Most organisations have business continuity and resilience plans, and those that didn’t prior to the covid-19 epidemic must surely have them now. The worldwide spread of the virus has brought home the need for more than one-off mitigation measures to deal with one-off problems (continuity), and moved the spotlight onto the need for a comprehensive, long-view integrated risk-management structure (resilience).
This has had significant implications for those in the operational/non-financial risk community, and in the way career paths are structured within the profession.
But first, it’s worth having a closer look at the field of continuity and resilience. ISO standard 22300:2018 defines business continuity as: “The capability of an organisation to continue the delivery of products or services at acceptable predefined levels following a disruption.” Disruptions can come in many forms, from changing legislation to key staff leaving or supply chain breaks and global pandemics. Any sensible business will plan ahead to – where possible – prevent such problems from occurring, and mitigate and recover from them should they do so. Audits and stress-tests can be carried out to see how business and output would be affected under various scenarios. (It is worth pointing out that such previously costly practices have become much cheaper and easy to implement with the advent of increased automation).
Meanwhile ISO standard 22316:2017 defines resilience as: “The ability of an organisation to absorb and adapt in a changing environment to enable it to deliver its objectives and to survive and prosper.” In essence, this means how an organisation can cope with change over the longer-term – its ability to anticipate and adapt to broad-scale challenges, rather than react to shorter-term events.
Obviously there is a significant amount of overlap between continuity and resilience; for example, companies that managed to find ways of dealing with the effects of covid-19 may integrate what they learned into their longer-term business models.
Businesses can benefit from having continuity plans to deal with a variety of risks. Cybercrime, for example is a growing problem that requires a team of dedicated staff – but such a team should be integrated into an overall risk-management picture. Climate change is an area that falls more under the purview of resilience: it is a long-term problem that requires organisations to formulate long-term strategy.
Changing regulatory frameworks are also in important consideration. Take Environment, Social and Governance (ESG) as one example. Many jurisdictions around the world – either through regulation or listing standards – require a certain level of ESG reporting and disclosure from companies. Again, sensible companies will plan ahead for possible changes in such rules (which generally get tighter rather than looser), so as to mitigate damage. An awareness of the need to build such resilience is one of the factors driving the growth in risk management positions.
There are also various ways of planning to achieve continuity. An obvious example is the use of reinsurance to hedge against the economic fallout of storms or flooding. Meanwhile macroeconomic and geopolitical risks are constantly changing, and new, unexpected threats may occur at any time. These can be mitigated – to an extent – by close monitoring of the global and local situation, and preparing plans to limit damage as much as possible.
As more organisations become aware of the need for continuity and resilience planning and management, there is a growing requirement for risk professionals to take care of the matter. And the global coronavirus pandemic has only accelerated this situation. However there are not always enough feet to fill these very specific shoes; other changes around the world such as the introduction of the European Union’s General Data Protection Regulation have already greatly increased the demand for risk and compliance professionals.
As supply cannot always keep up with demand, many businesses are finding themselves having to redistribute their existing resources rather than making new hirings from outside, or when they do so, hiring candidates with less risk management experience. Candidates from areas such as internal control, audit and operations may well find new opportunities as the need for continuity and resilience management continues to grow.
A survey conducted in March by the Global Association of Risk Professionals found that almost 70 percent of members from 101 countries around the world said they expect their career opportunities to grow over the next year-and-a-half. Much of this is being driven by a greater understanding of the need for continuity planning as a result of the covid pandemic and increased cyber-security risks. Meanwhile the US-based virtual recruitment company recruiter.com, which monitors risk-management vacancies, has reported an almost 30 percent rise in such positions around the world since 2004. However it is likely that the actual figure is far higher than this as, apart from other considerations, it does not include businesses’ internal placements.
VIVIAN CHEN, Ashford Benjamin Ltd.