The Three R's of BCM: Risk, Response, and Resilience

Written by Jim Tapscott

Cybercrime is a primary reason companies are planning for business continuity by focusing on risks, responses, and resilience.

Business continuity planning (BCP) has many complex components, as seen in the recent post, Achieving Resilience with an Integrated Risk Management Solution. To be successful, companies need to focus on the three R's of BCP: Risk, Response, and Resilience.

Understanding these components lets companies plan properly, with a clear view of each factor and the role it plays in protecting and preserving data and systems. Here is a closer look at each.

  1. Risk Management

Risk management is about anticipating and identifying potential disruptions to systems, data, people, and business operations. Identification is the core of risk management disciplines.

Risk needs to be identified within each sector of the enterprise. Today, much risk management focuses on cyber threats to technological systems. A thorough risk assessment plan also incorporates operational, financial, legal, strategic, and technological spaces.

Once each potential risk is identified, companies need to work through several questions:

  • What are the vulnerabilities and exposures that are a factor in those risks?
  • What are the consequences should any one of the risks materialize?
  • What is the likelihood of the risk occurring?
  • What are the best solutions to reduce the threat of each risk?
  • What risk abatement strategies are the most critical to pursue and implement?

Risk management plans need to consider what the top priorities are. In many cases, they focus rightly on maintaining business operations or minimizing financial impacts (both short- and long-term). Other priorities include keeping employees and locations safe, communication with customers and employees, and reputation management.

  2. Response Management

Any sound business continuity plan has to address the stark reality of how to respond to an incident. Organizations often put incident teams in place to respond to and manage such situations when they occur.

Such teams have to have broad latitude to ensure that operations are maintained, losses are contained, and disruptions are minimized. These teams often include representatives from operational areas, information security, information technology, human resources, communications, and customer relations.

Plans need to be developed and followed closely during an incident in order to ensure all areas are considered and monitored for the duration of the crisis. Organizations are also well served by a post-incident assessment that helps frame and, where necessary, adjust both the risk and response phases.


Resilience planning allows for companies to ensure that operations return to normal after a security incident or other threat.

  3. Resilience Management

Many wonder about the difference between business continuity and business resilience. There are important distinctions.

The first is that resilient organizations do not just recover from an incident. They improve their baseline, their processes, and ultimately their future outcomes. In other words, they improve rather than merely recover.

Another critical distinction is that resiliency is about awareness. The more people who are aware of the company's policies, objectives, and programs, the better. Awareness leads to organizational competence, plan efficiency, and program maturity. It also correlates with integrated risk management efforts, as interdependencies are uncovered and highlighted.

Continuity Logic delivers technology that allows the best improvement over time through self-service and ease of customization. We are also focused on total engagement throughout your organization with unique features to guide users through the platform. Contact our team to discuss improving your program today.