In just a few years, faced with an increasingly digitized and globalized economy accustomed to a certain immediacy, operational resilience has become a strategic subject for most organizations. All the more so since crises, and their related risks, follow one another continuously: financial crises, terrorism, geopolitical tensions, climate risks, and of course the COVID-19 pandemic, which acted as an electroshock for businesses worldwide and represented a “real-life” test of organizations’ resilience.
In this context, it is quite remarkable to note that the companies that best withstood the pandemic are those which had at least a risk management practice or, even better, a business continuity plan (BCP) in place. The most agile of them have not only continued their activities in a business-as-usual fashion but have also managed to claim new market shares, and even to enter new markets.
Naturally, risk management and resilience are inherent aspects of any business. But the major difficulty now lies in operational interconnections and in the "domino" effects of risks that these interconnections imply for business operations. For example, the COVID-19 crisis and the successive lockdowns imposed teleworking, which generated cyber risks but also social risks. There was also an impact on supply chains, which led to disruptions in production, etc.
In other words, in a globalized and interconnected economic and regulatory environment, risks themselves become globalized and interconnected, and their domino effects must be anticipated.
The risks and their impacts are specific to each company, depending on its activities and businesses, its locations, size, etc. These risks are also potentially numerous: process risks, operational risks, human aspects, third-party and supply risks, IT and digital risks, or reputational risks. To address these threats, the practice of risk management provides a methodological framework for identifying, analyzing, and mitigating risks, as well as for designing the associated business continuity plans (BCP), which must be adapted to each context and business operations.
Of course, there is no need to draft an exhaustive BCP that would cover absolutely all the organization’s processes exposed to risks: the approach would be too complex, probably impossible, and, in any case, too expensive. Among the potential risks, the task is to identify the most critical ones affecting the most strategic assets, their ramifications, and their possible consequences in the event of a crisis. This is one of the goals of the risk mapping exercise, which makes it possible to visualize the most critical risks and identify the processes impacted. Risk mapping supports the design and refinement of a business continuity plan to provide resilience to business processes, but one also needs to consider the numerous resources that support them. To this end, it is essential to combine a process view with a resource view (IT resources, physical sites, logistics, raw materials, human resources), coordinated from upstream to downstream through a holistic vision.
The purpose of risk mapping is to define the risks to which the company is exposed and to assign the appropriate mitigating measures, according to the company's risk appetite. In all cases, the objective is to provide the organization with the necessary anticipation capabilities for conscious decision-making.
As its name suggests, a business continuity plan requires organizing the resilience of the organization around several upstream actions, but also remedying a crisis that has materialized. It starts with the identification of processes and the prioritization of their criticality. Critical processes are those without which the company cannot operate. They are therefore generally core business processes and need to be treated as a priority. The other processes should be prioritized according to the potential impacts that their stoppage or deterioration would have on the business.
Then, the task is to devise possible workarounds in the event of a disruption: tools to be used, so-called degraded (but useful) procedures to be put in place immediately, etc. These methods, intended to ensure business continuity, must be tested regularly to guarantee their success in a real-life situation. Finally, the remediation plan must also be designed upstream according to a specific scenario, to reduce the time required to return to a nominal situation to a strict minimum.
While it is true that you can only prepare and ensure business continuity if the risks are identified, this is not enough: a holistic approach is necessary. Without this very detailed and global view of the organization and its vulnerabilities, it is impossible to analyze, anticipate and coordinate - and therefore put in place the defenses to safeguard the company and its activities.