Introduction
Recent global events, such as the CrowdStrike incident and the UK riots in early August 2024, serve as stark reminders of how swiftly unforeseen circumstances can disrupt business operations. These unpredictable occurrences are not new; numerous examples have emerged over the past five years, even aside from the COVID-19 pandemic.
With increasing geopolitical tensions impacting exports, the conflict in Eastern Europe, shifting climate patterns and the rapid advancement of AI technology, the likelihood of further “unpredictable” or Black Swan events remains high.
Safeguarding Against Unforeseen Disruptions
While it’s impossible to anticipate every potential scenario, is it feasible to prepare for virtually any eventuality? We believe it is, or at least that we can come very close to it. This approach distinguishes Business Resilience Planning from traditional Business Continuity.
Comprehensive Preparation typically involves an event/threat-based strategy. This works well for known risks and is usually addressed through Risk Assessment during the initial Analysis phase of Business Continuity Planning.
However, this method has inherent limitations. Firstly, it only covers identified threats, leaving us vulnerable to “unknown” risks. Secondly, attempting to account for every possible scenario can quickly overwhelm the Business Continuity Process, often leading to disengagement.
Addressing the Unknown
Universal Preparedness requires a shift in approach, focusing on operational functionality and adopting an “event-agnostic” stance.
Let’s clarify the fundamental concepts:
A business delivers its products or services by utilising its Assets and Resources. These encompass tangible physical assets, intangibles like brand reputation, and external resources such as supply chains and distribution channels.
Time is the critical factor in resilience planning.
When Preparing for Any Scenario, rather than fixating on specific threats, we should concentrate on two key aspects:
- Maintaining our ability to deliver products/services through the continuous availability of our Assets/Resources.
- Understanding our Disruption Tolerance: determining the consequences of service interruption over varying time periods.
Disruption Tolerance
In Business Continuity (BC), we consider the Maximum Tolerable Period of Disruption (MTPD), which focuses on major events that could potentially “kill” the business. However, even minor “outages” can cause long-term damage and impair future business opportunities by triggering a resilience response in customers.
Consider a business model built around a single supplier solution for efficiency and cost control. Even a brief outage from which the business quickly recovers might prompt customers to consider dual supplier strategies to enhance their own resilience.
Thus, in addition to the MTPD, there’s an earlier point at which the model experiences damage — a point where customers begin to react. ARM Plus term this the Initial Point of Customer Reaction (IPOCR).
Customer Response to Disruption
The IPOCR marks the moment when customers start to react to service interruptions.
Major vs. Minor Disruptions
While the MTPD drives BC Objectives and Program Design, understanding the IPOCR allows us to consider the impact of smaller disruptions that can trigger resilience reactions in customers. These lower-level disruptions may be more frequent than major events. For instance, ARM Plus recently worked with a business that came within two days of being unable to supply its product due to a cyber-attack on a key component supplier.
Shaping BC and Resilience Objectives
For example, Company A has three product channels with the following MTPDs and IPOCRs:
Product Channel 1:
- MTPD: 8 weeks
- IPOCR: 2 weeks (potential 30% sales loss)
Product Channel 2:
- MTPD: 10 weeks
- IPOCR: 3 weeks (potential 25% sales loss)
Product Channel 3:
- MTPD: 12 weeks
- IPOCR: 6 weeks (potential 35% sales loss)
Understanding both MTPD and IPOCR allows us to assess asset and resource recoverability more effectively. In the case of Product Channel 1, a 2-week tolerance for disruption instead of 8 weeks may significantly alter BC and Resilience requirements, objectives, and overall program design.
Resilience Through Swift Recovery
The key to resilience lies in the ability to recover assets/resources within the IPOCR, regardless of the cause of unavailability.
Once MTPD and IPOCR are established, we can evaluate the Recovery Time of our Assets/Resources. Using IPOCR as a benchmark, rather than MTPD, allows for a more nuanced approach to threat assessment and risk reduction based on the criticality and recoverability of Assets/Resources.
This article is provided by our risk partner Arch Risk Management Plus.