From early 2020, businesses around the world collectively experienced the impacts of COVID-19 where there were business disruptions and even stoppages imposed by government regulations in a bid to contain the pandemic. This disaster put an incredible strain on the national economy and had global impacts on the supply chains industry; as an example, when China, the world’s factory, was impacted, global supply chains were affected. This tested the efficiency and strength of Business Continuity Plans (BCP) in organisations when disruption of common resources such as their workforce, supply chain, materials, transportation, and communications arise. Many organisations without a BCP or contingency plan also scrambled to put in “quick-fix” plans to counter the issues faced.

As we move into 2021, we explore what are the potential risks and top scenarios in the coming years and review our plans and ask “is there a need to review our plans that have served us well in 2020?”

2021 Risk Scenario and Profiling - Looking ahead by looking back

The core objective of any risk management system is to ensure the organisation endures whatever circumstances it may face during the course of business. As we look into planning for the upcoming year and ahead, we took reference from various reports such as Insurance Reports, the Global Risk Insights by the United Nations Security Council and other risk focused reports to sense on the key risk concerns.

Covid-19 is still the top risk.  In 2021, it is high likely that the operational risks and business continuity concerns will still revolve on the topic of COVID-19. Though there are vaccines developed, with many countries having already started vaccination exercises for their citizens, many hope that this will slow the spread of the virus. However, it is expected to take 12 to 18 more months before we start to see the numbers in control or declining and another 2 to 3 years for recovery back to pre-COVID times. In total, the pandemic could take up to 5 years from outbreak till recovery.  

In recent months, there is a call for concern regarding the emergence of new mutated COVID-19 strains such as N501Y (Africa, England) & E484K (Africa, Brazil). These new strains are more infectious and have the potential to spread faster than before. Many governments have been quick to re-imposing lockdowns to curb the spread. With the infection rate growing daily, COVID-19 will still be a top risk to watch out for in 2021 both affecting businesses and our daily lives.  We believe more mutation of the virus is likely to happen and the challenges of effective vaccines are likely to continue for a while.

Changes in global economics.  The economic policies from governments around the world will also become a major focus in the beginning of 2021. The trade war between two top economic powerhouses, US and China will continue for the foreseeable future. With the changes in leadership of a few leading governments, there will also be more uncertainties as we wait to see the direction of the new governments. How, then, does this impact business continuity and how about your supply chain?

There is also a false sense of security for many people. Thoughts of “we have survived 2020 and the pandemic, there is no need to make any further changes to our recovery strategies”. It is important to note that with the successes of implementing Work-from-Home (WFH) strategy and other contingency plans, it is still crucial to conduct exercises to better improve these existing plans and to counter other scenarios that have not yet been tested in the past year. So far, majority of the major decisions are still made on the country level. Once we have moved to the recovery phase, business continuity planners are expected to take over and make these decisions. Are you ready for this? In the prolonged Pandemic crisis that has lasted for months and is projected to last even longer, businesses should consider how to survive a double crisis such as a typhoon or social unrest or even cyber-security outbreak.  Always Expect the Unexpected.

Cyber-Security as an Emerging Risk. With the many changes to workplace operations involving the Work-from-Home strategy and the other contingency plans, there exposes many organisations to vulnerabilities involving Cyber-Security as employees work from less secure networks and having to bring more work operations online. Email phishing is also a growing threat with more people relying on a higher volume of emails, a less vigilant employee may just let a cyber threat slip in through the cracks. An effective IT strategy driven by management and leadership is one of the primary enablers to ensuring resilience. What is your recovery strategy and has it been put to the test?

A quick poll with over 50 participants showed that the top 3 risks that most concerns risk and business continuity practitioners are most concerned with Infectious diseases (87%), Cyber Security (85%) and Supply Chain breakdowns (62%), with Political unrest & demonstration (45%) coming in at a close fourth choice. Prolonged crisis complications and threats are also increasingly included as a top 2021 risk scenario. Risks and threats are also highly industry-specific, and it is recommended to discuss within your team, the senior leadership and industry-peers, to identify the top risks pertaining to your organisation and industry.

Continue strengthening and updating your Business Resiliency Programmes to fit into the New Normal

Though we are 1 year into this New Normal of the COVID-19 world, there are still many unknowns– How long will the pandemic last? When will it peak? And when will subsequent waves hit? What we do know is that the COVID-19 related risks are unlikely to decrease substantially in the short run.

Especially now, we cannot let our guards down and get complacent about our business resiliency programmes. We used to encourage BC professional to plan for “Just in case” (JIC) but with the current environment we have to start considering the “It will happen” mentality. There must be efforts made to further strengthen them and meet the changes in business models in this New Norm. It is evident that organisations with adaptable business continuity programmes fared better and were more resilient than other organisations – a clear indicator of the competitive advantage of business continuity. The Good news is that we now see higher awareness and attention on Risk and resilience from the Senior Management and Board of Directors (BOD).

We recommend considering the following to strengthen your BCP:

1. Your programme should be consequence-based rather than hazards-based –
   It is simply not feasible to have one plan for each incident or scenario. Having more scenarios means that it is more difficult to maintain and too time-consuming to be effective. The key to a good Business Continuity Programme is to be flexible to cater to the various consequences such as loss of staff, loss of resources, equipment, data, critical applications and many others.

2. Involve Management in the Business Resiliency process –
   Ensure the Board are involved in the process and made aware of the essential versus non-essential services so there are no conflicts between the management and the business management team during an incident. Leverage on the increased awareness and spotlight on business resiliency to increase management support and ensure buy-ins. Capitalise on the enhanced visibility of business continuity as a result of COVID-19 to push for more support for business continuity and related plans and activities.

3. Certification and Transition to ISO 22301:2019 –
   If you are certified with ISO22301:2012, it is suggested to upgrade and transition to the revised 2019 standards. Being certified to the latest certification standards will ensure that your organisation’s programme and plans are aligned and relevant to today’s business environment.

4. Your Work-From-Home (WFH) Strategy –
   Most office-based workers have adopted a remote working model during the pandemic. If WFH is to be your organisation’s only back-up for loss of workplace, ensure that the employee agreements, policies, processes, security, regular testing, and insurance are in place as well as the technology and the leadership and management practices to make it work effectively and securely.

And importantly, one of the most important points to build up your business resiliency is:

5. Conducting Resiliency Exercises for your Top Risks in 2021 –
   One key component in the Business Continuity (BC) Lifecycle that cannot be ignored is validation. It is vital to test the viability and workability of your plans or new policies. Conducting BC exercises can be done with different types of exercises and tests such as call tree exercises, tabletop exercises, walk-throughs, functional tests and live simulations.
   
   Identifying your top risks would allow you to better craft the best exercises to better ensure that the objective of the exercise can be met. This is not just a paper-exercise but an opportunity to test your resilience capability in the COVID environment.
   
   A quick poll of 50 participants shows that the most popular exercises that were conducted in 2020 were call-tree exercises, tabletop exercise and live simulation. This shows that even in the conditions that we are in with COVID-19, we can still conduct exercises. Some of the key considerations would be to adhere to the local regulatory guidelines such as safe management measures, social distancing and wearing of masks, avoid mass gatherings in one location.
   
   Be sure to make use of technology to increase engagement through online simulation tools and to collect their responses and ease the exercise process. Another technological tool to take advantage of is emergency notification tools to reach all staff and collect responses quickly with instant reporting.

Conclusion

In a nutshell, a disruption in business operations and services, whether from a pandemic, natural disaster, a terrorist strike, a cyber-attack or a simple glitch, can seriously reduce your revenue and even do long-term damage to your business image. Taking reference to our current situation, nobody expected COVID-19 to have such a disastrous impact on a global scale. We need to aim to be flexible and adaptable, to have a strong business resiliency programme to pull through even the toughest situations.

It is recommended to think of the risk profile in the long term and not just year by year. As a prepared organisation, long term planning is needed to ensure the resiliency of an organisation. Plan for smaller 3-year milestones and a major milestone for your 15-year risk cycle to achieve your set risk profile. Get your Board of Directors and Senior Management to be on board and expand your business resiliency while there is a high awareness of risk and business continuity currently. When you and your organisation always adopt an “It will happen” mentality and be always prepared for the worst, you have a solid business resiliency programme.

About the Writer: Henry Ee, FBCI, CBCP, ACTA
Henry Ee is the Managing Director for BCP Asia (www.bcpasia.com). He is a certified professional with more than 25 years experience in the business resilience industry. Henry has developed business continuity and crisis management programmes across many different industries including Healthcare, Financial, Manufacturing, the Public Sector and many others. Currently Henry holds many voluntarily positions including Vice-President of RIMAS, Chairman for BCI Singapore Chapter, SEA chairman for IAEM, Member of UNISDR. He was also recently involved as a Technical Expert in the International Standards Organisation (ISO) for Business Continuity and Resilience and was involved as a working group member for Enterprise Singapore and SBF's Guide on Business Continuity Planning for COVID-19.

He can be reached at: henry@bcpasia.com
His LinkedIn profile: www.linkedin.com/in/henryee/