Posted on: September 8, 2021
Solutions Customer Summit Series
In your organization, you may have many programs pursuing different objectives in silos. For business continuity professionals, the goal is to protect the organization's continuity of operations. Other parts of the organization share this purpose even if they do not describe it that way. Third-party management, for example, is not just about onboarding vendors, but also about assessing them and understanding the risks they introduce, so that your organization can continue to deliver products and services no matter what.
With operational resilience being a popular topic right now, it is important to note that having a business continuity program does not by itself make your organization operationally resilient. Operational resilience brings every part of the organization together, from business continuity to risk to compliance and so on. When these parts talk to each other, you gain a holistic view of how your organization works, how it might break, and how to put it back together again. The traditional business continuity approach is reactive: it responds to an event after it happens. Operational resilience stresses a proactive and flexible approach that reduces the chance of the event in the first place.
For business continuity programs, you identify processes, perform business impact analyses (BIA) and siloed risk assessments on a specific site or vendor, and prepare and develop plans to respond to a consequence, such as losing a facility, vendor, technology, or people. The next step is to establish a proactive approach.
So, how can we be more proactive as continuity professionals?
Introducing risk assessment brings a proactive perspective to the table. Instead of only planning your response to an event or disaster, you try to identify the risks that could cause that event and treat them before it happens. For example, when we talk about loss of technology or a critical application, think about how the application is backed up, or whether it is backed up at all. Is there a disaster recovery plan for those applications? Is there a backup disaster recovery data center? Has a restore from backup actually been tested, and have the plans been exercised in the last 12 months? An untested backup or an unexercised plan is a control on paper only.
Another example is loss of site. Here the risk assessment is done at the site level: is there a backup generator for the site, and is it tested under load? Does the site have dual power feeds and redundant network and fiber connections that do not share a single path into the building?
These are risks you can identify so that you can put controls in place to mitigate them. The effect is that the probability of ever having to invoke your business continuity plan goes down, because the events it was written for become less likely once the underlying risks are mitigated by working controls.
Risk Management Framework
If your organization already has an enterprise risk management framework or program, take the next step by aligning your approach to that framework; it can guide you in bringing risk management and business continuity together. If you do not have a framework yet, here are the key components to get started:
1. Governance and Organizational Structure
It is important to understand what your organization looks like. If you have done business impact analyses, you already have a good baseline for your organizational overview. The next step is to tie your organizational structure (business units, business functions, departments) to your processes. From there, you can identify your key operational assets: the processes, applications, vendors, sites and people those functions depend on. Lastly, keep a consistent language across all programs that participate in your risk management program, so that a "high" risk or a "critical" asset means the same thing to every team.
2. Risk Identification
Once you have established a consistent language, you can start to build out your tactical risk register. Your organization needs to agree collectively on what counts as high risk and what counts as low risk, so there is no confusion as the program matures and grows. To start, create risk categories (for example technology, facility, vendor, people) that individual risks can be organized under and tied to. Then define your likelihood scale and your impact categories. Ask: how likely is this risk? What is its impact, in each of possibly several impact categories (financial, operational, reputational, legal/compliance)? As you assess each risk you will record two scores. The inherent score, assessed before any controls are credited, tells you whether the risk should ring an alarm or can simply be accepted. The residual score is the risk that remains after your controls have been accounted for and their effectiveness assessed; a control that has not been tested should not earn full credit.
3. Control Environment
Once you have identified your risks in the step above, you need to establish controls. Controls are methods that prevent a risk from materializing or detect it when it does, and each one should be tied to the risks it treats. Build a detailed inventory of internal controls: identify control types and categories, record an owner and evidence of testing for each, and use the same language for controls that you use for risks. A control only reduces residual risk to the extent it actually works, so the inventory should capture assessed effectiveness, not just existence.
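As an added illustration of steps 2 and 3 together (this is hypothetical example code, not Fusion's software), the following Python models a small tactical risk register: an agreed likelihood scale, impact categories and risk categories, an inherent score computed before controls, and a residual score that credits preventive controls against likelihood and detective controls against impact. The rating thresholds, the "half credit for a control not exercised in the last 12 months" rule and the two sample risks are constructed for the example.

```python
"""
Tactical risk register with inherent and residual scoring.

Hypothetical, self-contained example added to illustrate risk
identification and the control environment. Scales, thresholds and
sample risks are constructed; it is not Fusion's product.
"""
from dataclasses import dataclass, field
from math import prod

# Shared vocabulary the organization agrees on before anything is scored.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT_CATEGORIES = ("financial", "operational", "reputational", "legal")
RISK_CATEGORIES = ("technology", "facility", "vendor", "people")
CONTROL_TYPES = ("preventive", "detective")
# Assumed rating bands on the 1-25 likelihood x impact scale.
RATING_BANDS = ((12, "high"), (5, "medium"), (0, "low"))


@dataclass
class Control:
    name: str
    kind: str                      # "preventive" lowers likelihood, "detective" lowers impact
    effectiveness: float           # assessed effectiveness, 0.0 (useless) to 1.0 (perfect)
    exercised_last_12_months: bool = True

    def __post_init__(self):
        if self.kind not in CONTROL_TYPES:
            raise ValueError(f"unknown control type {self.kind!r}")
        if not 0.0 <= self.effectiveness <= 1.0:
            raise ValueError("effectiveness must be between 0 and 1")

    def credited_effectiveness(self) -> float:
        # Assumed rule: a control not exercised in the last 12 months only
        # earns half of its assessed effectiveness.
        return self.effectiveness if self.exercised_last_12_months else self.effectiveness / 2


@dataclass
class Risk:
    risk_id: str
    category: str
    asset: str                     # process, application, site or vendor it threatens
    likelihood: str
    impact: dict                   # impact category -> 1..5
    controls: list = field(default_factory=list)

    def __post_init__(self):
        if self.category not in RISK_CATEGORIES:
            raise ValueError(f"unknown risk category {self.category!r}")
        if self.likelihood not in LIKELIHOOD:
            raise ValueError(f"unknown likelihood {self.likelihood!r}")
        if set(self.impact) != set(IMPACT_CATEGORIES):
            raise ValueError("impact must score every agreed impact category")


def inherent_score(risk: Risk) -> float:
    """Likelihood x worst-case impact, before any control is credited."""
    return LIKELIHOOD[risk.likelihood] * max(risk.impact.values())


def residual_score(risk: Risk) -> float:
    """Score remaining after controls are credited.

    Each control leaves (1 - effectiveness) of its target behind; several
    controls of the same kind compound multiplicatively. With no controls
    the residual equals the inherent score.
    """
    remaining = {kind: prod(1.0 - c.credited_effectiveness()
                            for c in risk.controls if c.kind == kind)
                 for kind in CONTROL_TYPES}
    likelihood = LIKELIHOOD[risk.likelihood] * remaining["preventive"]
    impact = max(risk.impact.values()) * remaining["detective"]
    return round(likelihood * impact, 2)


def rating(score: float) -> str:
    """Map a score onto the agreed high/medium/low bands."""
    return next(label for floor, label in RATING_BANDS if score >= floor)


def summarise(register: list) -> dict:
    """One row per risk: inherent and residual score with their ratings."""
    return {r.risk_id: {"inherent": inherent_score(r),
                        "inherent_rating": rating(inherent_score(r)),
                        "residual": residual_score(r),
                        "residual_rating": rating(residual_score(r))}
            for r in register}


# Constructed sample register mirroring the loss-of-site and
# loss-of-application examples discussed in the article.
SAMPLE_REGISTER = [
    Risk("R-001", "facility", "HQ data hall", "possible",
         {"financial": 3, "operational": 4, "reputational": 2, "legal": 1},
         [Control("backup generator", "preventive", 0.6),
          Control("dual power and fiber feeds", "preventive", 0.5)]),
    Risk("R-002", "technology", "order management application", "likely",
         {"financial": 4, "operational": 5, "reputational": 3, "legal": 2},
         [Control("nightly backups with restore test", "detective", 0.5),
          Control("secondary DR data center", "detective", 0.5,
                  exercised_last_12_months=False)]),
]

if __name__ == "__main__":
    for risk_id, row in summarise(SAMPLE_REGISTER).items():
        print(risk_id, row)
```

Running it shows the point of keeping both scores: R-002 starts at an inherent 20 (high) and, because its DR data center has not been exercised, only comes down to a residual 7.5 (medium) rather than to low. Exercising that plan and re-assessing the control is what would move it, which is exactly the proactive action the risk view is meant to surface.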
Discover What’s Possible
If you would like to take your business continuity management program to the next level, contact Fusion for a demonstration today!