Three out of four companies (73%) are updating their business continuity plans to prepare for a crisis. However, just 5% feel prepared to assess, manage, and recover from a future unknown and unpredictable risk event.

These are among the findings of a new Riskonnect report. The report surveyed more than 300 risk and compliance professionals worldwide about the new threats facing organizations today and how they are revamping their risk management playbooks to navigate uncharted territory.

Could You Be Doing More?

Most companies today rely on piecemeal business continuity plans that are either built in silos or fail to consider the cascading nature of risk. The problem with these approaches is that issues that seem unrelated or isolated to a specific department can spread to create bigger disruptions and bring the business to a screeching halt. Unless everyone across the organization is working from the same playbook, business continuity plans are created in vain.

The other common gap with business continuity planning is a lack of alignment between stakeholders on risk tolerance. Say an organization is planning for a potential ransomware attack. Executives think the organization can get the network back up and running within a few days. In reality, however, IT needs weeks. The problem: the stakeholders never conferred.

This lack of alignment among key stakeholders is all too common. One of the ways organizations can overcome this challenge is by facilitating risk workshops. Indeed, an encouraging 37% of organizations say they are conducting risk workshops today.

These workshops get all relevant stakeholders in the same room to have real and productive conversations about the organization’s preparedness, tolerance, and action plan for specific risk events. Using the ransomware example, important points to talk through include:

  • What would happen if the business were hit with a ransomware attack today?
  • How much downtime can be tolerated?
  • How long would it take to get back up and running?
  • Would we consider paying the ransom – and what are the implications of both paying and not paying?
  • How, what, and when would we communicate to customers, partners, employees, and investors?
  • What other risk events could cascade from this event and hurt the organization?

Other measures surveyed companies are taking to prepare for crises include:

  • Continuously re-evaluating their risk environment (66%)
  • Assessing crisis response plans (64%)
  • Preparing leadership to manage unexpected crises (53%)
  • Collaborating with cross-departmental stakeholders (51%)

“Risk management is about managing uncertainty. When the business becomes uncertain, that’s where the ability to sit in the control tower, understand what’s approaching, have visibility on what might happen next – including the peripheral effects – and how that could impact the business is what gives you a firm risk-visible foundation to define response strategies. Then you can use these strategies to adapt and pivot according to the way a particular situation plays out.”

– Bob Bowman, Sr. Director, Chief Risk Officer
Risk Management, Enterprise Data Governance
The Wendy’s Company

Close the Gap to Improve Resilience

While companies are finally changing how they govern, prioritize, and oversee risk, the majority (63%) have not simulated their worst-case scenarios, which most respondents said revolve around natural disasters, cyber threats, and geopolitical risks.

This finding is surprising considering how many “worst-case” events have happened over the past few years – the pandemic, supply-chain disruptions, and bank failures, to name a few. Organizations have been hit with or witnessed many disruptive events that at their core were known and predictable, and yet most still do not prioritize robust scenario planning or testing.

Specifically, the Silicon Valley Bank collapse was a near worst-case scenario for many businesses. Despite the scale and global economic impact of the collapse, nearly 42% of those that said the collapse was relevant to them have not made subsequent changes to their risk management strategy. Scenario planning is a key part of risk management and needs to be incorporated into strategies going forward to build resilience.

Successful business continuity plans are not a one-and-done exercise. They are regularly discussed, practiced, revised, and – above all – coordinated across the business. Do that, and you’ll have an invaluable playbook to keep the business running just when you need it most.

For a complete look at the survey findings, download The New Generation of Risk report, and check out Riskonnect’s Business Continuity & Resilience solution.