Among the clearest lessons over the past 18 months is that disruptive events must be planned for as a core part of every organization’s long-term strategy.
Until recently, continuity and resilience planning were viewed by many as the purview of compliance or internal audit functions, rarely reaching into strategic plans or Board of Directors’ agendas. However, the impact of COVID-19 has demonstrated that long-duration events with a global reach can arise from a variety of sources. These include wildfires, climate shifts and cyber-attacks, as well as the ongoing threat from virus mutations.
Brokers can play a key role in helping clients understand the need to elevate their resiliency planning and to make it a strategic priority. To be effective, this needs the involvement of senior leadership, board-level updates, and regular planning sessions with key staff. Such planning allows an organization to understand its capabilities to fulfil its mission in the event of an unforeseen crisis.
Developing an effective resilience plan should include the following key steps:
- Assessing potential threats: The assessment should involve all levels of the organization and be clearly understood by senior leadership. Careful consideration should be made of the potential impact and duration of each event, including worst-case scenario planning.
- Identifying and prioritizing critical functions: Every organization should have a clear understanding of its recovery priorities and the impact of the loss of a function on the organization’s mission. This includes identifying the recovery time objective for each core function and the resources needed to support the restoration of critical activities. Such prioritization allows for the effective direction of limited resources during an operational recovery.
- Determining options for alternative workflows in the event of disruption: By having a clear understanding of its recovery capabilities, an organization can set realistic expectations for customers and stakeholders on service delivery. Consideration of options for alternative workflows must include participation from various levels of personnel.
- Documenting and communicating the plan of action: Make sure the plan of action and the supporting team roles are clearly communicated. Each team member needs to understand their role in the recovery plan, particularly those involved in key restoration activities. The goal is to minimize the need for improvisation during a crisis event.
- Critically testing the plan and evaluating its actionability: Often overlooked is the critical role of testing and exercising the plan in the creation of an effective resilience program. A thorough test must challenge the plan and the participants to critically evaluate the assumptions on which the plan is based. Communication plans and alternative workflows should be tested using real-world scenarios. The results of the exercise should be thoroughly documented with clear steps for plan improvement.
The landscape for resilience planning has changed considerably since the appearance of COVID-19. The expected duration of an operational disruption has increased significantly beyond what most plans prepared for. The increased risk of cyber events, for example, also means that plans must contemplate loss of key systems for weeks and not mere days. The potential for extended supply chain disruption creates a need to affirm key vendors’ resilience capabilities or seek quickly accessible alternatives.
Plans are not for filing
A key part of ensuring a resilience plan remains effective is challenging the plan’s assumptions and continually improving the planning process. Experts external to the organization can assess the quality of the planning efforts against best practices. In addition, experts can lead a testing process that is objective and ensure that plan assumptions are in line with the risks faced by the organization. Finally, external expertise can readily share lessons learned by other organizations during recent crisis events.
Resiliency planning can no longer be considered a back-office obligation but must be a core part of every strategic plan and be thoroughly communicated within the organization. The above considerations will provide for a dynamic planning process that is attuned to the priorities and requirements of key stakeholders and customers. During an operational disruption, the effectiveness of the recovery plan may determine the survival of the organization.