Business Continuity Planners don’t have the ability to predict the future. That doesn’t mean they should ignore current industry findings about the future, either. Far too many organizations continue to plan for the “Big 4” (Loss of Building, Loss of People, Loss of IT, and Loss of Vendor) just as they have been doing for the past decade or more. But are those really the Threats they should be planning for?
In the United States, the TSA – the friendly folks at airport security – have long been reactive in their approach to security. They devise searches and precautionary measures to prevent the types of threats (like the ‘shoe-bomber’) that have happened in the past. The BCM “Big 4” is of a similar nature. We’ve seen evidence of those threats, so we plan to respond to them. But are those truly the threats we face today, and will face in the future?
The 2016 Allianz Risk Barometer survey listed today’s top 10 Business Risks. At #3 on that list are Cyber Incidents. We should all acknowledge that today’s always-on business environment has shrunk recovery time objectives (RTOs). Just a decade ago, Tier 1 RTOs were 24-48 hours. Today we speak of “Tier 0” RTOs that are immediate – while even Tier 2 RTOs may be less than 24 hours!
The standard “loss of IT” disruptions anticipated in the Big 4 are not the same as today’s Cyber Incidents – where a cyber-ransom situation or website denial of service may impact both operations and reputation (in addition to the impact on customers and regulatory requirements). Simply planning for what you’d do if a critical application or system is unavailable may not be the strategy needed to respond to today’s ever-increasing cyber-attack incidents. Nor is a ‘smoke and rubble’ approach to DR likely to be appropriate anymore.
The #1 Risk on the Allianz survey is Supply Chain disruption. In the past, we’ve generally thought of ‘supply chains’ as being confined to the processes of sophisticated manufacturers. Today it is critically important to understand that many – if not most – other industries and business types have supply chains. If your organization outsources anything – fulfillment, payroll or customer service for example – or uses 3rd party contractors, or depends on external infrastructure (the cloud, JIT, web-based customer management, etc.) there are risks inherent in those relationships. Disruption of those supply chain components may impact your entire operation – and you may have limited control over the consequences, and limited options.
And while the #4 risk is Natural Catastrophe (climatological and geologic incidents), we must understand that the severity of some floods, storms and earthquakes may do much more than make a building inaccessible; they may impact personnel availability, technology (especially the external infrastructure on which networks, telecommunications and the Internet rely) and supply chains (especially when those supply chains are local or regional).
The common Big 4 planning scenarios are no longer sufficient to respond to the accelerating sophistication of today’s business operations. Two decades ago, mainframe recovery was the heart of Recovery Planning. By Y2K, recovery’s focus had shifted to the wider Technology realm. Only in the past decade has Business Continuity Planning encompassed both Technology and Business functions. The current decade is beginning to see further evolution, in response to changes in speed, globalization, technology and markets.
Still planning for the past? Address today’s threats, or your BCM program (and your organization) risks being left in the dust as tomorrow’s threats emerge.