Resilience professionals around the world… you are a victim of your own success! If your business is resilient (whether by effective planning or pure luck!) you will find that it becomes increasingly difficult to capture the imagination (and attention) of your boardroom.
“It’s just a shame we haven’t had a big incident recently, isn’t it?”
Working in what is often considered a loss centre is tough… I can’t count how many times I have heard that sympathetic statement from senior management when resilience isn’t getting the attention it deserves. Although I remember all too well being flavour of the month during floods, IT failures and employee walkouts. My mobile and inbox were buzzing from virtually all levels of the organisation.
Following those incidents, I would often refer back to them to reinforce the message of resilience and maintain our leadership buy-in (usually until about a year later, by which point the next hot topic or initiative is in full force). The business memory is incredibly short term in my opinion. You can spot the changes as they happen. The glazed look from the management during briefing sessions, the unattended meetings, and the unanswered emails. Keeping the business on board with resilience activities in peacetime is, for me, one of my long-standing challenges. How do we go about demonstrating value and benefit?
I’ve experienced (and adopted) a few different ways when trying to promote value. Over the years I have tried to combine them all to produce a ‘resilience reporting dashboard’ which at the very least makes a good start. However, it still feels to me like it needs to evolve to the next level. I’ve explained each approach individually below to show you how I arrived at my recent attempts.
1. The output approach
I assume that, like many of my peers, I have this typical default approach / bad habit which often tends to focus on the overall work undertaken and the ‘effort’ involved. I would regularly report the following to leadership:
- Number of desktop exercises undertaken
- Number of call tree cascade tests
- Number of work area recovery tests
- Number of crisis management simulation events
More often than not there would be a huge amount of engagement time, document reviews, planning workshops and subsequent output for each and every one of those bullet points, literally hundreds of hours of work. However, what does that really tell the leadership? It would appear to be very little in my opinion.
2. The risk approach
I then took a slightly different approach, deciding to focus on key risk indicators (KRIs). I would regularly report to leadership and, rather than highlight effort, I would flag if something wasn’t done and comment on the risk of not doing it. For example:
- Percentage of desktop exercises undertaken against monthly target
- Percentage of call tree cascade tests undertaken against monthly target
I suppose really all I was doing here was just the opposite of activity reporting, with a monthly target installed. It is useful insofar as it highlights what hasn’t been done, but it really doesn’t go any further in explaining to the business the real value.
3. The speed and efficiency approach
In another organisation I’ve tried to focus on performance to help demonstrate value (more specifically incident management with this one). I would report monthly into a senior management team on things like:
- Increasing speed of response
- Reducing the time taken to close an incident
- Reducing time taken to establish root cause
- Reducing time taken to implement corrective actions
The leadership did seem to like this method because they tend to like anything done fast at the best of times; however, it still doesn’t necessarily capture much value.
Unfortunately, the concept of value is frequently linked to, and mistaken for, ROI (return on investment). This is a widely used business term in which a calculation is made based on the overall expenditure of a product/service/system against its potential or actual financial yield. However, resilience activities are an overhead or at the very most an unofficial insurance policy. But what if it never happens? It’s just a shame you haven’t had a recent incident eh?
Ultimately anyone can report on output, efficiency and risk if you combine the above methods and you can find someone willing who is half decent at PowerPoint and Excel. However, capturing ‘value’ is an extremely difficult thing to achieve. The term itself is subjective and will often depend on your sector, the organisation’s risk appetite, and your C-suite sponsor’s background and interest, among many other factors. I personally haven’t arrived at the next level but I’d be ready and willing to thrash out a few ideas with anyone who wanted to!
Luke Bird MBCI is an Information Security Analyst at Clydesdale Bank, and previous winner of the Newcomer of the Year Award at the BCI Global Awards.