Is resilience really the next big step forward for the business continuity profession? Betty A. Kildow, FBCI, CBCP, attempts to separate the hype from the reality when it comes to this controversial subject.
There are great time demands on business continuity professionals who are developing and managing programs, often to the extent that we seldom have time to stop and consider the bigger picture of where our profession stands, where we are going, and the relevancy of new developments and trends. A case in point is the increasing interest in resilience and its relationship to business continuity management programs.
This article is a combination of facts, opinions, and musings on the condition of BCM and also resilience, written from one person's perspective with the hope that it will initiate thought, reflection, and discussion of these two related topics.
Things change, and generally speaking, that is a good thing. Quoting Bertrand Russell, "In all affairs it's a healthy thing now and then to hang a question mark on the things you have long taken for granted." W. Edwards Deming made an even stronger call for change, "It is not necessary to change. Survival is not mandatory." Over the thirty-year history of business continuity (previously business recovery) we have seen significant changes and improvements as our profession has evolved, as we have risen to the challenges of increased requirements and a growing list of risks and threats.
Think of your business continuity program and how it is changing. Ask yourself:
- Is your organization's business continuity program continually improving, maintaining the status quo, or falling behind?
- Has there been measurable progress and improvement within the past year?
- Has consideration been given to new approaches to business continuity planning, new strategies, new tools?
Yet, blindly following a trend or adopting the latest big thing may not serve your organization well. John Luke, Jr. tells us, "Change simply for the sake of change is an abdication of leadership." It is up to us to sort out the wheat from the chaff.
All the while, one thing remains the same. The success of each organization ultimately depends on end customer satisfaction. Maintaining that satisfaction requires establishing and maintaining the capability to recognize, mitigate, prepare for, manage, and recover from disruptions through an integrated enterprise-wide business continuity program.
And what of the new terms that have continued to come down the pike such as sustainability, enterprise risk management and, more recently gaining interest, resilience? The words resilience and resilient are increasingly found in articles and presentations, as well as in the marketing for business continuity related products and services.
What is resilience? Do we know? Is it another buzzword? Is it a term du jour that we opt to latch onto? Is it just a marketing phrase? Or is it the next big thing? Is your resilience the same as my resilience? Does your organization's definition of resilience align with resilience expectations of customers and other interested parties?
We can't see into the future and, today, the boundaries of resilience are not clearly defined. It is not yet seen as a discipline, and seems to lack the necessary agreement among practitioners to recognize it as such.
If we explore its meaning, we find that we have a multitude of choices from a vast array of sources. Dictionary definitions include:
re·sil·ience - noun: the ability to become strong, healthy, or successful again after something bad happens; or ...speedy recovery from problems: the ability to recover quickly from setbacks; elasticity: the ability of matter to spring back quickly into shape after being bent, stretched, or deformed.
To quote the World Economic Forum's Global Risks Report (2011), resilience is "...the ability of a global supply chain to reorganize and deliver its core function continually, despite the impact of external and or internal shocks to the system."
"Resilience as a concept seems to have a strong relationship with the notion of stability - a resilient organism or organization is one that remains stable (or close to stable) in the face of perturbations or is able to return to the equilibrium point quickly after a perturbation impacts upon it.” Denis Smith and Moira Fischbacher (The changing nature of risk and risk management the challenge of borders, uncertainty and resilience).
Or is resilience perhaps a new skill we must master? "Whatever the source of a risk or disruption, what matters is how we deal with them. When surprises are the new normal, resilience is the new skill." Rosabeth Moss Kanter (Harvard Business Review, July 17, 2013).
Our professional organizations are suggesting that resilience may serve us well. "It is recognised by many in the wider resilience community that both the individuals within it, and the professional bodies representing them, will need to grow their relevant skills and develop closer links with the other related disciplines. The resilience challenge for the BC profession, is aimed at both promoting the changes needed to move the profession forward and challenging us as practitioners to develop and enhance the additional skills required to meet to achieve the resilient future." Bill Crichton, Membership director of the Business Continuity Institute and Chair of the 20/20 UK Group.
I believe that true resilience is not achieved by temporarily focusing on only the latest and greatest thing to appear on the horizon whether that be big data, supply chain risk, conflict minerals, the use of metrics, or today's hottest topic, cybersecurity. Rather, it is considering the latest trends and findings, considering their impact on and relevance to your organization, and thoughtfully and appropriately incorporating them into your business continuity program to the benefit of the organization and its stakeholders.
So, some questions as we think about resilience:
- Is resilience enough in today's business environment?
- Has resilience become another accepted term of choice to describe the processes around risk management and business continuity?
- Is it a goal, or a discipline, or a practice?
- Is it becoming a catch-all without well-defined boundaries?
- Is it possible that resilience might dissolve the lines and silos that prevent a true enterprise-wide approach to risk management?
- Do we need a new definition for resilience?
- Do we need resilience at all?
- Does the current interest in resilience mean that BCM, like the dodo bird, is heading toward extinction?
What, then, is the relationship between business continuity and resilience? We may ask, is business continuity management a prerequisite for resilience? One way to answer this question is to ask three questions. Is a resilient organization:
- Capable of functioning at the highest levels in all aspects of its operation and continuing to meet its goals come what may?
- One whose operations and employees are flexible and prepared to manage disruptions?
- Able to achieve its mission in spite of any type of disruption or large or small disaster?
If the response to any of these questions is yes, having a comprehensive business continuity program would seem to be a prerequisite for any organization seeking the right to identify itself as resilient.
Conversely, we may also ask, is resilience a requisite for improving business continuity capability? Consider four questions. Does a world-class business continuity program:
- Proactively manage new risks and threats?
- Include all areas of the enterprise and coordinate with related programs?
- Remain open to consideration of new approaches, strategies, and technology?
- Always consider the best current and future interests of the organization?
If the response to any of these questions is yes, resilience would seem to be a prerequisite for continual improvement of a business continuity program.
What we may find is that the goal is actually an integration of the two. If that is the case, I believe we can likely agree on some basic principles and requirements, none of which is new to BCM:
- It is no longer only about unplanned or catastrophic events;
- Must be a living process;
- Must be an enterprise-wide system that includes all business units and external stakeholders;
- Must allow rapid adjustment to organizational changes;
- Must be a collaborative effort;
- Must be orchestrated across multiple levels of the organization;
- Must be open to doing things other than the 'way we have always done them.'
If we opt to move toward resilience, we must begin with three all-important basic steps. First, reach agreement that resilience is a desired and achievable goal. Then, determine how the organization will define resilience. These initial steps are symbiotic. You may first determine that resilience is a goal, then define resilience for the organization, then, based on the agreed-upon definition, reaffirm that resilience is still the desired goal. Alternatively, defining resilience may be your first step.
Once that is done, the third critical step is to ensure that the selected definition of resilience is understood and applied uniformly throughout the organization.
Following are six steps that lead to resilience. If, as you read the details of these steps, you find yourself thinking that there isn't much here that is earthshattering or new, you are correct. The steps are not momentous; they are the reapplication of business continuity best practices. Like continuity, resilience requires a coordinated, preemptive, and innovative business-based approach.
1. Proactively identify and manage all risks
- Conduct regular risk reviews; include external as well as internal risks.
- Don't forget the ‘outliers’ - cybersecurity, regulations, reshoring. Do not assume that these risks are someone else's problem - or yours.
- Monitor the needs of customers and other stakeholders to ensure meeting their needs and requirements in a timely way - regardless.
- Work closely with all business units to incorporate business continuity in their operations. For example, work with Procurement to develop a process to consider continuity capability when selecting new suppliers and during the contract renewal negotiations with existing suppliers.
- Address risk as an integral part of process redesign and new product and service development. Identify and mitigate risks well before a new product or service is introduced or a new process is implemented.
- Don't rely only on hindcasting to identify risks. In addition to looking at past events, look at new risks. "It's because they watch the numbers from the past instead of feeling the air and the energy around them. When there are signals from the outside world saying 'Pay attention - the wind is changing!' we shut the window and tune the signals out." Liz Ryan, CEO and Founder, Human Workplace (What a Lie!: Numbers are the Language of Business, blog 2/2015).
2. Make continuity / resilience part of strategic planning
- Include business continuity as an agenda item for every strategic planning meeting.
- Consider continuity / resilience implications in decisions at all levels.
- Incorporate continuity / resilience requirements in the change management process.
- Include risk management in new product and service development - not as an afterthought.
- Continue to seek a seat at the C-Suite table.
3. Have comprehensive plans - and permission to go off-book
- Develop appropriately detailed, workable plans. Include guides, checklists; detailed procedures only where needed.
- Establish criteria for going around or beyond written plans. Think in terms of basic processes. Establish built-in capacity to reorganize processes and procedures when necessary to allow faster action. Every disruption and disaster is different; train and empower people to use their good judgment to make decisions based on the specific situation.
4. Consider the value of a standard that addresses continuity and risk
- For example, ISO 22301: Societal security - Business continuity management systems - Requirements (May 2012) was developed to help organizations minimize the risk of significant operational disruptions and is steadily gaining favor as the world's first international standard for business continuity management.
- More businesses (52 percent, up from 2014's 44 percent) use ISO 22301 as a framework, with an additional 17 percent reporting a shift to ISO 22301 this year. This data suggests the growing maturity of the standard. (Business Continuity Institute Horizon Scan)
- Caveat - Even when using a standard, continue to view BCM as strategic and essential to the organization's welfare, not simply a compliance/check-the-box requirement to gain certification.
5. Build a program not just to continue but to advance and improve - even when disaster strikes
- Give consideration not just to recovery from disruptions, but proactive, structured and integrated exploration of capabilities during and following the disruption.
- Build in change readiness and forward thinking. Plan to adapt to changing circumstances which may have damaging effects on the ability to survive even after the crisis has passed.
- Avoid complacency; continually search for improvements. Apply innovation rather than 'the way we have always done this.'
- Include procedures to fully capture AND act on lessons learned from exercises, tests, and actual events and the experiences of other organizations.
6. Create a culture that promotes resilience
- Address and develop human resiliency.
- Delegate authority to make decisions when disasters occur.
- Establish internal and external working groups and other ways to exchange information, trends, red flag warnings.
- Be truly open to considering new ideas, new approaches from others including those not assigned ongoing business continuity responsibilities.
- Establish a shared true north to be certain everyone is on the same page about where we are going and the best course to get there. The result is a unity of purpose and a shared ongoing commitment.
- Apply the organization's true north:
  - Pre-Disaster - proactive mitigation built into each planning process
  - During - coordinated capability to learn and to adjust during the event
  - After - application of lessons learned to make improvements and strengthen resiliency.
- Get risk, continuity, disaster recovery and related business units speaking the same language:
  - Coordinate selecting the most appropriate risk mitigation technique for each risk that crosses business unit lines. Establish well-defined responsibility. Define and clarify ownership and scope, boundaries and interdependencies, and areas of responsibility.
  - Communicate - talk with each other.
As with any initiative or program there are five important steps to developing an enhanced business continuity program and/or organizational resilience:
- Understand where you are today
- Determine where the organization needs to go
- Develop a plan for getting there
- Get the right people involved
- Adapt, be resilient while building resilience - there will be changes, challenges and setbacks along the way.
Business continuity is not broken, becoming extinct, or falling by the wayside. It is simply continuing to evolve, grow, and improve. Things change, and our profession, like any species, must continue to learn, adapt, and adjust in order to survive and become more robust. The goal must be to continue to evolve and morph and perhaps, at some point in the future, even be absorbed by a more all-encompassing, universally recognized and accepted approach to managing all threats to the health and well-being of our organizations.
I believe that we need to continue to be creative, thoughtful, and open to considering new approaches. Keep in mind what business continuity was at its inception and what it is today. While it is not prudent to react to and act on each new idea that comes along, to continue to better meet the needs of a rapidly changing world and global business environment, exploration of new and perhaps contrary suggestions is essential. Heed the warning of American humorist and writer Will Rogers, "Even if you're on the right track, you'll get run over if you just sit there."
Resilience will not be the last next big thing. Be ready to consider whatever may come along next and what role it may play in your BCM program. For me, a more immediate consideration is whether to change my title to Business Continuity Management & Resilience Consultant, Trainer, Speaker, Author.