Enterprise & Market Resilience during COVID-19 - Middle East Forum (Session 3): Business Continuity Management and Cyber Security Resilience This was the third edition of the Middle East Forum series by Protiviti Member Firm on Enterprise & Market Resilience during COVID-19. The focus of the session was on how Business Continuity and Cyber Security imperatives are changing during these times of COVID-19 and what can be expected when the business conditions improve. The present situation has driven business leaders, companies and Governments to be more proactive and search for innovative solutions to maintain the continuity of operations and address the increase in cyber security challenges. Held under Chatham House rules, the session facilitated participants to ask questions during the panel discussion. Key Takeaways It is important to take an ‘agile’ approach to risk assessment and treatments. Business continuity will evolve/ fuse with operational resilience and ERM programs of organizations going forward. The threat vectors have changed significantly in the wake of COVID-19 and organizations need to constantly evaluate threats on a ‘near’ real-time basis. To facilitate real-time decisioning for threat analysis and response scenarios, data and analytics will increase in relevance and organizations will need to invest in strengthening capabilities in this area. Some key risks that will increase in significance will be related to third party, cloud adoption, supply chain and treasury. The changing face of Business Continuity during COVID-19 As threat vectors have changed rapidly, it has become more difficult for companies to assess and address the impact of new response measures. Covid-19 situation has provided varied outlooks and testing scenarios for Business Continuity Management. Our first panelist, coming from a regulatory background, shared his perspectives on the three main phases of response i.e., stabilization, normalization, and optimization. During the stabilization phase, safety and security of employees as well as stakeholders, and maintaining a minimum level of business operations were the key areas of attention. Now, as organizations are adapting to the new normal, companies are reviewing their third party contracts and increasing their procedures for digital identification and verification. Further, they are also evaluating opportunities to optimize system infrastructure and remote working productivity. Business Continuity Management aims to protect and effectively guarantee the normal functioning of the three pillars of the organization, namely people, process, and technology - by ensuring prevention, detection, and response controls implementation. Now, more than ever, there is a need to develop this in an agile manner with testing embedded as part of the plan formulation. A key risk to be addressed from a BCM point of view is third party resiliency (extending to vendors, service providers and supply chains). Companies should evaluate their contracts from risk and resiliency stand point, provision adequate resiliency measures within supply chain ecosystem (example: having suppliers from multiple regions), and conduct scenario analysis and BCM exercises for disruptions caused due to third parties. Cyber security risks have increased significantly A number of cyber security risks have gained prominence during COVID-19, For instance, social engineering, critical services disruptions, remote working risks related to connectivity and access. We polled the business leaders on the forum and over 56% indicated that the cyber security risk profile has indeed changed significantly post COVID-19. The CISO of a large bank on the panel addressed some of these as new risks, since no organization was prepared for such a prolonged remote working scenario involving almost the entire workforce. He further highlighted that in the office premises, there are established deterrent controls such as physical security and supervisory oversight that dissolve in a remote working situation. Hence, organizations have begun creating a renewed risk assessment and threat profile for the COVID-19 scenario and are directing their attention on not just external threats but internal threats as well. Needless to say, information leakage is emerging as one of the biggest threats. This also resonated with the audience as well with the poll indicating that phishing emails at 23% and data privacy risks at 24% are the top cyber security risks. The role of data and analytics in resilience The Chief Digital Officer of a large business group agreed that almost all organizations across the world have been caught unprepared in the pandemic. Although, those organizations who had invested into data and analytics pre COVID-19 have generally fared better in their speed of response compared to others. Data will be playing a key role in operational resiliency plans for the organizations. A few ways of leveraging data and analytics are scenario planning, forecasting and better visualization of operational data. There are some quick wins from a data perspective that organizations can leverage. For example, they can create teams focusing on data across various functions. This strategy has helped retail businesses to leverage data in whatever shape and form it exists in the organization to make decisions and move businesses forward. Another way could be by way of leveraging employees as ‘citizen data scientists’ for their specific areas. Data champions and architects need to work around discovering citizen data scientists in their organizations and leverage their skill sets. While data and analytics are critical in all areas of the business, it was interesting to note that most business leaders believed that Finance/ Treasury and Technology/ Digital will leverage data and analytics the most. An interesting usage of data and analytics at one of the organizations in Europe was discussed, where Human Resources team monitored employee motivation/ engagement by correlating behaviors and conduct in virtual meetings. Operational Resilience is the name of the game Business Continuity plans need to merge with Operational Resilience plans, as the lines between high severity disasters and operational risk events blur. New scenarios need to be tested and decisions towards new investment should be made to align with operational resilience. This was also agreed by forum participants, as they polled that the most likely changes to BCPs post COVID-19 will be around integration with risk management framework and more testing/ exercising. Cloud as a means to enable resilience The panelists agreed that disruption necessarily brings innovation to enterprises. They discussed how cloud can be used to build resiliency. While the remote working infrastructure is already on cloud, the technology platform also presents opportunities for organizations to evaluate improved resiliency. As one of the panelist, a Chief Digital Officer, talked about a real life example where a cloud solution was implemented in his organization within 4 days – just in time for the relaunch of their malls. These timelines were not imaginable in pre-COVID19. In Summary While COVID-19 has caused significant discontinuities for businesses, it has also provoked them to challenge their assumptions and reinvent few, if not all, aspects of their organization. It is time for to accelerate adoption of cloud, analytics and digital not just for core business functions but also for better resiliency planning and cyber security measures. Read more about the panel discussions from our earlier resilience forums sessions in the series Learnings from a Virtual Forum for Business Leaders in the Middle East - Session 1Regaining Confidence with Digital, What Next? - Session 2What do Finance organizations have to prepare for? - Session 4Unlocking Value from Data - A Financial Services Perspective - Session 5Tackling Workforce Challenges During and Post COVID-19 - Session 6