Bonus Chapter: Andrew and Michael’s Plan for Felder in 2022


In March 2021, I published my book on the Business Continuity Operating System (BCOS). About two-thirds of the book chronicles a fictitious life sciences company named Felder Corporation and its journey to implement a business continuity and operational resilience program that achieves the right level of resilience.

In the book, Michael Taylor is the newly minted program manager, with the program sponsored by Felder’s Chief Financial Officer, Andrew Preston. By the end of the fable, Felder had just celebrated the first anniversary of its program after having successfully responded to Hurricane Cooper.

This article is a bonus chapter, written as I reflect on the past 18 months as increased cyberattacks, unprecedented supply chain disruptions, and the COVID pandemic continue to surge. With this increasingly complex risk landscape, many lessons learned have been realized senior leadership engagement (and expectations) have never been higher.

This bonus chapter picks up on December 15, 2021 as Andrew (program sponsor) and Michael (program manager) meet to discuss plans and prioritization for the upcoming year.

The following conversation is a fictitious summary of the many conversations I’ve had with dozens of global organizations and their C-suite program sponsors, board members, and the many leaders of resilience programs regarding their views of 2022 priorities.

Consider using these topics to engage your leaders and set priorities for 2022 and beyond.

Get The Business Continuity Operating System Book by Brian Zawada


Things Have Changed

December 15, 2021 at 4:00 PM ET

Michael kicks off the meeting. “Thanks for meeting with me Andrew, I really appreciate it. As we conclude the year, did you get a chance to review the pre-read for this meeting, where I documented what I called the ‘2021 Resilience Year in Review’?”

“I did. Thanks for putting that together, Michael. The program’s key performance indicators and key risk indicators look good, and I like the recap on prioritized vulnerabilities that have been closed and project work that’s currently underway. Overall, great progress this year. And all I hear about are our customers’ favorable comments too.”

Andrew continued. “With that said though, I’d like to recap a discussion I had with the Board last week. They shared a few questions they want an update on in late January during an upcoming session with the Board’s Risk and Governance Committee.”

Andrew passed a piece of paper across the table to me. The paper was mostly white space with five topics listed:

  1. Single point of failure identification and treatment
  2. Plausible scenario prioritization
  3. Situational analysis of our supplier’s suppliers
  4. Cyber response preparedness
  5. Practice and learnings

“This is the list of topics where we’ve been asked to comment.”

Andrew continued with his description of each.

“First, specific to our in-scope products and business services, we’d like you to summarize our most pressing single points of failure, and our readiness should any be disrupted. In other words, where do we lack recovery strategies for single points of failure?”

“Second, in our work to espouse some of the leading operational resilience principles, we’ve worked to capture severe, yet plausible scenarios that are most concerning to our leadership team. The Board would like to learn about this list and your feedback on our exposure for each.”

“Third, the Board is well aware of the work you did specific to shoring up our third-party risk, identifying single points of failure and the exposure we face specific to each third party. They would like you to focus on the top ten suppliers and understand if we have visibility into their suppliers. In other words, are we ok or are we in trouble when you look one level deeper?”

“Fourth, the Board is aware of the work you led to mature our cyber response capabilities and the strategies put in place to enable a timely response. They want to hear about what’s next, as well as some of the outcomes from our October Crisis Management Team exercise.”

“And lastly, building on the learnings from the cyber response exercise, they want to hear about our learnings from all 2021 exercises and the exercise plans for 2022. I got the impression they have an expectation of exercising more, as they are hearing that other organizations have greatly increased their exercises and tests. One Board member asked about which of our named plausible scenarios haven’t been exercised yet.”

After asking if each topic made sense – and Michael nodded that they did – Andrew raised one last point.

“At the end of the first quarter, the Board also asked that we engage them to discuss their role in a crisis. We agreed that two members of the Risk and Governance Committee would meet with you at the end of March to review a detailed plan and seek their input. So, let’s make sure we’re prepared.”

Michael smiled and commented that he would be prepared for both the board presentation in January and would share a draft Board crisis management plan detailing roles, responsibilities, and expectations in advance of the February meeting.

Now it was Michael’s turn, and he asked Andrew, “Can we discuss my ‘top ten’ list of requests made by other members of the steering committee, as well as some ideas I have gathered from my peers?”

This time Andrew nodded, and Michael passed a piece of paper his way with ten topics noted. But before sharing the list with Andrew, Michael crossed off three items because they overlap with the Board requests.

  1. Business service complexity reduction and substitutes
  2. SPF treatment
  3. Enhancing Felder’s digital model
  4. Channels
  5. Customer and patient journey mapping
  6. Risk intelligence sourcing and application
  7. Severe, yet plausible scenarios
  8. Staffing
  9. What if and so what modeling
  10. Cyber response

After passing the list to Andrew, Michael began his introduction.

“I wanted to share with you ten ideas, or concepts, that I’d like to weave into the program in 2022. As you can see, three of them overlap with the Board’s requests, so I’ll skip those right now. But here are the other seven.”

“This first one has come up a lot lately, as an extension of the many supply chain crises plaguing so many organizations, including our own. As we work with our customers on new therapies, or creating new manufacturing processes, how do we minimize the complexity and slow the introduction of new processes, methods, suppliers, materials, and so on into our work? Unless absolutely necessary, how do we add resilience considerations in our R&D efforts. And how can we prepare approved substitutes when a key supplier part or material is unavailable? I see this as a key opportunity for improvement, as do many of our competitors in the life sciences industry.”

Andrew was taking notes on the piece of paper I gave him, and I could see he put a “!” next to this topic.

After he stopped writing, Andrew asked, “Let’s meet with Shannon and her Operations team on this, as well as her R&D team, to see what they think. Not sure why I hadn’t really thought of this, but I think there’s a lot of potential value here.”

Michael then continued with the third item on his list. “About 18 months ago we invested in resilience management software, and we’ve gotten a lot of value from it. You’ve heard me mention to the steering committee that it has helped us build a digital model of the organization that helps identify up and downstream relationships that we can query when a disruption hits, helping us respond faster. I really want to reinforce the use of this information during tests and exercises to make sure our teams are comfortable using the platform in a crisis. And this leads to the fourth item on my list.”

Michael paused for about five seconds to let Andrew catch up with his notes.

“The fourth item is what I’ve labeled ‘channels’. This is another COVID-19 lesson learned. Many organizations experienced disruptions to the ways in which they engage their suppliers and customers. In other words, we might be fine, our customers might be fine, and even our suppliers may be operating normally. But what happens to the ways in which we reach our customers, patients, and suppliers? We have significant dependencies on ports, clinics, and numerous logistical channels, to name a few. I think we need to better capture these dependencies as an opportunity to enhance our digital model of the organization.”

Andrew then added, “I’m actually surprised we haven’t captured that, I kind of assumed we had. So, I’m very supportive of this effort.”

Michael then added an explanation for the fifth item on his list. “Another area that I wish I had covered early on in the program is what I labeled ‘Customer and Patent Journey Mapping’. In many ways, this is another expansion opportunity of the end-to-end map, where were adding customers and patients, linked to products and business services, connected with channels.”

Andrew observed, “If we’re adding suppliers’ suppliers, customers, patients, and channels, it feels like we would have a complete picture of how we operate.”

Michael nodded and then continued. “And with this more complete digital model of the organization in our software, what some called an ‘end-to-end’ map, we can then do number six on my list. We can begin to pull in risk and threat data and overlay that on our digital model, which helps us react faster and more intelligently when key parts of our value chains are affected. We can even automate the alerts to different people in our organization.”

Andrew added another “!” to my list, this time next to number 6.

Michael then introduced the eighth item on this list. “There were a few times during the pandemic we got lucky in terms of staffing. The Omicron variant hit us hard in many areas, and I thought we could have done more to understand minimum staffing requirements, alternate sources of staff by skillset, and strategies on how to shutter less critical processes and staff the most essential. We capture some of this in the BIA, but I think we can do better.”

Michael than concluded with an introduction to number 9. “In many ways, the ninth item on the list is a summary item. If we improve our digital model and integrate risk intelligence, we’re better able to respond and minimize impact. Our software has functionality to show a visual of relationships and we should start using this functionality and impact reporting during exercises – and real events.”

Andrew put down his pen, which is when I noticed he’d taken a lot of notes. “This is a great list, and you have my full support. I think we should put the entire steering committee through a similar discussion to get their feedback and support. But overall, between your list and the Board’s request, we have a great list to finalize our 2022 program plan.”

Get The Business Continuity Operating System Book by Brian Zawada


Brian Zawada

Chief Strategy Officer

Brian brings more than 25 years of experience managing and building world-class, global business continuity programs to his role as Chief Strategy Officer for Castellan. Outside of his work with Castellan and its clients, Brian previously served as the Head of the United States Delegation to ISO Technical Committee 223, the authors of ISO 22301. Brian contributed to ISO 22301 and led the project team that created ISO 22317, the business impact analysis standard, and ISO 22331, the business continuity strategy determination standard. Brian is a frequent author and speaker, currently serving on the Editorial Advisory Board of Continuity Insights magazine. Brian previously served as the Business Continuity Institute US Chapter Board President and as the President of the Northern Ohio Chapter of the Association of Contingency Planners. Brian is certified as a Fellow of the Business Continuity Institute. In 2020, he published his first book The Business Continuity Operating System. Brian is also a two time Lifetime Achievement award winner from CIR (2021) and the BCI.

Ready for some hands-on help? Let’s discuss how to best achieve your resilience goals.