printer friendly version

Are you prepared for multinational risks?

In recent years, many organisations have established business continuity management programmes which define the different processes of avoiding and recovering from potential disasters to their business.

With the number one goal of a business continuity plan (BCP) serving to allow for continuation of operations while recovering from a disaster, the key component of the success of a BCP relies on the organisation’s resilience programme.

Resilience defined

The Business Continuity Institute defines resilience as the adaptive capacity of an organisation in a complex changing environment. Resilience is the more mature aspect of recovering from disaster which is the ability of an organisation to uphold its functions regardless of drastic changes in the internal and external environment.

Therefore, in their quest to achieve greater maturity in response to and recovering from disasters, an organisation must consider a tailor-made resilience program to enable continuation of business under adverse circumstances.

Resilience statistics

In its annual Africa Resilience survey, Ernst and Young (EY) discovered that although majority of African organisations have good BCPs, they also require a matured resilience programme to reduce the likelihood of exposure and increase their ability to recover from disruptive events when they happen.

The conclusions from the survey indicate that approximately 72% [Level 2 – Level 5] of the respondents reported that their resilience programme can assist in recovering business operations after a disaster. Of that number, 5% is certifiable and 28% can recover all critical functions within approved Recovery Time Objectives (RTO). Only 28% either cannot recover operations or the respondents do not know the maturity level of their programme.

Over 64% of the aggregated participants have indicated an alignment of their companies BCM resilience solutions, to international best practices, i.e. ISO 22301, ISO 22316, BS 65000, ISO 27031, the Business Continuity Institute Good Practice Guidelines 2013 and/or COBIT. Of the 64%, approximately 10% have specified that their companies are aligned to BS 65000 i.e. a guidance document on organisational resilience.

The survey further rated the resilience maturity of the sampled organisations in line with international standards on a five-point scale, with five being the most mature level:

With the survey having revealed that 5% of the sampled organisations have reached level 5, 28% level 4, 24% level 3, 15% level 2 and 10% level 1 maturity of business resilience. The remaining 18% of the respondents indicated an unknown level of resilience.

What this indicates is that although 72% of the respondents reported that their resilience programme can assist in recovering business after a disaster, only 5% have their risk management sources spread beyond the scope of traditional risk methods.

The need to be multinationally resilient

The complication with any organisation operating multinationally is that the nature of disasters become foreign, away from the home country. The best assurance any organisation can get against unknown material disruptive events is to align with international standards both at policy level and implementation.

A multinationally resilient organisation can reduce their vulnerability through adopting a resilience programme which gives them the opportunity to recover all critical functions within the approved RTO.

As a risk professional have you considered:

• Business continuity management and resilience are a subset of risk management, both disciplines are a critical part of mitigation of certain risks.

• Sooner or later your business could grow multinationally. At some point in your business there’s contact with global customers or business partners. Have you considered your organisation’s exposure as a result of these relationships?

• Your employees might travel outside your home country exposing them to multinational risks. Have you added an emergency repatriation plan in your resilience programme?

• Some of your business recovery sites are sitting elsewhere in the world. Have you considered resilience backup if a disaster hits your recovery?

• For a multinational business, what infrastructure challenges in the other country similar to the local water and electricity challenges experienced in South Africa could impact on overall business continuity?

• For a multinational business, given the rise of cyber risk which holds no political boundaries, has the business considered the impact of system failure and the link to their cyber risk management controls?

• Is your business focusing on generic disaster scenarios or specific scenarios which may have a higher probability of occurrence such as power outages (local), political unrest depending on the economic state of the foreign country?

The most responsible decision of any organisation would be to be aligned with international business resilience standards and formally adopt these as part of the risk management and business continuity program, because in spite of everything, we are all part of the global community.

For more information on IRMSA please visit https://www.irmsa.org.za/

Share this article:

Further reading: