Improving organizational resilience: the real justification for business continuity
By Lyndon Bird.
Although the term resiliency is widely used in setting corporate goals, it is rarely defined in a way in which it can be meaningfully assessed. Traditionally business continuity has provided a proven means of reducing the severity of disruptive interruptions by understanding the operational priorities of the business, the infrastructure that supports them and the acceptable timescales for response and recovery. Business continuity practitioners have always argued that by taking a holistic approach to an organization, critical dependencies and single points of failure can be better identified and mitigated, thus leading to improved reliability and customer satisfaction. This might seem a reasonable assumption but it is hard to really prove.
This lack of objective proof has perhaps contributed to the often reported difficulties in achieving more substantial stakeholder buy-in for business continuity at the most senior levels in an organization. Perhaps this partly explains why the change in business terminology from business continuity management (BCM) to organizational resilience is happening so rapidly in many companies. Certainly key individuals promoting the resilience agenda see the opportunity to bring a new discipline into play at the strategic level as a game changer. Adaptability (rather than response) is becoming the new buzzword and traditional business continuity practitioners need to adapt to this new reality.
The construction of more and more detailed plans has failed to achieve the corporate goals for security and resilience that we as practitioners might have expected. The speed of business change makes the need for a more dynamic way of responding to crises ever more important, but as business continuity professionals we need to change the way we work: developing organizational resilience capability and the people skills needed to take control of unexpected events should be our primary goals. Good planning is still essential, but that does not mean writing more compliance-based procedural plans.
So what are the obstacles to implementing a successful organizational resilience plan? Firstly, getting support from the top of the organization and by this I mean not just budget, but rather the way the message needs to be enthusiastically and positively communicated from the top. Secondly, getting buy-in from the people who have to deliver the plans; this is predominantly the middle managers who are often already over committed and under resourced. Thirdly, making the risk look and feel real because if it is seen as just compliance then you will create a tick-box mentality.
To successfully address these obstacles, it is essential to properly understand how the business actually works and who the really influential players are: those whose opinions are sought and listened to. Find out what the real drivers of success are and what top management really worry about. Do not talk to senior management until you know what is important; any lack of company knowledge will ruin your credibility immediately, so prepare well before you talk to them. Build awareness programmes and get your message right when you give presentations, as the people you need on your side are not interested in technical solutions; they want to know what you can do to help them eliminate or reduce future business problems.
Organizational resilience is much more than recovery from disaster or serious incidents. It is the ability to identify and monitor risks to prevent them from happening in the first place, or at least minimise the impact. It is about the capability of the organization to deal with incidents that cannot possibly be predicted or adapt itself to changes in its external circumstances such as civil war in a key supplier country.
In some ways it is difficult to highlight companies who are good at resilience because by definition they will be the ones that handle problems, major incidents and even crises almost seamlessly.
The top challenge on the horizon for business continuity professionals is changing the mind-set of people both inside the profession and outside it. We have many excellent programme managers but there is not enough really innovative thinking going on. The enthusiasm for the idea of resiliency does give us a chance to articulate a wider strategic vision for our discipline. Thinking up relevant approaches to deal with issues that do not fit the old BCM model of physical disruption to assets is a real challenge: cyber resiliency must be high on our agenda as is mitigating reputational damage using social media.
It might be difficult but if we don’t do it, who will?
I am delighted to see Lyndon Bird as the BCI Technical Director engaging in the broader debate on organizational resilience. Having been involved in the development of the new standard on organizational resilience, BS 65000, due out in November, I do however think he has missed the point and that the BCI is trying to tie resilience under the wrong banner. Resilience is not a new ‘discipline’ and it is definitely not a new ‘name badge’ for business continuity.
Resilience is a ‘state’ rather than a discipline and there are many disciplines that support the development of becoming a resilient organization – one of which is BC. Resilience involves dealing with disruption, uncertainty and change in a positive and proactive way. This is important in a short-term continuity context, but it is also key to building for the future. Combining these makes ‘survive, adapt and thrive’ the fundamental tenets of resilience.
The new standard clearly sets out guidance on how resilience fits together but it is wrong to see it as a new banner for business continuity. It sets out very well what the many parts are that support the development of a resilient organization. It will certainly enable much more strategic discussions and those resilience programmes we have conducted have had immense power in the language and concepts that can be used which are far more engaging at senior levels since they impact on the entire organization. Adaptability is one of the key facets – but not the only one – and as a term, it should not be used interchangeably with response; it is a much more far reaching concept of how adaptable the organization is in the face of disruption and change in many areas such as markets, economies etc. – or the threat of change – as well as the shorter term response needs.
It is excellent to see the BCI engage but they would do well to ensure that the solid ground of business continuity remains their core and that the relationship with resilience in all its many facets is utilised; but accepted that it is not the same. Resilience is a ‘big term’ and may well not be suited to all organizations; it needs treating with caution and careful consideration of where it fits best. For many, BC will remain the best discipline for focus and our experience has shown that care must be taken to ensure the fit, language and desired outcomes are right.
Lyndon is to be congratulated for raising this issue; it will have a marked impact in the future and now is the time to understand what it could mean for business continuity professionals. It is also refreshing to see the BCI start to realise the importance of engaging with the C suite in recognising the need to develop the message at a strategic level. But, and there has to be a but, the article fails to appreciate that resilience is much, much more than business continuity.
Resilience is definable and business continuity has an important part to play in delivering the response and protecting the organisation; the BCI would be better promoting the strengths of BC rather than pretending it can be everything to everybody. Please stick with “The capability of the organization to continue delivery of products or services at acceptable predefined levels following a disruptive incident”: this is critical, and to match this to an organisation’s existing strategy is not easy. By all means stimulate the debate on how this fits with an ability to anticipate, respond and adapt to changing circumstances, because it does. But it is not a substitute.
Lyndon’s argument for a title change is well made, but I’m not sure that alone will better brief the uninitiated on the imperative for whatever we call it.
Of special interest for all is the case to include in BC/OR the principles of ISO 31000 Risk Management. This to better address and record risk likelihood, consequence and treatment (one key treatment in every case being a BC/OR plan).
Please keep the survey of title ongoing before the BCI moves on this one.
I fundamentally agree with the majority of the underlying points reflected in Lyndon Bird’s above article, which, I believe, will be the focus of the future for achieving business survival. But, unfortunately, I totally disagree with some of the associated comments.
Contrary to traditional teachings on business continuity by the prevailing BC authorities, should not business continuity begin with a thorough understanding of the marketing and financial drivers for the business as the first step? This will establish the profile of the income and cash-flows for key products and services for the business over time as the main focus for business continuity objectives, from which focused pre-incident planning for business continuity and resilience to maintain sufficient cash-flow can be designed.
Only through a knowledge of what and how income to the business is earned in the wider context can management begin to design a ‘business continuity management system’ for key functions that will enhance the resilience of the business to stay in business. This approach will effectively continue the business through the proper management of cash-flows during unplanned disruptions from a customer delivery perspective, whatever may be the cause of the disruption. This ‘scenario-neutral’ approach to ‘understanding the business’ will then improve the resilience to the business from any ‘cause’ of disruption.
Once management knows what needs to be ‘managed right’ prior to and post a disruption to normal operations to achieve the business continuity cash-flow objectives to maintain sufficient business income, the business will be able to continue to deliver during the period of restoration to normal service levels.
The approach of retro-analysing the impact of an identified disruption and applying probabilities to put the event into a risk matrix in a BIA for priority business continuity planning then pales into insignificance.
Focusing on identifying the causes of what could disrupt the organisation's normal activities, and then analysing the impact to develop specific responses to the incident does not appear to me to reliably address the ability for the organisation to effectively continue business from the multitude of disruption causes possible.
I have yet to see the reference for the need to review key drivers of marketing and financials for a business as the first stop for business continuity planning in any business continuity planning training materials by either BCI, DRII or NFPA Codes & Standards. Maybe this will change as the BCI moves more into definitions of ‘resilience’ and away from ‘continuity’?
It now seems to me to be becoming recognised more and more that the prevailing techniques for BC, which had origins from the IT industry, are increasingly outmoded in the wider world of industrial enterprise. The idea of assuming scenarios based on all hazards and designing specific response plans for a business, despite BC practitioners’ insistence that they take a holistic approach to the needs of businesses, does not hide the fact that BC decisions are still primarily developed from a technical review of the hazards and risks to a business. BCPs are still being established through identifying the hazards, the threats and estimating the degree of risk to the business, before deciding on the required action necessary to reduce the risk through mitigation in the BCP. Such an approach seems to continue to be supported in some of this article’s comments.
Only by enhancing the resilience of products and services to maintain a minimum level of deliverables to key customers from a knowledge of the financials, will pre-incident mitigation and improved flexibility at the time of a disruption enable the company to adapt to any disruptive event, whatever the hazard or however caused. Such business reviews are needed as a first step in the process, and before any technical review on hazards and risks is undertaken.
In Lyndon’s article Continuity Central clearly signals the need for a move in this direction. It also recognises that a significant shift in the skill set of the traditional BC practitioners, presumably those who have been trained by BCI, DRII and NFPA 1600 in the implementation of the old BCM approach, is going to be needed if the move into a future resilience model is to be achieved.
I agree with the need for the development more towards enhancing resilience of an organisation, as implied in the article. However, I do not believe this will be achieved without a change in the current approach to BCM, contrary to the response implied by some comments, or without changes in the prevailing teaching practices. This will require a change to the skill sets of BC practitioners. Perhaps such revisions will be introduced into the future as standards on BCM are constantly revised with new editions?
I agree with Lyndon’s comments and the way business continuity management needs to adapt to an ever evolving world. The business mantra ‘adapt or die’ is as prevalent for resilience professionals as it is for businesses. It is interesting that risk management has incorporated business continuity into its professional development programme and uses much business continuity language. It begs the question on how much risk management is incorporated into our professional development?
Would senior management engage better if business continuity was seen to directly support strategic aims and objectives and to provide, through horizon scanning and agreed triggers set in risk management, a warning mechanism, providing time for planning should existing plans be inadequate? Advanced organisations that have an embedded resilience capability may be able to seize opportunities in addition to invoking protective activities – bouncing forward as opposed to bouncing back. To illustrate, an organisation that has a total loss of its call centre function may elect to initiate business continuity plans in the short term to protect reputation and assist in recovery. However, in the long term senior management may elect to outsource or joint venture the function if it presents greater opportunities.
Evolution is key to survival and growth and is as essential for individuals as it is for businesses.
Lynda Vongyer, business continuity director.
I fundamentally disagree for the following reasons and feel there is nothing new within this article:
1. It seems that some of the actions done in the name of resilience are exactly the same as the activities of the risk manager;
2. If there is a good robust incident management process and teams to manage the response they should be able to handle any incident, even one we have not planned for. This has always been the case;
3. There are some planned responses which need to be worked out prior to an incident. If the output of your BIA says you need to recover 100 call centre personnel within 24 hours this has to be a detailed pre-planned response. So for some foreseeable incidents preplanning is required.
Charlie Maclean-Bristol FBCI FEPS
• Date: 11th September 2014 • UK/World • Type: Article • Topic: BC general