I have been involved in disaster business resilience since the 1980's. In that time, I’ve seen it go through the phases of disaster recovery, business continuity and now business resilience. Y2K (remember that?!) gave it a major boost – then nothing considerable happened. Terror campaigns in the UK and USA then the pandemic 'flu scare in 2006-7 also kept it in the C-suite's mind.
Again the number of organisations directly impacted by these were relatively small.
Then came the financial crisis of 2008 squeezing the budgets of both governments and large financial institutions who had been previously big investors in business continuity. As nothing such had happened despite the above “crises” it seems that senior management felt business continuity was an area ripe for savings.
Team sizes were slashed and investment cut. Business Impact Analyses (BIAs) were largely abandoned as expensive, resource intensive exercises that in a fast changing business world were out of date before they had written up their results. The way of identifying the benefits of investing in business continuity had been axed arguably accelerating its decline.
However, in the same period the complexity of organisations and their supporting IT systems has increased. Outsourcing/strategic alliances resulting in supply chains that span the planet are common and legacy IT systems are stitched into new, end user facing web channels. Added to this, the rate of change is accelerating as organisations try to address greater demands for flexibility from the consumer or citizen whilst fending off new entrants in the private sector or budget cuts in the public sector.
Looking around at the organisations I deal with, it seems that everywhere business resilience professionals are struggling to do more, with less. The threats are still there, events such as terrorist attacks and severe weather are happening almost weekly.
So why aren't we seeing a resurgence of investment in business resilience?
Partly I suspect that the impacts of realised threats are not widespread enough to overcome the perception that the risks are small, won't happen to 'us' and anyway they're 'someone else's problem' (such as the government or an outsourced supplier). This, coupled with a marketplace which is stagnant in many areas, means there is a reluctance to invest money in the “insurance” of business resilience.
So, how can we, as business resilience professionals, address this?
Well we have to take up the challenge of doing 'more with less'. We have to be able to tackle the increased rate of business change, increased complexity and get back to a realistic understanding of the real business needs without employing large and expensive teams to plan for and manage our way through crises.
In other areas of work, organisations have exploited automation to improve efficiency. Look at the Industrial Revolution tackling human manual work and the computer revolution of the 1950s and 1960s reducing the cost of administrative effort. When did you last see a typing pool or payroll clerk with a tabulating machine?
Sure there have been software packages to automate data gathering and the administration of the Business Continuity Management System, but is that where the costs lie?
Are there better approaches emerging that could help us with the information gathering and contextual analysis plus the more efficient handling of adverse events?
We are starting to see these come through. It's early days yet but I am sharing my thoughts on developments as well as some ideas on approaches to get investment in these made available on my Business Continuity Awareness Week webinar on the 18th May. I invite you to join today.
Tony Perry is a Senior Managing Consultant at IBM.