The year of 2020 will be forever printed in world history and will certainly be remembered as the year we all managed multiple crises at once. Whatever the advert circumstances faced, it is unquestionably recognizable that we have been through tough times financially, psychologically, professionally and in other countless ways. The far-reaching impact of the COVID-19 pandemic is still causing irreparable damage in a myriad of ways, including the plunge of stock markets around the globe, while multinational companies request financial aid or file for bankruptcy. Consequently, an increase of unemployment and recession can already be observed across the globe.
Although light can be seen at the end of the “Coronavirus tunnel” attributed to the high expectation of the various vaccine announcements and their successful rate of efficacy, the vast impact to our personal and professional lives are far from over. Nonetheless, what is left is hope, and lessons to be learned (and applied).
Despite the wide-ranging and borderless impact of intermittent crises caused by this pandemic, society must look ahead. Humans have demonstrated over thousands of years that being resilient is an intrinsic characteristic, and we will – or at least try – to adapt to different and eventual difficult circumstances over time. But now that we have been dealing with this pandemic crisis for over a year, how can the private sector and risk and resilience professionals within their organizations, leverage a diverse set of crises and disruptions to develop or enhance preparedness, responsiveness, recovery, and actually save money and time?
It is evident that both the public and private sector have constantly witnessed historic recurrence, and the fact is that lessons can – and must - always be learned in order to strive for error avoidance in the long run. However, learning is not sufficient in order to improve. Organizations must convert lessons into concrete, but agile and flexible strategies followed by actionable items. One must accept the fact that crises will eventually occur, and that being vulnerable is a reality despite the often-heard sentence by crisis management professionals: “this will never happen in our company.” Risks and impact must be measured. Plans must be tested and constantly updated.
The basics of crisis management
Prepare, respond, and recover is the traditional framework lifecycle of a basic crisis management structure that should be implemented by any organization in any industry. However, is your company really preparing for unforeseen circumstances? How much money and time could preparedness and effective response be conserved? How big of an impact would a major outage or a data breach cost to your organization? What is the cost of a reputation fiasco? Several companies that have been through major crises will ratify that preparing for the worst would be crucial from a capital and time perspective.
Year over year, we read or see on the news multiple external/internal crises or major disruptions among agencies and enterprises: ransomware attacks, data breaches, disease outbreaks, environmental hazards, civil unrest, lawsuits, societal risks, employee turnover, workplace violence, and other relevant eventualities. Internal crises are also more frequent than we imagine.
Within the past few years, companies have been heavily impacted by considerable financial effects following a crisis; Pinterest settled a gender discrimination lawsuit with former executive for $22.5 million; Europe Union hit Google a $1.7 billion antitrust fine; Target, one of the largest retail companies in the U.S. was fined $18.5 million for a 2013 data breach that affected 41 million consumers; Equifax paid $575 million as part of settlement with FTC, CFPB, and states related to 2017 data breach; Facebook was fined $5 billion by the FTC, and was urged to update and adopt new privacy and security measures.
The added risk of work from home
In 2020, the vast majority of businesses worldwide adopted a working from home policy which automatically reflects a concern regarding security vulnerabilities related to the cyber environment. According to a survey conducted by Ontrack, 39% of organizations are not prepared for a ransomware attack and 1 in 5 organizations are not able to access a working back-up of their data. Enterprise-wide defense plans must be considered in order to reduce the risk of being caught in major downtime, loss of data or having to face heavy fines by privacy laws, followed by negative publicity.
Enhancing resiliency
The term “resilience” has been often used across the private sector in the past few years to mainly identify crisis management, business continuity and operational recovery efforts. Business resilience should be seen as an overarching strategic capability to efficiently prepare for, effectively respond to, and quickly recover from crises or disruptions, whilst applying all necessary strategies to continue providing critical services to internal and external stakeholders.
The world is coming to terms with a new economic and political order, trying to deal with increasing global threats; ranging from security, mass migration, cyber-crime, supply-chain, climate changes and others. Crisis management, business continuity management and operational recovery facilitate organizations to develop and enhance resiliency by providing the capability for an effective response to threatening events that have the potential to directly or indirectly impact organizations. Such programs provide the framework to understand how value is created and maintained within an organization and establishes a direct relationship to dependencies or vulnerabilities inherent in the delivery of that value. As such, mature business continuity, disaster recovery, and crisis management programs are key disciplines required in any organization to become more resilient — which is a key building block to strengthen any pragmatic program foundation.
Resilient organizations with a mature business resilience program established are forward thinking and due to the ability to adapt to changing circumstances which may have the potential to result in damaging effects on the organization’s ability to survive and prosper. Data driven strategies followed by business impact analyses, and risk / threat assessments can result in significant decrease in money and time spent dealing with response or recovery that haven’t been identified.
In order to become more resilient, risk and resilience professionals must rely on setting the foundation correctly, therefore adding value to both internal and external stakeholders. To ensure resiliency in the face of varied risks, it is essential to have a holistic business resiliency strategy approach which permeates all business functions, concluding overarching plans, as follows:
- A crisis management plan which contains directives with strategic and tactical procedures with predefined roles and responsibilities to effectively respond to crises or incidents with the potential to impact staff, customers, key stakeholders or cause significant financial, operational, and/or reputational impact to the business.
- A business continuity plan which proposes and rehearses a response to all identified and likely operational disruptions according to the business line. International standards as well as respected institutions such as the ISO 22301; BCI or DRI, respectively, can be very helpful in developing a business resilience program.
- A disaster recovery plan which is a technical subset of business continuity mainly focused on IT recovery enables the organization to recover from disruptions.
It is obvious that crisis response plans/playbooks, business continuity and disaster recovery plans are part of a wider strategic governance and structure that incorporate many factors, including impact thresholds; risk assessments; policies or statements; guidelines and standards; incident management and remediation plans; playbooks; tabletop exercises; failover tests; mass notification and crisis communication tooling; vulnerability audits; debriefing or post-mortem practice; next-of-kin response; dedicated internal and external communication channel for transparent information; insurance; reporting and escalation procedures; continuous update of contact list and employees emergency details; intelligence capabilities; crisis briefings to C-suite level; collection of metrics; project management; third-party risk assessment evaluation; external technical and expertise support (e.g. legal, cyber, public relations); and many others.
There are two quotes by Warren Buffet that should be considered as a must within organizations regarding managing crises and overall resilience which cannot be neglected, especially if the goal is to thrive while facing a vulnerable and uncertain environment:
- "It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently."
- “Risk comes from not knowing what you're doing."
Business resilience programs will not generate revenue for organizations, but will most certainly create awareness, change a responsiveness culture into a preparedness culture, cut expenditure, save time and minimize reputational impact – not if, but when improbable circumstances become reality.