We all are on the Road to Resiliency, but do we know where we are?

Abstract:
Organizational Risk Management has evolved from pockets of action that secure, prevent, protect, and recover from business interruptions. Today, technology and good business attitudes are combined to go beyond responding to specific events to being flexible in the face of unexpected events and new challenges.  A word used lately to describe that evolution is Resiliency.  The word implies protective properties of physical entities, like properties that enable buildings or trees to bend to the wind instead of falling or breaking. However, what is resiliency when applied to an entity like a corporation? What makes an organization Resilient and how can executives conceptualize Resiliency to better organize risk management?

On the Road to Resiliency.
An organization that has basic strategies in place to address continuity of operations has embarked on the road to resiliency.  Organizations may find themselves on this road as a natural extension of performing common-sense activities to protect specific things (like mission-critical data) or as part of a cohesive program to ensure they are prepared to minimize and overcome potential business interruptions and to protect assets, including personnel.  In either case, how does management know where the company is on that road and where it needs to be?

Definition
Being Resilient has several meanings.  While resiliency is now a popular term (Resiliency in the Gulf, Psychological Resiliency, Ecosystems Resiliency, etc.), there are several definitions of business resiliency:

  • “The ability to bounce back”;
  • “Organizations structured with multilevel capabilities to rapidly adapt themselves in response to unexpected events from natural or man-made events”;
  • “The ability of an organization’s business operations to rapidly adapt and respond to internal or external dynamic changes – opportunities, demands, disruptions or threats – and continue operations with limited impact to the business.” (Continuity Central, April 2004.)
  • And many others;

Several models have been laid out to understand business resiliency: IBM’s Resiliency Layers, Eagle Rock’s Enterprise Resiliency Blueprint, Carnegie Mellon’s Resiliency Engineering Framework, ASIS Int’l Organizational Resiliency Standard, and others. These models overlap in that they all talk about managing risks, emergency preparedness, disaster prevention and mitigation, and planning and training to manage events that cannot be prevented. One model may be more suited to your organization than another model based on industry, size, and Risk Management practices in place. In all cases, however, being resilient is the result of:

  1. Meeting stakeholder requirements for continuity of operations
  2. Managing by prevention and recovery planning, and
  3. Measuring progress by the cost of risk (the lower the risk, the more resilient your organization is)

What does this mean?

Meeting stakeholder requirements for continuity of operations. As a business entity, everything has a purpose.  By meeting stakeholder requirements, one is meeting business objectives, including profitability.  After all, if the organization is not profitable, it cannot function as a business entity, at least not for too long.  If the company does not maintain a sound reputation, clients are not going to continue doing business. Stakeholders include clients, employees, investors, and suppliers. Each group has an inherent set of requirements that the organization is bound to fulfill in order to be successful.

Managing by prevention and planning. It is a question of having the correct mind-set.  It is working from a particular point of view.  It is using prevention and/or mitigation planning activities that reduce the likelihood and impact of a disruption that could significantly affect the organization's personnel, customers, and stakeholders.  Managing by prevention and planning is an approach focused on mitigating the effects of disruptions to the business, achieved through an established framework that includes guidelines for implementation and procedures to follow when a business interruption occurs. Prevention reduces the probability of a bad event occurring, while recovery planning reduces the impact. These processes reduce risk, and a resilient organization is one that can adapt quickly to protect itself from unexpected events and move efficiently to recover from unavoidable events.

Measuring progress by the cost of risk. Every process in the organization has a potential loss consequence and that loss is the cost of risk. This risk will be realized upon a business interruption.  You add to this cost the combined cost of preventive activities, insurance premiums, disaster readiness activities, and loss expectancies. By doing so, you are lowering your initial cost of risk.  The assumption is that by investing in mitigating activities you are lowering the total cost of risk.  The initial risk has been reduced. In aggregate, the lower the total cost of risk, the more resilient the corporation is.

Resilient Structure
In the context of this vision of resiliency, it is worth understanding how resiliency is viewed within a corporation, as resiliency cuts across many organizational, business, and technology functional areas:

  1. Strategy
  2. Governance
  3. Organization
  4. Supply Chain / Service Relationships
  5. Process
  6. Information (Application & Data)
  7. Technology
  8. Facilities & Infrastructure

At the end of the day, either your company is resilient or it is not. If it is, strategies are devised to maintain its capabilities. If it is not, strategies need to be developed to bring your company there.

Contrary to initial thinking, this road to resiliency was never designed as a straight-line road.  The process started a while back with the idea that having a Disaster Recovery plan in place was all that was needed; today the reality is different.  Growth, mergers, competition, supply chain demands, security threats, natural threats, compliance, exposures, etc., have created a sense of urgency for your organization and thus, your environment.  Different structures and frameworks are required to address the needs of the organization. You are on the Road to Resiliency, but where?

About the Expert
L. Argee Mahecha is the BCM Practice Director at Eagle Rock Alliance. His focus is Operational Risk, Business Continuity Management, and Corporate Resiliency Programs.  His practice is centered on establishing and enhancing multi-layer Resiliency Programs at major corporations including work required to integrate mitigation, recovery, and continuity services, using assessment tools and roadmaps to achieve maturity.  He can be reached at lamahecha@eaglerockalliance.com or at (973) 325-9900.