Although the term resiliency is widely used in setting corporate goals, it is rarely defined in a way in which it can be meaningfully assessed. Traditionally business continuity has provided a proven means of reducing the severity of disruptive interruptions by understanding the operational priorities of the business, the infrastructure that supports them and the acceptable timescales for response and recovery. Business continuity practitioners have always argued that by taking a holistic approach to an organisation, critical dependencies and single points of failure can be better identified and mitigated, thus leading to improved reliability and customer satisfaction. This might seem a reasonable assumption but it is hard to really prove.
This lack of objective proof has perhaps contributed to the often reported difficulties in achieving more substantial stakeholder buy-in for business continuity at the most senior levels in an organisation. Perhaps this partly explains why the change in business terminology from business continuity management (BCM) to organisational resilience is happening so rapidly in many companies. Certainly key individuals promoting the resilience agenda see the opportunity to bring a new discipline into play at the strategic level as a game changer. Adaptability (rather than response) is becoming the new buzzword and traditional business continuity practitioners need to adapt to this new reality.
The construction of more and more detailed plans has failed to achieve the corporate goals for security and resilience that we as practitioners might have expected. The speed of business change makes the need for a more dynamic way of responding to crises ever more important, but as BCM professionals we need to change the way we work – developing organisational resilience capability and the people skills needed to take control of unexpected events should be our primary goals. Good planning is still essential but not writing more compliance based procedural plans.
So what are the obstacles to implementing a successful business resilience plan? Firstly, getting support from the top of the organisation and by this I mean not just budget, but rather the way the message needs to be enthusiastically and positively communicated from the top. Secondly, getting buy-in from the people who have to deliver the plans; this is predominantly the middle managers who are often already over committed and under resourced. Thirdly, making the risk look and feel real because if it is seen as just compliance then you will create a tick-box mentality.
To successfully address these obstacles, it is essential to properly understand how the business actually works and who the really influential players are, those whose opinions are sought and listened to. Find out what the real drivers of success are and what top management really worry about. Do not talk to senior management until you know what is important, any lack of company knowledge will ruin your credibility immediately so prepare well before you talk to them. Build awareness programmes and get your message right when you give presentations as the people who you need on your side are not interested in technical solutions, they want to know about what you can do to help them eliminate or reduce future business problems.
Business resilience is much more than recovery from disaster or serious incidents. It is the ability to identify and monitor risks to prevent them from happening in the first place, or at least minimise the impact. It is about the capability of the organisation to deal with incidents that cannot possibly be predicted or adapt itself to changes in its external circumstances such as civil war in a key supplier country. In some ways it is difficult to highlight companies who are good at resilience because by definition they will be the ones that handle problems, major incidents and even crises almost seamlessly.
The top challenge on the horizon for BCM professionals is changing the mind-set of people both inside the profession and outside it. We have many excellent programme managers but there is not enough really innovative thinking going on. The enthusiasm for the idea of resiliency does give us a chance to articulate a wider strategic vision for our discipline. Thinking up relevant approaches to deal with issues that do not fit the old BCM model of physical disruption to assets is a real challenge – cyber resiliency must be high on our agenda as is mitigating reputational damage using social media. It might be difficult but if we don’t do it, who will?