WELCOME TO THE CONTINUITY CENTRAL ARCHIVE SITE

Please note that this is a page from a previous version of Continuity Central and is no longer being updated.


Will resilience replace risk and continuity?

By David Evans

Is the world of risk, continuity and crisis about to change as new concepts and approaches linked to resilience gain momentum, or are we seeking solutions to the same old stories repackaged in a different language?

Protecting organizations is big business, or at least it should be, as no one wants to fail and few, if any, executives wish to face the negative impact of serious disruption or crises. In general, crises are expensive for organizations to handle, derail the best-laid plans and generally threaten the reputation of the top people in the business. Added to which there is a mix of guidance, regulatory requirements, employee concerns and shareholder expectations to address.

Is resilience the ROI?

There are opportunities in resilience for a positive return from the investment in managing risk and establishing continuity and response in an organization that go beyond the obvious elements of protecting the organization and ensuring minimum disruption to the core activities. These programmes will retain focus on the strategic aims and values of the organization and help embed a proactive risk culture. Central to this are the activities that contribute to managing risk, not simply from a perspective of identification and governance but from the active engagement in prevention and response. From establishing continuity and response in an organization, through to strategic crisis programmes: in practice they all help to build cross business engagement and effectively manage critical activities, improve communication and horizon scanning, build relationships and improve efficiency.

BUT, and there is a but, organizations do not want to spend time and resources building ever more complex processes to handle concepts and ideas that may never cause problems. At a simplistic level this seems obvious but it does appear to result in a situation where this year’s ‘must do’ risk drives the thinking.

If there is no coordinated continuity, risk and crisis programme then there is a real danger that each element will draw increasing resources and yet fail to deliver improvement. The reality, if we go the more piecemeal route, could be a desire to have basic compliance arrangements in place then continually attempt to bolt on specific procedures as and when deemed appropriate.

2014 may be remembered as the year of the cyber risk, with the focus for response, continuity and crisis moving into the world of hackers. Who knows what next year’s theme will be, but we can be sure there will be a theme and it will result in more corporate anxiety and procedures.

The result is a patchwork of processes, some of which are good, others less so. What is often absent in this scenario is the time and resources to embed the principle, establish the capability and competence and fully test the systems and the people before moving on to the next problem.

But it’s OK, we have standards!

In theory help is at hand in the form of a full suite of standards from risk through continuity to crisis and resilience. All have standards (BS 112000, ISO 31000, BS 13500, ISO 22301), which guide users on their application. But like members of the same family it feels they are close relatives who are not talking to each other.

This places the emphasis back on the practitioner to determine how best to use limited resources to achieve a complex outcome of change across an organization. No one wants to fight for a business continuity budget only to find the risk management or crisis systems are then exposed for lack of investment or coordinated activity.

Unite and lead

If the future vision for sustained business success does lie with organizational resilience then all of these specialist subjects need to be developed and built into the cultural foundations of the organization. To achieve this requires an integrated approach.

So, who out there in the business continuity community is for risk managers talking about business continuity and governance specialists understanding the deeper fundamentals of crises? Maybe this is what will make the difference but will business continuity professionals take the lead?


The author
David Evans is Crisis and Resilience Consultant at Corpress LLP. Contact him at David.Evans@corpress.uk

Reader comments

This excellent article by David Evans really hits the nail on the head. I have just returned to the office after a meeting with a very intelligent and savvy senior manager, trying to convince her that she needs to create a business continuity plan for the part of the business for which she is responsible. She is not objecting to the principle, but fears duplication with the risk management and compliance agendas also vying for her time and attention.

How often do we hear managers complain that they complete the latest update of their risk register, business continuity plan, and quality assurance return or similar only to receive little or no feedback after the event?

Enough is enough folks! The guilt lies firmly in the hands of those practitioners who commit the cardinal sin of talking up their industry to make themselves feel more valued. We need a new focus. Whether the right term is ‘resilience’ is yet to be seen. I like the word but I am familiar with the governance world. Our customers may not understand what we mean. Maybe we call it ‘survival’. That is one thing we all want – whether an organisation is in the profit, not-for-profit or charity sectors survival is key; for most if not all managers, survival is key.

Hmm. Head of Survival – will that catch on as a job title? How about this for an opening line for a meeting – “Hello, my name is XXX and I want to help you and your department survive despite the challenges that life throws at you”. Maybe a bit crass but likely to arouse a degree of curiosity… Follow this up with a brief review of the timeline of an incident:

business as usual > incident > emergency response > business recovery

and you are into a discussion about how risk management might reduce the likelihood or impact of the incident and how the emergency response and eventual recovery may be the legacy against which the department and manager are judged. All this can be done without even using the phrases ‘risk management’ or ‘business continuity planning’.

The challenge is, “How many professional risk managers and business continuity managers are willing to take such an approach?”

Paul Hirst, MInstLM, CMIIA.

With regards to your interesting article on ‘Will resilience replace risk and continuity’, as a BC professional, I am of the view that organizational resiliency is becoming very relevant, especially in the financial services and insurance landscape.

Very similar to ‘enterprise risk management’ which was the rage several years ago, ‘resiliency’ is now trending in the risk and BC community but can anyone give a spot-on description of what exactly it is? Taking a next step, can anyone even describe how to go about implementing it?

While many practitioners still stick to managing risks and ensuring continuity of critical operations, this practice is becoming more and more myopic. For years, organizations have been addressing merely internal issues by having mitigation plans which are achievable within their capabilities.

When new threats occur, organizations have been mostly reacting to them instead of proactively preparing for them. In other words, we are still very comfortable in our cocoons, thinking that incidents will not happen to us and, if forced to assess the threats, somehow it seems justifiable to think that the likelihood of occurrence is very low.

A resiliency framework and model is necessary to move ahead and look beyond the horizon scan. It makes sense that this framework encompasses risk, BC, strategy planning and re-engineering functions. Where, traditionally, risks are identified, measured and monitored using lead and lag indicators based on internal data, we now need to look at external factors and trends and begin to anticipate future scenarios.

A STEEP analysis would be useful as a start. Coupled with internally assessing SWOT, scenario planning and developing action plans to prepare for threats before they occur, organizations can then begin to see what lies beneath the iceberg.

Having said all these things, I believe that countries' regulators need to start the ball rolling with guidelines and requirements for risk and BC practitioners to seriously implement resiliency. Emerging risks are wickedly teasing us (look at the threats of terrorism, cyber attacks, Ebola etc), we can no longer wait for them to happen before we act. It's time to act before they happen to us!

Chris Liang

• Date: 10th December 2014 • UK/World • Type: Article • Topic: BC general
UPDATED 15TH JANUARY 2015
