This paper by Gert Kogenhop, (Hon.) MBCI, looks at the latest definitions of business resilience, describes the structure of a business resilience management system, and explains why sharing and collecting information is at the heart of a resilient organization. The paper says that the use of software underpins solid business resilience practice, enforcing both the mandatory and optional elements of policy compliance and process management. Software delivers consistency, conformity, efficiency, analysis, modelling, reporting, easier workflow management, cost savings, and clearer governance.
Abstract
This paper discusses the benefits of tooling as an enabler for resilience management, specifically business resilience. Business resilience entails the integration of different areas of expertise in a joint effort to secure the future of an organization in a dynamic environment. It requires the right balance of risk management, information security and data protection, business continuity management and crisis management. To ensure that each area of expertise can operate independently within a coordinated framework, the right structure is essential. Much like a carpenter needs a hammer, the business resilience manager requires the right tools. Attention must be paid to collaboration, information sharing and balancing the right level of integration. While the tooling process will not be a panacea for the various challenges facing the business resilience manager, it will, however, be an enabler: it is beneficial, has deliverables and supports management and control.
Introduction
Many organizations that have implemented a risk, crisis or business continuity management system do so by creating lots of Word and Excel files, supported in many cases by databases, and using PowerPoint or other office software to support the information flow. In some cases, SharePoint is used to make the system more robust and to create a secure environment for storing documents, calculations and other data components. Some larger organizations have built their own system or tool to fulfil their specific needs, but in most cases, these tools are difficult to maintain, let alone develop further in an ever-changing environment with evolving rules, regulations, requirements and demands. Organizations must ask themselves whether they have created a resilient management system that is ready to be used when required, or whether they have simply found the easiest way to meet the requirements of a document management system.
Every organization is exposed to risks. Many are generic, like IT outage, building fire, utility issues or extreme weather; others are specific, resulting in a risk set particular to the line of business, be that chemical production, software development, construction, data management or baking bread. Location also has an impact on risk; for example, risks will differ between organizations located close to an airport, major waterway, chemical plant or oil distribution facility. Risk management, both enterprise and operational, is a must for organizations and, generally speaking, it is reasonably well managed, especially in larger organizations where the use of integrated risk management tooling is common practice. This approach consists of a set of practices and processes to support and improve decision making and performance. It delivers an integrated view of how well an organization manages its specific risk set. The world - especially the business world - is changing at a rapid and accelerating pace, so it is essential to keep one’s eye on the ball when it comes to major issues such as climate change, Brexit and the so-called ‘trade war’ between the USA and China.
In today’s world where everyone depends on information technology, information security and data protection are important elements that demand attention. In this regard, the European Union (EU) directive ‘Concerning Measures for a High Common Level of Security of Network and Information Systems across the Union’ and the General Data Protection Regulation (GDPR) are important drivers. IT dependency makes organizations vulnerable and as such must be addressed and managed. Indeed, an IT outage can result in anything from a major disruption to the collapse of an organization - something that would have been almost unheard of 40 years ago.
It is far too easy for serious disruption to develop into crisis. For this reason, crisis management and business continuity management are the prerequisites of a well-run organization; indeed, in some countries they are even legal requirements. Being unprepared is simply unacceptable, and any ‘plan’ to act ‘when the time comes’ is not just poor business practice, but frankly irresponsible and unworkable.
Read the complete paper (PDF)
This paper is published with permission of the Journal of Business Continuity & Emergency Planning.
The Journal of Business Continuity & Emergency Planning is the authoritative journal on business continuity and emergency planning - publishing peer-reviewed articles and case studies from some of the world’s leading business continuity, risk and resilience experts. To receive an exclusive 20% discount on subscriptions which includes both print and online versions, subscribe and enter the code CCJBC20, when completing the form at: www.henrystewartpublications.com/subscription/jbcep
