Improving organisational resilience
Everybody is concerned about being more resilient. We all see it as something we want to be personally; but what it precisely means hasn't been defined.
So said Lyndon Bird, technical director of the Business Continuity Institute (BCI), speaking at the ITWeb Business Resilience 2014 event at Montecasino this morning.
"It can be loosely defined as the capacity of an organisation to anticipate, respond and adapt to change in order to survive and prosper, during times of incremental change, sudden disruptions and external circumstances."
He said ISO 22301 defines business continuity management (BCM) as "the capability of an organisation to continue delivery of products and services at acceptable pre-defined levels following a disruptive incident".
According to Bird, benefits of organisational resilience include the adaptability to changing circumstances, improved competitiveness, improved effectiveness, coherent policy making and strategy development, agility in decision-making, protecting and enhancing reputation, and improved business culture, transparency and shared values.
From a BCM perspective, these would be monitoring threats and impacts, protecting value-creating activities, having the capability for effective response, a holistic process, a framework to protect interests of stakeholders, protecting brand and reputation, and embedding values into the organisation.
In this way, he said organisational resilience is the evolution of business continuity. "Business resilience practitioners are experts in how you are going to deal with the consequences, not the risk itself," he explained.
Speaking of whether crisis management is really different, he said an "incident" or "disruptive event" has the potential to escalate to a "crisis" which can cause a business to fail. BCM controls that escalation.
Moreover, the capability to manage such incidents is expected by customers, employees, stakeholders and all interested parties, which is BCM's main purpose. "Crises are often not caused by physical incidents, but they can be in BCM. Crises might result from factors beyond what is reasonable to consider, such as Black Swan events, which are unpredictable, rare, but nevertheless high impact events. Dealing with consequences, not causes, is pure BCM."
Public private partnerships
The US Department of Homeland Security and the Federal Emergency Management Agency have prompted the concept of public private partnerships since Hurricane Katrina, recognising that top-level emergency planning still has limitations. "Central control is too inflexible, does not respond quickly and cannot fully address basic needs of the affected population. Government has unlimited powers but in reality, few direct resources, as these are all in the private sector, for example food, shelter and suchlike."
In a disaster situation both sides pull together but they do not co-ordinate their planning and activities in normal times. Community resilience is a key objective for emergency managers, but has little commercial benefit for retailers, banks and large transport companies.
Conventional BCM is not the same as emergency management, he said, but resilient communities do help everyone continue with their activities.
He said there are some negative perceptions around BCM. Firstly, that it is mainly about technology recovery. In addition, that it is only for large companies, is expensive, is just for regulated businesses and its primary purpose is compliance. "Therefore, some think it has little direct operational benefit, and has only a negative effect on the bottom line."
Bird said these people need to bear in mind that plans are operational, capabilities are strategic. "Processes and priorities change very rapidly, and incidents may be outside the planning assumptions. In addition, plans might not be accessible or time available to read them and senior management will generally ignore the plan detail during a crisis.
"There are some very real benefits. It improves operational resilience and hence performance, helps management understand complexity and dependencies, improves customer experience by protecting delivery of goods and services and managing expectations. In addition, it should provide input to strategic decisions on acquisitions or restructuring although it rarely does. It provides a key element of effective corporate governance."