The year 2022 saw the tapering off of the pandemic, the invasion of Ukraine by Russia, an ongoing wave of cyberattacks, continuing supply chain woes, and a renewed focus by organizations on identifying and protecting their most essential business processes. Read on to learn about the BCM year in review.
Related on BCMMETRICS: Global Turmoil Making You Ill? Try a Dose of Risk Management
Getting Back in the Air
This year, I’m glad to say, I returned to my prepandemic level of business travel. I flew 100,000 miles, visiting clients in Hawaii, the Middle East, and the U.K. as well as throughout the U.S.
Working remotely as a business continuity management consulting firm worked while it had to, but there’s nothing like visiting organizations in person. It’s the best way to get a handle on the organization, its culture, what their most important business processes are, the threats they face, and the current state of their BCM program. It’s also the best way to help them devise a roadmap to guide them in better protecting the organization and its stakeholders moving forward.
Over the course of a busy year, here are a few of the more interesting new trends and key themes I saw in business continuity management:
- Fighting the good fight. BCM professionals continue to fight the good fight in their effort to be heard by management, move things through webs of bureaucracy and overcomplication, and protect their organizations.
- The “we are too big to fail” approach. Unfortunately, a number of companies, especially the biggest ones, persist in taking a “too big to fail” approach to dealing with the possibility they might be hit with serious outages: We don’t have to bother with BCM. We’re so big, if anything goes wrong, we’ll just write a check to put it right. That’s fine for them if they like living on the edge. But what about the turmoil this approach can cause the people, organizations, and communities that are interconnected with them? One of these years, I hope to be able to write about the acceptance of the need for responsible continuity planning by even the biggest companies.
- The Great Resignation is no joke. There were so many think pieces about the Great Resignation this year, a cynic could be excused for accusing the newspapers of crying wolf. But according to my contacts, the Great Resignation was no joke. Many organizations have lost a lot of talent this year, whether through senior people’s retiring or younger ones quitting. We recently started an engagement at an organization hurting badly from the departure of many tenured veterans and the loss of a lot of intellectual capital. For many BC offices, dealing with these losses—and the vulnerabilities they create—will be a key agenda item for 2023.
- A new focus on efficiency. There’s a lot to be said for ruthless efficiency when it comes to BCM. One thing we saw at many of our clients was a new focus on identifying and protecting their core services —and only the core services. When you can only do so much, you must make sure that what you’re doing counts. Soft, lazy thinking doesn’t cut the mustard. Discipline and rigor are needed. Not every business service is equally important. Smart, disciplined BC requires looking under the hood and learning what counts most. This year, many companies seemed to recognize this need and embrace this approach.
- “Maximum intolerable downtime.” Related to the new focus on efficiency was the emergence of a new concept, maximum intolerable downtime (MID). It originated in the UK as part of the new Operational Resilience standards. It is like RTOs (recovery time objectives) but MID is a measure of how long the organization can absolutely, positively tolerate the absence of a business process before intolerable impacts occur. MID provides a real-world estimate of how long a process can really be down and will extend how soon processes need to be restored.
- The remote-work delusion. Here’s one we encountered almost everywhere we went. Managers often told us that since their employees were now working remotely, they didn’t have to do BC anymore. In fact, remote work reduces risk in some areas (by dispersing the workforce) while increasing it in others. People working at home can lose power, suffer network outages, expose confidential data to unauthorized people, get hacked, come under physical threat, and many other challenges. Certain threats from before the pandemic, such as ransomware attacks and the possibility that employee actions might cause reputational damage, persist even if most employees are working from home. Remote work has added some interesting new wrinkles to BC. It hasn’t made the need for it go away.
- The need for manual workarounds. This year made one thing clear: the old-fashioned manual workaround ought to be the next big thing. As the number of ransomware attacks increases, the need for companies to have manual workarounds for their critical business processes is greater than ever. Companies must be able to work without technology. And their workarounds need to be tested and practiced on an enterprise level.
- Supply-chain security is paramount. We’ve been talking about this for years; we even wrote an ebook about it. In 2022, the issue of supply chain security took on more prominence than ever. Many of our clients felt the pinch this year when a product or service they depended on was delayed or unavailable. Even worse for some was the total loss of a supplier. Organizations need to get in the habit of identifying and vetting their critical vendors, putting BCM language in their contacts, and lining up alternate suppliers in advance, just in case.
- The persistence of the misalignment between IT and the business units. Last but not least, one of the issues we saw repeatedly with our clients this year was the persistence of the gap between the IT department and the business units. At many companies, the gap between what IT can do in terms of IT disaster recovery and what the business units expect is big enough to drive a truck through. The ideal approach is, IT figures out what it can do, the business units figure out what they want, and these are compared and brought into alignment. At the least, IT departments should write up a one-page explanation of their IT/DR plan and communicate it on a regular basis. That way, if the IT/DR plan has to be implemented, the business departments might not be happy about the result, but they won’t be able to say they weren’t made aware of how recovery will occur and what it means to their business area.
Negative Trends and Positive Developments
2022 was an eventful year in the news and in BC. Along with somber developments on the international front, we saw impacts from staff shortages and supply-chain woes as well as the persistence of unhelpful trends such as the belief that remote work makes BC unnecessary and the lack of alignment between IT and the business units.
Among the positive developments was a new focus on efficiency and discipline, and the continued dedication of BC professionals everywhere in fighting the good fight on behalf of their organizations and stakeholders.
Check back after the holidays for our take on what 2023 is likely to bring for BCM professionals and the world of business continuity generally.
For more information on business continuity trends and other hot topics in BCM and IT/disaster recovery, check out these recent posts from BCMMETRICS and MHA Consulting:
- Home Alone: When Disasters Affect Staff Who Are Working Remotely
- The Retro Revolution: Why Manual Workarounds Are a BC Must
- Getting in Sync: Eliminating Recovery Strategy Gaps between BC and IT
- Global Turmoil Making You Ill? Try a Dose of Risk Management
- Vulnerable Vendors: Supplier Weaknesses Put Your Organization at Risk