The Future of Business Continuity Management

Since the COVID pandemic outbreak in 2020, there has been a significant shift in the appetite for Business Continuity planning.  But there’s been more than just the pandemic.  Recent years have felt like a state of permanent crisis, with the whole world lurching from one disruptive event to the next. As well as the pandemic there has been the EU exit, supply chain issues, economic instability, global climate instability and cyber-attacks to name but a few. Organisations have faced these and many others, often concurrently. 

At the best of times, managing an organisation’s response to a singular disruptive event can be challenging. Responding to two, three or more events at the same time can place an already burdened team under tremendous and seemingly unrelenting pressure.

These difficult times of “permacrisis”  have shown us the importance and value of resilience. As individuals and as organisations, we’ve had to dig deep and lean into the next big thing with barely a pause for reflection. 

As we have started to see, there is a general and wide-spread shift from Business Continuity to Business Resilience.  In summary, we anticipate a substantial shift in philosophies and practices:

Changes we have already begun to see:

• • The scope of BC has already started to change in terms of what is to be protected and the type of disruptive events to be actively prepared for.

  • Roles and responsibilities, such as those of executive leadership being more involved and more generally businesses taking direct responsibility for their resilience capabilities.

  • Closer integration with risk management disciplines and more generally across other areas of an organisation.  In particular, ICT and InfoSec regulations are driving a more integrated and holistic way of working across the business, which is affecting the status quo of BC being the umbrella function for disruption preparedness.

  • Technology is increasingly changing the way in which a Business Continuity programme runs.  This is in part down to how technology can support complex information and data models, shifting the practice away from a document repository to systems that can identify vulnerabilities and gaps in preparation.  But also, technology can support response activities.  The rise of digital organisation modelling is on the rise.

• Changes we expect to see more of:

  • A greater shift to ingrained resilience.  This will cover the growth of more decentralisation of planning and accountability (of course with centralised and executive governance), all the way through to business-as-usual practices where resilience and redundancy are built into ways of working as opposed to recovery strategies being added retrospectively.

  • BC professionals will move more towards a coach and advisor across the business, and guiding executives through strategic decisions related to resilience.  This helps to increase personal and team responsibility for ensuring high resilience.  This shift also frees up time for the BC experts to QA the work done on preparation and during response and more generally be able to search for gaps, risks and vulnerabilities.

  • Threat types and the likelihood of them happening will be a much more fluid situation.  As such there will be greater adaptability in planning and protecting against an ever-changing risk landscape.  Whilst a certain level of preparation and resilience will be required across the board, resources will need to shift from one attack surface to another proactively.

  • Digital organisation modelling will continue to be utilised and become more sophisticated.  This model encompasses all upstream and downstream dependencies, including business processes, locations, applications, information, suppliers, and channels. In some instances, it consists of a compilation of information, attributes, and relationships.
    
    Consider a scenario where your organisation faces a cyberattack. Leadership must swiftly comprehend the impacted servers and infrastructure, determine necessary shutdowns, identify hosting locations, ascertain linked applications, gauge business downtime tolerance for each affected application, and assess product or service impacts.  Generating such insight in real-time is unthinkable without technology and this digital model.
    
    It’s impossible to predict every disruption or planning for every scenario, but the digital model enables real-time querying to identify vulnerabilities that require immediate attention.

  • Supervised AI automation will increase.  Traditional methods in business continuity such as Business Impact Analysis (BIA), risk assessment, strategy formulation, plan documentation, and exercises often result in an approach that feels like an add-on to continuity and resilience efforts, frequently falling short of executive leadership expectations. Nevertheless, many outcomes of these traditional approaches remain essential for uncovering vulnerabilities.
    
    Consequently, rather than disappearing entirely, many traditional business continuity elements are anticipated to transition into automation facilitated by various forms of artificial intelligence. For instance, AI applications like generative AI might generate initial drafts of BIAs or business continuity plans, while AI could also aid in recommending controls or recovery strategies. Subsequently, dedicated business continuity professionals and business leaders can evaluate these outcomes and respond accordingly to identified vulnerabilities.

Prepare with practice.  Technology may help us map our organisations and aid our response efforts.  But rehearsing and practising how to respond remains very much a human responsibility.  But it will change, anticipating the need to manage the immediate impact and the risk of an escalating crisis. This idea of ‘cascading crisis’ or ‘aftershock impacts’ from an initial event is a newer, broader way of looking at disruption.