Certainly the largest organizations realize that the risks are taking on different forms than the standard fire, flood, earthquake and hurricane/twister scenarios. These large catastrophic external loss events have been insured against and the premiums are substantial. What it is less easy to analyze from a threat perspective are the constantly changing landscapes and continuity postures of the many facets of the organization having to do with people, processes and systems.
The many sources of significant loss events are changing as we speak. Here are a few that should not be overlooked:
· Public perception
· Unethical dealings
· Regulatory or civil action
· Failure to respond to market changes
· Failure to control industrial espionage
· Failure to take account of widespread disease or illness among the workforce
· Exploitation of the 3rd party suppliers
· Failure to establish a positive culture
· Failure in post employment process to quarantine information assets upon termination of employees
Frankly, corporate directors have their hands full helping executives managing risk and continuity on behalf of the shareholders. The risk management process will someday have as big an impact on the enterprise as other key functions because shareholders will be asking more questions about the changing landscape of managing risk for corporate governance.
Since effective BCCM analysis is a 24/7 operation, it takes a combination of factors across the organization to provide what one might call C², or “Continuous Continuity”. A one-time threat or risk assessment or even an annual look at what has changed across the enterprise is opening the door for a Board of Directors worst nightmare. These nightmares are “Loss Events” that could have been prevented or mitigated all together.
Most of the best practices talk about a BCCM plan that will be periodically updated. Periodic is not continuous. Change is the key factor here. What changes take place in your organization between these periodic updates? How could any organization accurately account for all the changes to the organization in between BCCM updates? The fact is that they can’t.
This will change over time as organizations figure out that this is now as vital a business component as Accounts Receivable. The BCCM will become a core process of the organization if it is not already, dynamically evolving by the minute as new change-based factors take place in the enterprise. As new or terminated employees, suppliers and partners come and go into the BCCM process, the threat profile is updated in real-time. This takes the operational management that much closer to C², or “Continuous Continuity”.
So what? Boards of Directors have the responsibility to insure the resiliency of the organization. The people, processes, systems and external events that are constantly changing the operational risk landscape become the greatest threat to an enterprise. It’s the shareholders duty to scrutinize which organizations are most adept at “Continuous Continuity” before they invest in their future.