Guest Authors:

Andreas Bryant, Business Continuity & Resilience Specialist, BMO Global Asset Management (EMEA)

Ashley Goosman, Business Continuity & Crisis Management Manager, Liberty Mutual Insurance

In this two-part series, Andreas and Ashley will provide their perspective on the how operational resilience and business continuity may intersect soon. In part one, we provided our thoughts on operational resilience, how we believe the work of the practitioner is evolving, an overview of our work, along with how it adds value to our companies.

What is Operational Resilience

New operational resilience guidance has emerged from the UK’s regulatory authorities to better protect customers and organizations from the impact of crisis events. This methodology fosters better alignment of business continuity, crisis communication, IT, and business functions so critical services experience little or no downtime due to an incident. In practice, the company should leverage this approach to understand the lifecycle of an essential service from beginning to end. Once mapped, the business conducts testing to identify any gaps. In theory, it enables them to work towards improvements that mitigate or eliminate discontinuity in the ability of the organization to provide the service.

Business Continuity’s (BC) Practitioners may be evolving

We believe it is a sign of health within an industry when faced with challenges and can adapt to external demands to emerge more resilient. Additionally, we advocate a continuous improvement process that enables the discipline to make internal course corrections on an ongoing basis to serve the needs of its customers best. The experience of Business Continuity practitioners over the past several years indicates that not only are many analyzing their best practices for greater efficiency but also considering incorporating external capabilities like those presented by operational resilience. Below are our perspectives on how business continuity adds value to organizational risk management, crisis planning, and response proficiencies.

With the adoption of operational resilience, within the financial services sector, the role of the Business Continuity (BC) Practitioner is either questioned for relevancy or is being leveraged as Business Continuity done well. Whilst there is logic in this opinion, it can do a disservice to traditional Business Continuity that has served businesses well over the past 50 years.  We have seen many Financial Services firms seeking specialist staff with experience in Risk, Business Continuity, Information Security, Vendor Management, and IT to address the requirement to become more operationally resilient.

Business Continuity can shine in linking a company’s framework. Although operational risk management groups pinpoint the most significant risks, business continuity ranks enterprises’ criticality. Additionally, it relates interdependence between process, applications, function to process relationships, and third parties. Operational resilience efforts should leverage this information to plug it into the service-level view that recognizes the forest through the trees.

We believe BC Practitioners will play an active, if not the most active role in ensuring compliance of this standard and in some cases, lead this initiative due to their exposure to the business.

Related: Creating a Successful Crisis & BCP Program – Strategies for Success Beyond the Plan

What do BC Practitioners do?

We are not immune to anxiety when asked what we do as a Business Continuity (BC) Practitioner. Sometimes articulating an answer to this can be challenging especially if the recipient is not in your industry.

If you’re out with your friends having a drink and one of them ask what it is you do for a living, how would you answer? There is no need to over-complicate this answer as the aim is to articulate a concise response that anyone outside of your industry would understand, much is the same if asked by a business or during an interview. Although we suggest that you develop and rehearse your own statement, the following might be a good starting point: “I help firms identify, plan for and respond to risks that threaten their ability to conduct business at normal operating volumes.

It is important to note that BC Practitioners are not around to complicate business processes, nor develop cumbersome projects that add little or no value. We do not just tick a box or assist in satisfying an audit although acknowledge that in some circumstances, this may be equally as important. We aim to be flexible enough to develop BC programs that are cognisant of a firms’ culture and values, business model, appetite, and demand. The BC Practitioner calls upon tried and tested industry best practices and, combined ultimately delivers a program that ensures a high level of assurance that following an unexpected disruption, there is a framework in place that rapidly addresses the response to the threat.  In some cases, planning completely mitigates the risk and equally as important, it increases the customer’s confidence that the business can continue to deliver critical services to them.

Related: 5 Easy Steps for Validating a Business Continuity Plan with Tabletop Exercises

How do BC Practitioners add value?

Imagine something unexpected happens which impacts our ability to provide a product or service. Suddenly, the business model, ability to satisfy obligations to clients, markets and shareholders are threatened.  BC Practitioners leave the business leaders to concentrate on building and running the business whilst supporting them in identifying risks that challenge their ability to do so. We do not stop at the identification stage, we include solutions, and we help with implementation, including developing a robust validation program which is achieved through continuous improvement and via a thorough exercising and testing program. This will ensure that Business Continuity Plans are well-rehearsed, and the firm is prepared to respond when needed.

Some firms absent of a dedicated BC Practitioner have said, “We already have people that do that across the business,” in which case that is great. But do they break down traditional silos by consolidating intelligence, communication, and improving coordination with each other? Business Continuity practitioners are trained for this. When information is gathered following a significant disruption, it is challenging to obtain an overall requirement and capability status. It is usually provided piecemeal by each subject matter expert which your Crisis Team will painstakingly try to knit together on the fly. BC practitioners assist with simplifying this before, during, and post an event.

We dot the I’s and cross the T’s to ensure we can respond holistically and at a component level, especially if we do not yet know the magnitude of such a disruption. A firm should not wait for something to happen and then figure it out. Nor should leaders assume someone is already working on a plan. Business Continuity should not be a one-time effort. It is an investment for which the return is often only realized post a successful response to a major incident.

Stay tuned for the second article, coming out soon where we will discuss evolving from a mandate-driven methodology to a strategic decision-making mindset, how we can convince stakeholders, and how we can future-proof business continuity practice.