How has digitization changed the role of the business continuity and resilience professionals?
I think it has helped improve things, we are no longer bound by the old-fashioned brick and mortar and paper and pen. We now have that capability (that we really enhanced through COVID) of expanding our VPN capacity. This means people who previously might not have had the capability to work remotely now have that functionality. I look at what has happened with online meetings. I mean, that truly exploded with COVID as more and more organizations just moved to online meetings. I do not think we can ever close that door again.
I remember when I started my career, for example, traders had to fill out physical trade tickets to trade stock and then they needed to take it out there, get out of their seat, and send it off to somebody, fax it off to a broker in New York. And so, I look at the technology now and it has just made our lives seamless in that regard. In that sense, I hope that the evolution continues.
The market for e-commerce and digital services has grown a lot. What are the new challenges or opportunities associated with this?
I think some of it is still a cultural change. You are always going to have some people in an organization who like doing things the old way, and so to make that shift as we go into new types of technologies, there will always be somebody who resists. I also think that organizations need to stop and take a look at resources. You know, it is great that we moved to all these platforms, but do these IT departments truly have the right amount of staff to be able to support this? And where are they with single points of failure? When COVID hit, of course, the big thing that everybody was really truly concerned about on their teams was potential loss of life. When we started to look at some of the IT teams, we realised some of them were very small. Also, some relied on aging pieces of technology which represented single points of failure. So, I think we need to make sure that teams are staffed, or they have the right operating procedures and that when they do build out these new technologies they are considering what additional staff they might need in order to support it. There is also an additional never-ending theme for anybody in any line of work and that is budget. It is great to go out and buy all these new technologies, but if you do not have the right resources to help maintain it, train people on it and then work on the upgrades, then it is still always going to be a challenge. Budget is always going to be top of mind and making sure that you have the right amount of money.
In this day and age, IT security is also going to be something that we need to be really concerned about. Right now, we are approaching that time of the year that is full of religious holidays. These contexts offer several opportunities to malicious actors, who can exploit specific themes to craft phishing emails. So, I think it is also just about being mindful of that and having good cybersecurity hygiene.
Finally, you must remain agile. It takes time to go get a new system and bring it into place and fully integrate it into an organization. Still, soon enough you will have something new coming on the horizon that you’re going to have to consider. That is part of being agile, getting ready for that next great technology.
Which software can help the organization become more resilient?
I think that whether you like the business continuity tools that are out in the marketplace or not, they are very helpful in their own way. Business continuity teams are traditionally lean and small, yet they keep getting asked to do more and more. So, I do think it is important for an organization to have an emergency notification tool and a business continuity management planning software. I think the new thing that has not received enough attention in the business continuity profession is report writing. I know in the past few companies where I worked executives were really embracing business intelligence software to look at executive dashboards.
I think it is important that business continuity professionals figure out how to take relevant data and report it in an appealing and agile way to top management. Otherwise, you are going to be sitting there opening up individual files and counting, and teams do not have the luxury of that time. But I also think you have got to find champions, allies, and facilitators within an organization that can help you retrieve the right data and work through the reporting.
Moving to a different topic, which is regulation. Lately, there has been a lot of new regulation coming out on resilience such as the operational resilience policy in the UK. To what extent do you think this helps or does it add a layer of complexity to resilience?
I think it adds a layer of complexity. I think that the rules and regulations are needed. Please do not get me wrong, but I think it is complicated to have a regulatory body that is not completely aligned on terminology. Sometimes, they include elements under the business continuity umbrella that do not pertain to business continuity. Or they may give ownership of traditional business continuity activities to other functions. Sometimes when executive management read the briefing on a new regulation, they see an unrealistic version of business continuity. However, realizing that there are other teams within your organization that support you is important as it helps deal with these types of challenges holistically.
There is an issue of language. There is a need for a common body of knowledge. I know at one point in my career I read something that referred to disaster recovery, but when you really read it, they were talking business continuity. And so again, if you are using the wrong term and then you hand this over to somebody that is a subject matter expert, they will tell you that is not part of their area of expertise. However, it is hard to explain that to your compliance team or executive management, which is why we need clearer language in resilience legislation.
How can you establish a sound resilience culture in your supplier base?
I think it is important to go beyond Tier one. Organizations might have their top twenty vendors or service providers they strongly rely on – such as technology, or human resources – but those vendors will also rely on other companies. We all have to realize everyone relies on somebody else to run their business and help them be successful.
I do not necessarily think it should be the responsibility of the business continuity management teams alone, but it needs to also tie into the procurement and legal department, for example, when you are onboarding a customer or vendor. Collaboration is key to understand what the relationship is going to be like, what the vendor’s capability is to be able to help the company get back on their feet if something happens and ultimately make an informed decision before someone signs on the dotted line for a contract renewal or a brand-new relationship. Furthermore, reviewing vendor relationships and the risks associated with them is something that needs to be done annually. We are headed for a financial downturn and a year from today, a company might not be fluid in cash, and therefore they are not going to be able to provide certain services to you even though you are engaged in a three-year contract.
Is there a topic that you believe should receive more attention and that is being a bit overlooked perhaps?
Yes, I am going to go with one that Gianna would have really appreciated and that is that we still have to consistently get business continuity into the C-Suite and it is still not there. I think that in this day and age, if you are relying more on your people and your technology and your processes, it is great to have a chief information or technology officer in the C-Suite. This is how you bring all the different components of technology or information security together and present them at the highest levels. The question is then how do we do this for business continuity and many other resilience practices that do not get that visibility? I believe the future lies in the creation of chief resilience officer roles, which can provide a holistic approach and talk to top management.
Have you seen that happen? I mean the creation of chief resilience officer roles?
No, but it has been talked about for quite some time now. I do not know of any organization that has a Chief Resiliency Officer. Within the profession, but it has never gotten to that level. Sometimes it is embedded into the Chief Information Security Officer, but it has a strong cyber perspective.
It is a daunting task, because even if resilience professionals deal with a whole range of issues, they usually belong to small teams. So, a hypothetical Chief Resilience Officer could end up being someone who sits at a C-Suite level but only manages less than 20 people.
Do you have any tips for upcoming professionals?
Yes, come join this profession. It is a fantastic journey. I have been doing this for almost 30 years now and I still remember I got asked to do this because I was living in Boston at the time and we were doing two office moves out of two older buildings in Boston, going into one of the new high rises that was being built down on the waterfront and I got asked to put together these plans. I had no idea what they were asking me to do, but it sounded fun, and really interesting and I said yes. Then, six months later there was an opening for a new corporate position called Business Continuity Management, and I can tell you I had no idea what I was signing myself up for, but it has been a fun ride and I look at how the industry has evolved and I look and see where it still needs to continue to go and knowing that this is still going to be a critical position within organizations.
People should come join this profession because it is still something that I hope in time becomes part of the curriculum at universities and colleges that people could get an undergraduate degree in it as opposed to just learning about it after going to university or going to get a Master's degree and getting certified. The profession is changing, we need to involve new people and include new skills in a range of community-level activities, whether it is updating the ISO standards, the BCI good practice guidelines, the DRI professional practices, we still need people to help educate newcomers with webinars, writing articles, and contributing at conferences.
Author: Gianluca Riglietti.