Building organizational resilience
In 2020, operational resilience is of the utmost importance to businesses worldwide, whether small firms or global enterprises, and no matter what part of the world they operate from. Operational resilience is defined as the emergent property an organization exhibits when it continues to carry out its mission after a disruption that does not push it beyond its operational limit. Never before in modern history have organizations given such serious thought to, and invested so much in, making their business operations resilient to disruptions. The organization meets its overall mission only when every individual high-value service in the organization meets its mission. Each service comprises people, information, technology, and facilities: a critical event can disrupt any one of them, impacting the service and eventually the overall organizational mission.
A critical event can be anything that causes a business disruption, from operational disruptions like IT outages and supply chain disruptions, to catastrophic man-made events like active shooters, to natural events like earthquakes or severe weather, to pandemics like the novel coronavirus (Covid-19). In fact, these events have been on the rise for the last 10 years; on any given day, some part of the world has a critical event impacting business in that area. With a deeply interconnected global economy, an impact on business on one side of the world can cause business disruptions all across the world, even for organizations that were not directly exposed to the critical event. The cost of inaction or poor preparation remains steep: lost productivity, eroded corporate reputation, instability in supply chain management, and lowered revenue.
With highly complex worldwide risk events, it is impossible to rely on humans to collect data, connect modules, and interpret threat data, or to manually visualize, track, and process all the information affecting your organization. Without technology, you cannot be proactive in mitigating the risks and impacts; at best, you can only react. Unfortunately, many organizations still rely on manual processes for collecting data and try to implement business continuity based on a very narrow understanding. This is where Critical Event Management (CEM) comes in, helping various roles in an organization, such as security, operations, risk management, crisis management, and IT professionals, to be proactive rather than reactive during critical events.
This guide will help you better understand how CEM works, how it helps business, how to initiate a CEM strategy, and finally how to quantify business resilience.
How CEM Works
Critical Event Management addresses both the strategic and the tactical side of business resilience. The strategic side starts with identifying business risks, business continuity planning, and forming crisis management teams. The tactical side, implementing business continuity, starts with situation awareness of global risk events, assesses which assets are impacted, and launches response teams to carry out business continuity plans, crisis communications, response team collaboration, and post-mortem analytics. Zapoj's Critical Event Management product, Zsuite, is an AI-powered, comprehensive, end-to-end critical event management platform that enables organizations to predict, act, orchestrate, communicate, and collaborate during any critical disruption to business operations.
The following are the 5 pillars of Critical Event Management:
- Risk Intelligence: Risk intelligence draws on thousands of data feeds across weather, protests, social media, dark web, and hyper-local safety feeds to curate, filter, and categorize risk events. Data is visually organized so that the risk event location, type of risk, data source, and severity are easy to understand, allowing security teams to respond faster to threats, avoid false positives, and make better decisions.
- Correlation of assets and threats: CEM software aligns risk events to assets using a dynamic correlation engine that combines the static location, expected location, and last known location of people and assets. CEM can take this a step further by considering time elements to determine who or what is impacted by threats, in order to reach them faster and more decisively.
- Orchestration of business continuity plans and incident management: Automated workflows ensure that even when you or your team are not watching for threats, the system is doing it for you. SOPs, communications, and action plans can be automated and orchestrated during a crisis in order to speed up response and ensure that the appropriate action is taken for a particular threat.
- Unified communications and collaboration: The unified communications component of the critical event management system allows front-line workers to collaborate and communicate via chat rooms and web conference war rooms, securely share relevant documents, and update task status.
- Data-driven analytics: With CEM, metrics are built in throughout the process to ensure the right action is taken by the right people at the right time, and to understand how effective the implemented actions were and how you can do better in the future.
How CEM Adds Value to your Organization
- Reduced losses from business interruption.
- Lowered costs from IT downtime.
- Decreased losses from property damage.
- Averted costs of lost employee productivity.
- Global risk events situation awareness and their impact on business operations.
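- Increased security team productivity through freed-up time for higher-value tasks.
How to Initiate CEM in your organization
- Leadership Initiative: Build alliances across the chief security officer (CSO), chief information security officer (CISO), and chief information officer (CIO) at the very least. Combining the experience, insights, and intelligence from across the organization makes it possible to quickly understand the root cause of an event and ensures a rapid response and operational continuity.
- Identify key assets and risk areas: During every event, a resilient organization will know where employees, travelers, visitors, offices, manufacturing facilities, and other critical assets are located. It's also critical to know how they are interconnected and the dependencies between them. Beyond knowing the location and interdependencies, organizations also need an idea of how much it will cost if these assets are impacted by an event. For instance, perhaps a critical business application goes down, resulting in thousands of dollars in losses every minute. It's important to calculate losses based on the overall use case, such as how many employees are going to be impacted.
- Risk Intelligence data sources: It's time to pull all of your risk information together into one place to streamline your threat assessment process. Align sources and information, and evaluate the risks and the impact to your organization across five key asset types: People, Buildings, IT Systems, Supply Chain, and Brand/Reputation. Your data sources should be vetted and verified, involving geo-targeted intelligence related to weather, terrorism, and other potential disruptions. Verified sources and analysis eliminate the noise and enable you to generate the most impactful information while eliminating false positives.
- Communication and Training: The primary goal of business continuity planning is to efficiently restore operations through predetermined, systematic processes and procedures. However, in order to minimize the impacts and rapidly respond to operational hindrances, companies must ensure business continuity communication methods and procedures are clearly defined and functional. Communication planning is an integral part of preparedness and any continuity process. Clear and effective communication channels must remain available in order to disseminate information to employees, assess and relay damage, and coordinate a recovery strategy.
How to quantify CEM outcomes
If you can't measure something, you can't improve it, and this applies to business resilience too. Since CEM is all about improving the business resilience of organizations, a capability maturity model quantifies where an organization stands now, identifies gaps, assesses what needs to be done to improve, provides a timeline for improvements, and tracks progress with data-driven metrics. CEM-CMM positions operational resilience in a process improvement view. Let's talk about the CEM capability maturity model stages:
- Ad hoc stage: Within organizational security, business continuity, crisis management, and IT ops are managed in silos with individual tools and processes. No CEM software is used, all tasks are manual and paper-based, and teams have limited knowledge of the assets that are important for successful business operations. At this stage, any response to a disruption of business operations is slow, uncoordinated, and unstructured, eventually leading to revenue loss and putting brand value at stake.
- Reactive stage: At the reactive stage, organizations have started using basic CEM technologies like emergency notifications, and have aligned all teams responsible for implementing business continuity and crisis management under a CEM practice. The assets (people, facilities, supply chain, IT infrastructure and services, and information) needed for business services to meet their goals are defined as well. But identification of risks and correlation with assets is still a manual human task. Technology is used only to alert response teams, and the implementation scope is still at the departmental level.
- Managed stage: At this stage, organizations have taken CEM seriously, and more and more business units have started implementing CEM strategies. Most importantly, end-to-end CEM software is used to replace manual operations with automated risk identification, though correlation with assets is still limited; alerts are multi-channel, with escalations and audits at every stage.
- Proactive stage: At this stage, organizations are mature in CEM and have implemented best practices for all business services. All identified risk events are automatically correlated with assets, and alerts are sent based on staff schedules. Mobile devices are used to send alerts based on context and location awareness.
- Optimized stage: At this stage, organizations should have implemented CEM organization-wide, with dynamic alerting, automation with orchestration, and data-driven analytics to understand gaps and drive continuous improvement.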
How to quantity CEM outcomes
If you can’t measure something you can’t improve it, this is applicable to business resilience also. Since CEM is all about improving the business resilience of organizations, the capability maturity model in place quantifies where organizations stand now, identifies gaps, assesses what needs to be done to improve it, provides a timeline for improvements, and tracks the progress with data-driven metrics. CEM-CMM positions operational resilience in a process improvement view. Let’s talk about CEM capability maturity model stages
- Adhoc Stage: As part of organizational Security – Business continuity , Crisis Management and IT ops are silo managed with individual tools and processes. No CEM software is used to implement, all tasks are manual and paper based, teams have limited knowledge of important assets for successful business operations. At this stage any business operations disruption response is slow , uncoordinated ,unstructured, eventually leading to revenue loss and brand value at stake.
- Reactive stage: At reactive stage organizations would have started using basic CEM technologies like emergency notifications, aligned with all teams responsible to implement Business continuity and crisis management under CEM practice. Assets (People, Facilities, supply chain , IT infra and services and Information) needed for business services to meet their goals are defined as well . But identification of risks and correlation of assets is still a manual human task. Technology is used only to alert response teams and the implementation scope is still at the departmental level.
- Managed stage: At this stage organizations have taken CEM seriously, more and more business units started implementing CEM strategies. Most importantly end to end CEM software is used to replace manual operations with automated risk identifying but the limited correlation with assets, alerts are multi-channeled with escalations and audits at every stage.
- Proactive stage: At this stage organizations are matured with CEM and implemented best practices for all business services. All identified risk operations are automatically correlated with assets and alerts are sent based on staff schedules. Mobile devices are used to send alerts based on context and location awareness.
- Optimized Stage: At this stage organizations should have implemented CEM across organization wide with dynamic altering , automation with orchestration , data driven analytics to understand gaps and continuous improvement.