The Colonial Pipeline attack displayed the need for operational resilience. What can businesses learn from the event to be better prepared?
By: Alex Toews
The last two years have seen countless disruptions, including the pandemic, ransomware attacks and supply chain issues. This year, the Colonial Pipeline was attacked, presenting a daunting wake-up call. Although organizations felt prepared for disruption with adequate plans in place, the breach highlighted the necessity for integrating third-party management into plans, especially when critical infrastructure is at stake.
Following the attack, reactions ranged from concerned citizens stocking up on fuel in plastic bags to the Biden-Harris Administration mobilizing a federal response. Adding to mass hysteria, the Energy and Homeland Security departments found public transportation would be affected in only three to five days if the shutdown continued. Later, the CEO of Colonial Pipeline announced a whopping ransom of $4.4 million was paid to resume normal operations.
As 2021 ends, it is critical to reflect on this year’s shortfalls to prevent making the same mistakes. What should businesses take away from the Colonial Pipeline attack? How can they prepare to protect their company and assets to ensure a similar attack does not cause mass disruption in 2022?
The substantial cost of overlooked operational resilience
If disruptions over the last year have taught us anything, it’s that operational resilience is no longer optional; it is necessary. Resilience plans that prioritize ‘high impact/high probability’ situations must also consider ‘high impact/low probability’ situations. Many of the disruptions of the last two years that spread across society have been high impact/low probability. The Colonial Pipeline attack, a global pandemic, and supply chain shortages ranging from cardboard to semiconductors all have one thing in common: if you had asked someone in December 2019 about these situations, they would have labeled them ‘high impact/low probability’.
Reflecting on these occurrences shows that ‘high impact/low probability’ situations can happen – and are happening. Yet many organizations are still not investing adequate time and resources in building robust resiliency plans that integrate third-party risk factors. The risk landscape is evolving, and so should organizations’ resiliency plans. Organizations can no longer rely on historical data alone to inform their resilience and continuity plans. Historically, preparing only for highly likely situations was enough. Today is a different story. It has become increasingly evident that one event can cause a ripple effect throughout global communities, industries, and businesses, leaving behind a devastating trail.
The time is now for leaders to take the reins and use the Colonial Pipeline attack as a driving force to ramp up operational resilience and build critical business value. Implementing a robust operational resilience strategy ensures that a business never fails to deliver on its promises to customers and partners, despite disruption. The ability to consistently deliver on brand promises regardless of external disruption builds customer trust, which can set a business apart from its competitors. In turn, this competitive edge can positively affect market share and reputation. With the appropriate strategy and plan, risks can become an opportunity for growth.
Establish third-party risk management with limited resources
Third-party disruptions do not discriminate based on the size of an organization. The Colonial Pipeline attack demonstrated the importance of third-party management and resilience for organizations of every size. Still, understandably, organizations do not have unlimited resources to dedicate to these projects and plans. First, leaders should critically analyze a list of all third-party vendors used by their organization and prioritize those with the largest impact. When resources are limited, it is impossible to give every vendor the same level of effort. When vetting vendors to form new third-party relationships, prioritize implementing an adequate due diligence and screening process to assess risk. The business can then identify which third-party vendors have the most significant impact on its essential business services. Evaluating third-party vendors in this manner helps manage expectations and prioritize resources.
Once the most critical third parties are identified, ensure your business fully understands and assesses each one’s risk profile. When analyzing risk profiles, consider all risks, including cyber, financial, and regulatory. To confirm your preparedness, ask yourself: what happens if disruption affects a critical third party? Would we still be able to deliver on our brand promise to customers? What would our recovery time be if the worst possible situation were to occur? The answers to these questions should guide your journey to building a robust resilience plan. The goal of establishing third-party resilience is to ensure your business can continue delivering on its brand promise despite disruption, regardless of whether that disruption affects the company directly or indirectly through third-party vendors.
Effective resilience requires third-party management
Recent disruptions such as the attack on the Colonial Pipeline have exposed the shortfalls of traditional resilience plans. Organizations can now see the potential impact these disruptions can have on assets, people, the supply chain, and third-party vendors. Without adequate incident preparedness or third-party management, you are opening the door to the adverse ripple effects that follow a critical disruption.
When designing your preparedness and proactive plans, proceed with caution. Do not assume that your third-party vendors have devoted the same time and due diligence to risk management and resilience as your company has. Create and implement your resilience strategy with the understanding that your third-party vendors are an extension of your business, affecting your brand’s ability to deliver on its customer promise. Approaching resilience with this mindset makes clear how critical it is to conduct adequate due diligence on vendor resilience plans.
Proper preparedness does not simply mean having plans in place for when a disruption occurs. Preparedness means having the appropriate proactive mitigations in place to prevent the disruption from affecting financials or customers. To keep disruption to a minimum, plans must be thoroughly tested under different scenarios to confirm their effectiveness. Together, proactive and reactive plans give your business true resilience for when the next disruption occurs.
The COVID-19 pandemic set a prime example of the power of operational resilience. Throughout the pandemic, some companies continued delivering on their business promises to customers without so much as a hiccup. Thanks to forward-thinking, agile resilience plans, these companies succeeded while their competitors were left in the dust. By placing third-party risk management at the core of their resilience plans, they were able to pivot – and quickly – if one part of the supply chain failed, ensuring customers experienced no disruption in services. Resilience should not be approached as a ‘have to do’ but as a tool to drive value. Recent events have shown the detrimental outcomes of subpar preparedness and how they can ripple beyond your business or industry.
Set goals for 2022
The next disruption is already on the way. Today it is not a matter of whether a disruption will happen, but simply of when it will occur, who will be directly affected, and how it will impact your business. The Colonial Pipeline attack demonstrated that a single successful phishing attempt or bad link can cause systems to crumble. As we enter 2022, ask yourself: are we prepared? No organization exists in a vacuum, and no organization has a supply chain that is too small to fail. Today, every organization is part of a larger global web of suppliers and vendors. A single event that affects a single supplier will spread across that web, inevitably affecting either you directly or your vendors. To best prepare for this, invest in a robust resilience plan that includes third-party assessment and supply chain scenario tests. This investment will protect your long-term reputation and build trust with customers, partners and stakeholders. Now is the best time to assess where you stand today and what steps you need to take for a more resilient and prosperous 2022.
Alex Toews is a Chicago-based Risk Solutions Manager within Fusion Risk Management’s product management and solutions practice. With extensive experience working across different industry verticals, Alex’s professional experience has included driving methodology and program framework creation for many risk-based competencies such as: enterprise risk, operational risk, vendor risk, compliance, internal audit, corporate governance, regulatory requirements/expectations, and program/project management.