What about Resilience?
Business Continuity and Resilience: are we getting the landscape right?
Imagine trying to describe or just outline what a Rhinoceros looks like to someone when you have only seen a small part of the whole animal yourself, perhaps just a foot or an ear.
When you haven't seen the whole thing it makes it rather awkward or perhaps even impossible. It's certainly rather tricky, eh? You could end up with a Donkey, a three-toed Camel or indeed a host of bizarre critters. To describe a Rhino properly you have got to step back and get the whole picture. (We know this is usually done with elephants, but we prefer a rhino for this analogy... it's an ear thing!)
We’re using this somewhat silly example to illustrate one of the most interesting topics emerging across the Risk and Business Continuity Sectors - Organizational Resilience!
A lot of people are talking about it and the discussion underway is really interesting.
The Continuity Forums' position is that clearly Organizational Resilience is highly desirable. If more of our companies and social infrastructure were more resilient, a huge amount of disruption would be avoided, and lives and, of course, business would run far smoother, potentially saving vast amounts along the way.
Back in 1999, our Chairman created the Tagline “creating Continuity... building Resilience...” where business continuity management was the activity and resilience the outcome, and this is something that we stand by today. By defining what was needed to maintain "business operations" and taking measures to ensure that disruption to the vital processes was minimized, we knew there would be potential for a real economic benefit to be delivered. The success seen in developing Business Continuity has validated this view completely, and through the knowledge gained over the past 13 years we all know more can be done.
There is a (relatively) new kid on the block though that has the potential to raise the bar again, and it's called Organizational Resilience. Hurrah, I hear you say - let's use the experience gained and help businesses and communities cope even better - let's all be Resilient! Hold your horses a second, folks ... there is a problem and it's a simple one - Resilience can mean a lot of different things to different people, and when it comes down to it, to get the best resilience we all have to understand that context is everything.
A materials scientist or an engineer will define Resilience using a formula that describes “the ability of a material to absorb energy when it is deformed elastically, and release that energy upon unloading”. This is great - you can measure Resilience repeatedly using a consistent method and compare results. But what about our kind of resilience?
Across Academia, Business and Government the equation is not so clear, but they all know what they mean when they describe it. The trouble is that the definitions all vary to greater or lesser degrees. Frequently, these differences come from the perspective of the 'expert' doing the defining. The Homeland Security Review of 2010 placed Resilience front and centre as a vital tool to provide security against terrorism. This is how Resilience was defined: “(the ability to)... Foster individual, community, and system robustness, adaptability and capacity for rapid recovery;”
A good definition in one sense, but the context, Security, presents a problem similar to the Rhino's ear, i.e. it's not the whole picture. Security threats, Financial Risk, disasters, disruption, Cyber & ICT risk all need managing if we are to create real Resilience.
Another part of the issue is illustrated by the various standards that cover or include Risk.
ISO 22301 covers Risk and ISO 31000 manages Risk too, ‘usually’ in a financial or project context. ISO 27001 helps manage ICT Risk and ISO 27031 delivers BCM in the ICT space. There are standards for security to reduce and manage threats (risks), and let's not forget the supply chain! What about Reputation Risk? That's important - doesn’t it need addressing too?
Our point isn’t that there aren’t standards; it’s that the standards that are there aren’t really being used (or perhaps it would be more accurate to say aligned) in the right way to give us an integrated approach to these specialist areas that could unite to deliver the right level of Resilience needed for each individual organization's needs.
We believe building real Resilience comes from getting the context right and this is where a framework for what Resilience actually is would be really useful, enabling the creation of the right level of protection for your needs.
This way you won’t confuse a Rhino with a Donkey and you’ll get real Resilience!