What is the future for Business Continuity?
Martin Caddick
5 Jan 2018
History of Business Continuity
The more you know about the past, the better prepared you are for the future.
(Theodore Roosevelt)
The shortcomings we are left with

Governance
• Ownership within the business varies widely
• BCM is not a board concern
• BCM is managed too low in the organisation
• Lack of consistent investment

Approach
• Plans are office oriented rather than business process oriented
• Plans are overly methodology driven
• Approaches are reactive, not proactive
• There is a lack of integrated approach or response

Image
• BCM seen as a dull cottage industry
• BCM seen as operational, not strategic
Drivers of change: Globalisation and Technology

Globalisation and Technology
• Complex systems
• Multinational networks
• “Internet of things”
• Automation and AI
• “Big Data”

Opportunity and need
• Prepare for the unexpected
• Use AI and Big Data to identify problems early and to respond
• Collaborative resilience
• Focus on capability

• Black swan events
• Contagion
• Lack of control
• Failure of traditional risk management
Drivers of change: Changing nature of risk

Floods, fire, loss of power, IT failure, pandemics
Without being complacent, because these are still real threats, they are comparatively obvious, relatively predictable, and we have tried and tested responses.

Deliberate disruption: terrorism, hacktivists, insider fraud, organised crime, governmental disruption
These, by their nature, are initially hidden from us, and designed to exploit weaknesses in our awareness and response. They are not predictable and we have to find new responses.

Changing nature of risk: an increase in risks related to deliberate hidden disruptive actions (like cyber), which require better predictive and reactive approaches, as opposed to statistically and process driven approaches.
Drivers of change: Regulation and expectation

Disaster → Public reaction → Political reaction → Legislation, Regulation*, and Standards** → Focus on Compliance → MORE or LESS likely to repeat?
Rules vs Judgement

* Regulators such as the Fed, FINRA, ECB, EBA, CBRC, PRA, FSA, MAS, BaFin
** Standards such as ISO 22301, 22313, 22316, 22320, 22398
What can we do about it?
Better? or Different?
What are our choices?
Better: Focus on what we do best?

Area of improvement / What needs to be done

Planning for the unexpected
• Anticipate disruption better - improve horizon scanning (intelligent key indicators, ‘intel’ from other departments, time out to think).
• Focus on building capability, rather than process – plans should be fit for purpose, people need training and practice.

Raise profile of BCM
• Need to be able to present reports at Risk Committee level at least. Improved reporting of recovery capability. Keep it relevant to business operations. Avoid excessive detail.
• When dealing with the business, make sure that conversations are relevant to the business. Avoid scaremongering. Capture war stories and benefits. Adapt.

Working better with others
• Build and maintain a network and good working relations in the firm, especially with areas of the business that may be called on at short notice in a crisis (e.g. security, HR, FM etc.).
• Embed BCM into operational procedures where possible (making and holding people responsible for their own BCM).

Better prioritisation
• Use Strategic Business Impact Analysis (SBIA) to create overarching business priorities based on client related business processes (and not departmental priorities). Make people think rather than fill in forms.
What are our choices?
Different: Aspire to something more

Area of improvement / What needs to be done

Integrated and networked approach to Resilience
• BCM needs to work effectively in conjunction with the other protective disciplines as part of a coordinated approach to Operational Resilience.
• Develop the Strategic BIA (SBIA) into a tool that can be used across protective disciplines* to identify what matters in a firm and why – this should be a consistent basis for investment.

Links to strategy and culture
• Aspire to have more strategic influence. Develop an understanding of what else makes an organisation more or less resilient (governance, culture, innovation, situational awareness etc.). This is Organisational Resilience.
• Develop and report on indicators/trends for Organisational Resilience.

Use of technology
• Better use of new technologies – understanding how new technology, especially AI, might be used to monitor ‘big data’ gathered and spot potential problems before they materialise (think of aircraft systems as an example).

* Protective disciplines: e.g. Security, Risk Management, Crisis/Incident Management, Insurance, Compliance, Internal Audit etc.
Standards: ISO 22316, BS 65000
16/02/2018 © Martin Caddick
END
This document belongs to Martin Caddick. The document and any oral presentation accompanying it have been prepared in good faith. The material is intended to be general and educational. It is not intended to be advice for any specific organisation. No express or implied warranty is given as to the accuracy or completeness of the information in this document or the accompanying presentation. No responsibility is assumed for any reliance on this document or the accompanying presentation.
ISO 22301 Training Courses
• ISO 22301 Introduction: 1 day course
• ISO 22301 Foundation: 2 day course
• ISO 22301 Lead Implementer: 5 day course
• ISO 22301 Lead Auditor: 5 day course
Exam and certification fees are included in the training price.
https://pecb.com/iso-22301-training-courses
www.pecb.com/events
THANK YOU
?
martin_caddick@ntlworld.com https://www.linkedin.com/in/martin-caddick-508801/

Published on SlideShare as: Why Business Continuity is failing in our Complex Cyber World and how it needs to Change?

Speaker notes

  1. Good afternoon. My name is Martin Caddick. I started in Business Continuity back at the time of the millennium bug, when I worked for Fujitsu, and I led Fujitsu Consulting’s European Y2K practice. I moved to Marsh, the insurance broker, in 2005, to rebuild their business continuity team, and was then headhunted to create and develop a Business Continuity and Resilience team for PwC in the UK. So, over the last couple of decades I must have seen my teams deliver well over a thousand business continuity projects for many hundreds of businesses, and I’ve seen a lot of different variations of good and bad and a lot of change. In this talk I will be reflecting on all that experience, and thinking about what the future is for Business Continuity.
  2. I want to start by looking backwards rather than forwards. If you’re going to try and predict the future you need to think about where we are now and how we got here. As Theodore Roosevelt said, “The more you know about the past, the better prepared you are for the future”. What has happened in the past, shapes people’s attitudes and perceptions. And this is very true for Business Continuity. The pictures on this slide represent some of the events that have driven the development of Business Continuity. And let me flag up at the very outset just how reactive businesses and government are to disasters. This is NOT a good thing. Collectively, we are NOT proactive or structured in how we plan. Where we are today in BCM is the result of a series of reactive responses, which has left us with unbalanced capabilities. So – let me work my way through the history. BCM started to develop from the 1970s in different countries in different ways and for different reasons. For example, countries like Japan and New Zealand developed plans for coping with earthquakes. Businesses in areas prone to flooding tended to have flood plans. Fire regulations encouraged businesses to have evacuation plans. But these were really incident management plans (and perhaps some restoration plans) and tended to be linked to Facilities Management. They were not true business continuity plans. Perhaps the big exception to this was in the UK where the IRA bombing campaign in the 1990s switched from military targets to economic targets with attacks like those on the Stock Exchange, The Baltic Exchange, and Canary Wharf. And this meant that London businesses – especially in the financial services sector - started to plan for keeping their business running in the face of direct damage caused by bombs or indirect disruption such as caused by exclusion areas. But it was the Year 2000 bug that really changed everything. 
Y2K was indiscriminately global and was something that everyone had to take seriously. Y2K highlighted a couple of key things. Firstly the level of dependency business has on IT – and not just business, but also the rest of us… We all rely on IT – drawing out cash, shopping, internet services. Secondly it highlighted the need to prioritise. With Y2K you couldn’t fix everything and didn’t want to fix everything – you needed to concentrate on what was important. So a good legacy of Y2K was an approach – the BIA (the Business Impact Analysis) – which prioritised our efforts and also systematically inventoried what we needed to fix. Another important legacy was the acceptance of the need for contingency plans – what you do, if IT (or other service) is not available. A bad legacy of Y2K was that it placed BCM too close to IT, with IT often retaining responsibility even today. Meanwhile the lessons learned by London as a result of IRA activity were not applied elsewhere until the 9/11 attack on the Twin Towers – which was similar to the London IRA bombs except much greater in scale and global impact. Since then, we have seen a steady stream of terror attacks in Paris, Brussels, London and Manchester, Madrid and Barcelona, Stockholm, Moscow, St Petersburg, Berlin, Munich, Nice. I think the impact of these attacks is that any business based in a large city recognises the need to have plans that cope with ‘Denial of Access’ situations – meaning they need plans for alternative locations or working at home. Plus they have to plan to work alongside Emergency Services in a Command and Control structure. The next scares that changed BCM were the Bird Flu scare of 2005 and Swine Flu in 2009. These never materialised to the extent feared, but they did highlight to businesses that they rely just as much on people as they do on IT and premises. So as a result, HR departments were involved to a much greater extent, and BIAs focused more on identifying critical individuals or groups.
We also saw devastating storms – Katrina in 2005 and Superstorm Sandy in 2012. To some extent this reinforced traditional BCM needs – workplace recovery, restoration, supply chain – with an added ingredient of looking after your workforce – for example, Rolls-Royce ended up housing many of its workers in its factories in the south of the US, flying down generators and shipping food and supplies to help them out in a wonderful demonstration of employer responsibility. But what was different in more recent storms such as Sandy is the growth of social media as a means of keeping track of staff and indeed, of communicating with them. This reinforces the need for the involvement of HR again, now alongside communications staff. The Financial Crisis of 2008 presented BCM with different challenges. Few leaders in the financial sector saw the crisis as being in any way related to BCM. But the regulators certainly saw the crisis in terms of Resilience. They were very worried that the failure of an institution (like Lehmans) might cause major sector-wide disruption. So regulation was introduced to ensure that operations that were critical to the sector were able to carry on business even if their parent businesses failed – so-called living wills were required to ensure this. The process FS businesses went through was almost exactly like Business Continuity – but the work was usually done by teams set up for that purpose and which ignored the existing BCM teams. This represents a huge problem faced by BCM professionals – they – we – are not seen as strategic or high-powered, if indeed we are thought about at all. We are left in FS with an unresolved situation – a situation where Resilience requires a better, more joined up, approach and is a real concern in the minds of regulators, but efforts to improve resilience are STILL seen too often in very operational terms – mainly IT and Compliance – and not in terms of culture and decision making. Finally we have cyber.
This takes us back to IT again, with an overlay of security. The response to the cyber threat has been high profile and expensive, driven by national security agencies - and it distorts other forms of resilience. Once again, we risk overdeveloping one form of defence and missing other threats that are not currently top of mind.
  3. So – to summarise and move on: BCM is reactive. BCM doesn’t get Executive buy-in unless something is seriously wrong, and then the focus is on that issue (like Cyber now) to the exclusion of building more comprehensive, consistent, and balanced capabilities. I wrote out a list of all the short-comings that we are left with that I could think of, and I am sure that you can think of more. I tried to arrange that list under some headings, as shown here. The headings are Governance, Approach, and Image. They are, of course, all interrelated. Let’s just run through a few of these. Under Governance…. Ownership of BCM (and Resilience) within the business varies widely. Where does BCM fit? We have seen that BCM sometimes sits under IT, sometimes Risk. Or Security. Or Compliance, or Internal Audit, or Facilities Management, or HR, or Health & Safety. There is no conventional place to put BCM, and it ALWAYS suffers from a degree of bias depending on where it sits, because the people who manage it see things just from their own perspective. An added danger is that BCM can suffer from corporate politics – instead of focusing on how to work across protective disciplines, poor governance sees the protective disciplines squabbling amongst themselves for budget and influence. BCM is not a board concern. Boards are bored by BCM. It’s never interesting to them unless something goes wrong, and then their interest only relates to what has gone wrong, and who to blame, and sometimes the wrong lessons get learnt (Compliance is an example, which I will come to later). BCM is managed too low in the organisation. This follows from the previous point. BCM managers are middle managers and do not carry enough clout. They are not consulted about big projects or strategies, and resilience is often an afterthought. (Burtons example) Lack of consistent investment. Investment is patchy.
BCM as a function is too vulnerable to cuts, being viewed as non-essential: and expenditure tends to focus on specific issues that are top of the mind (like cyber, like all the examples in the history of BCM) rather than on creating an overall capability. The problems of governance are related to the problems of Image, which are: Firstly, BCM is seen as a dull cottage industry. This is often our own fault – we report lots of detail and report on progress rather than relating BCM to the business. It can quickly seem like we are building up mini-empires of people who do not seem to contribute anything to the business. Secondly, BCM is seen as operational, not strategic. Many colleagues want to see BCM stay in its box – what does it have to do with Strategy? The answer, of course – potentially quite a lot – a resilient business can take more risk, and a good understanding of resilience means you make better decisions and get greater rewards. This is true. But try explaining that to the CEO or the Head of Strategy. And finally, there are the shortcomings with the Approach to BCM. And there are a number of legacy problems here too. Plans tend to relate to offices and not business activities. This is a legacy of threats against locations (like terrorism). This shortcoming causes a strong tendency to dumb down BCM and to plan based on operational things rather than strategic priorities. Next, BCM planners tend to turn their approach into a repeatable process – a methodology - defined by standards, so they can meet compliance requirements. This takes the emphasis away from intelligent decision making at the point of impact – which is what we want – and as a result we over-plan and obstruct decision making in a crisis rather than helping it. The approach to planning is reactive rather than proactive – we are shutting the stable door after the horse has bolted. 
This is partly driven by a blame culture – “we must make sure it never happens again” - rather than by a proper reflection on what can be learnt and by a balanced approach to the possible. Finally, there is a lack of integrated approach or response – business defences are divided across many functions – such as HR, FM, IT, Communications, Security - as well as Risk and BCM. It’s not good enough – too much time is needed to communicate and coordinate without clear direction – both in a crisis and during the planning process.
  4. So there is a lot to contend with. Where we are is not good enough. And it has a lot to do with being backward looking. We now need to look forward. We need to understand what we are contending with now and in the future. What trends are making a difference and are likely to continue to do so? I’ve picked just three mega-trends that stand out to me. But you all need to think this through for yourselves, and identify what is going to change in your own sector and your geography. The first of my picks is, or should be, very familiar to you – but it is still worth highlighting. That is the trend of Globalisation and Technology. This is a mix of high speed connectivity, big data, the internet of things, and industry 4.0 (industry 4.0, which is sometimes referred to as the 4th industrial revolution, is the ability of Artificial Intelligence (AI) to automate much more – such as factories and services; a consumer example is self-driving vehicles). I don’t propose to describe all the factors in detail, but the effect is that businesses sit within complex inter-dependent systems. When something goes wrong in such systems, the effects of contagion multiply the impact many times over. And you often have no management control over supply and services that your business depends upon (for example if you have outsourced your IT or business services [Bank credit card example]). When you outsource, you pass management control to someone else, but the risk is still yours, whatever the contract says. The next point is really important to understand. Because of this interdependency, complex systems are far more vulnerable to completely unpredictable risks – so-called black swan events. Many risks in complex systems are completely unpredictable both in terms of likelihood and in terms of impact. And because of this, traditional risk management approaches, which rely on likelihood and impact, simply do not work. So a change of approach is needed to prepare for the unexpected.
An updated approach that has at least the two following features: * An approach that focuses less on specific risks and more on the capability to respond, come what may. I’m talking about well-informed on-the-fly decision making, instead of predefined plans. * An approach for working with partners in the network to understand each of your responsibilities, and the limits to which that extends. This means joint planning. But this evolution is not all bad. Big data and AI in particular, offer the opportunity to identify indicators and trends early, AND to respond early, to prevent a disaster occurring. The best analogy for this is an auto-pilot that monitors all the controls and status of an aircraft and stops it stalling and maintains trim, leaving the pilots to deal with executive and completely left-field events. That’s what 21st century resilience systems should be doing.
  5. The second of my picks relates to the balance between relatively random accidents and deliberate targeted acts that cause disruption. To be honest, both have always existed, and I am not certain that there is a change in the relative volume of each. But what I can say is that BCM and indeed the risk industry has historically focused on the accident side. Floods, fires, IT and utility failure, pandemics are all relatively predictable – both in terms of likelihood and impact. The insurance industry covers these well. Without being complacent (because these are still very real threats) they are comparatively obvious, relatively predictable, and we have tried and tested responses. By contrast, the interconnectivity and technology we’ve just been talking about has attracted the interest of criminals, activists, and governments as opportunities to target specific businesses. This sort of disruption by its nature, is initially hidden from us, and it is designed to exploit weaknesses in our ability to recognise it and respond. These threats are not predictable and we have to find new ways to protect ourselves, to detect the attacks, and to respond. The prescription for dealing with this though is the same as before: that is … 1. Focus on the capability to respond, come what may 2. Work with partners in the network - joint planning. 3. Use big data and AI to automate early warnings and response
  6. The third and last of my picks relates to regulation and expectations. There’s a sort of negative cycle of reaction in the aftermath of a disaster – whether it is something like the Grenfell Tower fire, or the 2008 Financial crisis, or terrorist attacks. Something goes wrong, and there is an outcry and usually something of a witch hunt: “Who should we blame?” Politicians and leaders say “This must never happen again!” Regulators and legislators draw up new rules that mandate approved behaviours and processes, but these often go too far and even become counter-productive. Meanwhile, everyone becomes obsessed with compliance with the new regulations, rather than making sure that the right decisions get made next time at the time. Do you think that this cycle makes future incidents more or less likely? [Pause] I think they make them more likely. You are taking away the element of judgement and replacing it with rules. Most serious incidents I can think of are caused or made worse by failures of judgement combined with false compliance (in other words, complacency induced by inaccurate or inadequate reporting). This is the great problem of our times. Too great a focus on compliance – compliance with regulation is not resilience. Many regulators have a more sophisticated understanding of the issues than we give them credit for. They recognise that, not only is there too much regulation, but also whenever regulations are introduced, businesses fixate on compliance with the letter of the law, rather than take on board the objective of the regulation, often to the detriment of that objective. Many regulators have settled on a question-led approach rather than explicit regulation – they try to drive accountability and thought by requiring the leadership of business to respond to questionnaires and then feeding back their commentary. But trying to guide our response in this way is like trying to thread a needle wearing boxing gloves and welding goggles.
Personally, I would recommend that you try to build a constructive dialogue with relevant regulators, not seeing them as the enemy. We need to note the power of social media nowadays. It was initially, perhaps, an incredibly powerful way of exposing the truth, but is now an equally powerful tool for disinformation used to feed the fears and prejudices of the credulous. How this will evolve I can’t tell, but what we need to understand is that it acts as a multiplier in terms of impact. Regulation and legislation is often driven by public reaction – which evolves far more quickly and unpredictably now, with social media. In general terms, the first time an incident happens, there is a degree of understanding and forgiveness – an attitude of “there but for the grace of God go I”. But if it is not the first time it has happened, that understanding can evaporate very quickly. Expectations are higher. Look at BP and the Gulf fire, or the Grenfell disaster. When you add malicious intent into the mix – such as Russian fake contributions on Twitter following the Manchester bombing – you get a very unpredictable and combustible situation, which, when applied to a business, could quickly spiral out of control.
  7. So – if we are agreed that we are not where we want to be – what can we, as Business Continuity professionals, do about it? I think that, broadly there are two courses of action. Firstly, if you believe that our role and influence is constrained, and is going to stay that way, and that we will never have the opportunity to solve the bigger issues (and nor should we) – then the question is how can we do what we already do better and in a more relevant way? Or, secondly, if you believe that we can redefine our roles, or persuade our leadership to redefine their approach – then, what can we do that is different?
  8. Let’s look at doing what we already do better first of all. This is particularly for those of us who believe that BCMers are not, nor will ever be, anything more than a specialised risk mitigation function. Those who believe that we just need to make sure that we play our part well. Bearing in mind everything we’ve looked at before, I think that there are four areas we should be concentrating on. These are: * Planning for the unexpected * Raising the profile of BCM * Working better with others * Getting our priorities right. Actually – this applies to everyone, not just to people who are scoping their roles narrowly. So what do we actually need to do? Firstly – anticipate disruption better – and we can do this by improving horizon scanning, which can be done by picking intelligent key indicators, and by gathering intelligence from other departments who are likely to see emerging problems before we do, and also by taking time out to think about what is going on now and in the future – maybe team brainstorming sessions or sessions done with other departments. Secondly – focus on building capability. Just following a process that ends up with detailed plans is not good enough. We depend on the capability of people to understand their roles in a crisis, and to make good decisions in a crisis. That means training and exercises, using scenarios that are different and challenging, and this is more important than detailed plans. Next – we need to improve our reporting. Our reports should be seen at the Risk Committee level at least. But to do that, and to stay on their agenda, we need to make sure that our reports are relevant. We need to avoid excessive detail. The reports need to be relevant to business operations. And most of all, the reports must give a true picture of the ability of the business to withstand and recover from a crisis, rather than being some kind of programme progress report.
Talking about making our reports relevant to the business, that means conversations with the business trying to understand their issues and challenges and adapting our approach so that it is more relevant to them. The business is a great source of war stories which we need to capture, including where BCM has helped them. But we should avoid scaremongering, which can work in the short term, but undermines your credibility in the longer term. {Y2K Bird Flu} So a priority is to build and maintain as good networks as you can, and good working relationships in the firm; especially with areas of the business that may be called on, at short notice in a crisis (like security, HR, or FM). Communications is an especially important area in view of what I have been saying about Social Media. On no account should you take on responsibility for building all the plans and keeping them up to date. Quite apart from the impossible amount of work you end up with, this stops people from thinking about BCM and internalising it, which in turn means that they don’t recognise BCM situations quickly enough when they arise. Instead, you need to aim to embed BCM into operational procedures where possible (making people responsible for, and holding them accountable for, their own BCM). Finally you need to get away from departmental BIAs, and instead use Strategic Business Impact Analysis (SBIAs) to understand the overarching business priorities based on client related business processes (and not parochial departmental priorities, like reporting requirements and internal SLAs). Make people think, rather than fill in forms. So these are some ways to do what we do better – and become better able to respond to unpredictable events.
  9. Now I want to look at doing things differently. And specifically it is about raising and changing the role of BCMers and taking a broader, more strategic, role. This is more of an evangelical path, and it is a path to follow if you already have influence with the decision makers in the business, and a path to follow, if you ever get the opportunity to influence the decision makers. It may not be as difficult as it might initially appear because the need to do this is what is driving the emergence of Resilience. But it is vital to understand that Resilience is NOT just a rebadged form of BCM. Nor is it just about the various Protective Disciplines working together. It is well worth reading the British Standard BS65000 on Organisational Resilience, and also getting the ISO standard 22316. The BS is perhaps slightly more comprehensive and is aimed at decision makers – it’s an educational document as much as anything else. The ISO is slightly narrower, but it does represent a consensus view, from across the world, on Resilience, and will be the de facto international document on the subject. There are three areas that I have picked out, to concentrate on. These are: * Developing an integrated and networked approach to Resilience * Embedding resilient thinking into corporate strategy and culture * Making use of new technologies to do some of the things we could not do in the past So – once again – what does that mean in practice? BCM needs to work effectively in conjunction with the other protective disciplines as part of a coordinated approach to Operational Resilience. This means that there needs to be shared governance – not necessarily shared reporting lines – but protective disciplines need to be accountable to a single point, probably the risk committee. And decisions need to be made, taking account of the plans and priorities of the other protective disciplines, working together wherever necessary. 
To do this, you need to have a shared view of what matters most. The Strategic BIA (SBIA) (together with Risk Appetite) are the best mechanisms I’ve seen for achieving this. So the SBIA needs to be developed into a tool that can be used across protective disciplines to identify what really matters in a firm, and why – this should be a consistent basis for prioritisation and for investment. We need to aspire to have more strategic influence. We touched on this on the previous slide, but we are taking it further here. Because we need to develop an understanding of what else makes an organisation more or less resilient. So we need to understand the role of culture, of innovation, of governance, and of how to improve the organisation’s situational awareness, and so on. These are not protective disciplines. This is as much to do with what the organisation is, as opposed to what the organisation does. This is Organisational Resilience, as defined by the standards I mentioned earlier. Following on from that we need to develop and report on key indicators and trends related to Organisational Resilience. The truth is that we might develop an excellent understanding of resilience ourselves, but unless you can find ways to report on the status of the resilience of the business in meaningful ways, your understanding will not be shared by the business. Having a meaningful Resilience dashboard that is shared with the executive is perhaps the single most useful thing we can do. Finally, the new technologies that are a factor in increasing our vulnerability can also be used to our benefit. I have not had the chance to really sit down and think about what the technology can offer, and indeed it is probably best done by someone more up to date than I.
But even I can see that if we can apply some Resilience AI to the mass of corporate indicators and data available, we should be able to use that, not only to get some early warning of emerging issues, but also to automate some pre-emptive actions that may help block, or contain, any damage. I really think that this could be a game changer. [auto-pilot example]
  10. So I think I have covered a lot of ground – there is an awful lot for us to contend with. And it is clear to me that where we are is not good enough. But I come back to the title of this webinar – “What is the future for Business Continuity?” Business Continuity has, in fact, achieved a great deal. And if you believe that we stay with what we have been working on – that we stay in our box – then there is still a lot more that we can do to improve. It has a lot to do with being more proactive and less reactive. However, if we choose that path, we will be like Insurance or Health & Safety – that is, although important and necessary, we will remain a backwater, a specialist area, rarely seen at the top table. And maybe that’s OK. And probably that is the path that most businesses will go down. But personally I think that BCM offers the business more than that – because uniquely we look across the whole business and we try to determine what matters most and work out how to keep that going. That makes it more than, and different from, Health and Safety, or Insurance, or Security, or Compliance for that matter. And I believe that the concept of resilience is an idea whose time has come – there is a broad recognition in the market of a need to coordinate Protective Disciplines better and to address some of the things that make us more resilient that are not to do with protective disciplines, like culture and behaviour for example. If you believe that we can be more to the business, then this second path is the one to choose. “Resilience” has become something of a buzzword, and IT and Security and Compliance and HR and everyone else all have their own view of Resilience. But we have an opportunity to play a leading part in making businesses more Resilient, and I think we should try to take it. Well, thank you very much for listening to me – that wraps up the presentation. I hope it was interesting and thought-provoking for you.
We have time for some questions and answers now, which Erita will pass through to me. And if any of you have any follow-up questions, feel free to get in touch on the email address on this last slide.