Getting Ready for ISO 22301:2012 Certification, Part 1
Our two-part blog series Getting Ready for ISO 22301 Certification will give you a comprehensive overview of how to prepare for third-party certification to this international management standard. Part one will focus on the general steps required to implement a compliant business continuity management system. It will explain the steps needed to plan, build, deploy and internally audit your business continuity management system.
Part two will provide a deeper dive into what the typical internal challenges are and the suggested solutions to address them.
Background: ISO 22301:2012 was published by ISO in 2012 as a harmonized standard with multiple inputs from national standards bodies, industry and academia. This is the world’s first ISO standard focused on business continuity. This complements the disciplines noted in ISO 27031 for IT disaster recovery.
Outlined below are 15 key steps to take to prepare for your certification audit.
1. Obtain senior management support and commitment to the program and certification goal. Appoint a Champion empowered to provide the required resources.
2. Identify interested parties (internal, external, government and community members) and their unique requirements.
3. Define business continuity program objectives, scope, policy and exclusions (if any).
4. Define the management framework, including three mandated procedures: document control, internal audit, and corrective action. Adopt the Plan, Do, Check, Act model (common to all ISO management standards).
5. Conduct risk assessments, apply risk treatments and update methodologies as needed.
6. Define recovery time objectives and recovery point objectives.
7. Define resources and align with your business continuity management strategy.
8. Define response and recovery actions via data-centric recovery plans.
9. Implement a training and awareness program throughout your organization and extend it to your supply chain as identified in the risk assessment.
10. Exercise and test your program activities using independent staff, enabling impartiality.
11. Learn from each event in testing and benchmark experiences of multiple functions.
12. Communicate the necessary information in a consumable format. Test knowledge regularly via interviews, tests and exams as appropriate.
13. Measure and evaluate against the initially set Resiliency program objectives.
14. Conduct an internal audit and maintain records demonstrating compliance.
15. Make improvements based on the information found from the steps above and include top management to review processes and drive change. Continue the PDCA cycle as noted in step 4.
The four-step certification process includes:
1. Design, develop and implement the system (15 steps).
2. Interview and select an accredited* registrar. Obtain references and interview the lead auditor if possible. Check for ‘chemistry’; if in doubt, do not engage. Remember, registrars must be impartial; however, they must provide value throughout the assessment process.
3. Conduct stage 1 (remote) and stage 2 (onsite) audits. Close corrective action requests fully and promptly, ensuring both compliance and effectiveness of remedy are demonstrated.
4. Obtain certification, celebrate, and prepare for the first surveillance audit.
*Accreditation from UKAS, ANAB, or equivalent
Throughout this process you’ll learn how to ingrain the business continuity discipline across your enterprise. Achieving ISO 22301 Certification puts you within a unique group of companies committed to business resilience. It not only allows you to obtain a better understanding of your organization, but also to implement a business continuity strategy with proper response tactics. Ultimately, you will be able to better drive alignment of resilience capabilities in parallel with key management initiatives to drive continual improvement. In part two of this series we’ll break it down further and discuss challenges and solutions during the process.
Resiliency Through Relationships
Guest Blog Series
We are excited to debut our Guest Blog Series featuring some of the amazing experts from the Fusion community with their industry insights. Our first guest blogger is Resilience Manager at Network Rail Rina Singh, MBCI, with her first post titled Resiliency Through Relationships.
Rina is passionate about all things business continuity, risk management, and organisational resilience. With more than a decade of experience, she is currently an equal part of a dynamic award-winning resilience team at Network Rail and runs her own blog, the Resilience Pod, dedicated to helping organisations and individuals become resilient in a world full of disruptions.
– Marketing Associate Bridget Anders
Collaboration is important in most professions, but in business continuity management, it’s essential. Whilst digital transformation through systems and processes makes our daily lives much easier, it’s still about people and relationships. The idea of using automation via technology is to save time, and that time needs to be spent building relationships and developing strategies.
While technology improves efficiency, the resilience of a company cannot be solely reliant on one person or one department. It must be through a collaborative effort across the company. It’s a joint effort in all aspects, but this can be difficult in a siloed environment where communication is sparse. If you get that relationship right, you may be able to influence in ways you never knew you could to ensure resiliency. That’s why building and maintaining those relationships are so important. Here are four key tips to empower resiliency through relationships!
1. People must know you exist
This sounds obvious, but if people don’t know who you are, they can’t come to you. Start with a basic introduction over a coffee or tea with your subject matter experts and stakeholders before getting into the nitty-gritty. Then build it up via lunch-and-learn sessions, for example. This way your first interaction with them isn’t you asking something of them via email but taking the time to get to know them. It also takes some people more time to warm up than others. Don’t let this discourage you – be consistent in your efforts.
Find a way you can relate to them, and do so face-to-face when possible. We are in that digital age now where it’s easy to message each other or pick up the phone. While this is necessary sometimes, it’s so important to meet in person to strengthen that connection when trying to influence resilience activities. If you are there, they can see you, making things much more tangible. Then when you do email them later, they remember you and the connection made.
A great example is the amount of effort I put into trying to get hold of one stakeholder via email to meet about business continuity management activities. I consistently emailed this person and followed up but kept getting nowhere. But when we did meet, it was great, because the way one can come across in an email is completely different than how they can come across in person. Now, even though this person is busy, they will always take the time to respond to my emails. That’s purely from the relationship I have built, which is important because when something is required, they know me, and my name is out there.
2. Create a mutually beneficial relationship
You must be authentic and transparent to create a mutually beneficial relationship. It’s more than just small talk; you must genuinely listen to subject matter experts and stakeholders. It’s that personal touch and level of understanding with the other person. Don’t hide your personality; adding that personal touch is so important.
You can give, give, give, but there comes a time when you think “well, I am doing all this stuff for you, why should I do more? What’s the incentive?” Naturally, as human beings, we are selfish, and we want something back.
Helping each other is mutually beneficial because if you do me a favour, I will remember it. When you need something, I will know that you helped me, and I will want to do that because of all the help you’ve given me. If you are helping another department by introducing them to another stakeholder, they will remember that. It’s proving that credibility and following through on it.
3. Educate others on business continuity management
You must translate the requirements into simple steps avoiding all jargon and showcasing the value of doing this work. The simple question, “what’s in it for me?” comes to mind. A part of this process is training so they understand what business continuity means to them, rather than just telling people what to do. Once they understand the “why,” it provides clarity and gives them part ownership, which in turn helps build that relationship and promote a collaborative culture.
Educating also means you must be educated on the wants and needs of subject matter experts and stakeholders. Listen to their concerns and apply that in your planning. So when you’re communicating activities you have all of the information you need to educate others properly. These things take time, but showing people that you truly value them by giving them your time is important.
4. Continue the relationship
Even if it’s just going for a coffee or catching up weekly for two minutes, that really makes a difference to understand your stakeholders. You need to stay up-to-date on what their concerns and constraints are in their business area. It’s important to remember that you must stay committed to the approach but be flexible on some of the details when you can to accommodate your fellow colleagues.
Always follow up, whether it was your first interaction or your ninetieth. Be sure they know you are listening and want to collaborate with them. This also helps them remember what was discussed and also feel like you really value their time.
Empower a culture centered on teamwork and collaboration
By building these relationships through helping others and listening to their concerns, it gives people a sense of community. They know they can come to you and vice versa, which can make the difference when ensuring organisational resilience.
Essentially, we can’t get things done if we don’t involve other people, and if you don’t have that relationship it’s not going to happen. This creates siloes. All this will not only move your business continuity programme forward, but also create an example for others to empower a more collaborative culture for better resiliency. After all, resiliency is achieved through relationships.
Why Protecting the Brand Matters
Ah, branding. The marketing and communication department loves it and most of the rest of the company doesn’t really care that much. But, branding is about more than just fonts and colors. Organizations must protect their reputation that comes with the brand.
A big component of business continuity and risk management is protecting a company’s reputation. Oftentimes, many focus solely on the financial aspect.
Don’t get me wrong – financials are very important – but there is so much more that goes into protecting your brand reputation.
There are so many factors as to why people buy a product or service, and having a good brand is usually a large part of that. Yes, sometimes people simply just need something specific at the time, or they are making an impulse purchase, but having longstanding customers and/or clients who will advocate for your product or service only comes with a strong brand.
Consumers are less likely to work with your company or buy your product if they don’t trust you, and a company’s brand plays a large role in that trust. For example, if they see that all of your users’ information was somehow searchable on the internet, they aren’t going to give you their information and, ultimately, not work with you or buy your product or service.
And many times, a damaged brand will negatively impact financials. There is some truth to the common saying, “any press is good press,” but typically it’s a short-term strategy. In general, sometimes business is boosted for a very short period of time but declines in the long term. And if it’s bad enough, it will put an organization out of business. This is, of course, situational, so this isn’t completely the case all of the time, but it does happen a lot. According to the Federal Emergency Management Agency (FEMA), more than 40 percent of businesses never reopen after a disaster; for those that do, only 29 percent were still operating after two years.
Then there’s the phrase, “that’ll never happen to us.” Wrong. Natural and manmade disasters can hit at any moment. Billions of people have been affected by data breaches and cyberattacks, many brick and mortar retailers have already filed for bankruptcy this year, and, in the past month, there have been multiple severe earthquakes that have hit around the world. It’s not if something happens but when something happens. And, if people find out you didn’t even try to prevent said negative thing from happening, they won’t trust you.
What’s more, with the world of social media and almost everyone constantly being connected, there is really nowhere to hide either.
Complaints on Twitter, Google reviews, and Yelp are just a few places your brand could be impacted. Just one video or tweet can go viral and change everything. Yes, not every single post will go viral, but a multitude of similar complaints can still really do some damage. Being prepared for these types of situations helps organizations make improvements and properly communicate.
It is important to remember that social media is not all bad and can be used as a medium to help relieve some of these pressures and impacts. The key though is sticking to your brand values. If you know something is coming up, depending on the situation, you can use social media to let people know what is going on or lead people back to your site with the information they might need. It is a good way to keep people updated in real-time, address issues, and elevate your brand.
In the UK, one company who has created a witty name for itself is Tesco Mobile. It’s known for hilarious tweets and clever replies. In its case, Tesco Mobile also uses social media to manage inquiries and complaints. For them, the playfulness works.
Oracle also uses social media as an avenue for its brand, but it takes a much different approach. It often posts industry insights and keeps people updated on things happening at Oracle. It also manages complaints with more care in a fact-based manner. Both Tesco Mobile and Oracle use social media to communicate, but in different voices that reflect each company’s brand. There are a number of ways social media can be used to strengthen a brand, and organizations must find what is right for their company by aligning with the company’s voice and brand. It’s also important to remember social media is just one aspect of what makes up a company’s brand, but due to its wide reach, it can be a large component.
So why does protecting the brand matter?
In this case, the little things really do matter. If you waver, people will likely get confused. How you present yourself affects people’s perception of your brand. Transparency and consistency are key, whether that is on social media, in a press release, on your website, or via email. That doesn’t mean you have to tell the public everything, but you cannot twist the truth because that can lead to a whole other slew of trust issues. People understand that mistakes happen, but they have to trust that you are doing the right thing in a bad situation. And, you have to consistently show them that.
So how do you protect your brand in a constantly connected world with infinite disruptions and risks?
Well, the short answer is quite simple: easily accessible information (a.k.a. an information foundation that holds all of the organizational knowledge), which can be done through a secure business continuity management software. If you have a system that already holds regularly updated data, then it makes searching for the answers you need so much easier, especially during a crisis or incident. You can use this information to make more educated decisions, which enables you to be transparent because you have the single source of truth.
A good system should not only give you the ability to make a data-driven decision, instead of guessing what the right thing to do is based on what you think you know, but also allow you to track progress. This way you are working with facts, which in extreme cases can save a business. And since you have the facts, you can solve the issue (or mitigate the impact) and communicate the right information internally and externally quicker.
As laid out, there are an infinite number of risks to your company’s brand, making it impossible to look at every single way something could go wrong. But, when you have the data you need, you can prioritize based on impact and likelihood. This allows you to properly prepare, from prevention and impact reduction to communicating results and analysis, which in the end protects your brand reputation.
A Single Source of Truth: The Key to Organizational Resiliency and Efficiency
Siloes: they are the bane of organizational resiliency and efficiency, and they are notoriously hard to tear down. Departments that focus on business continuity, IT, disaster recovery, third-party management, and incident management all tend to function independently of one another, even though the intersection of their responsibilities is where organizational resiliency and efficiency live.
But, what if you could have a single source of truth about business data and business processes that could be shared and accessed across departments and disciplines to improve not only recovery and continuity, but overall organizational resiliency and efficiency?
That would go far toward tearing down siloes, wouldn’t it? You would be able to avoid duplicative work, address gaps that create risk, and optimize processes across the enterprise. It’s a beautiful thought … and the good news is, it is possible to achieve.
The fact is, business continuity is uniquely positioned to destroy departmental siloes and improve the alignment of various functional areas. The reason is simple: business continuity’s responsibilities involve a tremendous amount of data collection and analysis. This includes information from business impact assessments, configuration management databases, application impact analyses, technical impact analyses, and other sources. By gathering all this data into one location, business continuity can create an information foundation that can act as a single source of truth for the entire organization. By sharing the data in the information foundation across siloes, business continuity can help diverse business functions work together to optimize organizational resiliency and efficiency.
For real-world examples of the information foundation in action, read our whitepaper Creating the Foundation for Increased Business Resiliency and Efficiency.
The Uncertainty with Brexit
As 29 March 2019 nears, the uncertainty with Brexit continues to grow. Many organisations have not fully grasped what this means for their business, but it is clear that it will likely be the largest operational business resilience undertaking most UK organisations will face.
A majority of organisations are focusing on the high-level financial impacts, while ignoring business continuity and risk impacts that are no less important. Preparing financially for a completely new economic structure is imperative, but planning for other aspects such as changes to privacy and security laws, employment regulations, trading legislation, and more is still key to successfully navigating Brexit through its full lifecycle. Each upcoming change comes with its own set of potential risks, many of which organisations will have little control over.
However, many things can be accounted for by educating organisations on their operational risks along with their financial risks. Now there is no way to be fully prepared for this magnitude of change, especially right now when so much is still to be decided, but organisations must stay up-to-date to make informed decisions on new legislation, cross-border agreements, resources, residency, etc. This not only means up-to-date on the state of Brexit, but also up-to-date on organisational data necessary for business resilience.
Next, organisations must run exercises and simulations with all of the factors in line to help prepare programs for the upcoming changes. Unfortunately for many, the time given to business operational and resilience teams will probably be far smaller than that given to financial impact managers to prepare for Brexit. According to a CBI survey, 48 percent of participants said the cost required to make contingency plans is prohibitive, while 47 percent find the complexity of the information challenging.* This could lead to some organisations not running test simulation exercises as a part of their strategy, and ultimately not being prepared for the impacts of Brexit.
The heart of these issues is storing the correct information in an easily accessible vessel like an information foundation. Having clear and up-to-date access and visibility to who owns what process, site, and object transposed over the associated impacts of failure will be key to managing the threat of Brexit.
Learn more about how Organizational Knowledge Empowers Enterprises with our whitepaper!
Why IT Managers Need an Information Foundation
Business continuity’s responsibilities involve a tremendous amount of data collection and analysis. This includes information from business impact assessments, configuration management databases, application impact analyses, technical impact analyses, and other sources. Everything centers around business processes.
That brings us to the crucial point: every department has business processes, and many of these business processes and required support of these processes cross departmental siloes. For example, if IT updates an application, it can have a direct impact on finance. If vendor management chooses not to renew a contract, it can have ramifications from production to pricing to sales.
Frequently, the existence of siloes means that such connections and interdependencies are not recognized – to the detriment of the business. But, by creating an information foundation and sharing its data across siloes, business continuity can help diverse business functions work together to optimize organizational resiliency and efficiency.
The information foundation can be defined as a single source of truth about business data and business processes that can be shared and accessed across departments and disciplines to improve not only recovery and continuity, but overall organizational resiliency and efficiency. With this as the definition, it is readily apparent that the right software is key to creating, maintaining, and leveraging the information foundation. In a typical organization, IT is tasked with:
- Providing a redundant, hardened processing environment
- Protecting systems and data from unauthorized access
- Ensuring that data and applications are available to meet business process requirements in production
- Managing current capacity
- Planning for future capacity
- Providing for the recovery of systems and applications that support critical business processes in response to a major incident
These priorities may be applied to on-premise environments owned by the business, or toward managing a relationship with an external IT provider or cloud service. The question then becomes, what data does business continuity already have in the information foundation that could support IT with these priorities?
One place where the information foundation can be of assistance is when there is an IT storage upgrade. Take the case where an older storage frame needs to be replaced. Using the shared information foundation, the IT storage team may discover the storage frame is connected to a Linux server and the server supports a critical revenue-generating business process. Therefore, the IT storage team will need to work with the Linux team to ensure error-free operation after the upgrade and work with the process-owning business unit to investigate how an upgrade could potentially impact the revenue process should problems be encountered. Representatives from the business unit could also be engaged to validate successful process operation following the upgrade. By collaborating with these other business units, IT can make plans to upgrade the storage in a way that will not generate a negative impact on enterprise operations.
This example shows how, through the information foundation, data concerning process criticality, impacted audiences, teams and contact information, applications used, affected locations, and more are all available to IT to increase production process efficiency and reduce potential undesired ramifications, thereby increasing organizational resiliency.
It Takes a Community to Manage Risk Effectively
Risk managers are seeking ways to engage a broader range of the organization to keep risk management as a top priority for all. Without engagement across the organization, today’s risk manager can put the organization at greater risk by missing out on key insights that cannot be gained by relying on personal experience and training. The community has the answers (or at least the right questions) in today’s complex organizations.
Many risk management programs tend to look at external and internal risks in traditional ways, which results in programs stuck in risk initiatives that have good intentions but lack the most current operational insights. Organizations have simply become too complex to understand potential risks without engaging more constituents deeper into the extended enterprise. The challenge is how to reach those who may not fully be aware of their role in controlling risk but who are very much aware of where risk exists.
Today’s leaders seek to obtain and leverage more direct input by engaging communities of people that are not typically thought of as core to managing risk. Ideally, these communities would become occasional users of the central risk management system and contribute their unique insights to build a more complete information foundation that tells a complete picture of the organization.
A community is built around a specific purpose that can benefit both the risk manager and the users. Members of each community may not always be aware of the larger impact they are having, but when a system is effective, the community users both receive and share information in ways that expand what is possible in any risk management program, including operating efficiently and uncovering issues faster to help the organization meet its obligations to customers, shareholders and employees.
Users who make up a community that a risk manager needs to engage may not even know the other members of their community. However, the risk manager can group them together when they have similar information needs to share and gain new insights in both directions.
The positive impact of engaging broader communities in managing risk directly through their personalized view of the central risk system includes:
- Identifying risks earlier so they can be treated or mitigated
- Recovering faster through better planning based on community insights
- Communicating accurately at critical times of need because the community is organized in the system
- Reducing effort to onboard and approve new vendors, reducing risk by engaging the vendor community directly in formal risk processes
- Engaging an executive community to drive more efficient workflows and approval processes
- Engaging trusted vendors as part of your extended team securely
- Providing tools for safety and security to the broad community, preventing harm and optimizing outcomes
Managing risk can no longer be done only by the few who have the words “risk manager” in their title. Organizations are too complex to rely on traditional methods to uncover internal risks, which can be akin to guessing or chance when broader communities of contributors are not engaged. Fusion can help those communities with our products and services. Find out more about how to better engage your community of users.
5 Factors for Building an Information Foundation
Companies should consider five major factors when compiling and organizing all of their components into one repository and dashboard that integrates information from multiple sources into a unified display, an approach we view as a “single pane of glass.”
1. Knowledge Must Be Consolidated
We have all seen enterprise companies where no one had an understanding of what others in the business did. IT has no clue what sales is doing, and sales doesn’t know much of what is happening in product development, and so on. People’s knowledge is limited strictly to the work they do on a daily basis. And that can lead to a myriad of problems.
If there is little to no interdepartmental communication, what will happen when a disaster – manmade or natural – strikes? It will be every department for itself; recovery and continuity efforts will almost certainly elongate or possibly fail due to a complete lack of coordination. Knowledge is power, as the old adage goes. When it comes to maintaining a streamlined and secure company, it is imperative all stakeholders have full knowledge of operations so that they can respond to any need across the organization with confidence.
The processes undertaken by an enterprise on a daily basis can number in the hundreds. It is nearly impossible to maintain organizational knowledge without a single repository where all of these processes can be viewed.
2. Command and Control
Executives never want to feel they have lost control of a potentially damaging situation. Nothing can be accomplished in the face of a disaster if leadership doesn’t have command over the events that are unfolding. Proactive planning and a firm grasp on every piece of information needed makes for the best chance at a full recovery in the least amount of time possible.
It is important to possess a software solution that pulls all of the necessary processes into that all-important single pane of glass, so everyone involved in the response has access to the most up-to-date information to efficiently execute a plan.
3. Visualization and Decision Support
There are many cases in which there are no clear and actionable steps for addressing a disaster. Businesses can choose to prepare for a potential recovery using either data (knowledge) or documents (plans). It is inefficient, ineffective, expensive, and risky to rely on documents when success versus failure can lie in the balance. Visualization and decision support can serve as a force multiplier for your teams while documents can slow you down and cause you to make costly mistakes and possibly even outright fail.
A living, virtual system can digest this information and update data in real time so that processes are always current and easily accessible. The ability to use that information to provide visual insights and deep analysis can materially change not only the effectiveness and efficiency of your teams but also the outcomes you achieve. In the face of a threat, an enterprise needs to be able to immediately contact key decision makers, review all assets, and determine which locations have been affected. People need to be able to trust this information and make decisions in real time. In other words, they can generate a reliable plan on the fly or be confident that existing plans are utilizing current information while filtering out information that is not relevant to the situation at hand.
4. Enable Wisdom
Steve Jobs once said, “Great things in business are never done by one person. They’re done by a team of people.” That is the essence of organizational knowledge. If all processes are known and accessible by every executive and employee within a company, the likelihood of recovering when a disaster strikes is much greater.
Everyone involved in a business should be able to easily view best practices and know how to implement them in the face of a threat. When stakeholders can find all of the most up-to-date information via one pane of glass, they are much more likely to educate themselves on policies across all departments and gain that all-important wisdom – not just knowledge.
Some people might see wisdom and knowledge as interchangeable. However, that isn’t the case. Knowledge by itself simply refers to information that has been acquired – it is awareness. Wisdom, meanwhile, is experience and the ability to convert acquired information into action. When we talk about “organizational knowledge,” it is really a combination of both concepts.
5. Vulnerabilities are Endless. Resources are Not.
Try as we might, it is impossible to identify, let alone plan for, every disaster that might befall an organization. You cannot solve them all, so you must prioritize.
Say you come up with 20 different scenarios in which your company is at risk. Some will inevitably be more likely to occur than others. It is important to determine which have the highest probability of occurring and which will have the most impact on your organization should they occur and use that information as your guide.
Every enterprise, no matter the size, has limited resources to dedicate to its business continuity efforts. The threats that have the highest probability of occurring, along with the highest potential impact, are obviously the ones that will require the most attention and planning. It can be viewed as a simple line graph that helps you determine how to delegate time, money, and staff.
Read more of John’s thoughts on organizational knowledge in Corporate Risk and Insurance.
4 Disruptions That Impact European Business Resilience
Our European business climate is rife with potential risks these days. Countries where the political landscape has remained relatively stable now face polarization, borders are being hardened, corporate domiciles are in flux, and the regulatory environment is becoming more complex. As the General Data Protection Regulation (GDPR), addressing individuals’ personal data, recently became enforceable, many businesses are scrambling to determine whether they are compliant or, if not, what they need to do to get there.
And with the looming economic fallout of Brexit yet to be determined, talks continue on how to undo decades of treaties and agreements with the European Union. All these serve to magnify and exacerbate what’s become the standard list of growing risks and threats affecting organizations across the globe – terror threats, data breaches, supply chain risk, and extreme weather events to name just a few. The types of disruptions that can readily impact any organization include:
- IT services disruption – any disruption affecting access to IT services (often referred to as “IT disaster recovery”) or the protection of critical data (often referred to as “cyber security”).
- Workplace disruption – any disruption of a business entity (offices, call centers, retail locations, trading rooms, manufacturing plants, labs, warehouses, etc.) as well as its critical assets such as machinery or other specialized equipment.
- Workforce disruption – any disruption involving personnel such that sufficient, trained and skilled employees are not available. Possible causes may include labour actions; regional disasters during which the community or public infrastructure is severely impacted; or pandemics, any of which can cause severe absenteeism.
- Supplier disruption – any disruption to critical suppliers, service providers, utilities and related infrastructure, or logistics that stops or slows the movement of critical products and/or services into or out of your business.
The potential for any of these to critically impact an organization based on its complex dependencies is what drives the need to operationalize risk management.
While the concepts of risk, compliance, crisis response, and disaster recovery are becoming more familiar throughout European businesses, the evolving threat landscape and growing uncertainty call into question legacy approaches to business resilience. Today, more than ever, an organization failing to prepare both strategically and tactically for any type of disruption can experience a much greater impact than it can readily absorb.
How Organizational Knowledge Empowers Enterprises
Organizational knowledge – it’s not a term commonly associated with business continuity, resilience, or disaster recovery, but it is a critical component.
First, let’s briefly explore the concept of knowledge. Merriam-Webster offers several definitions of knowledge, including “the sum of what is known: the body of truth, information, and principles acquired by humankind.” Take a London Black Cab driver as an example – they spend several years studying the streets and buildings so they can get anywhere by the fastest route by address or building name, all without GPS assistance. They each know what few others know – every nook and cranny of London. This indispensable body of knowledge gives them a strategic and tactical advantage in conducting their business.
Before I co-founded Fusion Risk Management, I was the general manager of a Fortune 500 enterprise that sold one of its subsidiaries. Of course, whenever a large acquisition occurs, due diligence is of utmost importance. The potential purchasing companies needed their teams to review all elements of the business to ensure everything was in order.
To do this, we created a “data room.” We took over a large conference room and filled it with filing cabinets, stacks of paper, and thick binders. This was the only way we could demonstrate a complete view of the business. In came hordes of people from a myriad of potential acquirers, and they spent several days to weeks painstakingly digging through these physical documents and putting all of the information they needed into spreadsheets. It’s hard to believe, but that was just in 2001. Things have certainly changed.
The “data room” we put together now seems like a relic of the distant past. Today, a business can gather all of its data virtually and store it in one place, creating a level of efficiency that was completely unimaginable less than 20 years ago. Moreover, information can be stored in its raw form rather than embedded in documents, enabling leadership to gain valuable insights and make more informed decisions.
Any business that evolves beyond a few people in a single location runs the risk of developing information silos that different departments or people are responsible for. There is not a person or group that knows every process, asset, vendor, and dependency that allows the organization to operate successfully. This fragmentation is inefficient and can cost a company time and money, while also creating unnecessary risk. This leads to a fundamental need to avoid the many pitfalls of a fragmented company through the use of organizational knowledge.
An organization improves over time as it gains experience, and experience enables an organization to equip itself with a broad base of knowledge to make the best decisions for continued success. When a company commits to ensuring all leadership and employees understand the process of creating, retaining, and transferring knowledge, it is much better positioned for that success. The concept is simple – the more we understand how an organization works, the better we can understand how it might break or fail. With that knowledge, we can best implement processes to protect and recover it.