In today’s unpredictable world business resilience and ability to respond to external forces is tested multiple times in a variety of ways; whether through necessary transformational change, the need to weather tough market conditions, the cyber threat landscape, or actual physical attack; so your board will undoubtedly have devised disaster recovery plans to predict and counter these possibilities.
Business resilience goes beyond traditional risk management and re-frames the practice of resilience in new ways. It’s not just about ensuring that you can survive an unforeseen event or the loss of a critical system; it’s about ensuring that your organisation has the pre-emptive capability to respond to change and seize upon opportunities presented to it.
The best definition I have found comes from the British Standard on Organisational Resilience (BS 65000) which defines resilience as: “The ability of an organisation to anticipate, prepare for, respond and adapt to incremental change and sudden disruption in order to survive and prosper”
Survive and Thrive
There are two critical words in this definition; not only ‘surviving’, but ‘thriving’. This definition is crucial as it builds on best practice in business continuity, information security and risk management. Individually each is worthy of investment; but they are often seen as necessary evils or drains on resources in ensuring that risks are managed and compliance objectives are met.
While this is of great importance to avoid unforeseen disasters or security breaches, organisations can go further to ensure that resilience is established in ways that allow them to realise real business value. This may mean gaining competitive advantage in a market place increasingly focussed on cyber security measures, the ability to respond to sudden trends in an evolving market, or being able to continue servicing clients while competitors struggle with a volatile supply chain.
Three Key Functions
The best practice standard outlines three key functions which should be focussed on as you set out on your resilience journey.
Operational and Customer Resilience – This function ensures that all critical business processes are defined, to ensure they are robust and free from single points of failure. This is often best put into the context of the customer and the services they deem critical. Will these services survive the loss of a key system or site? Rehearsal of continuity processes is central to ensuring a disaster can be endured and customer service maintained to safeguard your reputation.
Supply Chain and Partner Resilience – It is essential that resilience goes beyond your own boundaries and extends to the whole supply chain as well as your critical partners. Disruption to a key third party could leave your customers negatively impacted and put a sudden stop to your operations. This means ensuring that due diligence is effective and your supply chain can accommodate the flexibility required to service a big order or a new tender. Furthermore, the resilient organisation needs to ensure their suppliers can safeguard critical information.
Information and Cyber Resilience – We live in a digital world with an ever increasing cyber threat; data protection legislation mandates that organisations safeguard personal information or face costly repercussions. Those that can demonstrate effective information resilience, continuity and security give themselves a competitive edge in their market.
While certifications are not an essential element of a resilience programme, drawing from best practice standards like ISO 27001 (Information Security), ISO 22301 (Business Continuity) and ISO 9001 (Quality Management) provides an effective structure to identify risks and opportunities while establishing robust governance and continuous improvement processes.
Four Essential Elements
Every effective resilience programme considers the following:
Leadership – Maintaining a clear vision, safeguarding reputational risks and managing finances and resources is vital in maintaining competitive advantage.
People – Developing a resilience culture supported by training and engagement with all stakeholders; never forgetting the customers’ point of view.
Process – Focussed on the three key functions, this involves supply chain due diligence, information management, business continuity and process mapping.
Technology - Ensuring that we consider the evolving horizon, pursuing innovation and building in capacity to adapt to unknowns and ensure cyber resilience.
It’s about the journey not the destination
It’s important to remember that this is a continuing journey, so we must favour a culture of resilience over a temporary project or initiative. Starting the process is about forming a team that are committed to the long term voyage.
With the team in place we believe that you first must know where you are to work out where you are going. The BSI resilience benchmarking tool is a great first step in identifying existing areas of strength and weakness. Armed with this knowledge, resources can then be targeted on areas of the greatest value. Some changes lie ahead, but embrace them rather than being afraid of them.
“Change is the essential process of all existence” (Spock, Season 3: Episode 15)