Today, organisations must be strategically adaptable, operationally aware and tactically capable to respond to the impact of any change. The one discipline that predicates impact upon business capability is Business Continuity Management. Business Continuity Management can be used as a central facilitator to build resilience and sustainability.
Organizations have recognized business continuity management as a response to disruptions in order to continue operations at acceptable predefined levels. However, with growing threats, disruptions, and attacks, the time has come for a more dynamic response to disasters. That comes in the form of organizational resilience.
Resilience needs to be grown from a management-driven approach (as defined by ASIS SPC1 2009) to a culture practiced across the organization (as defined in the guidelines released under ISO 22313). Resilience, as a goal, can be enhanced by integrating and coordinating various disciplines in an organization: strategic, tactical, and operational. Organizations can explore different methods for remedial responses and find the ideal approach to embed resilience through business continuity.
Defining How Organizations Look at Resilience
Resilience is dictated by operational demands, and the ability to respond to these demands determines an organization’s business continuity maturity. To be prepared to respond to any disruption, organizations need to break out of all operational silos and develop an ecosystem with resilience embedded at every layer.
The ability to respond to a change in the market and get the product out before the competition is inherent in any successful business. Customers, suppliers, regulators, and competitors all affect an organization’s capability to continue in business. Therefore, organizations need to keep an eye on the stability of their business facilitators, including suppliers, raw materials, manufacturers, distributors, sites, and assets, to develop a holistic framework of preparedness and readiness.
Resilience is a continuous requirement and no organization, person, network, or system can be absolutely resilient. An organization should be strategically adaptable, operationally aware, and tactically able to respond to any external or internal event. Resilience can never be static; it is constantly changing.
Identifying Resilience Indicators with BCM
Using business continuity functions, organizations can identify resilience indicators specific to their business. Once identified, these indicators interact with each other to establish a network which can bounce back from the most disruptive events. A few indicators for building a resilient organization are:
- People engagement
- Situational awareness
- Change readiness
- Relationships and network
Developing a Resilience Program: A Bridge Between Continuity and Resilience
A few questions that need to be asked while developing a resilience program:
- Who are the people responsible for making decisions and responding to changes in the event of a disaster?
- What are the legislative requirements of the organization?
- Who are the interested parties (both internal and external)?
- What are the safety and security needs of the employees?
- In the event of a disruption, what is the risk appetite of the organization, and how will the business plan change?
- How can the organization ensure business at the right time, in the right quality, to the right people?
- What are the organization's recovery objectives?
- Is there a budget in place to address resilience requirements?
According to a paper published by the Business Continuity Institute (BCI) on “Organizational Resilience”, the various disciplines involved in developing a resilience program should focus on the following tenets:
- Anticipation: threats, insurance awareness, strategic risk, operational risk, financial risk, business continuity
- Protection and planning: security, information assurance, health, safety and environment, insurance, governance, compliance, and audit
- Response: crisis management, communications, IT disaster recovery, business continuity
- Recovery: business continuity, insurance, leadership, HR, IT, and work area DR
The common element across these disciplines is business continuity. Utilizing the BCM process not only provides the necessary linkages to all critical processes and functions but also provides a central repository of information across the organization.
Building a Resilient Organization Model with BCM
The BS 65000 standard provides guidance on achieving enhanced organizational resilience and articulates the benefits of doing so. It provides guidelines to enhance crisis management and business continuity management practices by integrating these into a wider resilience program. Additionally, BS 65000 references other activities including risk management, horizon scanning, and change management.
Traditionally, organizations use ISO 31000 and ISO 22301 standards to address the need for organizational resilience. The growing need for organizational resilience demands a correlation between risk management and business continuity management system models. Establishing a channel of communication between BCM and Enterprise Risk Management systems provides the means to develop a comprehensive resilience program.
Maintaining the Resilience Program
Integrating the Business Continuity Management program into the resilience program will enable organizations to not only be ready for an event but also continuously exercise recovery measures.
- Engage the upper-level management/leadership to create and propagate organizational resilience strategies as stated in the BS 65000 standard.
- Set up measures to monitor the bridge between Risk Management, Business Continuity, and IT DR.
- Conduct thorough risk assessments and business impact analyses to identify critical processes and functions.
- Develop a model for assessing resilience measures in place.
- Use a governance tool to track enterprise-wide risks, business continuity needs, and compliance with resilience measures.
Exercising the Resilience Program Regularly at:
- Business Function Level
- Operational Business Unit Level
- Organizational Level
- Across the Supply Chain
Any disruption, whether cyber-attacks or physical disruptions, affects business continuity. Keeping the focus on organizational resilience while developing recovery strategies will go a long way in building an organization which is prepared and ready for any event.