Over the past few years I have noticed an increasing level of conversation around BCM’s (Business Continuity Management) value, and an angst that we, as an industry, are losing our relevancy. I have seen a lot of articles describing BCM’s ROI and ROV, as well as improving efficiency, selling BCM to leadership and so on. While all of this is important, I think maybe we’re missing the larger point; that is, organizations and leadership are increasingly losing their appetite for ‘recovery’. Polishing, marketing and streamlining ‘recovery’ is like working on a solution to a problem that many executives refuse to acknowledge. As one executive told me, “If we need to recover, it’s already too late.”
Now don’t get me wrong, recovery is, and will always be, a critical aspect of what we do. But from a messaging perspective in this 24/7 global marketplace world, being the ‘recovery’ people is becoming more and more like the folks who close the barn door after the horse has escaped. I believe this sentiment has been growing – consciously or not – within our industry for some time.
It is my firm belief that the ‘Organizational Resilience’ approach came about in order to address this very idea – that we need to take a proactive, risk-based approach to disruption as opposed to only focusing on recovery. However, based on a study I conducted at the end of 2017, I found that Organizational Resilience has two primary challenges:
- There is no consensus within the community on what Organizational Resilience means. There is not even broad agreement on whether Organizational Resilience is different from BCM, or simply a new name for it.
- There are really no processes or tools that are specific to OR – even though we might like the idea of taking a risk-based, preventative approach, our practice is all recovery-based (i.e. BIA, BCP, DRP, exercises, etc.).
In spite of these issues, I believe that Organizational Resilience is the road we need to take to stay relevant in a changing world. After I conducted the study and realized what was missing, I added some new tools and processes to my program that specifically address availability in addition to recovery. However, perhaps just as important, these new components clearly and measurably demonstrate our value in terms of what many executives want – prevention of disruption and high-availability. I call this framework the ‘Engaged Matrix Model of Organizational Resilience’, or EMM.
Engaged Matrix Model
The EMM has 3 phases (and several new tools) and has the ultimate goal of eliminating disruptions altogether by identifying and proactively mitigating potential Business Disrupting Risk (BDR). In this way we are addressing the two reasons for declining perceived value described above: 1) focus on reducing or eliminating disruption (as opposed to recovery) which in turn 2) brings our value from ‘when and if’ a disruption happens, to an everyday availability value. To accomplish this, we are leveraging – and then elevating – the amazing tools and skillset that BCM has developed over the last 30 years – namely, the BIA, BCP, DRP and validation exercises.
Phase 1 – Compliance: This phase creates a BCM program that would pass any program audit: the regular and sustained performance of the traditional BCM activities (BIA, BCP, DRP, exercises, etc.). However, this phase’s true value is in creating a network of engaged business partners who have truly accepted ownership of the basic tenets of resiliency risk. Because the later components will depend both on this network and on the evolution of these activities, it is critical that this step is performed with business engagement and training in mind. This, in and of itself, produces enormous value, as it results in a program that is truly scalable, sustainable and can be maintained by a fraction of the resources many traditional programs require.
Phase 2 – Readiness: Again, this phase has two primary goals, one apparent and the other less so. The obvious purpose of the readiness phase is to create true recovery capability. Where the compliance phase exercises are focused on validation of the recovery plan, ‘readiness’ focuses on ‘muscle memory’, speed and efficiency. However, it is human nature that when something is mastered, shortcuts are sought, which brings us to the less obvious result and our first new tool – the Impact Absorption Plan. It is customary to hold an after-action review following an exercise in order to discuss what went well and where improvements can be made. However, in this program we take one additional step: we discuss how the scenario-based interruption might have been proactively addressed in such a way that the impact would not have resulted in the need for recovery. We call this ‘Impact Absorption’ and we add the ‘Impact Absorption Plan’ to our toolkit. This plan might be as simple as developing a cross-training regimen, but the important aspect is that we are declaring, through a formal process, that we are moving away from recovery and into reducing disruption.
Phase 3 – Resilience: The stated goal of this phase is to reduce, as much as is humanly possible, actual disruptions by proactively identifying and mitigating Business Disrupting Risks (BDR). While we have plenty of other risk groups tasked with a similar mandate, there are few – if any – programs that can reach the level of granularity and develop as much engagement and cooperation with the business as BCM has been able to do. If the ‘Compliance’ phase has been built correctly, no other operational risk group (including ERM and GRC) will be able to compete with this program in operationalizing risk identification and mitigation. However, we are not trying to compete – instead we need to be clear that we are partnering with these other risk groups. I sometimes refer to this phase as an ‘Operational Risk Service Provider’ to drive home the role we play.
We start with a formalized process to work with individual risk groups to leverage their expertise, policies and controls, but then we transform the BIA into something else. I have called it a couple of different things, but for now, let’s call it ‘BIA+’. This is the regularly conducted BIA, but with the addition of operational risk control questions. In almost all cases, being able to regularly provide quality, organization-wide but department- or process-specific risk control data will quickly make the corporate Resiliency group a critical dependency.
Next in this phase we utilize our planning skillset to develop ‘Business Disrupting Risk Plans’ (BDRP) designed to assist the business in developing strategies to address the gaps in their risk control profile. Finally, we utilize our validation exercise expertise in validating the Resiliency Risk Mitigation Plans, which can then be recorded on a scoreboard tracking the organization’s shrinking population of business disrupting risks. This, in turn, will result in fewer actual incidents to recover from.
My company’s mission statement does not even mention ‘recovery’; we are all about helping the business absorb impacts and avoid business disruptions. We absolutely do still have a fully ISO 22301 and FFIEC compliant resiliency program, and we are primed and ready to recover, but if value is, as I suggest, derived largely from the opinions of our customers (i.e. executive leadership), then my metrics (ROI/ROV) are going to include what is valuable to them – availability – and not only what the traditional BCM tools were designed for: recovery.