Are You Safe against VUCA?
Volatility, uncertainty, complexity and ambiguity characterise any business environment today. High time Indian enterprises did something about it, says Rohil Sharma
The types of challenges that an organisation faces these days are increasing. Organisations are potentially facing closure from cyber attacks and significant loss of business due to negative publicity in social media such as Facebook and YouTube. The significant negative impact on United Airlines over a video on YouTube (‘United Breaks Guitars’ by Dave Carroll) is a case study that is referred across organisations on the disaster what a single video on YouTube can do to the reputation of an established old-world economy company such as United Airlines.
In the wake of VUCA, the key challenge faced by businesses today is that new and varied threats continuously appear on the horizon, for which corporates aren’t prepared. Cyber attacks, social media negative publicity, electromagnetic attacks are no longer only a realm of Hollywood (Ocean’s Eleven), but a very probable event in the near future. Progressive companies need to prepare themselves to be able to build organisations that are resilient.
It is estimated that 75% of companies in existence today will face an incident in the next 18-24 months, which can potentially shut down the company. According to Gartner, of those companies that face these life threatening major disasters, 80% will shut down or go bankrupt in the following 24 months.
All this leads to the popularity of Information Technology Disaster Recovery (ITDR) and Business Continuity Process (BCP)/Business Continuity Management (BCM). Advanced practitioners of risk management closely look to integrate BCM and ITDR solutions into their enterprise risk management (ERM) programs.
Business Continuity Management System (BCMS) is frequently confused with Business Continuity Process (BCP), Disaster Recovery, IT Disaster Recover and Crisis Management (CM).
In layman terms, BCP is the plan for an individual department or function within an organisation. Each department such as Payroll, Marketing, Human Resource, etc., will have their individual BCP; consolidated together for the organisation these plans are referred to as the BCMS (BCM and BCMS are synonymous).
On the other hand, Disaster Recovery refers to civic plans at the government level, which manage catastrophic natural disasters such as floods, earthquakes and acts of terrorism impacting large number of humans. Information Technology Disaster Recovery (ITDR) is solely focused on the recovery of IT whether it is networks, data centres, servers or applications. Crisis Management’s focus is limited to the control of a particular event, which may be classified as crisis such as fire, bandh, riot or civil unrest that may impact an organisation.
ITDR started being used as a term in the 1970s, when for the first time, organisations such as Banks, Insurance Companies, and Airlines started to rely heavily on IT for their day-to-day operations. BCP and BCM evolved over the next couple of decades when organisations realised that while the core of their business maybe IT, the people and processes were equally important in the process of recovery; organisations realised that it was useless if the backup data centre recovered, but there weren’t trained people to operate those computers and applications. BCMS is far more holistic in its approach to business recovery and resilience.
Beyond resilience
Companies, typically under the banner of ‘resilience’, take measures like having a risk management function for risks that cannot be forecast. With VUCA here to stay, organisations need to decide to move beyond resilience and face the opportunities presented by the unexpected.
Unfortunately, VUCA preparedness is lagging in India when compared to others globally. Governments such as USA, UK, Australia, Singapore, the UAE, amongst other have standards on BCM, which mandate both government and private organisations to have plans and processes in place to ensure business continuity. A progressive and stable government at the centre in India should create BCM standards for organisations in India to follow and adhere to.
India, more than other countries, needs preparedness for VUCA. As a nation, we are in a geopolitically sensitive region. Our neighbours are known to revel in our misfortune and are known to encourage and support hostile acts of terror on our soil. We have seen attacks on our hotels, so what prevents a future attack on key BFSI institutions—or even an electromagnetic attack?
In all this, technology innovation is playing a big role. There are hundreds of startups as well as big companies that are bringing out very good products to mitigate the increased risks in VUCA environment. There are companies focusing on computer virus threat detection and prevention areas. These companies monitor the world’s network traffic pattern and can raise the preventive alarms before the attack can happen or release the solution just in case your organisation is victim of it.
There is another set of organisations that is educating the businesses and also providing solutions in the area of people, process and technology. They are bringing out technology features like continuous data protection/replication, single click restore, automatic fail over to another server, data replication at hardware array level. There are solutions available in the market, which can monitor all your data centres and give you dashboard kind of report indicating the health of the systems, disks etc.
Hardware vendors are manufacturing systems with built-in strong security, fault tolerant, resilient systems.
Other aspects include processes and people. Organisations need to plan for their day to day processes, which they follow in normal situation. To run their business smoothly and continuously, they need to plan for various triggers. These organisations also need to plan that how these processes can run smoothly from remote locations. Same is required from a people perspective. Are all the people in the organisation are safe and traceable? Who will perform what role? How can an appropriate alert reach in time to the appropriate person? Technologies are now advanced to such a great level that organisations can plan, track and simulate the situation in advance.
As the complexity of threats increases, the future of BCM/ITDR is in automation; no longer it is possible to work on traditional methodologies of BCM & ITDR. Attacks and incidents have never come with an appointment. Unfortunately, due to globalisation, we now work in a 24×7 environment; BCM and ITDR managers do not have the luxury of addressing issues during non-office hours, here automation allows them to address attacks from anywhere. The CIO, CRO and BC Head today need automation that gives them enterprise wide real-time visibility, availability check, manageability into their systems, processes and people via mobility.
The adoption of not only automation, but also that of fundamentals of BC, is extremely low in Indian organisations. In India, the MNCs with HQs overseas are the most advanced in BCM and IDTR, as they are driven from overseas. A small subset of Indian companies with global aspirations, and specifically those in the BFSI sector, which benchmark themselves against global giants are moving towards BCMS. In the Indian pharmaceutical sector, we are seeing some early adopters— primarily by mandates from the FDA. A bulk of Indian Large Enterprises and SMEs are yet to develop formalised plans for BC or deploy BC automation. Unfortunately, a nasty disaster only will motivate them. The silver lining is that hopefully they will take a generational leap and move directly to BC & ITDR automation.
Rohil Sharma is CEO of Perpetuuiti.