We all are on the Road to Resiliency, but do we know where we are?
By L. Argee Mahecha
Organizational Risk Management has evolved from pockets of action that secure, prevent, protect, and recover from business interruptions. Today, technology and good business attitudes are combined to go beyond responding to specific events to being flexible in the face of unexpected events and new challenges. A word used lately to describe that evolution is Resiliency. The word implies protective properties of physical entities, like properties that enable buildings or trees to bend to the wind instead of falling or breaking. However, what is resiliency when applied to an entity like a corporation? What makes an organization Resilient and how can executives conceptualize Resiliency to better organize risk management?
On the Road to Resiliency.
An organization that has basic strategies in place to address continuity of operations has embarked on the road to resiliency. Organizations may find themselves on this road as a natural extension of performing common sense activities to protect specific things (like mission-critical data) or as part of a cohesive program to ensure they are prepared to minimize and overcome potential business interruptions and to protect assets, including personnel. In either case, how does management know where the company is on that road and where it needs to be?
Being Resilient has several meanings. While resiliency is now a popular term (Resiliency in the Gulf, Psychological Resiliency, Ecosystems Resiliency, etc.) there are several definitions of business resiliency:
- “The ability to bounce back”;
- “Organizations structured with multilevel capabilities to rapidly adapt themselves in response to unexpected events from natural or man-made events”;
- “The ability of an organization’s business operations to rapidly adapt and respond to internal or external dynamic changes – opportunities, demands, disruptions or threats – and continue operations with limited impact to the business.” (Continuity Central, April 2004.)
- And many others;
Several models have been laid out to understand business resiliency: IBM’s Resiliency Layers, Eagle Rock’s Enterprise Resiliency Blueprint, Carnegie Mellon’s Resiliency Engineering Framework, ASIS Int’l Organizational Resiliency Standard, and others. These models overlap in that they all talk about managing risks, emergency preparedness, disaster prevention and mitigation, and planning and training to manage events that cannot be prevented. One model may be more suited to your organization than another model based on industry, size, and Risk Management practices in place. In all cases, however, being resilient is the result of:
- Meeting stakeholder requirements for continuity of operations
- Managing by prevention and recovery planning, and
- Measuring progress by the cost of risk (the lower the risk the more resilient your organization is)
What does this mean?
Meeting stakeholder requirements for continuity of operations. As a business entity, everything has a purpose. By meeting stakeholder requirements, one is meeting business objectives, including profitability. After all, if the organization is not profitable, it cannot function as a business entity, at least not for too long. If the company does not maintain a sound reputation, clients are not going to continue doing business. Stakeholders include clients, employees, investors, and suppliers. Each group has an inherent set of requirements that the organization is bound to fulfill in order to be successful.
Managing by prevention and planning. It is a question of having the correct mind-set. It is working from a particular point of view. It is using prevention and/or mitigation planning activities that reduce the likelihood and impact of a disruption that could significantly affect the organization's personnel, customers, and stakeholders. Managing by prevention and planning is an approach focused on mitigating the effects of disruptions to the business, achieved through an established framework that includes guidelines for implementation and procedures to follow when a business interruption occurs. Prevention reduces the probability of a bad event occurring, while recovery planning reduces the impact. These processes reduce risk, and a resilient organization is one that can adapt quickly to protect itself from unexpected events and move efficiently to recover from unavoidable events.
Measure progress by the cost of risk. Every process in the organization has a potential loss consequence, and that loss is the cost of risk. This risk will be realized upon a business interruption. To this initial cost of risk you add the combined cost of preventive activities, insurance premiums, disaster readiness activities, and the remaining loss expectancies; the sum is the total cost of risk. The assumption is that by investing in mitigating activities you lower the loss expectancies by more than the mitigation costs, so the total cost of risk ends up below the initial cost of risk: the initial risk has been reduced. In aggregate, the lower the total cost of risk, the more resilient the corporation is.
In the context of this vision of resiliency, it is worth understanding how resiliency is viewed within a corporation, as resiliency cuts across many organizational, business, and technology functional areas:
- Supply Chain/ Service Relationships
- Information (Application & Data)
- Facilities & Infrastructure
To address these exposures, different frameworks are established to bring a corporation to a level where the main objective is the maintenance of the status quo and the expansion of existing programs to address new situations and/or a growing environment.
Strategy. Everything begins with strategy. The business strategy is your roadmap to achieve business objectives; accordingly, a resiliency strategy needs to be designed to be in harmony with the business strategy. One achieves a level of being resilient once reactions (during an event) are planned, calculated and pragmatic instead of impulsive, “knee jerk” reactions. To use a roadmap analogy, you have arrived at the city of your destination, but not necessarily at the building you are looking for. The road to Resiliency is not a destination but a path that aims to get you there.
Governance. Once the strategy is defined, management support is essential for program success. The governance framework is a structure with representation from all areas of the business. This framework should be such that all business units and lines of business have a voice. Equally fundamental is the adoption or definition of a program management policy that uses a recognized standard, any other relevant standards, and supporting guidelines as its foundation. What is important here is the use of a structured framework so that all work will use the same structure and have the same reference point. The framework should address at this stage how to report progress during its development. While detailed metrics may be used, the management reporting approach should translate those metrics into value statements, which is the language senior management understands best. The governance framework should be in harmony with the strategy.
Organization. Organization plays a significant role in resiliency endeavors. Roles, responsibilities and accountabilities, as well as strong executive sponsorship, provide a fundamental basis for the development of the organization. An organizational structure (those that manage – those that do things) is required to provide a fundamental and transparent message to the company. Communications are equally important, as they provide guidance to all participants and stakeholders and build the required awareness up and down the management chain and with internal and external stakeholders. Management reporting also plays a pivotal role, as the need is to report on the value and benefits of the program. Companies successful in tying accountability and responsibilities into job descriptions are one step further down the road to embedding resiliency into the “fabric of the organization.”
Supply Chain – Why single out supply chain? – Why is it so critical? With concepts such as (1) just-in-time inventories, (2) the idea of minimizing your investments to address the movement and storage of raw materials, (3) work-in-process inventories and (4) finished goods, Supply Chain also encompasses the planning and management of all activities involved in sourcing, procurement, manufacturing, conversion, and logistics management. Supply Chain also addresses coordination and collaboration with channel partners, which can be suppliers, intermediaries, third-party service providers, and customers. How to minimize the risk to the supply chain is of paramount importance to most corporations. A resilient Supply Chain will guard against a major supply disruption that could potentially delay orders and result in loss of customers. In Supply Chain it all starts with an impact analysis similar to a BIA (Business Impact Analysis), and the most important outcome of this analysis is an understanding of the interdependencies among supply chain elements. This is needed to adequately identify strategies for mitigating supply chain disruptions.
Process. This effort addresses the identification of those processes that are most critical for the organization, along with the identification of the minimum required functionality (processes, staff resources, key resources, and requirements) that will allow the company to continue operations during a business interruption. A Business Impact Analysis (BIA) is typically used to map the business processes to applications and then the applications to the technology infrastructure and facilities. This ensures that all physical requirements are identified, as well as all systems, networks, and data storage. This effort also identifies upstream and downstream dependencies so that data synchronization requirements can be determined. Identifying dependencies ensures that the correct availability techniques are applied to all critical processes and systems, not just applications. Business unit dependencies will highlight the recovery order not only of individual processes but of end-to-end processes as well; for example, an “order-to-cash” process.
Information. Information aligned with business processes is generated by a combination of applications and data stores. Information is also distributed to multiple parties inside and outside the organization. The goal here is to ensure that information is managed so that the business is protected. Data back-ups need to be considered, as well as the ability to recover and access one file or the entire data repository. Time is also a key factor here, as not all data is required at the same time. Email is a key consideration not only as a communication tool but also as a transport for different files.
Technology. Technology priorities are translated from defined business priorities. This is an area of major investments required for the sole purpose of allowing the corporation to meet its business objectives. As with any other investment, there is a need to align those investments with resiliency objectives. When planning for resiliency, all technology components should be considered (hardware, system software, middleware, networks, telecommunication networks, etc.). The key goal here is to ensure that the technology infrastructure is appropriately managed and has the right level of redundancy so that key business activities are protected and continuity of operations is maintained.
Facilities. All company facilities have features unique to their locations. To achieve resiliency objectives, facilities and security activities should ensure adequate power, heating, and cooling. Facilities also address strategies to allow for work area solutions as part of work area recovery strategies; ensuring that “work-at-home” strategies are robust, and that the corporation is able to meet the requirements for virtual workspace if needed. In many organizations, Facilities also address Health and Safety capabilities.
So what can we do?
If your organization is on the road to resiliency, do you know where you are on that road? How close are you to being resilient? Do you know how to get there?
Now is the time to stop, to take a measure, and determine where you are; to determine your goal; to understand how far you are from your goal and to set up mileposts to gauge your progress on a periodic basis.
At the end of the day, either your company is resilient or it is not. If it is, strategies are devised to maintain its capabilities. If it is not, strategies need to be developed to bring your company there.
Contrary to initial thinking, this road to resiliency was never designed as a straight-line road. The process started a while back with the idea that having a Disaster Recovery plan in place was all that was needed; today the reality is different. Growth, mergers, competition, supply chain demands, security threats, natural threats, compliance, exposures, etc., have created a sense of urgency for your organization and thus for your environment. Different structures and frameworks are required to address the needs of the organization. You are on the Road to Resiliency, but where?
About the Expert
L. Argee Mahecha is the BCM Practice Director at Eagle Rock Alliance. His focus is Operational Risk, Business Continuity Management, and Corporate Resiliency Programs. His practice is centered on establishing and enhancing multi-layer Resiliency Programs at major corporations including work required to integrate mitigation, recovery, and continuity services, using assessment tools and roadmaps to achieve maturity. He can be reached at firstname.lastname@example.org or at (973) 325-9900.