Matching governance to context

November 2019 Security Services & Risk Management

Business continuity and resilience have become important items on the board agenda for very good reason. We are living in a volatile, uncertain, complex and ambiguous (VUCA) world with accelerating change and putting plans in place to avoid or overcome disasters is critical to any organisation’s sustainability.

However, says Michael Davies, CEO of ContinuitySA, affordability is always an issue. Companies therefore have to apply limited business continuity budgets in the best possible way. “As business continuity is ultimately a governance, risk and compliance issue, ‘King IV’ is a good guide. One of the important concepts it introduced was proportionality, and this concept of matching governance to the organisation’s particular context is crucial,” he says. “Proportionality is key in balancing budgetary realities with the imperative to build the organisation’s ability to cope with change and recover from disasters.

“This is particularly true in a world where the threat landscape is constantly shifting: planning for every threat is beyond the resources of any organisation.”

King IV’s emphasis on proportionality is part of its overall shift towards a qualitative approach, moving beyond ticking the box to encouraging boards and executives to apply their minds to how to achieve desired outcomes. Thus, all the recommendations made in King IV are intended to be scaled in accordance with the size of the organisation’s turnover and workforce, its resources, and the extent and complexity of its activities (Institute of Directors in South Africa, ‘Report on corporate governance for South Africa 2016’ (King IV), p 37).

In line with this thinking, Davies says that it is important to realise that every business continuity plan is unique because each organisation is individual and has different requirements to other organisations, even if they are in the same industry. Thus, for example, a smaller organisation with fewer resources would have a very different approach to a large, well-resourced financial institution that is strongly regulated.

Understand what’s important to your business

The starting point is always to spend time identifying the organisation’s critical areas based on the minimum service levels acceptable to its clients. This approach, together with a risk assessment and a business impact analysis, would then guide the development of the business continuity plan.

Michael Davies.

An important consideration that often gets overlooked is the physical context in which the organisation operates. For example, an organisation could be adversely affected by strike action or a fire occurring at the premises of a nearby company – this is particularly true of an office/business park. More positively, a small organisation might find that locating itself in a well-run mall or office park allows it to piggyback on some of the landlord’s business continuity provisions, such as security, backup power and water.

Data protection is obviously one of the key considerations when it comes to business continuity. Thanks to advances in technology, there is a range of options available to suit an organisation’s requirements. At the one end of the spectrum, there is the high-availability real-time backup that a bank or stock exchange would require; at the other, a daily replication stored either in the cloud or at a separate data centre.

“In a globally connected world with increasing cybercrime, the important thing about data protection is that the backup needs to be segregated from the network because hackers are often present on the network for a considerable time before detection, thus putting backups at risk,” Davies says. “Because of the need for segregation, tape backups or backups to segregated devices are making an unexpected comeback in some companies.”

Proportionality also plays a role in determining each organisation’s approach to the other big consideration: the need for an alternate site. For example, organisations with call centres will typically require an alternate site, but an organisation with multiple call centres might be able to failover between them. By contrast, professional staff are likely to be able to work from home or remotely much more easily, although there will always be back-office functions that require a common physical location.

Davies says that outsourcing offers a way for organisations to develop the right mix of business continuity services for their particular needs. “In choosing which options suit your organisation’s particular business continuity needs, outsourcing has much to offer, not least because it provides access to experts with experience who can guide you as you identify what truly needs to be done, and how,” he says. “It also helps reduce costs by effectively syndicating the fixed costs relating to alternate data centres and work areas.”

Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

Visualise and mitigate cyber risks
Security Services & Risk Management
SecurityHQ announced its risk and incident management capabilities for the SHQ response platform. The SHQ Response Platform acts as the emergency room, and the risk centre provides the wellness hub for all cyber security monitoring and actions.

Eighty percent of fraud fighters expect to deploy GenAI by 2025
Security Services & Risk Management
A global survey of anti-fraud pros by the ACFE and SAS reveals incredible GenAI enthusiasm, according to the latest anti-fraud tech study by the Association of Certified Fraud Examiners (ACFE) and SAS, but past benchmarking studies suggest a more challenging reality.

Deception technology crucial to unmasking data theft
Information Security Security Services & Risk Management
The ‘silent theft’ of data is an increasingly prevalent cyber threat to businesses, driving the ongoing leakage of personal information in the public domain through undetected attacks that cannot even be policed by data privacy legislation.

Data security and privacy in global mobility
Security Services & Risk Management Information Security
Data security and privacy in today’s interconnected world is of paramount importance. In the realm of global mobility, where individuals and organisations traverse borders for various reasons, safeguarding sensitive information becomes an even more critical imperative.

Proactive strategies against payment fraud
Financial (Industry) Security Services & Risk Management
Amid a spate of high-profile payment fraud cases in South Africa, the need for robust fraud payment prevention measures has never been more apparent, says Ryan Mer, CEO of eftsure Africa.

How to prevent and survive fires
Fire & Safety Security Services & Risk Management
Since its launch in August 2023, Fidelity SecureFire, a division of the Fidelity Services Group, has been making significant strides in revolutionising fire response services in South Africa.

A long career in mining security
Technews Publishing Editor's Choice Security Services & Risk Management Mining (Industry)
Nash Lutchman recently retired from a security and law enforcement career, initially as a police officer, and for the past 16 years as a leader of risk and security operations in the mining industry.

Risk management: There's an app for that
Editor's Choice News & Events Security Services & Risk Management
Zulu Consulting has streamlined the corporate risk management process with the launch of Risk-IO, a web-based app designed to consolidate and guide risk managers through the process, monitoring progress as one proceeds.

Integrated information platform for risk management
Editor's Choice News & Events Security Services & Risk Management
Online Intelligence recently launched version 7 of its CiiMS risk and security platform. Speaking to SMART Security Solutions after the launch event, the company’s Arnold van den Bout described the enhancements in version 7.

Global Identity Fraud Report revealing eight-month ‘mega-attack’
Editor's Choice Security Services & Risk Management
AU10TIX recently released its Q4 Global Identity Fraud Report, with the research identifying two never-before-seen attack patterns, with the worst case involving 22 000+ AI-generated variations of a single U.S. passport.