Business continuity planning in a VUCA world

Scales and balance - Business continuity


Michael Gips and Chris Palmadesso, both Kroll, explore how the creation of a business continuity plan impacts an organization.

An uncertain world

The world fell apart in the first half of 2020. Unprepared businesses collapsed as COVID-19 spread across the globe.

Many organizations that did have continuity plans fared poorly: their contingencies were built to last a few weeks, while the pandemic officially dragged on for three years.

In mid-2020 the murder of George Floyd unleashed a wave of civil unrest that led to arson, vandalism and looting of businesses.

The police defunding movement again jolted the corporate world by forcing businesses to perform security and loss prevention functions typically carried out by law enforcement.

If we weren’t sure that we were living in a VUCA world – volatile, uncertain, complex and ambiguous – 2020 sealed the deal.

The years since then have brought at least 1,500 weather and climate disasters, costing over $400 billion in damage in 2024 alone.

The culprits: hurricanes and heatwaves, floods and famines, typhoons and tornadoes, wildfires and winter storms.

And those numbers don’t include manmade disruptions – wars and civil conflicts in Ukraine, Gaza, Sudan, Ethiopia and Myanmar; the 2021 blockage of the Suez Canal that created an estimated $60 billion in economic losses; massive cyber-attacks, such as the one on Colonial Pipeline, which disrupted transportation and logistics across the world; and the 2020 Beirut port explosion that wrecked infrastructure and impeded global trade.

In a VUCA world, it has become vital for organizations to prioritize crisis management and business continuity planning.

The increasing frequency and severity of these events, driven by global warming, underscore the importance of having robust and adaptable plans in place to ensure business continuity.

Plans in place

The recent wildfires in California serve as a stark reminder of the unpredictable nature of natural disasters.

These events can cause widespread devastation, disrupting businesses, displacing communities and straining public resources.

In such scenarios, the ability to respond swiftly and effectively is crucial, requiring a well-structured business continuity plan (BCP).

A BCP outlines the procedures and strategies for maintaining operations before, during and after a crisis.

Having a plan isn’t enough; it must be continuously reviewed, tested, updated and adapted.

Creating a BCP is an indispensable exercise.

It helps an organization proactively identify and address the weaknesses that a disruption would expose.

This process, often referred to as “poking holes” in the plan, involves rigorous testing and scenario analysis to uncover vulnerabilities, ensuring that plans are robust and capable of withstanding various types of crises.

Global warming has led to an increase in the frequency and intensity of natural disasters.

As such, it is imperative to build out a comprehensive business continuity framework.

This business continuity framework should be developed with the support of external, unbiased experts to ensure a thorough and objective assessment of the current state.

External experts can provide valuable insights and recommendations, helping organizations identify gaps and areas for improvement.

In a case one of the authors was involved in, an outside expert advocated that the organization’s BCP include the ability to provision laptops for staff who would have to work at home in the case of a flu epidemic.

A few months later, as the organization was in the process of sourcing the laptops, COVID shut down the world.

Every BCP should include a current-state assessment, a critical process in understanding an organization’s risk management and business continuity capabilities.

It acts as a looking glass, offering a clear view of strengths and weaknesses.

This business continuity assessment is an opportunity to enhance resilience and preparedness.

The authors have observed that this process is particularly important for financial institutions and high-tech firms, where continuity risks ebb and flow by the minute.

Both verticals depend heavily on real-time operations and accommodate high transaction volumes.

For example, banks, payment processors and stock exchanges handle millions of transactions per second, such that even a one-second disruption can cost billions of dollars.

Similarly, high-tech firms rely on real-time data processing, where minor hiccups can cascade into major failures.

Beyond these two verticals, many companies shifted their resiliency strategies following COVID-19 and now conduct current-state assessment reviews at least annually, in recognition of the fast-paced digital environment and protean geopolitical landscapes.

Actionable intelligence

In some cases, a business impact analysis (BIA) may be required to prioritize continuity capabilities within specific business units, functions or applications.

A BIA helps organizations understand the potential impact of disruptions and prioritize resources accordingly.

Understanding your recovery time objective (RTO), the maximum length of a disruption before the consequences become disastrous, and your recovery point objective (RPO), the maximum amount of data loss that can occur before the loss is considered unacceptable, is key to ensuring that a business continuity plan is both up to date and practical.

Ideally, a third party providing these resources can draw on proprietary client interviews as well as industry benchmarks to help the organization rank its RTOs and RPOs on a dashboard scale, turning the analysis into actionable intelligence.
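As an added worked example (not from the article or from Kroll), the ranking the paragraph describes can be driven by a short script: each business function carries its agreed RTO and RPO alongside what the last exercise and the current backup cadence actually deliver, and the dashboard orders functions by how far they miss their objectives. The business functions, objectives and measured figures below are constructed for illustration, and the red/amber/green thresholds are an assumption rather than an industry standard.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BusinessFunction:
    """One row of a BIA: agreed objectives plus what the organization can actually do today.

    All times are in minutes. Constructed illustration; not real client data.
    """
    name: str
    rto_min: int              # recovery time objective: outage length tolerated
    rpo_min: int              # recovery point objective: data loss window tolerated
    measured_rto_min: int     # time to restore observed in the most recent exercise
    backup_interval_min: int  # worst-case data loss implied by the backup schedule

    def __post_init__(self) -> None:
        # An objective of zero minutes is not a meaningful target and would
        # break the ratio arithmetic below, so reject it up front.
        if self.rto_min <= 0 or self.rpo_min <= 0:
            raise ValueError(f"{self.name}: RTO and RPO must be positive minutes")


def rto_ratio(f: BusinessFunction) -> float:
    """Observed recovery time relative to the RTO; above 1.0 means the RTO was missed."""
    return f.measured_rto_min / f.rto_min


def rpo_ratio(f: BusinessFunction) -> float:
    """Worst-case data loss relative to the RPO; above 1.0 means the RPO cannot be met."""
    return f.backup_interval_min / f.rpo_min


def severity(f: BusinessFunction) -> float:
    """A function is only as resilient as its weaker objective, so take the worse ratio."""
    return max(rto_ratio(f), rpo_ratio(f))


def tier(f: BusinessFunction) -> str:
    """Dashboard colour. Thresholds are an assumption: red = misses an objective by 2x or more."""
    s = severity(f)
    if s >= 2.0:
        return "red"
    if s > 1.0:
        return "amber"
    return "green"


def rank(functions: list[BusinessFunction]) -> list[dict]:
    """Order functions so the largest gap between objective and reality comes first."""
    rows = [
        {
            "name": f.name,
            "tier": tier(f),
            "severity": severity(f),
            "rto_ratio": rto_ratio(f),
            "rpo_ratio": rpo_ratio(f),
            # Minutes by which the last exercise overran the RTO (0 if it was met).
            "rto_overrun_min": max(0, f.measured_rto_min - f.rto_min),
        }
        for f in functions
    ]
    rows.sort(key=lambda r: r["severity"], reverse=True)
    return rows


# Constructed sample BIA: four functions with deliberately mixed results.
SAMPLE = [
    BusinessFunction("payments", rto_min=15, rpo_min=5, measured_rto_min=20, backup_interval_min=5),
    BusinessFunction("payroll", rto_min=1440, rpo_min=240, measured_rto_min=600, backup_interval_min=1440),
    BusinessFunction("customer portal", rto_min=60, rpo_min=15, measured_rto_min=150, backup_interval_min=15),
    BusinessFunction("email", rto_min=480, rpo_min=1440, measured_rto_min=120, backup_interval_min=1440),
]


if __name__ == "__main__":
    for row in rank(SAMPLE):
        print(f"{row['tier']:<6} {row['name']:<16} severity={row['severity']:.2f} "
              f"rto={row['rto_ratio']:.2f} rpo={row['rpo_ratio']:.2f} "
              f"overrun={row['rto_overrun_min']}min")
```

In the sample, payroll tops the list even though its drill restored service well inside the RTO, because a daily backup cannot satisfy a four-hour RPO; that is exactly the kind of gap a current-state assessment is meant to surface before the next outage does.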

Once the current-state assessment and BIA are complete, the next step is to develop a BCP that is applicable, contextual and capable of being exercised annually.

In other words, the plan should be tailored to the unique needs and circumstances of the organization, ensuring that it is relevant and effective.

Regular exercises and drills are essential to test the plan and ensure that all stakeholders understand their roles and responsibilities.

These exercises help identify any gaps or weaknesses, allowing for continuous improvement.

Had Southwest Airlines exercised a scenario in which its IT systems had to handle large-scale weather disruptions during the height of 2022’s Christmas travel season, it might not have suffered the system meltdown that stranded thousands of passengers and sabotaged countless vacations and family get-togethers.

The incident tarnished Southwest’s previously pristine reputation and cost it $800 million.

BCPs involve more than security and business continuity personnel.

Other stakeholders play a crucial role as well.

For example, it is good practice to include the critical business units, functions or applications as part of the team.

It’s likely that these critical business units or functions work together and have developed interdepartmental efficiency (think of the often-seamless relationship between IT and payroll as an example).

However, it is also vital that they truly understand their roles and functions as they relate to the BCP and crisis management, so they can work just as seamlessly in a crisis scenario.

Effective crisis communication is also essential, ensuring that all parties are informed and coordinated during a crisis.

All too often, outdated plans list employees who have left the company and phone numbers or email addresses that no longer work, while omitting new staff who never knew they had business continuity responsibilities.

Regular tabletop or role-playing exercises will reveal communication gaps.

Those gaps can be filled by updated crisis-communication phone trees, perhaps backed by emergency-notification apps or texting systems.

Risk management professionals and senior executive leadership teams must embrace training and awareness for continuity.

This ongoing education helps build a culture of preparedness and resilience.

Ongoing development

If business continuity and crisis management are not already a priority, organizations should consider establishing a business continuity executive steering committee.

This committee can provide oversight and guidance, ensuring that the BCP is continuously updated and tested.

The committee should include representatives from various departments, including risk management, IT, operations and communications.

It should also include the critical business functions that contributed to the original BCP.

By working together, these stakeholders can ensure that the organization is prepared to respond effectively to any crisis.

A business continuity plan is not a static report; it is a living document that requires constant attention and refinement.

Organizations must be proactive in updating and testing their plans, incorporating lessons learned from past events and emerging threats.

With these mechanisms in place, organizations can achieve a greater sense of peace of mind, knowing that they are prepared for the next disaster, wherever it may come from in our VUCA world.

About the authors

Michael Gips, JD, is a Managing Director in Kroll’s Enterprise Security Risk Management (ESRM) practice.

He was formerly the principal of Global Insights in Professional Security and Chief Knowledge and Learning Officer at ASIS International, responsible for content, education, certification, standards and guidelines.

Chris Palmadesso is an Associate Managing Director in Kroll’s ESRM practice.

He leverages almost 20 years of experience in threat management, vulnerability assessments and business continuity management.

He previously served as the senior intelligence representative for the DHS Chief Intelligence Officer in Vermont and New Jersey.

This article was originally published in the May edition of Security Journal Americas.