilience tools, mainly Cybersecurity Incident Response plans and Critical Infrastructure protection plans.
So let's review each of the elements, new and old, in more detail.
Business continuity plans - these plans are designed to ensure that key business locations within the organisation are able to respond to a local crisis situation and get back to 'business as usual' as rapidly as possible. The plan will allocate responsibilities and roles to key people in the team and will generally feature a generic approach capability rather than event-specific responses.
Critical Infrastructure Plans - may be considered a sub-set of the business continuity plans. These target critical infrastructure rather than specific sites - for instance, communications or energy networks. They can feature specific responses to known potential events or generic response plans for unknown challenges.
Emergency Management Plans - are all about immediate actions when a critical event occurs. The event could affect one or multiple sites. These plans usually belong to the front-line management teams as they are the first responders to any incident. Key to these plans is weathering the event and minimising further losses.
Occupant Emergency Plans - are a sub-set of Emergency Management plans in that they respond to events that primarily impact on your people, customers or contractors. An unfortunate example in this day and age is the rogue shooter episodes that occur frequently in the USA. Protection of human life is obviously the key goal.
Information Technology Disaster Recovery - is more frequently being broken into two sub-sets:
Information Security Contingency Plans - which are about preparing for interruptions to IT services and availability. Plans include Maximum Tolerable Outages (MTO) for major systems and also pre-determine which systems are not critical for 'stay in business' functionality.
Cybersecurity Incident Response Plans - these plans have a technology component and a data protection element and the type of incident will determine whether either or both are required. Understanding key systems and where critical data is stored is essential to being prepared.
Crisis Management Plans - readers will recall that I covered Crisis Management plans in my previous blog so I won't repeat the message here. I will stress, however, that a key component of Crisis Management planning is to have thought about your Crisis Communications well in advance of an incident occurring.
Organisations need to think through their own situation and determine what effort is required for business resilience planning given their own operating model. This should also include an analysis of what key functions are being performed by third party providers.
It is not unusual to find a majority of IT services outsourced, with many key functions and critical data being sourced or stored via the Cloud. Does your business resilience planning phase include these service providers as responses are developed?
Some organisations have no choice but to have robust business resilience plans in place - it can be mandated by regulators, shareholders or financiers.
Other businesses have a choice - choose wisely as these plans may be the only thing between a profitable recovery and the end of an otherwise successful business!
To discuss business resilience or any of your other risk management needs, please feel free to contact me on 0404 829 040 or via my email, firstname.lastname@example.org