VUCA Spells Doom For Businesses, Boom For BCM


Volatility, Uncertainty, Complexity, and Ambiguity (VUCA) characterize any business environment today. The types of challenges that an organization faces are increasing. Today organizations are potentially facing closure from cyber-attacks, significant loss of business due to negative publicity in social media such as Facebook and Youtube. The significant negative impact to United Airlines over a video on Youtube (“United Breaks Guitars” by Dave Carroll) is case study studied across organizations on the disaster that what a single video on Youtube can do to the reputation of an established old world economy company such as United.

The key challenges faced by businesses today in the wake of VUCA is that new and varied threats continuously appear on the horizon for which corporates aren’t prepared for. Cyber-attacks, Social Media negative publicity, Electromagnetic attacks are no longer only a realm of Hollywood (Oceans Eleven) but a very probable event in the near future. Progressive companies need to prepare themselves to be able to build organizations that are resilient.

Over the decades (since the ’70s & ‘80s) when VUCA is consistently growing. The continuing increase in VUCA has led to an increased recognition that new and previously unconsidered risks are emerging all the time. Even the most risk-aware organizations are likely to experience low-probability but high-impact events that can fundamentally change businesses and even entire industries.

An established statistic states that 75% of companies in existence today will face an incident in the next 18-24 months which can potentially shut down the company. According to Gartner, of those companies that face these life threatening major disasters, 80% will shut down or go bankrupt in the following 24 months.

All this lead to Information Technology Disaster Recovery (ITDR) and Business Continuity Process (BCP)/Business Continuity Management (BCM) have become more popular.  Advanced practitioners of risk management closely look to integrate BCM and ITDR solutions into their enterprise risk management (ERM) programs.

Business Continuity Management System (BCMS) is frequently confused with Business Continuity Process (BCP), Disaster Recovery, IT Disaster Recover and Crisis Management (CM). In layman terms, BCP is the plan for an individual department or function within an organization. Each department such as Payroll, Marketing, Human Resource, etc. will have their individual BCP, consolidated together for the organization these plans are referred to as the Business Continuity Management System (BCMS); BCM and BCMS are synonymous. On the other hand, Disaster Recovery refers to civic plans at the government level to manage catastrophic natural disasters such as floods, earthquakes etc., but now include acts of terrorism impacting large numbers of humanity.  Information Technology Disaster Recovery (ITDR) is solely focused on the recovery of IT whether it is networks, datacenters, servers or applications. Crisis Management’s focus is limited to the control of a particular event which may be classified as a Crisis such as fire, or bandh, riot or civil unrest which may impact an organization.

ITDR as a term first started being used in the 1970s when for the first time, organizations such as Banks, Insurance Companies, and Airlines started to rely heavily on IT for their day-to-day operations. BCP and BCM evolved over the next couple of decades when organizations realized that while the core of their business maybe IT, the people and processes were equally if not more crucial to recover; organizations realized that it was useless if the backup data center recovered, but there weren’t trained people to operate those computers and applications. BCMS are far more holistic in their approach to business recovery and resilience.

Companies typically, under the banner of “resilience,” take measures like having a risk management function for risks that cannot be forecasted. With VUCA here to stay, organizations need to decide to move beyond resilience and face the opportunities presented by the unexpected.

Unfortunately VUCA preparedness is lagging in India compared to others globally, Governments such as USA, UK, Australia, Singapore, the UAE, amongst other have standards on BCM, which mandates both government and private organizations have plans and processes in place to ensure Business Continuity. A progressive and stable government at the center in India should create BCM standards for organizations in India to follow and adhere to.

India more than other organizations needs preparedness for VUCA. As a nation we are in a geo-politically sensitive region; our neighbors are known to revel in our misfortune and are known to encourage and support hostile acts of terror on our soil, we have seen attacks on our hotels, what prevents a future attack on key BFSI institutions, or even an electromagnetic attack.

In all this, Technology innovation is playing a big role. There are 100’s of startups to big companies are bringing out very good products to mitigate the increased risks in VUCA environment. There are companies who are focusing on computer virus threat detection and prevention areas. Which monitors the world’s network traffic pattern and can raise the preventive alarms before the attack can happen or release the solution just in case your organization is victim of it. 

There are other set of organizations who is educating the businesses and also providing solutions in the area of People, Process and technology. They are bringing out technology features like continuous data protection/replication, single click restore, automatic fail over to another server, data replication at hardware array level. There are solutions available in the market which can monitor all your data centers and give you dashboard kind of report indicating the health of the systems, disks etc.

Hardware vendors are manufacturing the systems with built in strong security, fault tolerant, resilient systems.

Other aspect is Process and People. Organization needs to plan for their day to day processes which they follow in normal situation. To run their business smoothly and continuously, they need to plan for various triggers and how these processes can run smoothly from remote locations. Same is true from people perspective. Does all the people in the organization are safe and traceable? Which people will perform what role? How the appropriate alert can reaches in time to the appropriate person? Technologies are advanced to such a great level where organization can plan this, track this and simulate the situation in advance.

As the complexity of threats increases, the future of BCM/ITDR is in automation, no longer it is possible to work on traditional methodologies of BCM & ITDR. Attacks and incidents have never come with an appointment, unfortunately due to globalization we now work in a 24×7 environment, BCM and ITDR managers do not have the luxury of addressing issues during office hours, automation which allows them to address attacks from anywhere. The CIO, CRO and BC Head today need automation that gives them enterprise wide real-time visibility, availability check, manageability into their systems, processes and people via mobility.

Unfortunately the adoption of not only automation but also the fundamentals of BC in Indian organizations is extremely low. In India the MNCs with HQs overseas are the most advanced in BCM and IDTR as they are driven from overseas. A small subset of Indian companies with global aspirations, and specifically those in the BFSI sector who benchmark themselves against global giants are moving towards BCMS. In the Indian pharmaceutical sector we are seeing some early adopters, primarily by mandates from the FDA. A bulk of Indian Large Enterprises and SMEs are yet to develop formalized plans for BC or deploy BC automation. Unfortunately a nasty disaster only will motivate them. The silver lining is that hopefully they will take a generational leap and move directly to BC & ITDR automation.