In this bulletin, Charlie discusses how business continuity has evolved in response to COVID‑19, the rise of cyber threats, geopolitical instability (including the Middle Eastern war), and supply chain vulnerabilities, and reflects on whether the profession has the right skills to remain relevant as these risks change.

When writing the bulletin “Some Updated Cyber Ransomware Figures” about a month ago, I came across some figures that set me thinking about the future of business continuity, and I’ve been waiting for a spare week to write down my thoughts. The other event that prompted this reflection was the ongoing war in the Middle East and its implications for business continuity practitioners and the profession. So, this week I am going to put together some initial thoughts on where I see the profession going and how I see it changing in the future.

To understand where the profession might go next, it is worth reflecting briefly on what has happened to business continuity over the last few years.

What Covid Revealed About Business Continuity

I remember writing a post-COVID-19 bulletin questioning whether the business continuity profession was in decline and whether it could survive the headwinds it was facing. The first of these was COVID-19 itself. Most organisations survived, both those without a business continuity plan and those with one. All the work done on the Business Impact Analyses (BIAs) was worthless. I recall the BCM of a large telecoms outsourcer saying that they had a whole load of activity RTOs which stretched from hours to months. Management advised the BCM that they wanted all activities back now and that the graduated recovery was not to be implemented.

There was a huge failure of risk management. We were all told that a pandemic was the greatest risk, but nobody, as far as I have heard, had plans that adequately addressed how Covid manifested and affected the delivery of products and services. Those who didn’t have plans quickly formed teams to manage the incident and I suspect, although I don’t know that it is true, that the incident teams they envisaged beforehand were the same teams which managed the organisation’s COVID-19 response. For me, it seemed, in terms of the COVID-19 response, that business continuity didn’t really make a difference.

Business continuity, as opposed to disaster recovery, was originally developed to allow large organisations to recover their operations following the major IRA bombings in London. It was about recovering operations if your office was lost. This spawned the emergence of the Work Area Recovery (WAR) industry, which provided a cost-effective alternative to organisations maintaining an empty office ‘ready to go’.

During the COVID-19 pandemic, the move to work from home completely undermined the need for WAR. Sungard, the chief provider of alternative office space, went bust. High-availability IT also came of age, and so the chances of large IT outages were decreased, further reducing the need for business continuity.

Resilience was all the rage and all those who worked in business continuity rebadged themselves as resilience departments. It didn’t seem to matter that nobody really knew what resilience consisted of. It was the new term and was embraced by all. Around the same time, Operational Resilience was being rolled out in the financial industry. While analogous to business continuity, it had its own methodology – and, more importantly, financial organisations were being held accountable for implementing it. What gets checked gets managed, and as a result, Op Res teams were the top dogs, and business continuity teams were the poor relations.

The Rise, and Possible Fall, of Cyber as the Driver of Business Continuity

Luckily for business continuity practitioners – along came cyber, which completely revitalised the need for business continuity. While there were cyber attacks during the 2010s, they have really ramped up within the last three to four years. The recent cyber attacks on high-profile organisations – particularly Co-op, JLR, and M&S – have made all organisations aware of their vulnerability to cyber threats.

At PlanB Consulting, perhaps almost two-thirds of our work is cyber-related – writing plans, playbooks, cyber training and cyber exercises. Possible loss of IT has caused the dusting off of manual workarounds and the revising of RPOs and backups. The cyber threat has woken up many of the C-suite to the need for business continuity as a whole, and rollouts have surged.

If Ransomware Declines, What Happens to Business Continuity?

Coming back to the bulletin I wrote earlier, titled “Some Updated Cyber Ransomware Figures”, I noticed that cyber attacks in the last year were up by 50%, which should ensure plenty of work for business continuity practitioners, especially those who carry out exercises, in the near future.

I noticed another figure: the percentage of organisations paying ransoms had gone from roughly 50% to 25%. I did note that the amount paid per ransom had increased. The whole cyber consultancy ecosystem for us is predicated on ransomware cyber attacks continuing. Through a combination of much better cyber defences, legislation that prevents the payment of ransoms, and the disruption of gangs by law enforcement, ransomware attacks may not be a thing any longer.

There was a time when car radios were constantly being stolen and I remember taking the stereo with me when I locked the car. Due to changes in manufacturing, the way stereos are incorporated into cars, and increased car security, they are very rarely stolen nowadays. Cyber attacks will never stop, but if there is no money to be made in ransoms, cyber criminals will have to go elsewhere.

For me, this could have a huge impact on business continuity, as senior managers will pivot their focus and budget to the next threat.

A More Unstable World and the Future Direction of the Profession

In business continuity we normally talk about the four things we need to recover our organisations: people, technology, suppliers and buildings. Technology without cyber may be less of an issue; buildings have a ready-made solution, which is WFH; business continuity practitioners have never been able to do a lot about people, so that leaves us with suppliers or supply chain.

With the Middle Eastern war, mapping and understanding your organisation’s supply chain in the future could become a new focus for business continuity practitioners, so they can identify and mitigate threats before they occur and have an impact on the organisation. This is one way that business continuity can develop.

The other direction for business continuity practitioners to go is to focus on how they can protect their organisation in the more volatile and warlike world in which we live. I wonder if all the organisations around the Gulf which have been targeted by Iran have implemented their business continuity plans and are using them to manage their organisation’s response. There has been some damage to facilities, but also there is the management of communications with their staff and ensuring they are safe and know what is expected of them.

With an increasing amount of Russian-organised low-level warfare against the West, and the possibility of further escalation beyond the Ukrainian conflict, perhaps the business continuity manager should be exploring what this looks like.

My concern with supply chain issues – whether organisations are caught up in conflict or preparing for wider disruptions – is whether the business continuity profession has the right skill set and is viewed as the appropriate group to manage and prepare for these threats. Are supply chain or procurement professionals, or risk managers, better qualified and prepared to identify risks and then mitigate supply chain issues?

Is being caught up in a general war greater than the “maximum scale of incident” that we normally prepare for, so that the business continuity methodologies are not valid? Making our organisation more resilient and able to absorb the impact of our volatile world, such as the surge in fuel prices at the moment, is more of a top-management decision than something driven by the business continuity manager.

Where Does Business Continuity Go Next?

Business continuity has survived for about 30 years, but I do feel that if the cyber threat were to greatly diminish, it would leave a significant hole in the work we do. As we live in an increasingly volatile world, with more conflicts and with the close coupling of organisations, industry and global systems, we are likely to see more threats and events which business continuity methodologies can mitigate.

We need to ensure that we have the skills, knowledge and techniques to deal with these emerging threats and be ready to adapt if the cyber threat rapidly diminishes. If the profession is to remain relevant, it must be willing to evolve as the threat landscape changes.
