Hello and welcome to this session in which we'll discuss the concept of business resiliency and why do we need to learn about business resiliency? So first, what is business resiliency? Well, it refers to an organization's ability to adapt, withstand and quickly recover from disruption or crisis while maintaining its operation, competitive advantage and long-term viability. What does that mean? It means how fast a company can come back, get back on its feet in case of a crisis, in case of a disaster, in case of an accident.
What are we discussing here? Let's think about some disaster or accident examples. Some are natural, like earthquakes, floods, fires, tornadoes, lightning, so on and so forth. Some disasters or accidents are human-made, and those human-made, they could be unintentional or they could be intentional. For example, an unhappy employee might expose your data, might destroy some of the files. You could have a terrorist attack, something like 9/11, on the level of 9/11, that could disrupt your business. You could have hackers, viruses, loss of electric power, so on and so forth. All of those are accidents or disasters.
Well, what do we do as businesses? What do we have to do in order to deal with those disasters and accidents? This is where the business resiliency comes into place. It's a proactive approach. Well, we know this could happen. So what do we know? What do we do? We identify potential threats, vulnerabilities and risks and implement strategies. And what do we do overall? Plan to minimize their impact, their impact on our business. We know there are hackers out there. We know there are cyber criminals out there. So what do we do? We identify their potential threat. We identify the risks that are involved for our business and we create strategies, part of the business resiliency plan, to combat, to be proactive in dealing with those risks. So a business resiliency plan can be to maintain or rapidly resume operation.
Maintain means continue to operate the business, or rapidly resume. Basically, if you're totally offline, you want to get back on your feet. And you want to get back on your feet, especially with the essential functions, after a crisis occurs, because you want to minimize those disruptions, whether it's to your customers, and that's the most important because that's your lifeblood, your customers, your revenue, your employees, your stakeholders, whoever those stakeholders are, could be the community, could be your suppliers. And most importantly, you want to get back your reputation after that crisis.
Before we proceed any further, I have a public announcement about my company, farhatlectures.com. Farhat Accounting Lectures is a supplemental educational tool that's going to help you with your CPA exam preparation, as well as your accounting courses. My CPA material is aligned with your CPA review course, such as Becker, Roger, Wiley, Gleim, Miles. My accounting courses are aligned with your accounting courses, broken down by chapter and topics. My resources consist of lectures, multiple choice questions, true/false questions, as well as exercises. Go ahead, start your free trial today.
Now, business resiliency plan. To have a proper business resiliency plan, we're going to identify four components. The first one is organization continuity planning. That's part one. This is part of the business resiliency plan: system controls, crisis management, and disaster recovery. Now, if you know anything about Farhat, once I have a list of items, I'll go through each list separately. Now, each one of these lists will have a sub list. For example, organization continuity planning will have substeps. We need to cover those substeps. In this session, I'm going to focus specifically on the first component of the business resiliency plan, and that's organization continuity planning. What is organization continuity planning?
Well, simply put, it's planning. It's creating a plan. It's going to be abbreviated as OCP. OCP is the process of creating a plan. The first thing, you have to have a plan. You have something on paper. You have to plan ahead to ensure that an organization can continue to function in case of a disaster or a major disruption. Are you planning for this? Did you brainstorm this idea? Did you talk to management? Did you strategize what are you doing about this? Because OCP is an essential component of risk management. You are involved. You are facing risk. You have to identify the potential risks, list them, assess their potential impact. What impact are they going to have on your organization? Develop strategies to deal with, to mitigate those risks. So the overall goal is, again, to minimize the impact of disruption on your organization and specifically the critical business functions. You want to restore those as soon as possible. How to get back online, up and running, the sooner, the better.
And OCP typically involves the following steps. First is risk assessment. Two is business impact analysis. Three, development of strategies. Four, plan development and implementation. Five, testing and maintenance. Now, again, there's a list. I'm going to go through each one of these lists separately. Basically, a simple definition and a simple example.
One is risk assessment, and as an audit student or a CPA candidate, you should know what risk assessment is. What is risk assessment? Identifying potential risks and their potential impact on the organization. Can you list the risks that you could face? Obviously, loss of data. That's a common risk for all companies. Cyber attack, that's a common risk for all companies. You could have specific risk. For example, if you're a food company, you could have food poisoning risk. If you're an airline company, well, maintenance, the risk of mechanical failure, those are risks.
Then identify key business processes and the related risks. What are the key business processes to your business that help your business keep running and running and serving the customers as intended? Determine the acceptable downtime. For example, in your business, can you afford to be five seconds down, five minutes down, five hours down or five days down? You need to know this upfront as part of your risk assessment. For example, if you are in the business of trading securities, for example, you run a platform, an online platform of trading stocks like Charles Schwab, they cannot afford their platform to be five seconds down. Simply put, they cannot afford it. Why? Because people trade instantaneously. So you cannot be down for five seconds, waiting for people to execute their trades. For some businesses, you can afford to be five minutes down. Some businesses, you could afford to be five hours down. Some businesses, you may afford to be five days down and keep going, not a big deal. Okay, but you need to know what is the acceptable risk so you can respond to that risk.
An example will be a financial institution conducts a risk assessment to identify potential threats such as cyber attacks, natural disasters and power outages on their electronic trading platform. Here, a company like this, they cannot afford to be offline very much, not even a few seconds or minutes. Why? Because they're an online trading platform, for example, for stocks. This is the first thing, risk assessment.
The second thing is you want to determine the impact. Now, you identified the risk. Now, what's the impact? How is that going to affect me? Determining the critical business functions that need to be restored following a disruption and the timeframe in which they must be restored.
Here, what you are doing, you are determining how long it's going to take and what's the impact of this, for example, website outage, if my website is down, if I'm an e-commerce company, on my revenue and my customer satisfaction. What is the impact? Am I going to lose 10, 15, 20 percent? How is my reputation going to suffer? What is the impact? And based on the impact, I react. Now, the more important is the impact, the higher is the stake, the faster and the more expensive I have to invest in order to restore this service.
Then you have to develop a strategy to do what? To mitigate those potential impacts of disruption, because you know what the impact is. Well, what could be some strategies? Backup system. My website is down. I can migrate immediately to another website. If my suppliers, because let's assume during COVID, I had many suppliers and China was shut down, do I have alternate suppliers? Do I have strategies when it is a backup system? Establishing offsite backup facilities. Well, if my main site went down, my main site, my main company went down, do I have a backup facility somewhere else? And we'll talk about those later on. An example will be a manufacturing company develops a strategy to mitigate the risk of supply chain disruption by identifying alternative suppliers and establishing a relationship with them. Basically, I have a strategy in case something happened to my supplier. Let's assume a war, a political event, unrest happened to my current suppliers. Do I have immediately a supplier, other suppliers?
Now I have to develop and implement the plan that outlines the steps that need to be taken in the event. Now, what am I doing now? I have the plan. Now, how do I implement this plan? I have specific steps. For example, an IT company developed a detailed OCP plan that outlined the roles and responsibilities of employees in the event of cyber attack. And you want to make sure your employees are trained, they're aware of this.
This includes, for example, step-by-step procedure for data recovery. How do I do this? How do I implement this? I have specific plan and implementation.
Last but not least is testing and maintenance. You could have the best OCP plan, but what do you need to do on a regular basis? Because the threat changes, technology changes, your risks change. So you want to test this on a regular basis and update it as need be so it remains effective and up to date. For example, an insurance company conducts regular OCP plan testing and updates the plan based on the feedback and new risks identified in the risk assessment.
So basically what we did here is we looked at one component of the business resiliency measure, and that's organization continuity planning. In the next session, what I will do, I will look at system controls. Now you have the plan. That's fine. You know what needs to be done. You know, you have it down on paper, all the steps. Now you need to take a look at your system controls. What controls do you have now that could mitigate those risks? This is what we'll talk about next.
What should you do now? Go to Farhat Lectures and look at additional MCQs that are going to test your knowledge about these topics. Why? In order to really understand something, you have to practice it. How do you practice it? Farhatlectures.com. Invest in yourself, study, good luck and stay safe.