Organizational resilience and business continuity: bringing clarity to a confused profession
- Published: Wednesday, 03 February 2016 10:15
By John Robinson, FBCI
Resilience is very much a hot topic in the business continuity profession, but there seems to be very little agreement about what we mean by resilience; where it sits in relation to business continuity management; and what its scope should be. This article aims to bring some clarity and will explore the following questions:
- What, exactly, is resilience and do we share a meaningful definition, or is it just hype?
- Does it have enough value or substance to differentiate it from what we already have?
- How much resilience do we need or is it OK to be vague about it?
- Where does resilience naturally sit within the organization? Does it make a difference?
- What does a resilience programme look like and where should we look for guidance?
In 2014, the British Standards Institution (BSI) published BS 65000 ‘Guidance on Organizational Resilience’. In its wake, waves of business continuity managers have been transformed into resilience managers, following the trend or perhaps pre-empting the arrival of ISO’s 22316 resilience offering, due in April 2017. But have things really changed or did resilience just become fashionable? Are we seeing a re-branding, a seized opportunity to balance off rarely needed business continuity with more general defences that regularly add material value, or is it inevitable evolution?
In its introduction to BS 65000, BSI states that resilience is “…a strategic objective intended to help an organization survive and prosper …the ability to anticipate, prepare, respond and adapt… to minor everyday events to acute shocks and chronic or incremental change”. There is of course much more in the document and the introduction alone runs to four paragraphs, but at first reading are you convinced? Try the following test:
Imagine you are fortunate enough to spend 30 seconds in the executive elevator with the CEO, who asks about your current role. You explain it using the above definition, wondering … does she think the money well-spent? Her reply might be “…interesting, I love the work you guys in risk do”. Risk? It may not be what you want to hear: it sounds as if the capability should already exist elsewhere.
If resilience is real, different and valuable, deserving of definition as a stand-alone discipline, then we need to focus harder on the fix it provides: and we need to spotlight the part of organizational machinery that has been overlooked, the innovative step that makes it a competitive necessity, or the commercial advantage it brings.
The essence of resilience is of course real. Think of it as a desirable organizational property, like compliance or liquidity. Viewed in this way it is a quality and a metric, so our notional resilience score grows as we improve our proactive and reactive responses to events, allowing strategy and operation to run smoothly through any disruption. However, in this sense it is passive, manifesting as a collection and analysis of data farmed from multiple practices, including business continuity.
So is it different or innovative? Here’s an analogy. The Queen’s driver apologises politely after her Rolls-Royce bumps through a pothole. Of course, almost all of the shock is absorbed, even if an eyebrow is raised; however, standards are high and much is at stake. The driver reports the pothole, keeps calm and carries on. Compare this with a driver on the Dakar Rally with suspension set hard and completely accepting the pummelling he and the vehicle will take, with constant risk to car and driver. Both situations are acceptable from both a risk and resilience point of view, as the success criteria for each are different.
From a pure risk governance standpoint, the suspension in the Rolls may not need to be perfect and we might not seek to insure against the effects; however, the added benefit it brings aligns with the Palace’s overall commitment to excellence. This level of performance is expected, it is part of the brand perception and experience – not just for Her Majesty – but for all her stakeholders, including UK plc. For an organization’s CEO, one would hope the point of acceptable resilience lies somewhere between Royalty and the Dakar - ensuring the organization enjoys a safe and secure, but better than tolerable, ride.
And therein lies my elevator pitch. From within compliance, risk management delivers the governance brief that keeps directors and officers honest. It may also have a mandate to deliver discretionary improvement, up to a point. Resilience takes us beyond this and toward excellence, improving productivity and adding value, optimizing, filling in gaps and ironing out inconsistencies. It provides a tough but voluntary second skin that protects and attracts; positioned in this way, resilience becomes real, different and valuable.
Resilience is attractive because it implies additional certainty, stability and longevity potentially beyond that which the governance remit permits - up to the point where stakeholders demand it, whereupon it becomes governance.
Resilience promises to help us market, sell, retain customers, satisfy regulators and attract and retain high grade employees. An organization with high levels of resilience can reasonably expect to suffer less downtime, become more productive, more reliable and more efficient. It has the potential to benefit all stakeholders and is potentially culture-changing, creating new confidence, pride, loyalty and competitiveness, building reputation and organizational value.
Most organizations already enjoy some level of managed resilience, from cottage industries that use the cloud to back up their work, to global corporations with dedicated functions. However, perhaps the greatest beneficiaries are those whose markets demand undiluted excellence, yet whose scale, complexity, threat profile and rate of change sporadically open up new areas of inconsistency, vulnerability and duplication. For these entities, it makes more sense to formalise the benefits a resilience focus might bring; defining roles, objectives, budgets and accountability. Simply, in these cases the potential return on investment (ROI) is greater.
Resilience incurs cost and demands accounting, measurement and analysis if we are to convincingly demonstrate positive and sufficient ROI. We can account with precision for tangible measures such as perimeter fencing, anti-virus software and business continuity plans. But can we detect and factor in present but nonetheless paid-for capabilities, such as the incidental selection and design of resilient assets and the application of sound practices by staff? Each makes a guessed-at resilience contribution and incurs a not necessarily proportionate cost.
This suggests we need a system that allows us to detect, understand, assess and record resilience so we can account for any value it brings.
In the same way that we as individuals take risks that suit our role, personality, situation, beliefs and available information, so every organization has its own characteristic risk appetite. Often complex and shaped by multiple opinions and data, the aim is to create an appetite statement that reflects stakeholders’ propensity for risk-taking, expressing it in a way that others can consistently interpret and apply as they go about their work. So is there any justification for a separate resilience appetite?
Consider risk appetite; this is often expressed as a matrix of risk types - financial, political and so on – with levels expressed in words and numbers to allow approximate equivalence and accumulation between types. An organizational entity or asset can then find itself profiled in a particular set of type cells according to the residual risk it attracts, possibly implying a need for attention. These matrices are inevitably generalised, designed for high-level consumption and deal well with big risks with large margins for error. They offer a consistent frame of reference, but can or should they support the additional fine-tuning and optimization that seems to characterise resilience?
We could view resilience as the optional treatment of residual risk, since the latter already reflects all we have done to reach acceptable toughness. Optimize risk and we maximize our return; do it badly and we waste money or risk unacceptable exposure and a governance breach. However, this means we may take steps to reduce protection if measures applied appear to be in wasteful excess. Resilience on the other hand offers a mechanism to permit desirable protection, and this overlays risk management. Think of it like plastering a rough brick wall – the plaster should in-fill imperfections and create a smooth, resistant finish that protects and impresses at acceptable cost. Continuing the metaphor, resilience appetite becomes an expression of the quality and depth of plaster to be used, and reflects the approach and expertise required of the plasterer in achieving a specified result.
So yes, we could benefit from appetite-like success criteria and these could help us answer the question “how much additional toughness do we want?” If used, they should tell us how far the organization is prepared to go beyond the governance brief in the interests of excellence. It should allow for the level of resilience to be standardised, but potentially variable, considering soft variables, such as convenience, desirability, trend, brand benefit and so on.
In terms of expression, we need to keep the approach simple and compatible with statements of risk appetite so the two can work together. One approach might be to define a resilience target marginally above accepted risk, plus a required return on investment and a set of interpretive principles.
Where does resilience naturally sit within the organization?
Risk management is described in ISO 31000 as ‘coordinated activities to direct and control an organization with regard to risk … the effect of uncertainty on objectives’. Paraphrasing, it provides measurement, control, corrective and reporting capability covering all aspects of risk for the entire organization; including non-operational aspects such as commercial, political or socio-economic risk. BS 65000 differentiates from risk by focusing on outcomes and qualities, such as coherence, adaptive capacity, and resulting strength or toughness. Arguably, risk management encompasses these but does not make them a primary focus or attempt to quantify them: they are after all, simply desirable effects of all-risks management.
Business continuity also has a whole business remit, but addresses a subset of risks, handling critical disruption preparation and recovery. Under ISO 22301, BCM seems to address similar management system-related areas implied by BS 65000 (being informed approximates to context, setting direction to leadership and so on). Also, the popular bounce-back image associated with resilience seems firmly rooted in the ability to recover, suggesting BCM as a natural home. However, ISO 22301 does not focus on the multi-disciplinary integration (coherence) and proactive hardening of capabilities (strengthening) implied under BS 65000, so unless modified, it won’t necessarily deliver resilience in the sense intended. BS 65000’s definition of resilience, by contrast, includes recovery as a mainstay, so if the BS standard is adopted, resilience should include BCM.
Governance, risk and compliance (GRC) represents another related corporate function. In this context, it is generally responsible to stakeholders for control - overseeing the system used to ensure the residual risks faced by the organization align with its appetite. It supervises all activities, investments and behaviours that reduce loss of all kinds and which improve compliance with internally and externally imposed requirements. It often defines management systems generally, operates at a very high level and reports directly to the board.
For my money, and this goes for all management systems-based disciplines, GRC or a similar function should provide the unified umbrella spanning all operational areas. It makes little sense to have separate machinery to do essentially the same job. Within this regulating machinery, risk provides oversight and reporting of all risks, resilience perhaps provides operational risk improvement and optimisation, and BCM management of catastrophic risks, each a subset of its precedent. There are undoubtedly arguments for and against this, and a myriad of arrangements needed to satisfy the interests of every organization.
BS 65000 offers an interesting and helpful read, pulling together organizational qualities that position resilience management as a discipline in its own right. The following paraphrases the main headings contained in the document; note that they have approximate parallels with ISO 22301, with the corresponding ISO headings shown in brackets. This is unsurprising, as resilience might be delivered conveniently via a Deming management system.
- Foundation (governance, accountability, leadership, culture, vision and purpose)
- Situation awareness (context)
- Direction (leadership and planning)
- Adaptability (improvement and anticipation/horizon-scanning)
- Strength (operations – resistance and recoverability)
- Assessment, validation and review (performance measurement)
There are two areas of immediate interest. The first is the interestingly titled ‘Bring coherence’, in which the document lists some twenty operational disciplines that support resilience. It then sets out a general basis for integration, information sharing, and collaboration. This seems a fundamental positive step and suggests that resilience has wider boundaries, interests and relationships than BCM currently enjoys. It also hints at the role of a resilience manager spanning many organizational silos, as both business continuity and residual risk specialist.
The second ‘Strengthen the organization’ seems to lie at the heart of what must be done to make us resilient and should place us in a position to prevent, withstand and recover from pretty much all disruptive events, major and minor. The section is generalised, offering only lines of activity such as prevention, protection, preparation, recovery planning and human behaviour. However, the full scope of the resilience remit becomes clearer when one combines the multi-disciplinary coherence aspect with the extensive realm of proactivity implied in the strengthen section.
Applying BS 65000’s definitions, I can see resilience as a measurable, valuable commodity, perhaps a discipline, but I still find it difficult to disentangle it fully from risk, other than as a convenience.
Becoming resilient should not differ significantly from the adoption of any new organizational ethos, discipline or management system, other than to-be-expected subject-matter variation. Here are some broad-brush steps I would expect to take:
1. Get top-level backing. Market the resilience concept internally by stimulating interest and understanding. Broach the topic with senior figures and influencers and set out clearly, briefly and memorably why and when it will benefit the organization. Provide clear evidence, backing up your pitch with financials. Secure an influential sponsor to champion the cause and build/nurture (potentially many) necessary relationships.
2. Write the business case. Once you have conceptual acceptance, establish clear quantified terms of reference to maximise your chances of success. These include setting scope and objectives, highlighting principles, assumptions, constraints and risks that affect the programme, outlining what will be delivered, to what level and by when in the short and long term (a programme plan), a summary of the methods to be applied, the resources required, the costs involved and the financial and other benefits the organization will enjoy. Get it reviewed and accepted, ideally at the highest level.
3. Develop an approach. If converting from BCM or evolving a new resilience function, you need to deliver the concepts you have proposed. This means completing the activities and building the necessary management and operational machinery. It includes:
- Draft and gain sign-off on a mandate that gives you authority to proceed
- Agree a resilience target or appetite, including maturation over time
- Define roles, processes and procedures that deliver the resilience system
- Identify resilience owners and engage, communicate and train them
- Resource the programme with people, tools, expertise and funding
- Build measurement and reporting systems.
4. Create a Framework. Create an auditable document that sets out how resilience will be managed, implemented and sustained across the organization (scope), including the approach summarised above. Make it answer the question “how will we ensure and communicate success?” A possible approach is to embed resilience within a proven framework and use this to provide the wrap-around management system that defines the programme.
5. Roll-out. Measure resilience and use the resulting map to focus and drive activity. Use it to represent the risk requirement, current resilience and appetite. Cover the ground in different ways, for example:
- Schedule periodic reviews, area-by-area
- Monitor the risk register for positive or negative divergence against risk appetite, including change when it occurs. Overlay the map with the resilience target and identify areas where the gap is greatest and prioritise these for attention
- Monitor risk and resilience trends, including technologies, environments and behaviours, providing recommendations to business.
6. Repeat and improve.
Interestingly, and depending on remit, these may all be present within risk. If so, they potentially only require changes to existing policy, scope, framework, roles and procedures.
I mentioned earlier that BS 65000 offers a basic maturity model as a means of assessing the resilience of an organization. It provides 24 questions under six of the sub-section headings mentioned earlier in this paper, and these address resilience at the management system level. For example, it asks: “are we satisfied that our approach to resilience is coherent and is embedded within the organizational vision”. It’s a great question… provided you know how to answer it.
Undoubtedly, these headings represent creditable attributes, but they need to be quantified so the organization can associate value with them. My approach to this is summarised as follows:
- Extend the risk register to allow resilience to be included
- Quantify cost and contribution, allowing return on investment to be estimated
- Associate register entries with assets allowing their resilience to be measured
- Define performance indicators for resilience attributes.
The benefits of this kind of approach are that the resilience function becomes more directly accountable for its achievements and better able to say “…resilience for plant A increased by 17% as a result of x, y and z. Its ROI is between 5 and 10%. Recovery capability for London office is 97%”.
The key findings in this paper are set out below:
- We need a definition to position resilience within the organization. This could be “…maximizing ROI in risk and continuity over and above our governance obligations”. How would the CEO respond?
- We need a resilience appetite if we are going to manage it effectively. Resilience is defined here as an added-value discipline – almost along the lines of a commercial USP (unique sales proposition). But how far do we go? We potentially have a basis for setting resilience targets, based on achieving a minimum ROI and attainment levels for other indicators.
- If we have a target, we need a resilience measurement and management toolset that allows us to detect, understand and record inherent and planned resilience, tangibles and intangibles, so we can then map, report and improve our capability.
- Business continuity has adopted resilience as its preferred way forward, possibly determining its position. However, I believe there is a strong overlap with risk management that will resolve differently in different organizations, depending on terms of reference.
- ISO 22301 seems to offer an appropriate management system framework and migration ought to be convenient if you can’t wait for the resilience ISO. Notably, the BCM standard already incorporates aspects of resilience, requiring plans to include both tolerance (maximum acceptable outage) and resilience safety margin (recovery time objective).
For me, the need for resilience is best expressed via the Rolls-Royce analogy I offered earlier. It shows there are at times opportunities to benefit from risk-reducing measures for the sole reason of demonstrating excellence. The question remains, in your organization is there enough valued opportunity available to allow resilience to stand alone, to the extent where it justifies separate definition and resourcing? This alone may be a good reason for pairing it with BCM, ensuring it can maintain objective critical focus that might be otherwise lost within risk as a whole.