KuppingerCole Report
Analyst Advice
By Warwick Ashford

Business Resilience Management (Crisis Roadmap for Beginners)

Business Resilience Management is key to business survival in the face of rapidly changing IT, cyber threat, and regulatory environments.

1 What is Business Resilience Management?

Business Resilience Management (BRM) is the comprehensive and standardized management of all processes to identify and mitigate risks that threaten an organization. These risks include disruptions to ICT Continuity, cyber attacks, consumer demands, market changes, and regulatory compliance requirements, which are all increasing due to globalization and market demand for 24x7 service.

BRM, therefore, is aimed at ensuring that organizations have Business Resilience, which is the ability to adapt quickly to risks and disruptions while maintaining key business workflows and safeguarding employees, assets, and brand reputation. Resiliency is the foundation for continuity and for mitigating any form of economic disruption at a business, regional, national, or global level. However, resilience can require complex management tasks, depending on the size and nature of the business.

As a comprehensive approach to Risk Management, BRM goes beyond Business Continuity Management and Disaster Recovery. BRM aligns all protective disciplines to achieve the goal of resilience, and has 5 essential building blocks as detailed in Figure 1. BRM, therefore, is a cross-functional and inter-disciplinary approach involving risk, business, and security professionals. This includes Reputation Management, the ability to respond to growth opportunities, communications during a crisis, and post-disruption improvement strategies for avoiding downtime, reducing IT and physical security vulnerabilities, improving fraud control, and maintaining business operations in the face of unexpected disruptions in the future. For some guidelines on best practices during a crisis, see this blog post on the don'ts of IT in times of crisis.

Figure 1: Essential building blocks of BRM

2 Where to draw the line between resilience, continuity and risk management?

Resilience, continuity, and risk management are all closely related and work together to protect businesses from disruption. Risk Management should always be the starting point to identify potential risks and then create controls to manage them.

Risk Management, however, does not necessarily eliminate risks altogether. Therefore, risk management needs to be complemented by Business Continuity Management to ensure organizations plan for contingencies, such as planning alternative suppliers of goods and services.

Figure 2: Risk Management, Continuity Management and Resilience Management are complementary

Business Continuity Management, however, does not necessarily eliminate risks altogether, and therefore needs to be complemented by Business Resilience Management. Resilience is about building in flexibility that enables organizations to respond and adapt to unexpected circumstances, such as adopting alternative ways of ordering from normal or backup suppliers if normal channels/methods are not available. Read more about risk management in a blog post on 3 Steps to Improve Your Cybersecurity with Enterprise Risk Management by Christopher Schuetze, Cybersecurity Practice Director and Lead Analyst at KuppingerCole.

3 What does business resilience mean for my organization?

Business resilience is extremely important to any business because without it, few businesses are likely to be able to recover from unexpected disruptions or adapt fast enough to sudden changes in market demand or regulatory requirements.

Business resilience can make the difference between business survival and failure, and therefore should be high on any business agenda. Only by achieving resilience, can a business be assured of surviving disruptions caused by natural disasters, attacks due to cyber crime and cyber terrorism, supply chain failure, technology failure, and compliance failure.

Achieving business resilience, however, requires careful business resilience planning to ensure that business models are flexible enough to adapt to market changes and other changes, and that ICT continuity is assured. This includes Business Continuity planning and management as well as disaster recovery planning based on a comprehensive risk assessment in the form of a business impact analysis (BIA), which is a key element of a comprehensive approach to BRM as shown in Figure 2. Business Resilience planning could also include skills development and training because a shortage of skilled workers poses a risk to resilience if an organization does not have people with the right skills to produce their product/service or adapt production when circumstances change.

Figure 3: Elements of a comprehensive approach to BRM

4 How can my company be prepared for a crisis?

A rigid organization that cannot adapt flexibly will face challenges in any crisis. Traditional organizational structures, non-transparent communication, poorly funded IT, a lack of digitalization, and rigid management processes are all obstacles to business resilience in a crisis. Instead, ensure that employees and managers are able to act in any situation, communication is clear, there is an honest feedback culture, IT is focused on resilience, employees are trained to be resilient, processes are all digital, employees can act independently, and micromanagement is avoided.

It is therefore important to make all the necessary organizational changes without delay to get rid of silos, integrate IT and the business, and plan comprehensively to build a culture of resilience. Getting rid of silos is very important. If IT, supply chain management, cybersecurity and other stakeholders work in isolation, there is a risk of failure. Plan instead to work in cross-divisional teams to prepare for a crisis. Next, ensure that IT fully understands what keeps the business running so there is deeper alignment of business and IT, and technology investments focus on resilience, collaboration, and self-service. Plan for a crisis in a comprehensive way and adapt the business model, financing, business processes and IT operations to be more resilient. Also plan for how the business will run during a crisis. Draw up an IT emergency plan and set up an Incident Command Structure to ensure everyone knows their role and responsibilities in various crisis scenarios. Education and training are essential, and regular testing of crisis business continuity plans should not be overlooked. KuppingerCole Analyst Annie Bailey explains how to set up Business Continuity and Business Resilience planning, and provides guidance in a webcast entitled: Managing a Crisis: Prepare for weathering the next storm to come. Listen to this analyst chat for more information on how to efficiently identify and rate your investments in Cybersecurity.

Figure 4: Setting the foundation for resilience with strategic alignment

5 What are the main risk factors for a company?

The main risk factors for any company are pandemics and epidemics, political unrest and war, severe weather, and cyber attacks or hacker attacks. However, of these, cyber attacks have the highest level of probability and the greatest potential impact at a corporate and even regional and global level, and can even combine with other risks, as we have seen in the Covid-19 pandemic. To find out more about this topic, listen to this analyst chat about how to avoid becoming a phishing victim during the pandemic. The impact of cyber attacks is also increasing as attacks by nation states or those supported by nation state level development capabilities become more common and destructive in nature, capable of disabling access to systems and data or even destroying IT infrastructure.

While the Covid-19 crisis has shown that pandemics can also have a high level of impact locally, regionally, and globally, they are much less likely than cyber attacks. At the same time, the likelihood of cyber attack is set to increase even further as businesses become more digital, and therefore more vulnerable to cyber attack. For digital businesses, cyber attacks are a major risk because failure to recover quickly could cause total business failure, strongly underlining the urgent need for a joint Business Impact Analysis to ensure Business Continuity and Cybersecurity teams fully understand the risks and align technology, policy, processes and people to ensure those risks are addressed. For some ideas on how to do that, listen to an analyst chat about protecting your organization against ransomware or key topics for cybersecurity in the times of crisis.

Taken altogether, it is clear that organizations must ensure that efforts to secure IT operations are closely aligned with efforts to maintain/restore IT operations in the event of a cyber attack, focusing on Risk Management, resilience and recovery of IT systems and networks, and contingency planning for varying degrees of IT failure. To achieve this, there needs to be a fresh, collaborative approach to Business Continuity and Cyber Security to limit the impact of cyber attacks on business operations and achieve the common goals of resilience and recovery. KuppingerCole Principal Analyst Martin Kuppinger discusses the topic in the video: Why BCM/BCRM and Cybersecurity must converge.

6 How does IT resilience relate to business resilience?

It is extremely important for every organization to assess and understand the degree to which their business operations depend on IT because the greater the dependency, the greater the importance of IT resilience to overall business resilience. Learn how to reduce the impact of cyber attacks in the following advisory note: Business Continuity in the age of Cyber Attacks.

Cyber resiliency is a core element of business resilience. While dependency on IT will vary from one organization to another, the general trend towards digital transformation and increasing reliance of organizations on IT for critical business functions and data means that for most organizations, IT resilience is becoming the cornerstone of business resilience. Learn about boosting IT resilience in a blog post entitled: The Next Best Thing After "Secure by Design".

In the wake of the Covid-19 pandemic crisis, this dependence will accelerate as organizations seek to become more digital. Without IT resilience, therefore, few businesses would be able to maintain critical business functions during and after a disruption caused by natural disasters, fires, disease outbreaks, terrorist-related incidents, and cyber attacks. IT resilience is therefore crucial to business resilience.

7 What role do IoT and AI play in business resilience?

The role of internet-connected devices, or the Internet of Things (IoT), and artificial intelligence (AI) within business operations is growing, driven by the ability of these technologies to enable new services and revenue streams, improve business efficiency, and provide better customer service. As the dependence of business operations on IoT and AI grows, it is important to identify the potential risks to business resilience that these technologies introduce.

Organizations need to ensure that their business impact analysis and risk assessment processes identify how IoT and AI impact business operations. Similarly, cyber security and disaster recovery processes need to be updated to include IoT and AI systems to protect them as much as possible from disruption and recover them as quickly as possible in the event of a disruption or failure. This further underlines the value of cyber security, disaster recovery and other protective disciplines working together under a comprehensive Business Resilience Management framework. While IoT and AI represent an increasing potential attack surface for cyber criminals, they also represent an opportunity to improve information, communication, and coordination across protective teams to improve overall business resilience.

8 What role should C-SCRM play in business resilience?

The business impact of suppliers being unable to deliver physical goods is well understood, typically resulting in production downtime and shortages of processed or manufactured goods. To avoid these consequences, most businesses have a program in place to manage the risk of supply chain disruptions. But most organizations underestimate cyber supply chain risks, even though cyber incidents can happen every day, anywhere in a supply chain. KuppingerCole Co-Founder & Management Board Member Joerg Resch discusses this topic in the blog post: Why C-SCRM is becoming so essential for your digital business. This topic is explored even further in a panel discussion on managing Cyber Supply Chain Risks and achieving Digital Business Resilience.

As businesses become increasingly digital, they need to put as much effort into managing the risks of their cyber supply chain as they do their traditional supply chain because failure to do so could lead to potentially crippling production downtime. Considering how increasingly dependent organizations are becoming on IT services (such as SaaS) and IT support in delivering services (such as installed software) on the one hand, and the increasing risks to the cyber supply chain in the form of cyber attacks on the other, the need for Cyber Supply Chain Risk Management (C-SCRM) is clear.

Given the complex supply chain risk management challenges and the increasing sophistication of cyber attacks, now is the time to add C-SCRM as a key component of any Business Resilience Management strategy. This can be done by agreeing cyber security standards for suppliers, adding cyber suppliers to existing supply chain monitoring, conducting regular risk checks, agreeing co-regulatory measures based on NIST SP 800-161 and ISO 27036 and 28000 standards, and drawing up contingency measures and processes to deal with disruptions. Risk analysis and impact mitigation controls can significantly reduce the impact of a failure or incident in the cyber supply chain.

Figure 5: C-SCRM involves a wide range of topics

9 Is there still a need for Disaster Recovery?

Business Resilience Management (BRM) goes beyond disaster recovery, but nevertheless includes disaster recovery. An organization that is not able to recover from a disruptive incident or disaster could not be described as resilient.

Disaster recovery includes data and system backup and recovery capabilities. Therefore, Disaster Recovery is an essential part of BRM. Like Risk Management, Incident Response Management and Business Continuity Management, the need for Disaster Recovery will never go away. Instead, these must all be recognized as essential elements of an overarching Business Resilience capability that needs to be managed in a standardized and coordinated way.

In all these elements of BCM, it is important that the human factor is not overlooked. Ensuring that employees are prepared and educated on how to respond in a crisis situation is essential to the success of each of these elements and ultimately to the overall business resilience capability of any organization. Matthias Reinwarth, lead advisor and senior analyst, discusses the topic of the human factor in security in a short video entitled The wrong click: it can happen to anyone. The topic is also explored in this whitepaper on the dark side of the API economy.

10 Does my company need a Business Resilience Manager?

Every business needs business resilience, but whether or not a company needs a dedicated Business Resilience Manager depends largely on the nature of the business, organizational flexibility to adapt to disruptions, and the overall risk any potential disruption could pose. However, regardless of the title of the person tasked with responsibility for business resilience, they must have the power and authority to act. Without the necessary power and authority, resilience cannot be guaranteed.

Where the nature of the business is particularly sensitive to disruptions of any kind, such as companies that are based on high-speed, high-volume transactions, a dedicated and empowered Business Resilience Manager is essential, regardless of the size of the company, because any disruption would be extremely costly and potentially fatal to the business.

The need for a Business Resilience Manager, therefore, is not related to the size of a company. Where the impact of disruptions to the business is not especially high, whether the company is large or small, responsibility for business resilience can be assigned to the CIO, CISO or whatever senior role in the company has the required overview of both the business and IT operations. These roles could be expanded to include the comprehensive and standardized management of all processes to identify and mitigate the full range of risks that could potentially disrupt business operations. Read more about Redefining the Role of the CISO.

11 Where is the topic of resilience best located in the company?

Business Resilience spans the entire organization and is therefore a board-level topic. It follows that the role assigned responsibility and accountability for Business Resilience Management should have direct or at least indirect board-level representation, depending on how sensitive the business is to disruption.

Where sensitivity to disruption is relatively low, Business Resilience managers would report to board-level CIOs and CISOs. However, where sensitivity to disruption is high, either the Business Resilience manager should have board-level representation or responsibility for Business Resilience should reside with a board-level CIO or CISO.

12 Who is qualified as a Resilience Manager?

Anyone tasked with the role of Business Resilience Manager first and foremost needs to be someone who has a thorough and preferably long-term understanding of the business, the business model, and the IT requirements to support it.

In addition to business and IT knowledge, resilience managers must have experience and skills in risk management, strategic thinking, and communicating with members of the board. Experience in disaster recovery, compliance, business continuity, facility management, information security, and emergency planning would also be an advantage.

13 Where will the Resilience Managers of the future come from?

Ideally, Business Resilience Managers should come from the organization itself due to the requirement of having a deep and long-term understanding of the business, how it works, and the IT needed to support it.

Therefore, organizations should draw up succession plans that include training and mentorship for employees with the necessary skills and experience of working in several departments within the organization, so that they are able to take over this role when necessary, either permanently or temporarily in a crisis if the current business resilience manager is not available.

14 How important will corporate resilience be in the future?

As businesses have become increasingly digital and the consequences of cyber attacks and other ICT disruptions have increased, the importance of corporate resilience has grown proportionately. Increased accountability through compliance with a growing number of industry regulations is also likely to continue to drive the importance of corporate resilience as a key part of corporate governance, which is based on the principles of accountability, fairness, transparency, assurance, leadership and stakeholder management.

With the trend towards digitalization set to continue, corporate resilience was always likely to become increasingly important. However, the Covid-19 pandemic has strongly underlined both the importance of resilience and the dependence of business on digital technologies and infrastructure.

As a result, more organizations are likely to focus on resilience in the post-pandemic era because so many underestimated or even failed to consider the impact of something like Covid-19. Therefore, there is likely to be greater investment in corporate resilience in future, with more organizations introducing the role of Business Resilience Manager. Where this role exists already, it is likely to grow in importance and power, and where a separate role is not introduced, specific responsibility for business resilience is likely to be added to the CISO, CIO, IT manager or other similar roles.

15 Conclusion

The Covid-19 pandemic has underlined the importance of Business Resilience and the value of Business Resilience Management. Only through the comprehensive and standardized management of all processes to identify and mitigate risk can businesses ensure they are in the best possible position to sustain operations through unexpected disruptions and beyond. To learn about what actions can be taken to handle the current pandemic crisis and bolster business resilience in the future, attend the KC Master Class: Business Resilience Management in a Pandemic Crisis.

While disruption due to pandemics is rare, other causes of disruption, like cyber attacks, are increasingly common and only likely to grow as businesses become more digital. Business resilience is essential, especially as businesses become more dependent on cyber supply chains. Business resilience is directly linked to survival of the business in the short-term as well as the long-term, and therefore should be integrated with long-term sustainability plans for any business.

Investment in building a Business Resilience capability, however, should be about more than just surviving disruptions and long-term sustainability. Through standardization of Business Resilience Management best practices and potential certification, businesses could not only improve the efficiency and flexibility of business operations, and thereby ensure good corporate governance, but could also use BRM as a market differentiator.

Copyright

©2020 KuppingerCole Analysts AG, all rights reserved. Reproduction and distribution of this publication in any form is forbidden without prior written permission. All conclusions, recommendations and predictions in this document represent KuppingerCole's initial view. Through gathering more information and performing deep analysis, positions presented in this document will be subject to refinements or even major changes. KuppingerCole disclaims all warranties as to the completeness, accuracy and/or adequacy of this information. Even if KuppingerCole research documents may discuss legal issues related to information security and technology, KuppingerCole does not provide any legal services or advice and its publications shall not be used as such. KuppingerCole shall have no liability for errors or inadequacies in the information contained in this document. Any opinion expressed may be subject to change without notice. All product and company names are trademarks™ or registered® trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.

KuppingerCole Analysts support IT professionals with outstanding expertise in defining IT strategies and in relevant decision-making processes. As a leading analyst company, KuppingerCole provides first-hand vendor-neutral information. Our services allow you to feel comfortable and secure in taking decisions essential to your business.

KuppingerCole, founded back in 2004, is a global, independent analyst organization headquartered in Europe. We specialize in providing vendor-neutral advice, expertise, thought leadership, and practical relevance in Cybersecurity, Digital Identity & IAM (Identity and Access Management), Cloud Risk and Security, and Artificial Intelligence, as well as for all technologies fostering Digital Transformation. We support companies, corporate users, integrators and software manufacturers in meeting both tactical and strategic challenges and make better decisions for the success of their business. Maintaining a balance between immediate implementation and long-term viability is at the heart of our philosophy.

For further information, please contact clients@kuppingercole.com.