Have you ever felt like everything around you constantly changes and things move too fast? You’re not alone.
Developing superior customer experiences, expanding into new markets, and embracing digitalization are just three of the opportunities that successful businesses strive for. The success of a firm now depends as much on its ecosystem as on its own core talent. Having a clear understanding of which operations are outsourced, the partners and third-party vendors that provide them, and the impact on your firm should those partners fail, is the first step to managing those risks.
That’s when Business Continuity Management (BCM) becomes crucial for every organization.
This article describes the key features of successful BCM and also introduces the way in which considering cyber risk quantification (CRQ) alongside BCM can enhance both processes, and lead to more robust risk management and organizational resilience.
Key Takeaways
- Business Continuity Management is Essential for Survival: BCM plays a crucial role in keeping core business functions running during disruptive events.
- Cyber Risk Quantification Enhances Business Continuity: CRQ strengthens BCM by providing confidence in scenario planning, validating potential financial impacts and probabilities, and helping organizations quantify risks in clear monetary terms, leading to more informed decision-making.
- A Positive Feedback Loop Between CRQ and BCM: Sharing results between CRQ and BCM processes creates a positive feedback loop, where each process supports and improves the other, enhancing organizational resilience and risk management strategies.
The Drivers of BCM
Business Continuity Management is part of a broader picture of organizational resilience. BCM helps you understand core business processes and how to keep them running through disruptive events.
This practice plays an increasingly important role due to three major trends:
- International business: Whether targeting customers in new markets, or moving manufacturing to less expensive sites, international business can increase exposure to new regulations, geopolitical uncertainties, and extreme weather events.
- Digitalization: Increased dependence on IT systems and global connectivity means that an outage can cause unprecedented disruption. The ever-increasing frequency of cyberattacks means that digital disruption is a “when”, not an “if”.
- Ecosystem dependencies: As reliance on partners and vendors expands, it is important to plan how the business can continue if they fail. Are they as well prepared as you?
Given these challenges, business continuity management is more than just a nice-to-have; it is a necessity.
What could go wrong?
Business continuity events can be categorised into four common scenarios:
- Unavailability of IT Systems: This is huge, especially given our reliance on technology. A business can slow down or stop altogether if systems fail due to a cyber-attack, malfunction, or even human error.
- Unavailability of Physical Premises: If a natural disaster or fire strikes your premises, your team might lose access to your physical space. In this case, having a backup plan for remote work or alternative production facilities is paramount.
- Unavailability of Key Personnel: Sometimes, the people you depend on the most may not be available. Whether they are ill, or win the lottery and quit to live on a desert island, in an emergency you must know who else can step in for them and keep things running or even ensure that their expert knowledge is shared in advance.
- Unavailability of Suppliers: Supply chain disruptions can have a significant impact. It’s crucial to have backup plans and alternative suppliers if a critical supplier cannot deliver.
The relative importance of each of these scenarios will vary depending on the nature of your business; conducting a risk assessment will show where to focus.
OK but what does that mean for the business?
Core to the risk assessment is assessing the business impact for each scenario. Let’s consider a company that manufactures, sells, and services washing machines as an example to explore what this means.
- The factory where the machines are made is highly advanced, containing automated computerised production lines. If these systems or the factory building are not available, then no new machines can be made. Having no new machines to sell can quickly impact revenue.
- The company’s website is hosted by an outsourced IT service provider. The website lets customers place orders, but for follow up services they must telephone the service centre. If this website is not available, then the company cannot take online payments.
- The office from which service operations are managed is in a different country. Here service advisors receive phone calls from customers and engineers, and organise maintenance visits. If the telephony system is not available, then customers have no way to contact the company to check on deliveries, repairs, or engineer call-outs.
Determining which of these situations is the most important to the company depends heavily on the business model: for example, does the company prioritise (or even make more money from) selling new devices, or providing excellent aftersales service? To find this out, cyber security teams will likely need to speak to stakeholders in the wider business, outside of the IT department.
However, conducting this analysis is worth it. Understanding the most likely and impactful scenarios for your business means that you can set targets for how long an outage can be tolerated, more easily prioritise the continuity and recovery of those processes during an incident, and have greater credibility when talking with business stakeholders.
Continuing Business and Recovering Operations
Understanding common business continuity scenarios and their potential to impact your business then leads to the next stage of business continuity management: planning a response to disruption. This can consist of two parts: ensuring critical operations can continue during disruption, and recovering from the losses incurred during the interruption.
In the example of the washing machine company above, the following could be taken into account for continuity and recovery planning:
- maintaining reserves of completed product to meet demand when production is interrupted;
- prioritizing the production of the most profitable or highest demand products if production capacity is limited;
- maintaining alternative processing systems (cold/hot standby) for critical systems that can be used if a primary system is not available;
- working extra shifts after recovering from an incident to make up lost production capacity or clear a backlog of support requests.
The combination of continuity and recovery strategies that best suits the company will depend on the business model, but will likely be a mix of technological and operational measures.
How Cyber Risk Quantification Empowers Business Continuity Management
There is a symbiotic relationship between cyber risk quantification and business continuity planning. Risk quantification can significantly benefit from business continuity planning by understanding what risks to quantify, and the parameters of those risks and mitigations. Business continuity planning benefits from quantification by putting dollar figures on potential impacts, and defensible probabilities on likelihoods.
Key questions addressed from cyber risk quantification are:
- What are realistic disruption scenarios?
- How long might systems and business processes be down?
- What is the impact of cyber risk on revenue and profit?
Cyber risk quantification improves organizational preparedness against cyber threats by:
- Attaching concrete monetary values in dollars and euros for potential impacts and threat scenarios;
- Linking quantification results to continuity planning and testing, enhancing stakeholder confidence: does your business continuity testing show that you can recover within your recovery target? Great! Let’s adjust the input assumptions of the quantification accordingly.
- Bringing abstract cyber risk topics to life through real-world scenarios.
In addition, CRQ supports strategic planning by:
- Developing and validating scenarios through the feedback loop between business continuity and risk quantification;
- Providing confidence in financial risk exposure and in the operational ability to manage risks;
- Informing risk appetite and helping prioritize improvements in business continuity processes.
Benefits of Integrating CRQ into Enterprise-Wide Risk Management
Integrating cyber risk quantification with broader risk management processes and effectively communicating findings using business continuity scenarios helps explain cyber risks in familiar business language, focusing on business consequences rather than technical details.
This integration facilitates collaboration with other risk stakeholders (e.g., operational risk specialists, strategic risk specialists), aligns cyber risk reporting with other risk categories, and uses similar metrics and reporting methods (e.g., Value at Risk percentages) to align with non-cyber risk categories.
In addition, by combining BCM and CRQ outputs you can communicate your findings and recommendations more effectively to key stakeholders, especially the C-level and the boardroom: “I know you’re worried about this scenario. I assess that the potential losses are X dollars with Y probability, and I’m confident of this because we have conducted detailed business continuity planning and tested those plans.”
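To make the “X dollars with Y probability” and Value at Risk figures concrete, here is an added example (not from the article) that quantifies the washing machine company’s three disruption scenarios. The annual probabilities, outage duration ranges, loss-per-hour figures and recovery targets are constructed placeholders; in practice the duration ranges would come from business continuity testing and the loss figures from business stakeholders.

```python
# Added example (not from the article): toy cyber risk quantification for the washing-machine
# company's three disruption scenarios. All figures are constructed placeholders.
import random
from dataclasses import dataclass

@dataclass
class Scenario:
    name: str
    annual_probability: float     # chance the disruption occurs in a year
    min_hours: float              # shortest plausible outage (from continuity tests)
    max_hours: float              # longest plausible outage
    loss_per_hour: float          # revenue/cost impact per hour down
    recovery_target_hours: float  # maximum tolerable outage agreed with the business

def expected_annual_loss(s):
    """Probability-weighted loss, with outage length uniform over its range."""
    return s.annual_probability * (s.min_hours + s.max_hours) / 2 * s.loss_per_hour

def meets_recovery_target(s):
    """True if even the longest tested outage stays within the recovery target."""
    return s.max_hours <= s.recovery_target_hours

def simulate_annual_losses(scenarios, trials=10000, seed=1):
    """Monte Carlo: total loss in each simulated year across all scenarios."""
    rng = random.Random(seed)
    yearly = []
    for _ in range(trials):
        total = 0.0
        for s in scenarios:
            if rng.random() < s.annual_probability:
                total += rng.uniform(s.min_hours, s.max_hours) * s.loss_per_hour
        yearly.append(total)
    return yearly

def value_at_risk(losses, percentile=0.95):
    """Loss not exceeded in `percentile` of simulated years (e.g. the 95% VaR)."""
    ordered = sorted(losses)
    return ordered[min(len(ordered) - 1, int(percentile * len(ordered)))]

# Constructed inputs for the three scenarios the article describes.
SCENARIOS = [
    Scenario("factory production line down", 0.20, 8, 72, 5000, 24),
    Scenario("outsourced website down", 0.50, 1, 12, 2000, 24),
    Scenario("service centre telephony down", 0.30, 2, 24, 1000, 4),
]

def board_summary(scenarios, trials=10000):
    # Per-scenario (expected loss, probability, recovery target met) plus portfolio 95% VaR.
    rows = {s.name: (expected_annual_loss(s), s.annual_probability,
                     meets_recovery_target(s)) for s in scenarios}
    return rows, value_at_risk(simulate_annual_losses(scenarios, trials))
```

A scenario whose longest tested outage exceeds its recovery target is exactly the case where the article suggests feeding the test result back into the quantification assumptions.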
Frequently Asked Questions on Business Continuity Management and CRQ
Why is Business Continuity Management (BCM) essential for companies today?
BCM is crucial for companies to maintain core business functions during disruptive events, such as IT system failures, supply chain disruptions, and natural disasters. It ensures that organizations can continue operating and minimize downtime, which is increasingly important due to globalization, digitalization, and ecosystem dependencies.
How does Cyber Risk Quantification (CRQ) enhance Business Continuity Management (BCM)?
CRQ enhances BCM by providing concrete monetary values for potential impacts, allowing organizations to prioritize risk mitigation efforts. It helps validate business continuity plans by linking financial outcomes to specific disruption scenarios, making the planning process more strategic and data-driven. It also provides defensible probabilities about the likelihood of an event.
What are the benefits of integrating CRQ into enterprise-wide risk management?
Integrating CRQ into enterprise risk management helps explain cyber risks in business terms, aligns risk reporting with other risk categories, and facilitates collaboration between different risk stakeholders. This approach ensures that all enterprise risk factors are evaluated consistently and supports more informed decision-making at the boardroom level.
What is the relationship between cyber risk quantification and business continuity planning?
There is a symbiotic relationship between cyber risk quantification and business continuity planning. CRQ is improved by taking business continuity planning into account to identify the most critical risks to quantify, while business continuity planning benefits from CRQ by validating the potential financial impacts of different scenarios, creating a positive feedback loop that strengthens risk management.
How can organizations use cyber risk quantification to improve their resilience against cyber threats?
Organizations can use CRQ to attach monetary values to potential cyber threats, develop realistic disruption scenarios, and test their business continuity plans against these scenarios. This proactive approach not only boosts preparedness but also helps organizations prioritize their investments in cybersecurity measures that offer the most significant impact on resilience and operational stability.
Final Words
Business continuity management is important in keeping your organization safe and running. Integrating BCM with Cyber Risk Quantification can yield more robust insights for improving organizational preparedness and supporting strategic planning at the C-level and boardroom.
There is a positive feedback loop between BCM and CRQ, where
- Risk quantification is improved by taking business continuity planning into account to understand what risks to quantify; and
- Business continuity planning benefits from quantification by putting dollar figures on potential impacts and defensible probabilities about the likelihood of an event.
The symbiotic relationship between cyber risk quantification and business continuity planning further drives robust risk management and organizational resilience.