Assessing Business Resilience

Business resilience largely determines whether a business can continue or not. Failure to forecast disasters and to build the business resilience needed to weather them is the most significant risk to the continued existence of an organization.

What is Business Continuity?

Business continuity (BC) is defined as the capability of the organization to continue delivery of products or services at acceptable predefined levels following a disruptive incident. (Source: ISO 22301:2012)

A “Crisis” is an abnormal situation which threatens the operations, staff, customers or reputation of the organisation. Many business crises can be foreseen (for example, a supply disruption, a logistics crisis or a financial crunch), and a crisis can be handled through emergency response or recovery plans for that particular incident.

On the other hand, a “Disaster” can be defined as an unplanned interruption of normal business processes that cannot always be foreseen. Disasters can be natural or man-made. They interrupt business processes and threaten the continuance and viability of an organization.

Over the years, man-made and natural disasters have exposed the vulnerability of businesses on a global scale. Many Business Continuity Plans that are well laid out, documented and executed during normal times do not hold good in times of disaster.

Disasters, by their very definition, do not happen at a convenient time and are always unpredictable, making it difficult to forecast their impact. There is no way of knowing when one would strike, the form it will take or the damage it can cause.

Take for example the current COVID-19 pandemic: is it a natural disaster or man-made? Many differing opinions exist on this subject.

The COVID-19 pandemic and its severity across the world have thrown all business, trade, commerce and logistics operations into disarray. Even the best laid crisis management, disaster recovery and business continuity plans could not have forecast the severity of this threat and its impact.

However, that does not mean one should not attempt to understand the impact of various disaster scenarios and plan an effective response; doing so is key to business continuity and to building resilience.

Business Resilience (BR for short) depends on many factors:

  1. Financial resilience: This is a no-brainer, as any organization that is strapped for cash and liquidity during a crisis is likely to succumb faster than companies with reserves to see them through the difficult times.
    1. Receivables management and avoidance of bad debts should be the primary focus in strengthening cash and liquidity positions.
    2. During a crisis of the nature of a world-wide pandemic, the stability of suppliers and the availability of supply directly impact working capital, raw materials and the ideal stock levels to be maintained.
    3. Bank loans, interest moratoriums and other debt facilities will have to be reviewed and restructured.
    4. The organization may be unable to honour existing agreements such as leases, rentals and customer commitments on agreed due dates, while also facing operational restrictions brought in by regulatory authorities for the common good.
    5. Top management will face challenges in estimating reasonably possible future cash flows in uncertain conditions.
    6. Traditional budgeting methods that rely on historical data to project future business will be of little use.
    7. There is a big question mark over what the “new normal” is and how it will look for each industry and within organizations.
    8. As estimates become more complex, it will be difficult to demonstrate adherence to existing audit and accounting standards and to convince the Audit Committee of the assumptions underlying those estimates.
    9. Last but not least, is the “going concern” criterion met? The assumptions underlying that certification may be complex and difficult, and will have to pass the auditors’ scrutiny before reporting and disclosure to the key stakeholders.
  2. Physical resilience: How deeply affected are an organization’s locations, premises and access to facilities, and how long will it take to restore normalcy? This is an important factor in assessing how quickly the business can bounce back. Is there adequate insurance cover for such contingencies?
  3. Data Protection Plan: Is there a plan in place that ensures your existing data is retained and protected? The company’s computing resources, such as servers, networks, firewalls, access authorizations, hardware and software, need to be protected and safeguarded. This is a must if the Information Systems are to remain available and function at a basic level during the crisis without losing critical business information.
  4. Customer retention: Brand loyalty and assured customer retention make it easier to estimate potential earnings when normalcy is expected to return to the economy. This factor is more pronounced in the retail and FMCG industries, where customers can easily switch between brands. However, existing revenue contracts may need to be revisited, reviewed and revised in the light of the shutdown.
  5. Employee retention: An organization that lays off employees during a pandemic or crisis will take longer to find replacements or skilled people when it wants to get back to business. Migrant workers who have acquired skills in many industries may not wish to relocate again, finding better alternatives in their own home locations instead. A shortage of adequate and appropriate human resources may affect the resilience of the organization in the long run.
  6. Workplace transformation: During a pandemic (such as COVID-19), essential operations cannot all come to a sudden standstill. It is important to ensure that basic activities continue without exposing employees to infectious disease. Organizations that can quickly bring in, enable and encourage “Work from Home” alternatives can adapt to the situation and show more resilience than those that do not have the infrastructure ready to adopt such measures.
  7. Digital transformation and adoption: Resilient organizations will always be at the forefront of flexibility and adaptability to new technology, and will embrace digital transformation. However, this adoption and transformation depend on financial readiness and budget allocation during times of crisis.
  8. Emotional / psychological resilience: In the end it is the human psyche that matters: whether the key stakeholders are mentally resilient and steadfast about the continuance of the business and the form in which it can be carried on in future. Small and medium businesses may fold up in their current locations, larger organizations may look at mergers and amalgamations, and start-ups may see a bleak future in the near term.

What is Business Continuity Management (BCM)?

Organizations lay down Business Continuity Plans for various business processes, with emphasis on Information Systems, and execute and audit them at regular intervals to ensure the organization is prepared to handle any event, incident or crisis.

Business continuity management (BCM) enables organisations to restore their businesses to normal operations following an unanticipated disaster or business interruption. To date, however, the corporate BCM capabilities necessary to establish that resiliency have generally ranged from absent to insufficient.

Can a disaster (except perhaps a forecast cyclone or typhoon) be predicted with near accuracy? Can one predict whether the business will be resilient after the effects of the disaster, say an economic downturn, depression, catastrophic effects on people, or country-wide regulations and lockdowns?

Assessing operational and financial resilience in Business Continuity Plans is not limited to Information Technology risks (protecting information assets and financial information). There is a great deal of difference between executing BCM audits in normal times and during unexpected natural or man-made disasters such as the pandemic we are currently facing.

My take on IRM and GRC

The next buzzword after GRC (Governance, Risk and Compliance) is now IRM (Integrated Risk Management). (Not to be confused with another acronym, “IRM”, which denotes “Information Rights Management”, a form of IT security technology for protecting access to sensitive documents and emails.)

Why do we place so much emphasis on new acronyms and confuse practitioners of risk, control and compliance? Why debate whether GRC is dead and IRM is the new norm? Would it not be better to get down to basics and understand the importance of, and the concepts behind, each of those words? (People generally like to put old wine in new bottles to keep the interest going.)

Technology, when properly deployed, has always been capable of giving an integrated view of things in an organization.

But jumping into a technology approach without proper understanding by all the stakeholders concerned leads to quick disillusionment and project failure.

It is a fact that silos exist in several organizations. This is mainly because different departments (such as finance, internal audit, the risk committee and operational heads) cocoon themselves in their own departmental priorities and take a short-sighted approach. Their reasons and defences are many: reluctance to collaborate with other stakeholders, ego issues over whose approach is better, a “get-it-done-with” attitude, citing shortage of staff, insufficient budget that makes them adopt sub-optimal solutions, etc. The top reason could also be that the C-level is not apprised of the benefits, or does not consider these initiatives as adding to top-line revenue!

Quoting Gartner’s definition: Integrated risk management (IRM) is a set of practices and processes supported by a risk-aware culture and enabling technologies, that improves decision making and performance through an integrated view of how well an organization manages its unique set of risks.

Since the summer of 2018, Gartner has been moving away from GRC (Governance, Risk and Compliance) towards IRM (Integrated Risk Management).

In my view, if one sets aside the acronyms (GRC and IRM) and looks at the concepts being espoused, one can see that the fundamentals have not changed; the emphasis is now on a holistic approach to better management of the risks arising from poor governance, failed business controls, non-compliance, weak IT security leading to data breaches, external threats, etc.

To elaborate, the following points are what all (or most) of us understand and agree on at a high level:

  • There is no “business” or “for-profit” organization that does not take calculated risks. Managing those risks intelligently and on time ensures business continuity and success. That is why “Risk Management” belongs in all decision-making processes.
  • In the long run, only integrity pays; ethical business practices help brand value and survival, and the rest simply vanish. This is what we understand as the “Governance” standards set by the entrepreneurs and promoters, which the top management is expected to follow and communicate to the operational teams.
  • “Governance” has two aspects: one set of internal practices and policies set up by the management, and another set of operational, tax and statutory compliances that apply generally or to specific industries, countries and communities. The latter broadly comes under the “Compliance” umbrella.

On a deeper level, one can see that all the above points are intertwined and none can exist without the others:

  • Governance cannot be enforced without proper formulation and communication of the internal policies (corporate-specific procedures and ethical practices) that the management envisions, and without emphasis on external compliance to ensure business continuity. It is a failure of governance if business risks are not identified, assessed and mitigated on time. Governance also implies that proper internal controls are in place and working effectively.
  • Compliance does not stand alone: a failure to comply, whether with internal policies (such as purchasing or pricing policies) or with external statutes (such as taxation), is a reflection of poor business controls.
  • Risk awareness is the overarching umbrella that recognises threats to business continuity, whether arising from poor governance, improper compliance, inadequate IT security measures to protect data, or ineffective business controls in processes that could lead to fraud.

The bottom line: all organizations wishing to set up a framework for Governance, Risk Management and Compliance may need to consider the following:

  • have a holistic understanding of and approach to the proposed integrated framework, including all functions and processes, not just finance, internal audit or SOX compliance. External threats such as legal risks, brand risks, cyber security and IT risks, conflicts of interest that result in abuse and fraud, and environment, health and safety risks deserve equal importance when we talk about a sustainable business in the long run;
  • bring all stakeholders onto the same page through workshops, discussions, whitepapers, surveys, opinions, etc.;
  • don’t jump into a technology solution without assessing the preparedness and maturity of all functions;
  • as far as possible, avoid siloed programs (those focused only on a particular function or department);
  • even if you have to start small (because of budget or resource constraints), never compromise on the big picture of where you want to be at the end of the program;
  • keep in mind an integrated approach that ties together all types of internal and external risks to the enterprise.