In just a few years, in an increasingly digitized and globalized economy now accustomed to a certain immediacy, operational resilience has become a strategic topic in most organizations. All the more so as crises and their associated risks follow one another continuously: financial crises, terrorism, geopolitical tensions, climate risks, and of course the health crisis, which acted as an electric shock for the economy and ultimately as a “life-size” test of the resilience of organizations.
Globalization: multidimensional and interconnected risks
In this context, it is quite remarkable that the companies which came out of it best are those which had at least a risk management plan or, even better, a Business Continuity Plan (BCP). The most agile among them not only continued their activities in a completely normal way, but also succeeded in capturing new market share, or even in setting up in new markets.
Naturally, risk management and resilience are inherent aspects of any business. But the major difficulty now lies in operational interconnections and in the “cascading” effects of the risks that they imply. For example, the Covid crisis and successive lockdowns imposed teleworking, which generated cyber risks but also social risks. There was also an impact on supply chains, which led to production difficulties, etc.
In other words, in a globalized and interconnected economic and regulatory environment, risks themselves become globalized and interconnected, and their domino effects must be anticipated.
BCP: engage in an offensive battle plan
By definition, the risks and their effects are specific to each company, depending on its activities and businesses, its locations and catchment areas, its size, etc. These risks are also potentially very numerous: process risks, operational risks, human aspects, supplier and supply risks, IT and digital risks, or brand image risks. Faced with these threats, the practice of risk management provides a methodological framework for the identification, analysis and prevention of risks, as well as for the design of an associated business continuity plan, which must be adapted to each context and activity.
Of course, there is no question of developing an exhaustive BCP that would cover absolutely all the processes exposed to risks: the approach would be too complex, probably impossible, and, in any case, too expensive.
Among the potential risks, the task is to identify the most critical ones bearing on the most strategic aspects, their ramifications, and their possible consequences in the event of a crisis. This is one of the purposes of risk mapping, which makes it possible to visualize the most critical risks and identify the processes impacted. Mapping helps design and refine the business continuity plan to bring resilience to business processes and the IT assets that support them.
To this end, it is essential to combine a process view with a resource view (IT resources, physical sites, logistics, raw materials, human resources), to be coordinated from upstream to downstream via a holistic vision.
In other words, the function of the mapping is to define the risks the company faces and to assign the appropriate means of control, according to the company’s appetite for risk. In all cases, the objective is to give the organization the anticipation capabilities it needs for informed decision-making.
Continuity: anticipate, prevent and heal
As its name suggests, a business continuity plan requires organizing the resilience of the organization around several upstream actions, but also around remedying a crisis that has materialized. It starts with identifying processes and prioritizing them by criticality. Critical processes are obviously those without which the company cannot operate: they are therefore generally core business, and are to be treated as a priority. The other processes should be prioritized according to the potential impacts of their stopping or degrading.
Then, it is a question of working out the possible workarounds in the event of a proven malfunction: tools to use, so-called degraded (but useful) procedures to put in place immediately, etc. These methods, which are meant to ensure business continuity, must be tested regularly to guarantee their success in real situations. Finally, the remediation plan must also be designed upstream according to a specific scenario, in order to reduce the time needed to return to the nominal situation to a strict minimum.
While it is true that we can only prepare and ensure business continuity if the risks are identified, this is not enough: a holistic approach is needed. It makes it possible to analyze, anticipate and coordinate, by having a very detailed and global view of the organization and its vulnerabilities – and therefore of the mechanisms to be put in place to safeguard the company and its activities.
To know more
Cyril Amblard-Ladurantie is marketing manager for GRC (Governance, Risk & Compliance) products at MEGA International with more than 15 years of experience in the field. Before joining MEGA, he was a manager at a large consulting firm (EY), where he supported companies in their digital GRC solution acquisition journey, from the expression of needs to change management.