Authored by: Ms. Mpho Modisane, IRMSA Risk Intelligence Committee
In recent years, many more organizations have established Business Continuity Management Programmes (BCPs), which define the different processes of avoiding and recovering from potential disasters to their business (the word "process" is used here rather than "system" because of the common, though not universal, confusion between BCP and DRP).
The number one goal of a Business Continuity Plan (BCP) is to allow operations to continue while the organization recovers from a disaster, and the key component of a BCP's success is the organization's resilience programme.
The Business Continuity Institute defines Resilience as the adaptive capacity of an organization in a complex changing environment.
Resilience is the more mature aspect of recovering from disaster: the ability of an organization to uphold its functions regardless of drastic changes in the internal and external environment.
Therefore, in its quest to achieve greater maturity in responding to and recovering from disasters, an organization must consider a tailor-made resilience programme to enable continuation of business under adverse circumstances.
In their annual Africa Resilience survey, Ernst and Young (EY) discovered that although the majority of African organizations have good BCPs, they also require a mature resilience programme to reduce the likelihood of exposure and to recover from disruptive events when they happen.
The conclusions from the survey indicate that approximately 72% [Level 2 – Level 5] of the respondents reported that their resilience programme can assist in recovering business operations after a disaster.
Of that number, 5% is certifiable and 28% can recover all critical functions within approved Recovery Time Objectives.
Only 28% either cannot recover operations or the respondents do not know the maturity level of the programme.
Over 64% of the aggregated participants indicated that their companies' BCM resilience solutions are aligned to international best practices, i.e. ISO 22301, ISO 22316, BS 65000, ISO 27031, the Business Continuity Institute Good Practice Guidelines 2013 and/or COBIT.
Of the 64%, approximately 10% specified that their companies are aligned to BS 65000, a guidance document on organisational resilience.
The EY survey further rated the resilience maturity of the sampled organizations in line with international standards on a five-point scale, with five being the most mature level:
Can recover all critical functions with approved recovery time objective
Can recover some critical functions with approved recovery time objective
Can recover limited business processes via information and undocumented processes
Cannot recover from or survive a disruption (programme does not exist)
The survey revealed that 5% of the sampled organizations have reached level 5, 28% level 4, 24% level 3, 15% level 2 and 10% level 1 maturity of business resilience. The remaining 18% of the respondents indicated that their level of resilience is unknown.
What this indicates is that although 72% of the respondents reported that their resilience programme can assist in recovering business after a disaster, only 5% have their risk management sources spread beyond the scope of traditional risk methods.
The need to be multinationally resilient:
The complication for any organization operating multinationally is that the nature of disasters becomes foreign once it is away from the home country.
The best assurance any organization can get against unknown material disruptive events is to align with international standards at both policy and implementation level.
A multinationally resilient organisation can reduce its vulnerability by adopting a resilience programme which gives it the opportunity to recover all critical functions within the approved Recovery Time Objectives.
As a risk professional have you considered that: