The past several years of rapid change have brought a risk management challenge for organizations: increased volatility and unpredictability. In addition to an unprecedented global pandemic, companies had to navigate external risks such as market shocks, supply chain disruptions, political upheaval, cyberthreats and an increased amount of extreme weather events.
In response, many companies have reprioritized risk management and business resilience as critical strategic priorities, with risk managers taking the lead and embracing proven techniques and insights. One crucial resilience aspect is business continuity management (BCM): the ability to identify, mitigate and reduce risk impact while ensuring continuity of critical business processes. The COVID-19 pandemic, and the highly infectious Delta and Omicron variants, provided a new baseline for BCM programs, along with valuable lessons to better prepare organizations for the risks and challenges that lie ahead. Here’s a look at the new BCM paradigm.
A Shift in BCM Thinking
Before the pandemic, more than eight in 10 companies didn’t consider a pandemic or other major health crisis as a top 10 risk. Indeed, fewer than 31% of North American organizations had a pandemic plan in place, and many companies found that their coverage would not respond to business losses from the pandemic.
But the ongoing pandemic serves as a wake-up call for companies to rethink their BCM programs. More than eight in 10 businesses reported that the pandemic created the need to have an enterprise-wide approach to risk to solve complex issues and maintain operational resiliency. Many have now incorporated their learnings from the pandemic to inform specific pandemic-response plans and toolkits. Even more important, companies have broadened their perspective on existing, emerging and unknown risks to their business continuity.
Powered by the Cloud
Business continuity during the pandemic was greatly dependent on cloud-based computing and the IT infrastructure that allowed people to continue working, buying and selling remotely. Software-as-a-service (SaaS) providers, such as Amazon, Google and Microsoft, became indispensable and have enabled a paradigm shift in the way we work today.
However, the reliance on cloud computing comes with its own set of risks that companies need to factor into their BCM plans. The most obvious is the rise of cyberthreats. Last year, ransomware attacks grew dramatically (up 715%), with payments increasing 60% from 2019. While preventive security measures are crucial in protecting against cyber risk, companies should also have a contingency plan for a cyberattack.
In some cases, this means preserving the ability to use tried-and-true manual processes as backup for critical operations. For example, one U.S.-based clothing retailer recently experienced a ransomware attack that shut down its entire cloud-based system, including point-of-sale e-systems and employee email accounts. The company quickly and quietly reverted to offline sales and manual reconciliation (e.g., with pen and paper) during the weeks it took to rebuild the system, which allowed it to continue critical business operations without severely damaging consumer confidence or its bottom line.
Mapping Supply Chain Risks
The past few years have underscored the global interconnectedness of people and businesses — and the supply chains on which they depend. Ongoing shortages affecting the auto manufacturing and home construction industries, for example, have revealed just how fragile supply chains can be, especially in the face of emerging risks such as worker shortages, extreme weather events, cyber threats and geopolitical uncertainty.
Risk managers are learning that it is no longer sufficient to rely solely on their own supply chain business continuity management plan during a catastrophic event. It is equally important to assess the resilience of key suppliers (and their suppliers’ suppliers) to ensure that risks do not cascade downstream. Companies are increasingly recognizing the value of a vendor resiliency analysis — an examination of suppliers that can validate they can continue to provide the products and services critical to the company’s core business operations should a crisis occur. Furthermore, requiring vendors to have their own BCM plan can push risk upstream and minimize the downtime and costs associated with disruption to a supply chain or vendor service.
Practice Makes Perfect
When the COVID-19 pandemic hit, many companies found that their BCM plans were outdated, inconsistent or simply did not work in practice. A business continuity management plan is much more than a piece of paper. It is a blueprint for action that works only if the key players are able to understand and execute the plan accordingly.
Learning from mistakes of the past, companies are spending more time on drills and tabletop exercises that put their plan to the test. These exercises allow senior leaders and decision makers to practice their emergency response, clarify their roles and responsibilities, and address any gaps in the BCM plan before an actual risk event occurs. Even a two-hour tabletop exercise can better prepare employees to respond to future risks, which can save precious time and resources during a crisis situation.
 “Businesses Thought They Were Covered for the Pandemic. Insurers Say No,” New York Times
 “5 Steps to Help Rethink Your BCM Program,” Aon