The Emperor’s New Clothes – A study of Organizational Resilience & BCM

By Scott Baldwin |2019-04-05T08:30:48+00:00February 17th, 2019|4 Comments

Although the term ‘Organizational Resilience’ (OR) has been around for decades, it’s only been the past few years that it really began to become popular within the Business Continuity Management (BCM) world. I was among the throngs of BCM professionals who’s imagination and interest was captured by this new idea. Many changed their identities and titles to reflect this new focus. Likewise, I felt compelled to do so, but I first needed to understand what exactly ‘Organizational Resilience’ was, and in particular, the ‘how’ of integrating BCM into OR. However, as I found out, this was easier said than done. In an excellent article on the subject, John Robinson describes this : 

“In 2014, the British Standards Institution (BSI) published BS 65000 ‘Guidance on Organizational Resilience’. In its wake, waves of business continuity managers have been transformed into resilience managers, … But have things really changed or did resilience just become fashionable?”

This triggered two questions in me: The first, “why did so many of us in BCM feel this pull to be a part of OR?”, and the second, “how do traditional BCM activities look different when integrated within an OR framework?”. Or, as John questioned (paraphrased), does BCM within OR even represent a material difference than BCM alone?

As someone who has spent the last 20 years in Silicon Valley working at some very iconic companies, the answer to the first question seemed apparent to me. While business processes and practices have undergone a complete and exponential change over the last 25 years, BCM has continued to grow at a relatively slow pace. Where there used to be the concept of ‘after hours’ or ‘end of the day’, we now have evolved into a ‘follow the sun’ model with continuous 24/7 business operations. The juxtaposition to that are traditional BCM practices, which are, in many ways, still focused on using 25-year-old methodologies.

I believe that within many of us there is, at some level, a concern that BCM (a profession that we all love and are passionate about) is becoming irrelevant. Additionally, the return on investment that BCM is designed to provide to the business is progressively shrinking – both in perception and, sadly in many regards, in reality. We are seeking something to transcend the current profession and bring it back to something that is of unquestioned value. Many practitioners have hope that Organizational Resilience is our “Moses”, guiding us out of the continuity wilderness of irrelevancy, and into the promised land.

Great! But, wait… um. What?

However, the answer to my second question, the one about “How BCM is performed differently within an Organizational Resilience framework” has proved to be more elusive.

When asking colleagues and other BCM professionals about BCM and OR (which includes reading standards, white-papers, manifestos and best practices guides), I have received really great descriptive responses. Words like ‘holistic’, ‘integrated’, ‘cultural DNA’, and ‘engagement’ were all very common, and I ate it up. I love this stuff and I’m ready to buy in. It’s only the next level, ‘the prescriptive’, or the ‘how’ of integrating BCM into OR framework – that I became flummoxed. Nowhere could I find clear, measurable instructions on how to perform BCM activities unique to being within an OR framework.

Last year, I attended a Business Continuity class offered through Buckinghamshire New University, which for the final project, we were instructed to write a research paper on any aspect of Business Continuity that was of interested to us. I jumped at the chance to use this opportunity to dig deeper into the subject of “how to integrate integrate BCM into an OR framework”. However, due to the lack of ‘official’ information on the subject, I decided that instead of looking for ‘The’ answer, to look only at how colleagues around the world performed the OR version of BCM.

Research and Data

The focus of my research was to find answers to the following through a survey of my colleagues:

  1. How confident were my colleagues in their level of understanding of BCM & Organizational Resilience?
  2. Is BCM performed any differently within a OR framework than as a stand-alone BCM practice?
  3. Finally, if there are any differences in way of practice, what were they?

Data Results

Respondent Background

Respondents: 198 responses received. While not a huge sampling, I believe it is large enough to provide some interesting insights, and to provide the ability to validate or negate my own anecdotal experiences.

Geographic Distribution: North America (US, Canada & Mexico) (56%), UK (25%), India (8%), APAC (4%), Middle East (4%), EU (3%). The remainder came from India (8%), Asia/Pacific & Middle East (both 4%) and Europe (3%). As might be expected, the makeup roughly mirrored my Linked network at the time.

Respondent’s Areas of Expertise: 92.73% of respondents selected ‘Business Continuity’ as one of their areas of expertise, followed by ‘Crisis Management’ (67.3%) and BC/DR Compliance/Governance (64.5%). ‘Resilience’ came in 4th at 55.5%.

Formal Training in Organizational Resilience: The next question had to do with whether or not the respondent had any formal training in Organizational Resilience.

As the chart shows, the majority of respondents (58%) answered ‘Yes’ – they had received formal training in Organizational Resilience.

Breaking that down by region showed that the 2 most significant regions in terms of sample size (North America and UK) are almost identical. The areas with smaller sample sizes vary greatly, but cannot be considered representative due to their small sample size.

Confidence Level: I next asked for the respondent’s confidence level, on a scale of 1-10, of their understanding of ‘Organizational Resilience’. In other words, when hearing the term, how confident were they that they knew what was being discussed.

The results showed a high level of confidence that the respondents understood what the term ‘Organizational Resilience’ means. The average confidence level was 8.1/10, with the highest in the UK at 9.1/10.

BC/Organizational Resilience Details

BCM Within an Organizational Resilience Framework vs. Without: The next question asks the respondent whether or not BC is practiced in any way differently when positioned within an Organizational Resilience framework vs. how it is practiced outside of an OR framework.

Keeping in mind that 93% of the respondents felt they had an expertise in business continuity, and that, on average, they had an 8/10 confidence level in what Organizational Resilience is, I found the number of ‘I don’t know’ answers interesting. The wide distribution between ‘Yes’ (43%), ‘No’ (25%) and ‘I don’t know’ (32%) is also telling as it shows a lack of consensus among experts on the role BCM plays within OR.

Another interesting data point is the difference in the percentage of UK respondents who answered ‘Yes’ to the question (26%), versus those of the North American respondents (52%). This appears to be one of the only areas in which practitioners from these two locales are significantly different.

Give me examples…

My final question was asking for specific examples of how BCM was conducted within an Organizational framework. Obviously, 25% of respondents had already indicated that there is no difference, but I was keen to learn how the 43% of ‘yes’ – and even the 32% ‘I don’t know’ – respondents answered. This question was open ended (a text field) which makes clear categorization and graphing of the results difficult. However, there were three areas that the answers, generally speaking, fell into:

  1. I don’t know (or look at the manifestos, best practices, white-papers, etc.)
  2. The difference is not in practice, but more about where the BCM program is situated, i.e., interconnecting BCM with other operational risk areas from a strategic perspective.
  3. BCM within Organizational Resilience has more of a focus on risk mitigation and impact avoidance than BCM alone (which is more recovery based)

While the second two categories were closer to what I was looking for, concrete examples of tactical activities were still illusive.

Analysis

I have always believed that a ‘thing’ is not real unless it can be measured. So, without concrete steps and/or quantifiable milestones, can we really say that Organizational Resilience is anything more than a mere description of an idea? I don’t have the answer to that, per se, but I do think that it is an idea that is not fully developed and matured. Obviously I was hoping to learn and understand the components that I could implement and would, therefore, lead me to becoming an Organizational Resilience practitioner. However, I don’t believe this was a waste of time, or even a negative outcome. Through the haze of competing (and sometimes conflicting) professional practices, I think a moment of clarity on this subject resolved itself to me, and two points were driven home:

  1. Whether or not BCM/Organizational Resilience is a ‘real’ practice or not (meaning a practice with a measurable, prescriptive methodology), it is an idea that has much energy and support behind it. It needs to manifest within the profession.
  2. Now that the gap in measurable, practical methodologies around BCM/OR have become apparent (or at least, have done so for me), the door is wide open for us to focus our energy on the measurable, repeatable, tactical steps on which we can build a future of our profession upon.

Conclusion

I am still a huge fan of Organizational Resilience. I believe that it is the future of our profession, and that BCM can and will represent the foundation of, and central component around which all other aspects of OR will revolve. In most organizations, it is the continuity program that has the widest and deepest reach into the business. We own the most generalized and widely conducted risk assessment of any operational risk area. The risk profile we develop (currently providing the RTO/RPO) can easily be adapted to be inclusive of all operational risk areas and can provide a global risk profile for all of the business areas we engage with. In short, I believe we are poised to make a groundbreaking change to how operational risk is perceived and practiced, and I am excited to be part of it.

Recommended1 recommendationPublished in Research & Reports

About the Author: Scott Baldwin

Scott Baldwin is currently the Director of Enterprise Resiliency at Symantec, where he oversees the global Business Continuity and Disaster Recovery programs. Scott specializes in creating sustainable, risk-based resiliency programs for global, multibillion dollar high-tech companies. Before Symantec, he worked at Bay Area based companies including Safeway, PayPal and Charles Schwab, and most recently, designed and implemented the global resiliency programs for eBay and Synopsys. Additionally, Mr. Baldwin is serving on the national board of the Association of Continuity Professionals (ACP), North America’s largest resiliency professional organization.

4 Comments

  1. David Lindstedt May 1, 2019 at 4:56 pm

    Great article, Scott. I agree with so very many of your points. In particular, I suspect that the enthusiasm which BCM practitioners are investing in Resilience stems from their growing dissatisfaction with the BC profession and, as you said, the ‘…hope that Organizational Resilience is our “Moses”, guiding us out of the continuity wilderness of irrelevancy, and into the promised land.’
    But I wonder about your conclusion. If it is entirely unclear (as you rightly argue) in what way BCM could somehow morph and become more valuable within an OR framework, why should we expect or hope that OR is the answer to BCM’s problems? What about OR will solve the problem you noted that “traditional BCM practices, which are, in many ways, still focused on using 25-year-old methodologies”? Why deviate from your original intuition that the Emperor is simply not wearing any clothes? (The current situation reminds me of the general call, about five year ago, that BCM should simply merge itself under the general direction of Enterprise Risk Management.)
    There IS something of significant value to the work of BCM professionals — but that value is not going to emerge simply by aligning itself within Resilience. If BCM is becoming irrelevant, it will take a reformulation of its practices (such as with Adaptive BC) from WITHIN the discipline, not imposed from without.

  2. […] The Emperor's New Clothes – A study of Organizational Resilience & BCM – Ri…Although the term 'Organizational Resilience' (OR) has been around for decades, it's only been the past few years that it really began to become popular within the Business Continuity Management (BCM) world. […]

  3. Lynnda Nelson May 9, 2019 at 3:07 pm

    Hi Scott, thanks for your article. I too as part of the International Consortium for Organizational Resilience (ICOR) have struggled with BCM practitioners (and others) having OR in their job title but they do nothing differently than before.

    ICOR has been working since 2005 to share knowledge on OR, provide education within individual disciplines that build a more resilient organization, and to certify those with knowledge and experience in delivering OR.

    With the publication of ISO 22316 Organizational Resilience Principles and Attributes in 2016 (which essentially replaces BSI’s 65000 standard), OR has finally been defined and recognized globally. ICOR has since identified required competencies to be a leader in organizational resilience https://www.build-resilience.org/cred-path-2.php as a second path to certification that complements our technical path developed in 2006. https://www.build-resilience.org/cred-path-1.php

    It is time that organizations (and the individuals within them) really understand what OR entails and not just use the term as a replacement for BC or any other individual risk-based discipline.

  4. Mark Armour July 29, 2019 at 5:50 pm

    Great work Scott and I particularly applaud your insight.

    One statement, in particular caught my attention as it is indicative of a larger trend that I have seen within the profession: “BCM within Organizational Resilience has more of a focus on risk mitigation and impact avoidance than BCM alone (which is more recovery based)”. This tendency within the discipline to focus on prevention rather than recovery concerns me. With all of our resources steadily moving towards making the Titanic unsinkable, who will bother to make sure there are enough lifeboats?

Leave A Comment