The level of disruption the COVID-19 pandemic brought is unprecedented in the modern era. However, the multitude of disruptions and risks facing organisations continues to evolve. A single container ship blocking the critical Suez Canal severely disrupted global supply chains. Cyber attacks and fires caused major outages at data centres, US fuel pipelines and operational installations. Horrific train collisions in Egypt, Japan and Mexico all highlighted the need for response and recovery planning.
The pandemic, globalisation and societies’ increasing reliance on technology have all demonstrated the importance of effective resilience as a focus for country and business leaders. Over 70% of the global business leaders participating in PwC’s Global Crisis Survey 2021 [1] stated that their organisation has been negatively impacted by the pandemic.
[1] Over 2,800 executives took part in the survey: https://www.pwc.com/ia/es/prensa/pdfs/Global-Crisis-Survey-FINAL-March-18.pdf
The potential impact of such developments on reputation and trust is why building resilience is increasingly considered a strategic initiative by boards and management of all organisations. Business leaders in the Middle East need little convincing of this: 48% of survey respondents from the region, compared to the global average of 30% in the PwC Global Crisis Survey 2021, say they have paid significant attention to building organisational resilience and have already identified parts of their business in need of improvement in this respect.
Key resilience concepts such as Crisis Management (CM) and Business Continuity Planning (BCP) have evolved and have now been actively embraced by most organisations. Recent years have made clear, however, the need to adopt and integrate additional resilience disciplines.
The question for organisations is shifting from “whether” to “when” a major disruption will occur. Top management must take accountability for preparing responses to risk scenarios and driving resilience improvements across their organisations.
How organisations respond to and recover from disruption should be driven by a robust incident and crisis management capability, complemented by other resilience components, including cyber, third party and operational resilience. These are often brought together under the umbrella of business continuity.
Business Continuity Management (BCM) is the key driver of resilience within organisations and is guided by the global ISO 22301 standard.
Across the region, regulators are acknowledging the importance of embedding resilience. Country-specific regulatory requirements include:
Kingdom of Saudi Arabia (KSA)
The general regulation of the National Cybersecurity Authority (NCA) calls for compliance with BCM good practice.
Specific BCM framework requirements for the financial services sector have been issued by the Saudi Central Bank (SAMA).
The National Emergency Crisis and Disasters Management Authority (NCEMA) is driving BCM improvement.
Risk management looks to put controls in place to protect the organisation, its resources and operations. However, there are often risks that may not be considered or controls that may not be possible or effective in preventing threats from materialising. BCM complements risk management by preparing for possible disruption if threats do materialise. It does this by developing resilience solutions for the resources the organisation requires, together with response capabilities if things go wrong.
In developing BCM capabilities, organisations should integrate various components relating to threat response and recovery and ensure they work holistically. This requires the formation of teams and plans to guide the responses to incidents, recover critical resources and manage impacts on the organisation. Those core components are:
Emergency response (where physical incidents impact the safety of people and assets)
Incident management and crisis management (tactical and strategic coordination, decision-making and communications)
Business recovery (where operations, functions and third party supply are disrupted)
Technology recovery (where information and communications infrastructure, systems and data are interrupted)
BCM aims to ensure the viability of the organisation by protecting against physical threats to operations as well as threats of a strategic nature. The latter may include, for example, legal or regulatory challenges that put operating licenses at risk, the emergence of disruptive technologies and business models, and pressures relating to sustainability.
Although many organisations have BCM programmes in place, they are often unprepared when real incidents occur. This is usually due to a siloed approach and limited integration of the core components outlined above. In many cases it will result from treating BCM as purely a box-ticking requirement instead of an integrated, holistic approach.
Building resilience is not a one-time activity and does not bear fruit overnight. Lessons learnt during a crisis are an opportunity to identify risk areas and improve capabilities, and it is vital to stress test solutions and teams to be better prepared for the next time a crisis occurs. Doing so will also provide the confidence that, even in a worst case scenario, an organisation can navigate extreme disruption and protect its people and business while building trust with its stakeholders, regulators and wider society.
Just as the organisation keeps maturing and changing, so should the efforts to build resilience.