Key Insights Blog


7 July 2020

Risk management planning for business disruption

We’re in the middle of a devastating global crisis caused by a microscopic entity. Who saw that coming? Bill Gates, for starters. As organisations overcome the initial shock and get to grips with protecting employees and productivity, attention will turn to the future. There will be many lessons. Perhaps the most important is that very few risks can’t be anticipated. COVID-19 is an unwelcome but timely reminder of the importance of up-to-date business continuity planning (BCP).

So what’s the key to effective BCP? The considerations below will help ensure your business is prepared for the expected and the unexpected.

Identify the risks

What risks are you planning for? Some will be obvious. Many will hide in the details. Start with whoever knows the most about each business process and use workshops or questionnaires to find out what could negatively impact your business. This will help you to produce a risk register which will feed into your business continuity plans.

Identify the risks you can, but accept that it's impossible to determine every risk specifically. Instead, consider the impacts of unexpected generic events, such as the loss of access to office buildings, connectivity and resources. Organisations that planned for spikes in demand for service desk requests and remote connectivity were better prepared for COVID-19.


Create a controls framework

Enterprise and BCP risk assessments will form the basis for your controls framework, which should be monitored to ensure you can successfully detect, prevent or mitigate the impact of each risk.

When creating your controls framework, you should:

  • Be proactive. BCP is not merely a matter of deciding what to do if something goes wrong. Your plan should build up business resilience now to accelerate your return to business-as-usual practices after a disruption occurs.
  • Get buy-in. Continuity planning is a business-wide activity which depends on the input and backing of numerous employees. Your plan should be clear and concise, and signed off by all relevant stakeholders.
  • Train often. When disaster strikes, your team should automatically know what to do. There’s no substitute for regular training. Ensure control owners understand the purpose of control testing and how it improves risk management and business continuity.
  • Test and test again. Will your carefully designed response actually work? Increase your confidence with periodic testing, which will help you to refine your approach and ensure your measures are realistic and appropriate to the size, nature and complexity of your organisation.
  • Review regularly. Risks evolve. How fast will depend on your business and sector, not to mention the economy, environment etc. However, it’s a good idea to revisit the plan whenever you implement a business process change that could impact your risk profile, for example when transferring a service desk unit to an offshore location.

Conclusion—you can always be ready

Any risk to your strategic objectives is worth identifying, preparing for and mitigating. Both business continuity and enterprise risk management should work together to limit interruption to critical business processes. Involve operations stakeholders in the creation and regular testing, training and review of your business continuity plans to maximise their effectiveness.

It may be impossible to completely avoid the impact of crises on the scale of COVID-19, but you can ensure your business is better prepared to protect employees and establish a competitive advantage.