Historically, risk management, business continuity, and IT disaster recovery have all been highly siloed within organizations, and, frankly, many organizations have been planning and testing for specific, isolated incidents. But the pandemic has really opened a lot of eyes. In business, planning and testing for an isolated, unlikely event is not a way to be resilient. There’s nobody on the planet who had a plan for how to manage for wildfires, civil unrest, hurricanes – all during a long-term pandemic. That plan just did not exist.
This year has made many organizations realize the need for a different mindset in how they operate. Resilience has to be an integral part of the way you run your business as opposed to a library of incident plans or a checklist for scoring good governance points. This is both the opportunity and, certainly, the hurdle that businesses have to face operating in this new normal.
People who historically haven’t had much knowledge about risk and business continuity now deeply understand the value, as everyone has been living and managing through a worst-case scenario. Before, many were reliant on just static plans and testing. The real-time and operational aspects of being truly resilient were just theoretical. Now, it’s understood that we are living in an environment where you need to have a holistic, real-time picture of threats to your business coupled with prioritized actions to assist in effective executive decision making in a crisis.
Many organizations didn’t really understand how their businesses and supply chains would break. They certainly didn’t have any way to know in real-time what was hitting them hardest and where the biggest risks were. They didn’t have a viable mechanism to quickly make and execute the most critical decisions first. A lot of companies were left with pieces of their business around their feet as the crisis unfolded. Unfortunately, for many senior executives, that’s where that lesson was learned. Businesses can’t continue to operate that way – the cost is just too great.
This has caused a sudden realization on the operating side of the business, at a senior executive and board level, that resilience needed an equal weighting with efficiency when creating your business plan. Operating executives need a system that provides a holistic view for better decision making. As a large crisis unfolds, events (and responses) happen in different ways and at different times across regional and national boundaries. Through regulatory edicts, different regional and national governments had varying COVID restrictions. Operating executives realized they didn’t have visibility to manage multiple threats, hitting across sites and key employees – breaking internal processes and crushing supply chains and critical partners.
It was almost an overnight event when COVID-19 hit because it wasn’t only a healthcare issue. When everyone started working from home, it became an IT issue. Then it became a supply chain issue and then a financial meltdown. It just kept cascading, and it was not possible to think anymore that these are isolated events or that organizations can actually plan for everything.
The pandemic has really shown that organizations need to have resilience built into the business in order to understand how your business works, how it breaks, and how do we respond. That’s a big change for many businesses outside of heavily regulated industries. The financial services industry has been pushing down this path even before the pandemic. Many of the largest regulatory bodies have been working explicitly on making and keeping the financial services industry resilient. We’ve also seen that other high impact and regulated industries are close followers in pushing true resilience, like utilities and energy, healthcare, and insurance. With their focus, and head start, these industries can help others find the way.
The most important thing you can do is understand how your business works and understand how it breaks – that’s the core of a real operational resilience program – it’s not the plans themselves. It’s how the business operates and what can impact it. For years, it’s been a difficult exercise to try to figure out not just how your business works, but where are the critical points? What are the critical business flows? Organizations have learned the hard way through this crisis exactly how their business breaks and what the most imperative business processes are. Organizations need to spend time, right now, understanding those lessons learned because the threats and impacts continue.
Try to catalog as much as you can about how your business failed, where the pain points were, and try to figure out how you’re going to protect those processes going forward – and build them in a way that they can’t fail the same way again. This gives you an automatic focal point: here are the things that were threats that hurt me, here are the things that hurt the most when they failed, etc. Now you know empirically what your critical business processes are, and you can get a strong start from that perspective.
While 2020 has been very painful, it’s also been a year of learning. We’ve seen our customers survive and thrive through this pandemic because they had all the information needed to make data-driven decisions, with resilience baked in to how they do business. This is the time to become a resilient organization. Make it a part of your business and your culture.