“Nothing is certain except death and taxes” – Benjamin Franklin
The old quote still rings true in today's fast-paced and ever-changing world. For businesses seeking to prosper in this environment, another certainty to add to that list is risk.
Risk is ever present in this world, and, although it can never be eliminated, prudent companies will do their best to understand, manage and mitigate their risks as far as reasonably possible.
Audits and formal risk assessments will flush out financial, personnel, geographic and sectoral risks; the next step should be understanding, analysing and maintaining business continuity in the face of these diverse risks. In this context, most – if not all – business leaders will be familiar with the term ‘BCP’. But this is a broad and misunderstood acronym, sometimes used to describe the process of business continuity planning, and sometimes for the resulting business continuity programme.
“Most simply, we think of business continuity planning as the discipline of making your organisation more resilient, or able to solve big problems. A business continuity program is the means by which you embed this discipline into your organisation to build your capacity to prevent, withstand, and recover from unplanned disasters and adverse events,” explains Bryan Strawser, Principal and Chief Executive of Bryghtpath LLC, a US-based crisis management and business continuity consultancy.
“In the face of disruption, it ensures that you can continue operations and protect your most important assets, especially your people,” Strawser continues.
BCP has been written about extensively, and a number of theories and guidelines have developed as to how it can best be understood. ISO 22301, the international standard for business continuity management systems, is commonly distilled to four key components: management support, business impact analysis, risk assessment and having in place a business continuity plan.
Meanwhile, the pragmatic method described in the Security Executive Council's Business Continuity Playbook is to break down BCP into four key pillars: assessment, preparedness, response, and recovery.
The assessment pillar would include hazard identification and risk evaluation; preparedness could involve training and crisis simulations; response may involve assembling specialist teams as well as following appropriate procedures; and the recovery and learning process may be centred around keeping thorough records of any damage sustained and corrective actions taken.
The theory is well-established, and resources are bountiful. But the key to BCP success is of course in its practical implementation. And it’s here that things become more complicated.
The world is facing unprecedented uncertainty: companies are increasingly reliant on technology, which itself is developing at breakneck speed; supply chains are under threat; remote working poses unique challenges; and fraud is at record levels. In the face of these strong headwinds, businesses must strive to ensure their BCP is robust, while balancing commercial concerns and goals.
For Katharine Leaman, CEO of compliance specialists Leaman Crellin, modern BCP looks very different from the approach taken in the 1980s and ’90s, when the focus was largely on operational risks (such as flood or power cuts).
“It’s more about how resilient your organisation is, whether you’ve stress tested for extreme scenarios, which seem to be more prevalent, and whether you’ve got a plan to recover quickly and to manage your reputation, too,” she says.
Specialists are observing a number of significant trends this year, which will impact the way companies should approach their BCP. These are driven by factors including technological advancements, changing business environments, and lessons learned from recent global events such as the Covid-19 pandemic.
“People are starting to move away from scenarios that are known and are starting to think outside the box and use tests that are more unique,” says Leaman. “It’s becoming more normal to look at things that are not known, quantified risks. You can’t rule out what you think will never happen – anything is possible really.”
Other current and emerging trends include:
Cyber resilience: As businesses become more digital, the risk of – and vulnerability to – cyber threats and attacks increases. Ransomware in particular is a growing threat, not least because it deliberately targets the backups and recovery systems a BCP relies on. In response, and to ensure quick recovery, companies can integrate cyber resilience into their plan. This can involve regular cybersecurity audits, implementing advanced security technology, and training employees.
Remote working: As Reglex wrote recently, remote work has become the norm for many businesses; companies should create BCPs that include strategies for maintaining operations when employees are unable (or unwilling) to work onsite.
“Everyone learned the really hard way that you have to allow remote working in order to ensure business continuity,” notes Leaman, who adds that even where roles simply cannot be carried out remotely, companies should also consider how this affects their BCP.
Resilience in supply chains: After the Covid-19 pandemic exposed vulnerabilities in global supply chains, businesses would do well to focus on creating resilient supply chain strategies, including diversifying suppliers and increasing inventory for critical items.
Data protection and recovery: The importance of data in modern businesses has led to an emphasis on data protection and recovery in BCPs. This includes strategies for protecting data from threats like cyber attacks and natural disasters, as well as plans for recovering lost data. A practical check is whether at least one backup copy is held where an attacker who has compromised production systems cannot alter or delete it, and whether restores are actually rehearsed within the outage time the business can tolerate.
Regular testing and updating: A BCP is not a one-time task, but requires regular testing and updating to ensure it remains effective. This involves conducting regular simulations and drills, and updating the plan based on the outcomes.
Concentration risk: With climate change making large-scale weather events and other natural disasters more common, companies need to consider the risk of grouping large numbers of employees in one hub location. Distributed resources can now be connected effectively and efficiently thanks to modern communications technology. Concentration risk also arises from focusing resources in particular legal entities, from relying on a single supplier or cloud region, and from over-reliance on certain individuals.
Communications: The vital role of clear and timely communication during a crisis is more recognised than ever. "Planning ahead is really important," notes Leaman. "Crisis communications are possible but very stressful – really you want to plan so that communications flow much more naturally."
Companies can leverage technology to make sure that messages reach stakeholders effectively and quickly, and should employ experienced, capable communications specialists.
“Always think about the comms people, because that protects your reputation. They have to be the first people in your business continuity room, and probably the last to leave the room, too,” Leaman adds.
Climate change, sustainability and ESG: With increasing awareness about climate change, illustrated by recent extreme weather events, businesses are also incorporating environmental risks into their BCPs; and sustainability is becoming a key consideration, with plans focusing on reducing the environmental impact of business operations, as well as recovery.
Protecting mental health: There is also a growing recognition of the impact of crises on employee mental health. BCPs should include strategies to support employee mental health during and after a crisis.
AI as a friend
A TechTarget article written in 2019 pointed out that AI could be included in, or even become the central part of, many parts of the BCP process, “both before and after a disaster occurs”. There is potential for emerging technologies, such as predictive coding, large language models and generative AI to significantly assist in enhancing the robustness and effectiveness of all forms of BCP.
“These technologies can help predict potential risks, automate parts of the recovery process, and provide data-driven insights to improve the overall effectiveness of the plan,” says Strawser.
“Technology and AI will have a significant impact on businesses in the next five years, more than it did in the last five years,” adds Henry Ee, Managing Director of BCP Asia.
The applications are varied, beginning with risk detection, identification and assessment which leverages the ability of AI to analyse very large amounts of data very quickly.
In the response phase, AI can be used to automate tasks, such as triaging incidents, decision-making, and deploying resources. “This can help businesses to respond to threats more quickly and effectively,” notes Katherine Lee, a Hong Kong-based compliance specialist.
Beyond this, technology could assist with automation of certain recovery processes, crisis communication (through AI chatbots, for example), and even supply chain management.
“AI can predict supply chain disruptions based on factors such as weather patterns, political instability, or supplier performance. This allows businesses to take preemptive action to avoid or mitigate the impact of these disruptions,” says Strawser.
While it is clear that new and emerging technologies will have a significant – and perhaps essential – part to play in BCP, enabling businesses to improve their processes and become more resilient to disruptions, most businesses are taking a cautious approach to implementing AI in real life.
“Everyone is talking avidly about AI, but there is still a low level of trust, so it tends to be used more for analysis than decisioning,” says Leaman. “We’re still working out exactly what it can do safely.”
There are a number of well-known issues with AI, such as faulty correlations and false positives (which apply to its use in BCP as much as in popular personal chat apps). Until these and others are resolved, it seems unlikely that we will see a general uptake in the BCP space any time soon. And as Hakan Kantaş, senior director of IT at Halkbank, wrote recently, the use of cutting-edge technologies leads to important ethical, privacy and security issues. These currently exist in a regulatory vacuum.
The Artificial Intelligence Regulatory Framework, which is under development by the European Commission, is likely to change this: it aims to provide a set of requirements and obligations regarding specific uses of AI to developers, deployers and users, and would be a world first. However, the framework, along with an updated Coordinated Plan on AI, is not expected to come into force until at least 2024 (and will of course only apply in Europe – although, if successful, it could lead to a regulatory domino effect elsewhere in the world). For the foreseeable future, it will be up to private businesses to address these issues through appropriate policies and guidelines.
While AI clearly has the potential for greatly enhancing BCP, in many ways, it should not – and perhaps never could – replace skilled human input and oversight.
“Remember, while these technologies can enhance a BCP, they should not replace human judgement and leadership,” says Strawser. “A successful BCP requires a combination of advanced technology and skilled, knowledgeable people.”
Developing regulatory attention
With an eye on today’s risky business environment, and driven by recent events, there has been an increased focus on implementing regulations which touch on many areas relating to business continuity, including data privacy and security.
“After the COVID-19 pandemic, governments introduced tighter regulations leading companies to focus more on training staff, reviewing their business strategies, and also enhancing their risk management and business continuity planning,” says Ee.
And in some cases, there are specific business continuity rules and guidelines which regulated firms, such as banks or insurance companies, are expected to follow. In the UK, the Financial Conduct Authority (FCA) sees BCP as a part of firms’ wider operational resilience obligations.
“We expect your firm to be operationally resilient by having a comprehensive understanding and mapping of the people, processes, technology, facilities and information necessary to deliver each of your important business services,” the FCA states in its web-guidance.
A key part of the FCA’s focus here is on the use of outsourcing and third parties. The regulator’s guidance makes it clear that firms are responsible and accountable for all regulatory responsibilities that apply to outsourcing and third party service arrangements, and that no part of this can be delegated.
Hong Kong's Securities and Futures Commission (SFC) has taken a similar approach, with a focus on operational resilience. On 4 October 2021, the regulator published a circular and a report on operational resilience and remote working.
In May 2022, the Hong Kong Monetary Authority (HKMA) added a new Operational Resilience module to its Supervisory Manual, and revised its BCP module (first introduced in 2002). This followed a consultation period which was triggered by additional guidance issued by the Basel Committee on Banking Supervision at the end of March 2021.
The implementation periods are lengthy: authorised institutions have only been required to comply with requirements relating to the development of their operational resilience framework since 31 May this year, and have until 31 May 2026 to fully implement the framework. This is an indicator of the importance, depth and complexity of the requirements. Within their frameworks, firms are, at a minimum, expected to include components covering operational resilience parameters, mapping exercises, risk management policies and frameworks, scenario testing and incident management.
The Monetary Authority of Singapore (MAS) appears to treat business continuity as a more distinct component of the territory’s overall regulatory framework. It issued its original Business Continuity Management (BCM) Guidelines in 2003, with supplemental guidance and a survey on industry trends and practices published 10 years later. After a considerable hiatus, the Guidelines were updated in June 2022.
“Under the revised BCM guidelines, the MAS advocates dealing with business continuity risks by adopting a service-centric approach through the timely recovery of critical business services facing customers,” explains Ching Soon Yeoh, a Principal Consultant with Bovill in Singapore. “This is in addition to the previous approach of a functional approach through the timely recovery of critical business functions that a financial institution depends on.”
“The dependency mapping will enable financial institutions to identify resources critical to the service delivery, consider the implications of their unavailability, and address any gaps that could hinder the effectiveness and safe recovery of critical business services,” Yeoh says.
Similar to the FCA in the UK, the MAS also recognises that BCP issues in the financial services sector have become increasingly interconnected with reliance on IT systems and third-party providers. As part of the Guidelines, the MAS therefore requires financial institutions to analyse the end-to-end dependencies that support their critical business services in order to mitigate the risks arising from these interdependencies.
“To ensure the third parties can meet critical business services, assurance can be obtained through due diligence performance by regularly reviewing the operational level with third-party providers and conducting regular audits and tests/joint tests with them or reviewing test results. As much as possible, financial institutions should make plans to address the interdependency risks,” explains Yeoh.
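The mapping exercise the FCA describes, and the dependency mapping Yeoh sets out for the MAS Guidelines, both come down to the same question: for each important business service, which people, systems, sites and third parties does it depend on, what happens if each of them is lost, and where does redundancy on paper still collapse into one hub or one vendor (the concentration risk discussed earlier)? The following is an added example of that exercise as a small data model, written for this page and not taken from any regulator's material or from the consultancies quoted. The bank, services, resources and recovery times are constructed; the thresholds and attribute names are assumptions.

```python
"""Dependency map for important business services (added example, not from
the page). All resources, services and figures below are constructed."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Resource:
    name: str
    kind: str            # "system", "third_party", "team", ...
    location: str        # data centre, office hub or "distributed"
    provider: str        # "internal" or the vendor name (assumed attribute)
    recovery_hours: int  # assumed time to restore this resource after loss


@dataclass
class Service:
    name: str
    max_tolerable_outage_hours: int
    # Each step lists interchangeable alternatives; a step fails only when
    # every alternative in it is unavailable.
    chain: list[list[Resource]] = field(default_factory=list)


# --- constructed sample data: a small bank's two important services ---
LEDGER = Resource("core banking ledger", "system", "Hong Kong DC", "internal", 8)
CARD_PRIMARY = Resource("card processor (primary)", "third_party", "Singapore", "Vendor A", 1)
CARD_STANDBY = Resource("card processor (standby)", "third_party", "Singapore", "Vendor A", 1)
OPS_TEAM = Resource("payments operations team", "team", "Hong Kong hub", "internal", 2)
CALL_CENTRE = Resource("call centre", "team", "Hong Kong hub", "internal", 48)
REMOTE_AGENTS = Resource("remote call agents", "team", "distributed", "internal", 1)

SERVICES = [
    Service("Card payments", 4, [[LEDGER], [CARD_PRIMARY, CARD_STANDBY], [OPS_TEAM]]),
    Service("Customer support line", 24, [[CALL_CENTRE, REMOTE_AGENTS], [LEDGER]]),
]


def services_lost_if(lost: set[Resource], services: list[Service] = SERVICES) -> list[str]:
    """Services that cannot be delivered when every resource in `lost` is down."""
    return [s.name for s in services if any(set(step) <= lost for step in s.chain)]


def single_points_of_failure(services: list[Service] = SERVICES) -> dict[str, list[str]]:
    """Resources with no alternative, mapped to the services they would take down."""
    spof: dict[str, list[str]] = defaultdict(list)
    for s in services:
        for step in s.chain:
            if len(step) == 1:
                spof[step[0].name].append(s.name)
    return dict(spof)


def concentration_by(attr: str, services: list[Service] = SERVICES) -> dict[str, list[str]]:
    """Group resources by an attribute (location, provider, kind) and report the
    services lost if the whole group fails at once: this is where redundancy
    on paper hides a single hub or a single vendor."""
    groups: dict[str, set[Resource]] = defaultdict(set)
    for s in services:
        for step in s.chain:
            for r in step:
                groups[getattr(r, attr)].add(r)
    return {key: services_lost_if(group, services) for key, group in groups.items()}


def tolerance_breaches(services: list[Service] = SERVICES) -> list[tuple[str, str]]:
    """(service, step) pairs where even the fastest alternative in the step
    takes longer to recover than the service can tolerate."""
    breaches = []
    for s in services:
        for step in s.chain:
            fastest = min(r.recovery_hours for r in step)
            if fastest > s.max_tolerable_outage_hours:
                breaches.append((s.name, " / ".join(r.name for r in step)))
    return breaches


if __name__ == "__main__":
    print("Lose the ledger:", services_lost_if({LEDGER}))
    print("Lose primary card processor:", services_lost_if({CARD_PRIMARY}))
    print("Single points of failure:", single_points_of_failure())
    print("By provider:", concentration_by("provider"))
    print("By location:", concentration_by("location"))
    print("Recovery slower than tolerated:", tolerance_breaches())
```

Two of the findings are the ones a mapping exercise exists to surface: the card-processing step has a standby, so losing the primary alone costs nothing, yet both alternatives sit with the same vendor in the same region, so grouping by provider or location shows the service falls over anyway; and the ledger's assumed eight-hour recovery is longer than the four hours the payments service can tolerate, which is a gap to close before a scenario test, not during one.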
By 5 June 2024, when the revised BCM Guidelines become fully effective, it will be mandatory for financial institutions in Singapore to have conducted a BCM audit. After this date, commentators expect the MAS to issue clarification on the Guidelines, and to conduct an updated survey looking at trends and practices.
Not just a nice-to-have
For some businesses, active regulatory oversight provides the catalyst for ensuring proper, proportionate risk management processes, including BCP, are implemented. Many others may find themselves left to their own devices.
But whatever the regulatory environment – and whatever the sector or location – BCP is an issue no business can afford to ignore. Nor should they want to, because risks are ever-present and ever-evolving.
Done properly, BCP can not only ensure efficiency of operations, but one day, it could help ensure the very existence of a company, and the security of its employees.