Let’s face it, in today’s world it has never been more important to ensure your organisation has good levels of resilience. With everything from an increasing frequency and magnitude of extreme weather events, to supply-chain shocks, to global health scares, wars and cyber-attacks, we live in a world of growing uncertainty and threats to business. But what to do? What does “good resilience” even look like? How is it achieved? By whom and when? How much time and effort should be spent on it? How do you know when you’ve got it?
These are just some of the questions many organisations ask, but in obtaining answers, two things are fundamental:
- Understanding the business – what are its key priorities, the drivers for its success, and the technologies that support it in achieving those priorities
- Understanding the threat – an awareness of the threat landscape and how it can impact the business
That understanding underpins the risk-based approach that’s essential to building resilience, because it enables the business to understand which of its assets are more worthy of protection than others, i.e. the assets that enable it to deliver its products/services to its customers; the assets that enable it to process the revenues it needs to remain viable; the assets that are going to be of higher value to both the business and any threat actors; and the assets that, in the event of their loss or disruption – in the aftermath of a cyber-breach for example – are going to result in heavy regulatory or legal penalties.
This risk-based approach enables the business to identify its vulnerabilities, categorise and manage its risks, and decide what it needs to do about them.
A foundational route towards effective understanding of the business can be the Business Impact Analysis (BIA). This has been at the core of many organisations’ resilience-building programmes, because it can:
- Help define priority activities – identifying the activities that support the production, delivery and availability of the business’s products and services.
- Identify the internal & external services and assets the priority activities require for continued operation.
- Identify vital data assets (VDAs) – data that can directly and significantly influence the business’s overall performance, both financially and non-financially.
- Assess the impact of a disruption on operations, customer service, reputation, regulatory compliance, finance, partners and staff.
- Identify and prioritise the recovery needs for priority functions in terms of resources, assets and technology support.
Understanding the threat involves having a well-informed situational awareness of the threat landscape, ranging from the physical environment to socio-economic and political issues, legal and regulatory challenges, not to mention information security and cyber issues (and this is by no means an exhaustive list!). Such awareness, along with an understanding of the impacts of potential threats and of the organisation’s own vulnerabilities, is key in helping to define an organisation’s risk appetite and the measures it needs to consider to address those threats and respond to them effectively.
Sadly, it’s routine for organisations to find themselves bogged down in ineffective resilience programmes, because the reality is that many simply don’t have the in-house resources or expertise needed to undertake these fundamental activities. This can result in the wrong capabilities being developed and wasted effort in terms of resource and budget.
Hiring a competent internal resilience professional can be problematic and expensive, and it may not be possible (for budgetary and other reasons) to provide that individual with the wherewithal needed to do their job properly.
That’s why it’s important to look for help from external specialists who have a proven track record of delivering such expertise, either by providing a complete “package” of help in building resilience from the ground up, or in assisting in very specific areas where there are skills gaps or insufficient resources for particular activities.
Redcentric’s consultants can help you identify and define priorities and the assets that are critical, as well as the likely impacts following loss or disruption to these assets. We enable you to visualise your organisation’s risk appetite and how it should adapt to the ever-changing threat landscape. We’ll support you in identifying the vulnerabilities and how best to apply resources to build better resilience, and provide a roadmap for how to get there.