By: Gert Kogenhop, Founder, bcm+, The Netherlands
Gert Kogenhop is founder of bcm+, the business continuity management (BCM) consultancy firm. He chairs the Netherlands Normalization Institute’s ISO Business Continuity Management and Crisis Management Mirror Committee and is an Honorary Member of the Business Continuity Institute. Gert has written numerous publications about business continuity and edits the BCM column for a regional magazine on sustainability. He is also Course Governor Resilience Management at the Security and Continuity (SECO) Institute in the Netherlands.
This paper discusses the benefits of tooling as an enabler for resilience management, specifically business resilience. Business resilience entails the integration of different areas of expertise in a joint effort to secure the future of an organisation in a dynamic environment. It requires the right balance of risk management, information security and data protection, business continuity management and crisis management. To ensure that each area of expertise can operate independently within a coordinated framework, the right structure is essential. Much like a carpenter needs a hammer, the business resilience manager requires the right tools. Attention must be paid to collaboration, information sharing and balancing the right level of integration. While the tooling process will not be a panacea for the various challenges facing the business resilience manager, it will be an enabler: it is beneficial, has deliverables and supports management and control.
Keywords: business resilience, tooling, collaboration, information sharing, integration
Many organisations that have implemented a risk, crisis or business continuity management system do so by creating lots of Word and Excel files, supported in many cases by databases, and using PowerPoint or other office software to support the information flow. In some cases, SharePoint is used to make the system more robust and to create a secure environment for storing documents, calculations and other data components. Some larger organisations have built their own system or tool to fulfil their specific needs, but in most cases, these tools are difficult to maintain, let alone develop further in an ever-changing environment with evolving rules, regulations, requirements and demands. Organisations must ask themselves whether they have created a resilient management system that is ready to be used when required, or whether they have simply found the easiest way to meet the requirements of a document management system.
Every organisation is exposed to risks. Many are generic, like IT outage, building fire, utility issues or extreme weather; others are specific, resulting in a risk set particular to the line of business, be that chemical production, software development, construction, data management or baking bread. Location also has an impact on risk; for example, risks will differ between organisations located close to an airport, major waterway, chemical plant or oil distribution facility.
Risk management, both enterprise and operational, is a must for organisations and, generally speaking, it is reasonably well managed, especially in larger organisations where the use of integrated risk management tooling is common practice. This approach consists of a set of practices and processes to support and improve decision making and performance. It delivers an integrated view of how well an organisation manages its specific risk set.
The world — especially the business world — is changing at a rapid and accelerating pace, so it is essential to keep one’s eye on the ball when it comes to major issues such as climate change, Brexit and the so-called ‘trade war’ between the USA and China.
In today’s world where everyone depends on information technology, information security and data protection are important elements that demand attention. In this regard, the European Union (EU) directive ‘Concerning Measures for a High Common Level of Security of Network and Information Systems across the Union’1 and the General Data Protection Regulation2 (GDPR) are important drivers. IT dependency makes organisations vulnerable and as such must be addressed and managed. Indeed, an IT outage can result in anything from a major disruption to the collapse of an organisation — something that would have been almost unheard of 40 years ago.
It is far too easy for serious disruption to develop into crisis. For this reason, crisis management and business continuity management are the prerequisites of a well-run organisation; indeed, in some countries they are even legal requirements. Being unprepared is simply unacceptable, and any ‘plan’ to act ‘when the time comes’ is not just poor business practice, but frankly irresponsible and unworkable.