The Need for Organizations to Evolve ...
Nowadays, sophisticated man-made and technological services are an indispensable part of our daily life. Therefore, market leading organizations using these capabilities should by now have moved through “contingency to continuity” and more recently changed their thinking towards “resilience”.
This should mean that organizations which previously had adopted a “business continuity management” approach should by now be focused on “operational resilience”, thereby considering a range of subject matter areas to plan for “disruptive” events and prevent a “business disaster”.
What is a “Business Disaster”?
A “business disaster” has been described as being:
“Any unwanted significant incident that threatens personnel, buildings and/or the operational effectiveness of an organization, which requires special measures to be taken to restore the business back to normal.”
(Source: Home Office - How Resilient is your Business to a Disaster)
What are these “unwanted significant incidents”, and how could they impact on your organization? The following provides some non-exhaustive baseline scenarios for consideration:
a. Human Error:
- Lack of attention to detail;
- Misunderstanding of directions/ instructions;
- Pressure of home and/ or work;
- Stress related;
- Not taking advice;
- Lapse of security;
- Accidental damage;
- Insufficient/ inappropriate of training.
b. Natural Causes:
- Solar flare;
- Major storms;
- Tropical storm;
- Volcanic eruption.
c. Intentional Causes:
- Industrial action;
- Public Disorder/ Riots;
- Computer viruses
For every scenario, subject to the impact, they could be classified as a “business disaster”, each one requiring “special measures to restore the organization back to normal”, and as such creating a situation where there is likelihood of significant:
a. Loss of operating capacity;
b. Loss of capital or profits;
c. Loss of market share;
d. Loss of credibility and/or brand, image and reputation; and,
e. Impact on regulatory compliance with legislation or codes of practice.
For every “realistic” scenario that is listed, subject to the impact, each one could require “special measures to restore the organization back to normal”, and as such create a situation where there is a likelihood of significant disruption.
How can your Organization become Resilient against Disruptions?
A key factor in reducing the potential cost and impact to any organization’s operational structure following a “disruption” is to break this down into “mission critical” elements, such as “products and services”, and to consider the overall components that deliver each “process or procedure” end-to-end.
Maybe a definition for “operational resilience” should therefore be one that accepts the fact that products and services, and the supporting processes and procedures, will at some time fail, and therefore accepts that there is a need to:
“Resist and tolerate failure, and recover critical operational elements within a business acceptable time scale by planning and design.”
(Source: Survive! The Business Continuity Group - Communications Special Interest Group)
By taking such an approach, it would then be possible to accept that internal and external resilience planning and design is “key” to an organization preventing and, if necessary, manage a “business disaster”. And as such, it should also take into account the supporting infrastructure and its associated “capacity”, thereby enabling the organization to “prevent, adapt, respond to, recover and learn” from operational “disruptions”.
Which Strategic Approach could be used to achieve Operational Resilience?
The Seven R’s Resilience Healthcheck Approach:
One approach that GSDM uses in building operational resilience for clients involves the use of our “Seven Rs” methodology:
Responsibility is the organization, function and person who are responsible for delivering the Operational Resilience Programme, and establishment of a Resilience Programme Team that should include internal employees and external vendor representatives.
Readiness should have identified the potential of any significant disruption and / or physically damaging events that could impact upon delivery of products and services.
Resources requires an understanding of the requirements for managing and determining an acceptable level of capacity that needs to be in place to meet the level of readiness and is able to provide a return against the level of investment for the organization.
Response to deliver the acceptable level of capacity, using agreed procedures, requires identified roles and responsibilities, supported by escalation process based upon the organizational needs and operational management, and an agreed communications structure.
Recovery of the required capacity requires delivery of identified recovery time objectives, supporting information technology assets, contingency strategies, and consideration of what to do for other key areas where no resiliency has been provided.
Resumption to an agreed “business-as-usual” level that meets the capacity of the organization is necessary to validate what constitutes a state where the organization has achieved sufficient capacity to meet an agreed operational capability that will enable continuation of delivery for its products and services, that are able to meet stakeholder and regulatory requirements.
Review of the Governance arrangements, taking into account methods being used to monitor & measure any organizational disruption and / or physically damaging event, for initiating any improvements that should be made to current processes and procedures.
Where are most Organizations today in terms of Operational Resilience?
Most organizations want to believe that they are resilient to any type of “business disaster”. Most may have some third-party outsourced agreements in place, for which they believe that the “risk” has been transferred elsewhere for specific critical business operations, thereby extending their “supply chain”.
When the remaining in-house capabilities are considered, due to ongoing business change, whether “business transformation or process re-engineering”, leading to “staff reductions”, through to “mergers & acquisitions”, the “capacity” for any organization to manage the impact from disruptions will most likely be reduced.
Alongside such business changes, it should also be remembered that customers, suppliers, manufacturers and maintainers are also experiencing similar changes, thereby adding to the recipe for a “disruption”.
If we then add the final ingredients that can exist in current organizational thinking - “it will all be right on the night”, often supported by its companion “denial” – then anything could be possible, not least creating the components that could lead to a “business disaster”!
In summary: It is not if, but when, your organization will experience a significant disruption, with the associated impacts. In preparing for this, shareholders, board members and executives, as a whole, need to be assured that they have the ability to prevent, adapt, respond to, recover and learn from operational disruptions.
Steve Yates is GSDM’s Head of Resilience. He has decades of experience in assisting public and private sector organizations become more organizationally and operationally resilient. If you would like to know more about our resilience solutions, then please get in touch with us (firstname.lastname@example.org).