Business continuity: How to confidently approach it with a clear focus
16 Minute Read
Coronavirus (COVID-19) is rightly considered the most significant challenge to daily business of the modern era. But its business disruptions are not unique: the financial crash of 2007/08, the Fukushima nuclear reactor burnout, and the terrorist attacks of 9/11 all left long-lasting global footprints on business.
Business disruptions happen – and seemingly with increasing regularity.
Business continuity is therefore a priority for modern businesses, yet it often seems overcomplicated and delegated to an isolated function within the organisation.
Business continuity should have a strategic approach, it should be principles-based rather than offering tactical plans, and it should be inherently linked to crisis management plans and processes.
With the hindsight of coronavirus, how can companies approach business continuity with renewed focus and confidence?
Start with a framework
There are plenty of frameworks for business continuity guidance, all of which provide a solid basis for shaping plans.
But as the saying goes: “Everyone has a plan until they’re punched in the face.” And coronavirus has certainly been a tough experience for many. So, let’s frame our discussion with one of the most famous.
Former US Secretary of State Donald Rumsfeld famously talked about the “known knowns”, the “known unknowns” and the “unknown unknowns”.
This framework (known as the “Johari window”) was developed by psychologists to help people better understand themselves and their relationships with others.
It can be a helpful tool in daily life, as well as in business when there is uncertainty.
I’ve used it in thinking through data breaches or negotiation and communications strategies in ransomware events, and during fast-paced post-breach moments, when attempting to recover operations as quickly and as securely as possible.
It can be a useful framework for reviewing progress in any business continuity scenario. Let’s use it with coronavirus as an example.
The known known
Coronavirus, although a surprise, was not completely unexpected.
In recent history, the SARS endemic resulted in several regional lockdowns, and the World Economic Forum has cited the potential for a pandemic as a global risk for the past decade or more.
Governments have responded, investing into their pandemic preparedness plans and exercising them as best they can (my sisters, both front line emergency doctors, have been involved with national level exercises).
However, it was only in 2019 that the Global Health Security Indexes assessed global preparedness to respond to a pandemic.
Companies, too, have responded, especially those with recent memories of territories affected by lockdowns in the wake of SARS and MERS.
At the same time, the realities of the pandemic have highlighted some of the limitations of any planning:
Do we isolate?
For how long?
How do we keep the lights on?
Which videoconferencing tool should we use?
For businesses, few were truly prepared for wholesale homeworking or the effect on people and infrastructure.
Certainly, businesses and governments have worked tirelessly – the Job Retention Scheme was rolled out incredibly fast, and many businesses moved to a remote workforce in the space of a week.
But in the final analysis, did we listen to the warnings and handle the “known knowns” as best we could have?
The known unknowns
Once coronavirus hit, we were faced with further questions: how long will it last, what will the depth of operational or financial challenges be, etc.
And particularly, what is the effect on a workforce: the wellbeing of remote workers, their ability to execute their work consistently and securely in a complex new environment, and the overarching job security concerns, for example.
We are still answering all of these questions.
Given the global and interconnected dependencies of our response, these can’t all be answered in isolation.
Nor will all the answers always be correct first time: in moving on from the shock of the “punch”, a level of responsive agility is required as we reduce uncertainties and increased vigilance on potential secondary effects.
The unknown unknowns
This is particularly a case of the law of unintended consequences – the fact that unexpected circumstances cause a host of issues that are increasingly unpredictable.
As a cybersecurity practitioner, for example, a key effect of coronavirus has been the proliferation of opportunistic cyber attacks on remote workers, just as the security environment they were used to in the workplace has likely been dismantled.
Companies need to think how they can hedge their risks – transferring risks where they can, establishing clear responsibilities with providers, and making sure they invest in the right people for advice and expertise when something does go wrong.
Disruptions happen. Coronavirus is a dramatic outlier in terms of scale but no business should bury its head in the sand. Be aware of the warnings and pay attention to the known knowns.
All disruptions have some unpredictability. This needs to be reflected in your plans. That means ensuring principles are in place, being clear and reducing uncertainty as early as possible, and having the right talent and budget to work through or around any issue.
Disruptions create volatility. In a crisis, break up your horizon: focus on the immediate priorities, and appreciate that constant change will demand management attention.
Resilience and agility
Business continuity means doing whatever it takes to keep the lights on.
We shouldn’t be too scared, nor lose sight of the goal. Yes, coronavirus is negatively affecting some sectors of the economy – hospitality, for example.
But with any challenge comes opportunity, once we have adjusted to the shock of the “punch”.
A majority of companies are simply readjusting to their circumstances. In most cases, disruption means exactly that – a requirement to adjust, not completely refactor.
Those who adjust quickest and with clearest intention are likely to profit from the opportunities.
For that reason, despite the fact that most business continuity plans will consist of practical scenarios, we should not ignore the bigger picture: the most valuable strategic commodities are resilience (the capacity to flex to circumstances) and agility (the capacity to capitalise on those circumstances).
No business can operate completely risk-free. It’s not possible to eliminate all risks, and minimising risk in itself can stifle entrepreneurship and manoeuvrability.
This is why startups succeed by taking risks and snapping at the heels of less agile and more risk-averse grown competitors. Instead, we must accept some degree of risk and focus on developing a response for when challenges occur.
The key is in the balance.
Understanding your capacity for resilience and agility demands a clear sense of purpose and direction.
Now, more than ever, honest and clear purpose (vision, mission, and direction) is an enabler: for the integrity of employees; for corporate identity; for a sense of what matters most; for establishing space, trust, and autonomy for individuals; and to understand the boundaries of responsibilities and dependencies.
In practical execution, this can mean thinking through your value chain: where does your value lie? In making car parts or respirators? What do customers expect and appreciate? And where are the weak points in your supply and demand to consider?
Creating resilience and agility in the key areas across the value chain should be at the heart of your business continuity approach.
Business continuity is not about business as usual. It’s about preserving the most important parts of the value chain, as perceived by customers.
Resilience doesn’t mean eliminating risk altogether.
Resilience needs a sense of purpose and direction. Now is a great time to reaffirm that.
Leadership when it’s needed most
Leadership is a quality (not a title) needed to deliver a clear and genuine vision.
Crises are times for leadership. You may have detailed business continuity plans, but leadership provides the heart and mind to get up once you suffer disruption.
Yet there can be challenges.
In crises, there can be a tendency for leadership to become narrow: overly focusing on operational matters inside the organisation, and neglecting well-informed situational awareness from the outside.
Do your plans include ways to help your senior management team focus on what is important? Do you have a ‘war cabinet’ who can be brought together quickly?
What about a list of external advisers with right skills and experience – from banks to suppliers to consultants?
The tactical playbook is only the start of a business continuity operation. Continuity demands new thinking, and boards should be prioritising a new set of values. These include:
Prudence: The ability to make measured judgments based on understanding a situation as it really is, and to learn from experience. In-house knowledge and experience are suddenly of increasing value.
Foresight: The ability to interpret the near-term future with confidence; understanding customer sentiment, financial trends, and operational needs to solve issues before they become problems.
Counsel: The ability to identify well-informed and experienced advisers, to deploy them to address inevitable gaps, to absorb and implement their guidance.
In this respect, business continuity is indistinguishable from business strategy: you need the right heads around the table to exercise a new paradigm in thinking until normality of a sort is resumed.
Particularly in medium or family businesses, your external sources of advice will be invaluable.
Disruptions that solely affect your operations may only require tactical solutions. When the world changes, you need the expertise of a whole leadership team.
In a dynamic world, knowledge from all quarters is valuable.
Cybersecurity and coronavirus
As a cybersecurity practitioner, coronavirus has been both testing and interesting.
The subsequent waves of cyber attacks after lockdown (waves that are still breaking) is an example of unintended consequences, an “unknown unknown” side effect of the pandemic itself.
It’s not just the good guys who innovate. And the bad guys don’t have regulators, compliance teams, or oversight.
In the current pandemic, they have industrialised their approach, because:
Remote workers don’t have the security coverage of the workplace environment, and many are using their own equipment.
A sustained shift in working patterns added strain on the technical infrastructure and the resources to support them.
With ‘normal’ society disrupted, employees are more susceptible. For example, they are vulnerable to scam emails purporting to be from colleagues (business email compromises, or ‘BECs’).
This matters, because for a medium business, a ransomware event can be completely debilitating – even existential.
Pre-coronavirus, ransomware events typically had six-month dwell-times (i.e. the time between compromising an organisation and ‘detonation’).
This is shrinking to weeks during the coronavirus outbreak, further reducing the ability to detect and respond (hopefully before ‘detonation’).
These are quite low-level activities relative to the state-sponsored actions at the top of the spectrum of cyber events but the sheer volume we see at the moment is extraordinary. Businesses must be on guard.
Cybersecurity was difficult enough before coronavirus, so how can we deal with it now?
There isn’t a bulletproof solution, but you can build resilience and increase your immunity by minimising risks and maintaining hygiene.
Understand and implement the minimum standards published by experts such as the National Cyber Security Centre (NCSC).
For your suppliers, particularly in the cloud, make use of all the facilities that those suppliers give you. The principle cloud providers offer customers a raft of additional security measures, with a level of alerts for suspicious activities to control the digital environment as best you can.
Create a hotline ready for the ‘first-responder’ cavalry. That may be a full response team, a lawyer, an insurer, or a mix. It should be a risk transfer mechanism that you understand how to deploy properly. There is, of course, some cost attached to these services, but the costs of anticipation are usually smaller than those for response or consequence. Moreover, few businesses will be able to cope with modern cyber threats alone. Be sure of the quality of your providers and their ability to serve when you need it.
Yes, increased cyber risk has been an unintended consequence of coronavirus, but there are ways and means to minimise risk and maintain hygiene. Prevention is better than cure.
At the same time, a cyber incident must be expected, though its nature cannot be defined: being able to react quickly (stop the bleeding and minimise infection) is essential. It requires having the right ‘first-responder’ cavalry ready and contactable.
Strategic leadership is again essential: maintaining genuine vision and ensuring the right counsel to inform and respond.
This is just a snapshot of the business continuity discipline. By definition, it’s a profession that continues to learn and refine from experience.
At some stage every business faces disruption, though not always as dramatic as coronavirus. Don’t be put off by complexity. Rather, understand at a strategic level what matters most and draft in all the expert help you can afford.