IT Disaster Recovery (ITDR) is about 40 years old and its younger sibling Business Continuity (BC) has passed the 30-year mark. The premise for ITDR was that we needed to be capable of dealing with the consequence of a specific computer related disruption. Business Continuity extended that reach to cover all critical functions and processes. Enterprise Risk Management (ERM) later added a holistic framework that covered all risks. With all of these established disciplines largely embedded in our companies, why then are we still so worried about Enterprise Resilience?
Perhaps the most obvious comment about this point is that emergencies, disasters, crises and catastrophes continue to happen despite the extensive control measures we have adopted. Does that mean that ITDR, BC and ERM have failed? Not at all; but they have only mitigated rather than eliminated the problems associated with disruptive risk. We have learned how to better deal with unexpected situations but we have also seen an escalation of the range of risks we face. Initially, most new threats were terrorist attacks on people and property but more recently the main issues are related to vulnerability across the whole gamut of cyber activities. The 24 hours global news networks and the instant impact from use and misuse of social media platforms have added to the tension, fears and perception of danger.
Over recent years the term “Resilience” has become increasingly popular, although often ill-defined. Operational Resilience and Organizational Resilience have both been used by some professionals to try and establish an over-arching discipline which encompasses risk, security and continuity at its core. However, some writers have challenged the value of this approach by asking “how can you claim to be resilient if you can’t even guarantee continuity”? Rather than merging other disciplines, they have tried to improve the value of BC by simplification of the traditional life-cycle and speeding up the entire process. Indirectly, this has given rise to another trend which many organizations have adopted which is simply to rename BC as Resilience.
I find that this attempt to just rebadge BC is very unhelpful. Traditional BC has clear objectives which can be measured, whereas resilience is an aspiration. We need to see resilience as a journey not a destination. Clearly, we cannot be resilient if we don’t know our risks, can’t protect ourselves through adequate security or are unable to respond to a disruptive incident. It is also obvious that the measures our various professional practitioners implement within an enterprise help make us more resilient. But (and there is a large but) – these techniques can only take us part of the way. Early pioneers of BC envisaged the growth of a wider discipline in which plans formed only part of the cultural changes needed for organizations to be better protected. However, in order for BC to achieve any real corporate buy-in it had to restricted to a set of measurable standards and packaged accordingly. Compliance had taken over from innovation. I believe the drive towards what we are now calling Enterprise Resilience is resuming that interrupted journey. It should not be closed down again by simply renaming what we already do.
The possibility of success in fully establishing a wider discipline is better now than previously. Firstly, technology has moved on and much of what was originally ITDR is now covered automatically by the way systems and services are designed to be resilient and accomplish virtual 100% availability. Secondly, individuals are realizing that they need to take responsibility for the continuity of their part of the enterprise. It is no longer just the DR or BC Manager’s job – it is in everyone’s interest to know what to do if something goes wrong. Finally, senior management seem to be getting the message at last – they understand that risks cannot be fully eliminated and new issues will constantly emerge. Static business continuity plans have value in terms of the thought process behind them and the solutions implemented but have less value as documentation to follow in a crisis situation. Most potentially existential crises that affect an enterprise are strategic in nature and must be handled at the highest level. They often require decisions based upon business priorities and corporate issues that are only fully appreciated by those operating at the C-Suite level. These might well vary based upon the prevailing business and political circumstances and are not necessarily as your largely operational BIA might suggest.
In fact, what makes an enterprise resilient is not so different from what makes an individual resilient – the ability to absorb change, the inner strength to deal with adversity and a clear understanding of what is really important.
I often suggest to executives concerned about their ability to deal with a serious business incident that they should work through a scenario that hits at the heart of their business values. Try extracting these values from corporate value and mission statements, see what is claimed in the annual report, find out how employees, clients and vendors really view you. At the time of BP’s Deepwater Horizon disaster, I asked executives in all sorts of industries what could happen to them that was equivalent in severity to that situation. That challenge led to different sorts of exercise programs being implemented. The final de-brief not only asked the normal questions about how the plan had worked but also looked at whether we had damaged or enhanced our reputation in the process. In other words, did we as an organization behalf how we were expected to behave?
A truly resilient organization knows what is really important to its credibility and that often might not be measurable in direct financial terms. It knows how to manage all its stakeholders in good times and bad. It always shows strong leadership, communication and consistency. ITDR, BC and ERM provide the essential tools but the quality of management under the pressure of a crisis is ultimately what makes the difference between success and failure.Recommended2 recommendationsPublished in