Journal of business continuity & emergency planning最新文献

Civil disorder has always plagued humanity, with violence being triggered by real or perceived grievances, rumours and speculation, and internal or external agitators. The risk to people, communities, businesses and the rule of law is not isolated to a particular country or society. The propensity for violence and how it is incited is, however, an evolving threat with the advent of the 'modern riot'. The causes of violence centre on economic and social injustice, sports- and event-related riots, a reaction to police or security forces and political unrest. As the US nears the contentious 2024 elections, the failing trust in the three branches of government combined with external global tensions and conflict, threats from domestic extremist groups, a rising acceptance of violence as a means of settling political disagreements, hostile nation actors and international terror groups that exploit societal instability create fertile conditions for widespread violence. Exacerbating these factors are the risks from artificial intelligence (AI) deepfake, rapid mass communications, the citizen journalist, prominent influencers amplifying grievances and inflammatory media reporting. This convergence of exacerbators and accelerants for political discord offers the potential for serious security risks and significant business disruption.

Resilience is deeper than maintaining a company's operations and services in the face of significant disruptions. It is the ability of a business to withstand, pivot and continue to grow in the face of a significant threat. To achieve resilience, companies must have an integrated, end-to-end understanding of how a specific threat magnifies the risks identified on their risk register, and what measures are needed across the enterprise to address the amplification of those risks. This paper details how the need for a holistic approach is especially important for cyber crises, compared with other types of crises, because they tend to have more broad-ranging impacts and complexities, such as: unclear timelines, lack of public empathy, unpredictable human threat actor(s), as well as a broader set of internal and external stakeholders that need to be engaged. Unlike other crises, cyber crises have the potential to magnify most - if not all - of the risks on the risk register. As such, cyber resilience requires ensuring that key stakeholders, whether shareholders, customers, regulators, business partners, employees, etc, stay resolute in their faith in a company and its leadership's ability to navigate the increasingly complex issues related to cyber risks and how these issues are addressed enterprise-wide, not purely seen through the lens of technical or operational resilience. To achieve cyber resilience, organisations must develop and implement programmes that integrate both the technical and the broader business measures needed to limit fallout, demonstrate leadership through cyber crises, and deepen trust regardless of the potential severity of the impact.

During and subsequent to a natural disaster, there is an expectation that certain elements of society will continue to operate with a degree of normalcy. For example, it is expected that emergency medical services will continue to function and remain reliable for the community served. Expectations such as these are based on the presumed reliability of government and the assumption that those responsible for the relevant infrastructure will have made plans to ensure it remains functional and taken steps to mitigate known weaknesses. The COVID-19 pandemic provides a case in point. Specifically, data captured during the pandemic are now the subject of ongoing review and analysis, and the findings from such studies are being used to inform planning and preparedness for the next public health disaster. This particular study was conducted in response to circumstantial evidence indicating that frontline workers in the healthcare profession may share some of the same ambivalence towards transmission mitigation as seen in the general population when confronted with new and emerging communicable diseases. This is a concern, as when medical personnel are either unable or unwilling to take reasonable steps to protect themselves and their patients, it undermines the readiness of the essential service. To explore this situation in greater depth, the study examines the real-time responses from a sample of frontline personnel interviewed during the pandemic. The results indicate that there are a number of opportunities to improve workforce readiness to assure reliable continuity during the next outbreak, epidemic or pandemic.

Continuity of operations for government is an evolving philosophy, much like exercises and after-action reports. Continuity continues to identify areas for growth and improvement as more people become involved in the conversation. This paper briefly describes the evolution of continuity in the USA and its application in the State of Texas. Moving forward, it discusses the application of the concept of 'whole community continuity' as the driving force of the Continuity Council in Texas, which focuses on preparedness at all levels, from individuals to private industry, to all levels of government.

Enterprise security risk management (ESRM) has continued to gain global acceptance as a management philosophy for the development and implementation of an enterprise-wide corporate security programme. As organisations continue to rebuild and recover from COVID-19, the value of assessing the resilience of an organisation through regular testing of its response to events has gained prominence. There are opportunities to link the development and implementation of a risk-based approach for designing a security programme, to assessing an organisation's resilience to future events. Organisations can benefit from the complementary approaches of ESRM and organisational resilience once the commonalities are identified and embraced. This paper expands upon the ESRM management approach, linking the concepts of ESRM to the design of a resilient enterprise.

Operational resilience lies between operational risk and business continuity. This paper provides a view on the implementation of the operational resilience framework, and its relationship with operational risk and business continuity. It analyses the similarities and differences between these exercises and how management information from these exercises can be leveraged and aligned. The paper also provides answers to three important questions: (1) What pushed the international regulators to add additional oversight? (2) What benefits and challenges are brought by operational resilience? (3) Why is it important to harmonise operational resilience within the international regulatory landscape?

The impact of every crisis has the potential to cascade throughout an organisation's operations, supply chain and market ecosystem. To properly understand and mitigate this ripple of dynamic risk, business continuity, security and risk management leaders need to know where to focus their attention. Looking at historical threat data provides a clearer picture of the risk landscape, helping leaders better anticipate and plan for the future. To date, however, there have been challenges in this process. As the volume of data about critical events continues to grow at an alarming rate, sifting manually through data puts organisations - and business continuity - in jeopardy. This paper discusses the value of historical threat data and innovations in data-mining technology that can unlock the true power of historical data for informed, strategic decision-making and better outcomes during a crisis.

While a natural disaster or related threat may impact an organisation at some point, it is more likely (even inevitable) that it will be the victim of a cyber attack. The solution to being better prepared for these imminent attacks is to undertake more lightweight and frequent incident response (IR) exercises to help build capabilities and community through a tighter, recurring cycle of planning, conducting and assessing. To boost the facilitation of IR exercises, organisations must leverage the established relationships between business continuity management (BCM) or resilience staff (both of which are familiar with business continuity and disaster recovery exercises), and their information security office. As BCM will ultimately be involved in response and recovery after a cyber attack, it is intuitively more effective to collaborate with BCM in advance. Indeed, it has been substantiated that BCM engagement improves incident response time and reduces incident response costs. This paper concludes that involving BCM or resilience departments in IR exercises contributes to more effective responses to actual incidents.