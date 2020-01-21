advertisement

In the era of the industrial revolution, merchants would have looked after the supply of raw materials if their ships had sunk. During World War II, companies would have been worried about their survival if they had been bombed or if rationing had affected their supplies. In addition to natural disasters such as hurricanes, fires, floods, pandemics and man-made problems such as wars, organizations today face other challenges for their business. A modern company now has to deal with widespread economic and political instability, organized cybercrime and eco-terrorist attacks. Their weaknesses have also changed. Disruptive technologies such as AI and IoT, together with hyper-expanded supply chains, have created a level of operational complexity where vulnerabilities are difficult to identify and more difficult to protect.

Regardless of whether it is the 18th or 21st century, the cost of business downtime can be devastating for a company.

The technological revolution and the need for disaster recovery

Planning, investing, and providing resources for events that you don’t want to do yet are a two-way business. On the one hand, it seems advisable to invest based on the cost of the potential downside. On the other hand, it is impossible to anticipate all possible scenarios, and therefore an investment can prove to be futile. This dichotomy has resulted in companies responding ad hoc to disruptions primarily for many years, and it was only with the technological revolution in the 1970s that business continuity became a formal discipline.

In the 1970s, general-purpose computer systems became more and more available and provided companies with an integrated, unified information management system. Productivity, service, efficiency, and similar improvements were achieved almost overnight, resulting in an explosion of innovation and widespread acceptance. However, the novelty of the systems together with the inexperience of the organization and the operator led to a system-related vulnerability for companies.

Due to the economic pressure, companies have voluntarily invested in standby systems and important data backups to reduce the risk. However, when information technology began to directly impact citizens ‘economic wellbeing by enabling a variety of operational and cross-bank operations, such as the Bankers’ Automated Clearing System (BACS), the Society for Global Interbank Money Transfer (SWIFT) and the development of electronic money transfers at the point of sale (EFTPOS), the supervisory authorities intervene and demand disaster recovery planning. One of the first was the US Foreign Corrupt Practices Act (FCPA). Introduced in 1977 to prevent and prosecute cases of corporate bribery by foreign officials, it called on organizations to take special precautions to keep important corporate records and protect them from destruction. As such records were increasingly stored in electronic form, this required processes for data backup and recovery.

Transition from technical recovery to continued business

The economic impact of terrorist events such as the London Stock Exchange in 1990, the World Trade Center in 1993 and the London Financial District in 1992 and 1993 posed a new threat to organizations and showed that they had to be able to systematically address them protect and restore All aspects of value-adding activities protect and restore not only the IT systems that supported them. Business continuity developed into a formal discipline with the aim of maintaining the essential customer service, the generation of sales, the essential support, the trust of customers, shareholders and employees as well as the image of the company in public.

The establishment of the U.S. Disaster Recovery Institute (DRI) in 1988 and the UK Business Continuity Institute (BCI) in 1994 helped formalize business continuity as a management discipline with membership criteria, certification standards and training guidelines.

Post 9/11 – the emergence of rules and automated plans

The September 2001 terrorist attacks in New York and Washington brought with it the possibility of extreme events, along with the fact that the resilience of nations is largely dependent on the resilience of small and large private sector companies, which are essential products and services for these are provided by the citizens.

Policies, standards, and regulations have tightened, and what was previously a specialist-led discipline, in which the solutions were often ad hoc and specific to the company, became a specialist-led discipline with its own language, academics, and Tailor-made solutions such as Work Area Recovery, which combines a standby workstation with the IT systems and data required to continue working as usual.

Likewise, the focus of culture and awareness shifted to the existence of formal plans, the creation of which was often automated by one of the myriad of business continuity software planning tools emerging on the market.

The present – cyber threats and other strategic threats

Like every company, technology does not stand still, but constantly evolves and changes constantly. Similarly, malware such as ransomware and worms keep pace with technological advances and pose a real threat. For example, ransomware attacks increased in 2017 when WannaCry paralyzed thousands of companies, while the cryptovirus Petya companies such as the multinational shipping company Maersk , the British advertising company WPP and the pharmaceutical company Merck switched off. Losses from the WannaCry attack are estimated to be up to $ 4 billion worldwide.

While the cause of the problem may be IT system and serious operational disruption, the main impact of a cyberattack is strategic because you need to be prepared to adjust your response in real time. The attackers adapt their strategies to your defense measures. So if you are unwilling or unable to adjust your plan, you are likely to be defeated.

There will also be many stakeholders involved who create a complex (as opposed to complicated) environment, and certain approaches can have unintended consequences that need to be addressed in real time.

It is therefore easy to say that there is no point in having a plan if it will never work. However, you primarily need a piste if you want to start off the piste, and you will never find a sports trainer that indicates that there is no point in learning standard situations as the exact situation will never occur in a real game ,

The current focus for business continuity is therefore on the planning process and not on the plans themselves. During the planning process, knowledge about the functioning of the organization is generated and shared, which normally never comes to light. In addition, knowledge is generated about what is important from the perspective of other people, e.g. B. management and customers.

This knowledge enables the organization to adapt its plans to the specific circumstances – and not only to fail if they face the unexpected.

The future of business continuity

In today’s consumer-driven, complex and constantly active world of 24-hour news cycles and social media, it is almost impossible to have an “isolated case”, since even minor disruptions hit social media feeds within minutes of their appearance , Likewise, it is a very rare customer who likes to wait while a disrupted organization makes a heroic recovery – it is much more likely to turn to competitors.

As the risk landscape in which organizations operate becomes more and more complex, insecure organizations have to be able to show innovations in the face of adversity. However, the innovation process requires that people have the confidence to be innovative along with the time to think and experiment. The business continuity process not only offers clarity about the priority organizational processes, a series of exemplary answers to expected scenarios, but also a safe environment through training and exercise programs to experiment under stress and to practice innovations.

The next time someone says that you need to update your BIA or take part in a table exercise, do not keep in mind that you are wasting your time helping the Business Continuity Manager write a plan and check a compliance box, but being able to find out what that business continuity process can do for you.

Dr. Sandra Bell, Head of Resilience Consulting, Sungard Availability Services

