Many organisations believed they were prepared to withstand a business disruption. Then Covid-19 arrived and the reality set in: they were not as ready as they thought…
As businesses begin taking careful steps to reopen the workplace and plan for the threats to come, both for the next few months and the next couple of years, there has been a renewed interest in operational resilience.
The world is different. Your resilience planning should be too. A resilience culture and agility, which extends beyond working remotely, will be key if you want to be ready for the challenges that lie ahead.
So, now’s the time to start focusing on the future state of operational resilience within your organisation.
Here are four areas you should consider while reimagining operational resilience in the aftermath of Covid-19.
Executive-level focus on resilience
The pandemic has exposed the shortcomings of many companies’ business continuity (BC), crisis management, disaster recovery (DR) and pandemic readiness plans.
Often, their check-the-box plans are high-level and offer no actionable detail. They include out-of-date content, aren’t sustainable for long-term disruption (they focus primarily on short-term disturbances), and they don’t feature pre-event preparations and work acceleration strategies.
Additionally, Covid-19 has shown us that resilience is too critical to fall under the jurisdiction of a single department, as there are often gaps between disciplines that are siloed from one another. Investors and board members want to know that their company is resilient enough to withstand long-term disruption. Which is why resilience is now a C-suite issue.
As such, you must review your entire business resilience programme and incorporate enhancements based on proven best practices and lessons learned from the pandemic.
Launch a working group within your organisation to improve and integrate each of the key business resilience disciplines to ensure you have a holistic programme that can be called upon regardless of the situation. These disciplines include:
- Crisis management
- Business continuity
- Disaster recovery
- Pandemic planning
- Site emergency management
- Risk management
- Vendor risk management
Your business resilience working groups should also focus on internal and external concentration risk, contingency and disruption response planning, and preparing for future challenges that threaten your business.
With resilience “czars” leading a multi-disciplinary team within your working groups, you’ll be ready to answer any questions from executives and the board about your organisation’s preparedness for what comes next.
Third-party vendors’ business resilience
Cyber-security and data protection have long been at the forefront of vendor risk assessments, but those are no longer enough. Now you also need to more thoroughly evaluate your third-party vendors’ business resilience capabilities.
Ask questions that go beyond the presence of a plan. You need to know whether those vendors have an actionable and well understood plan in place, what they test and how they test it.
Touch on the “effectiveness duration” of different disruption response strategies (for example, how long their plans can withstand a disruption). You need to know that your suppliers have response strategies in place to overcome disturbances for 60, 90 or more days.
Make sure you evaluate concentration risk as well. Are your suppliers geographically dispersed, or are they all situated in the same region? Are the facilities and workers that support the products and services they provide for you located in the same area or in different regions?
Having all your eggs in one basket puts organisations at a major disadvantage if any of their vendors experience disruptions. That’s why lowering concentration risk should be a top priority for organisations, and that may mean diversifying your supply chain.
Disaster recovery effectiveness in the new normal
Covid-19 has challenged organisations to work beyond their normal workplaces, with a reduced workforce and with less than satisfactory service from third-party suppliers.
But in the broader scope of business resilience, organisations must also be ready to work in the aftermath of an IT disaster or a successful cyber-attack that comprised data. As such, DR programmes must be at the ready for both of these recovery cases.
Upon looking closely at their DR programs, however, many organisations are realising that their programmes aren’t aligned with their rapidly changing production environments and that they aren’t effective. And, in many cases, they’re unprepared to undertake a real DR effort while working virtually.
To make sure your DR programme is up to date relative to your current working environment, pay extra attention to the following questions:
- Can you recover while working remotely?
- Can you verify recovery effectiveness in complex hybrid computing environments?
- Have you addressed concentration risk within IT from a people and data centre perspective?
It’s also important to maintain a regular testing schedule. Doing so will help you close any resilience perception gaps and allow you to iron out any issues before a disaster arises.
Readiness for a future pandemic
Many companies were caught flat-footed when the pandemic hit. The only way to prevent a repeat of that is to start planning now for the next outbreak.
Develop a pandemic readiness plan to monitor and manage significant potential and realised health threats. These plans should include:
- Proactive and reactive actions to prevent or reduce the transmission of a health threat to personnel, contingent workers and visitors
- An emphasis on maintaining essential business operations and support services while mitigating the business impacts of an outbreak
- Response strategies for various scenarios in which business dynamics change
- Internal and external communication protocols for general information updates and rapid dissemination of urgent announcements
- Placing someone in charge of the response
By developing a pandemic management plan that addresses the entire lifecycle of an infectious disease outbreak – monitoring for it, preparing for it, responding to it and recovering from it – you won’t be caught off-guard.
It’s time to rethink resilience
Regardless of Covid-19’s impact on your business, the future of your organisations’ operational resilience is in your hands.
By addressing these four areas, your business will be more agile and better equipped to clear any hurdles down the road.
To learn more about making your business more resilient in the wake of the pandemic, visit www.sungardas.co.uk or call 0808 238 8080.
by John Beattie, Principal Consultant, Sungard Availability Services