The Future of Business Continuity: Cyber, Conflict and Supply Chains

Charlie Maclean-Bristol discusses how business continuity has evolved in response to COVID‑19, the rise of cyber threats, geopolitical instability (including the Middle Eastern war), and supply chain vulnerabilities, and reflects on whether the profession has the right skills to remain relevant as these risks change.

I came across some figures that set me thinking about the future of business continuity. The other event that prompted this reflection was the ongoing war in the Middle East and its implications for business continuity practitioners and the profession. Here are some initial thoughts on where I see the profession going and how it will change.

To understand where the profession might go next, it is worth reflecting briefly on what has happened to business continuity over the last few years.

What Covid Revealed About Business Continuity

I remember writing a post-COVID-19 bulletin questioning whether the business continuity profession was in decline and whether it could survive the headwinds it was facing. The first of these was COVID-19 itself. Most organizations survived, both those without a business continuity plan and those with one. All the work done on the Business Impact Analyses (BIAs) was, for all intents and purposes, worthless. I recall the BCM of a large telecom outsourcer saying they had a whole load of activity Recovery Time Objectives (RTOs) which stretched from hours to months. Management advised the BCM that they wanted all activities back now and that the graduated recovery was not to be implemented.

There was a huge failure of risk management. We were all told that a pandemic was the greatest risk, but nobody, as far as I have heard, had plans that adequately addressed how Covid manifested and affected the delivery of products and services. Those who didn’t have plans quickly formed teams to manage the incident, and I suspect, although I don’t know that it was true, that the incident teams they envisaged beforehand were the same teams that managed their organizations’ COVID-19 responses. For me, it seemed, in terms of the COVID-19 response, business continuity didn’t really make a difference.

Business continuity, as opposed to disaster recovery, was originally developed to allow large organizations to recover their operations following the major IRA bombings in London. It was about recovering operations if their office was lost. This spawned the emergence of the Work Area Recovery (WAR) industry, which provided a cost-effective alternative to organizations maintaining an empty office “ready to go.”

During the COVID-19 pandemic, the move to work from home completely undermined the need for WAR. Sungard, the chief provider of alternative office space, went bust. High-availability IT also came of age, and so the chances of large IT outages were decreased, further reducing the need for business continuity.

Resilience was all the rage, and all those who worked in business continuity re-badged themselves as resilience departments. It didn’t seem to matter that nobody really knew what resilience consisted of at the time. It was the new term and was embraced by all. Around the same time, Operational Resilience was being rolled out in the financial industry. While analogous to business continuity, it had its own methodology – and, more importantly, financial organizations were being held accountable for implementing it. What gets checked gets managed, and as a result, Op Res teams were the top dogs, and business continuity teams were the poor relations.

The Rise, and Possible Fall, of Cyber as the Driver of Business Continuity

Luckily for business continuity practitioners, along came cyber, which completely revitalized the need for business continuity. While there were cyberattacks during the 2010s, they have really ramped up within the last three to four years. The recent cyberattacks on high-profile organizations – particularly Co-op, JLR, and M&S – have made all organizations aware of their vulnerability to cyber threats.

At PlanB Consulting, perhaps almost two-thirds of our work is cyber-related – writing plans, playbooks, cyber training, and cyber exercises. Possible loss of IT has caused the dusting off of manual workarounds and the revising of Recovery Point Objectives (RPOs) and backups. The cyber threat has awakened many C-suite members to the need for business continuity across the board, and roll-outs have surged.

If Ransomware Declines, What Happens to Business Continuity?

I noticed that cyber attacks over the last year were up by 50%, which should ensure plenty of work for business continuity practitioners, especially those who conduct exercises, in the near future.

I noticed another figure: the percentage of organizations paying ransoms had gone from roughly 50% to 25%. I did note that the amount paid per ransom had increased. For us, the whole cyber consultancy ecosystem is predicated on ransomware cyberattacks continuing. Through a combination of much better cyber defenses, legislation that prevents ransom payments, and disruption of gangs by law enforcement, ransomware attacks may no longer be a thing.

There was a time when car radios were constantly being stolen, and I remember taking the stereo with me when I locked the car. Due to changes in manufacturing, the way stereos are incorporated into cars, and increased car security, car radios are very rarely stolen nowadays. Cyber attacks will never stop, but if there is no money to be made from ransomware, cyber criminals will have to go elsewhere.

For me, this could have a huge impact on business continuity as senior managers will pivot their focus and budget to the next threat.

A More Unstable World and the Future Direction of the Profession

In business continuity, we normally talk about the four things we need to recover our organizations: people, technology, suppliers, and buildings. Technology without cyber may be less of an issue; buildings have a ready-made solution: Work From Home (WFH). Business continuity practitioners have never been able to do a lot about people, so that leaves us with suppliers and supply chains.

With the war in the Middle East, mapping and understanding your organization’s supply chain could become a new focus for business continuity practitioners, enabling them to identify and mitigate threats before they impact the organization. This is one way that business continuity can develop.

The other direction for business continuity practitioners is to focus on how they can protect their organizations in the more volatile and war-like world in which we live. I wonder if all the organizations around the Gulf that have been targeted by Iran have implemented their business continuity plans and are using them to manage their organizations’ responses. There has been some damage to facilities, but there is also the need to manage communications with their staff and ensure they are safe and know what is expected of them.

With increasing Russian-organized low-level warfare against the West and the possibility of further escalation beyond the Ukrainian conflict, business continuity managers may want to explore what this could look like.

My concern with supply chain issues – whether organizations are caught up in conflict or preparing for wider disruptions – is whether the business continuity profession has the right skill set and is viewed as the appropriate group to manage and prepare for these threats. Are supply chain or procurement professionals, or risk managers, better qualified and prepared to identify risks and then mitigate supply chain issues?

Is being caught up in a general war greater than the “maximum scale of incident” that we normally prepare for, so that the business continuity methodologies are not valid? Making our organizations more resilient and able to absorb the impact of our volatile world, such as the surge in fuel prices at the moment, is more of a top-management decision than something driven by the business continuity manager.

Where Does Business Continuity Go Next?

Business continuity has existed as a profession for over 30 years, but I do feel that if cyber threats were to greatly diminish, it would leave a significant hole in the work we do. As we live in an increasingly volatile world, with more conflicts and with the close coupling of organizations, industries, and global systems, we are likely to see more threats and events that business continuity methodologies could mitigate.

We need to ensure we have the skills, knowledge, and techniques to address these emerging threats and be ready to adapt if the threat rapidly diminishes. If the profession is to remain relevant, it must be willing to evolve as the threat landscape changes.

+++++++++++++++++++++++++++++++++++++++++++++++

This article was originally published by BC Training Ltd.

Charlie Maclean-Bristol is the author of the groundbreaking book, Business Continuity Exercises: Quick Exercises to Validate Your Plan

“Charlie drives home the importance of continuing to identify lessons from real-life incidents and crises, but more importantly, how to learn the lessons and bring them into our plans. Running an exercise, no matter how simple, is always an opportunity to learn.” – Deborah Higgins, Head of Cabinet Office, Emergency Planning College, United Kingdom
