Seven Myths about Resilience Programs

Every day, businesses face challenges that can threaten their people, products, and operations. Cyberattacks, data breaches, critical infrastructure failure, natural disasters, and a myriad of other risks can lead to costly business interruptions and damage to brand reputation. Addressing these risks requires a proactive approach, with action plans in place for when the worst happens.

A strong business continuity plan can offer numerous benefits, including:

• Demonstrating the organization’s reliability, a critical market differentiator in a time of declining customer loyalty 
• Helping reduce losses during a time of business interruption
• Identifying and mitigating operational risks proactively, potentially avoiding business interruptions in the first place
• Developing a culture of preparedness that can help the organization respond to novel risks
• Complying with required regulatory guidelines within industries that mandate having a business continuity plan

But despite the benefits a business continuity program brings to an organization, there are still myths that stop some businesses from fully embracing their potential. Dispelling these misconceptions can help organizations take the steps they need to achieve their resilience goals while considering their business model, culture, and constraints.

Myth 1: All business continuity programs are essentially the same.

Every company operates differently, with its own business model, regulatory structure, customer expectations, and risk profile. The costs of maintaining a business continuity program will also differ from business to business and will be dictated by its design, which can include a bespoke structure, self-service tools, and templates. By understanding the risks and specific circumstances the business faces, leaders can begin to develop a program that fits the organization and its culture.

Myth 2: One plan can cover the entire organization.

Businesses are complex, with many stakeholders performing a wide range of functions. While an organization may have a consistent set of priorities and a uniform set of roles and responsibilities, addressing the needs of different parts of the business will likely require several plans to restore critical operations across the organization when disruption occurs.

Myth 3: Once a plan is in place, the business is ready for anything.

While planning is a key component of a business continuity   program, it’s equally important that there are discussions, training, and exercises that ensure the organization can execute the plan. For a program to mature over time, the business must establish processes to update and scale its resilience strategies as the organization changes and grows.

Myth 4: Experts can just write the plan for the business.

Risk and resilience are inherently social endeavors. Organizations need understanding and commitment from stakeholders to make a business continuity plan successful. Even the most technically sound program on paper can fall apart at the execution stage without the right people and knowledge in place to deliver the expected results.

Myth 5: The business already has insurance; there’s no need to have business continuity program.

Business interruption insurance is typically acquired through either a cyber or property insurance policy (or both). Lack of a business continuity program can actually limit an organization’s ability to get insurance or increase its insurance costs. While insurance can defray the costs of an incident, there are some impacts (e.g., reputational damage, loss of customers, less favorable contract terms, etc.) that are not insurable but will still have a negative consequence.

Myth 6: The business already has an IT disaster recovery program, so everything is covered.

IT disaster recovery focuses on the ability of the business to quickly restore IT capabilities; it doesn’t help the business continue to operate while IT is down. Considering the proliferation of ransomware attacks, business needs to consider how they can sustain critical processes while IT teams work to restore operations.

IT disaster recovery also only focuses on how to restore IT infrastructure and critical applications. It doesn’t consider other types of disruption, such as losses related to building access, people, key vendors, utilities, and equipment. Business continuity helps organizations prepare for a wider array of disruptions than IT disaster recovery plans alone.

Myth 7: The organizations must perform a business impact analysis (BIA) for the entire organization as the first step.

A BIA is a valuable planning tool, and traditional models recommend conducting one to identify critical business processes; however, most organizations can identify critical processes without conducting a full BIA. By embracing a series of business continuity planning sprints (by going through a complete business continuity planning effort for select processes within the business), companies can realize the value of risk reduction efforts more quickly, producing results on an accelerated timeline.