Budgeting for the Impossible: Enterprise Resilience Means Business
During the past decade, enterprise resilience has become a hot topic.
“What happens when fire strikes the manufacturing plant of the sole supplier for the brake pressure valve used in every Toyota? When a hurricane shuts down production at a Unilever plant? When Dell and Apple chip manufacturers in Taiwan take weeks to recover from an earthquake? When the U.S. Pacific ports are shut down during the Christmas rush? When terrorists strike?” The Resilient Enterprise
During the past decade, enterprise resilience has become a hot topic. Its meaning has grown from the original “business continuity and disaster recovery” moniker associated with IT data crashes. Today, the enterprise is viewed as an organism facing myriad risks including physical and logical, manmade and natural, external and insider. The scope of planning may be as local as the home office or as far reaching as the global supply chain.
Fusing these disparate and siloed plans into an actionable enterprise resilience program may be an organization’s greatest challenge. Far from security’s role in event response, the new goals of identifying and mitigating risks opens the door to discussions of preparing for and preventing the highly likely to making crystal ball forecasts of the unforeseen.
Enterprise Resilience’s broad definition includes business continuity, emergency management and disaster recovery for both physical and logical infrastructure and workforce protection. Revenue continuity is at the heart of the organism to remain open or get back up and running ASAP. Budget is the brain balancing necessity against luxury. As one CSO shared in the early days of our Security 500 Survey, “We plan for the worst case but get budget for the best.” Justifying enterprise resilience plans and programs is a significant challenge. Guesstimates of the actual costs of a disaster will vary widely, even after an event has occurred.
Since 9/11, the scope of security has expanded beyond its walls. Both the physical and enterprise perimeters are gone as organizations have taken a broad role in their communities. Enterprise resilience has become an all-hands-on-deck exercise where social media has changed communications and altered our definition of first responders. The complexity of resilience planning has increased as have the available resilience tools and resources.
As Duane Ritter, Vice President of Corporate Security at Cox Enterprises shares,
“Anticipating potential business interruptions and working to mitigate those threats from happening supports the business organizations to remain operational and reach their goals. Resilience and strategies and preparedness drills are critical for success. Accurate risk assessment and being prepared are the biggest contributions we can make to the organization and our people.”
The race is afoot as leveraging technologies and best practices to continuously identify threats and vulnerabilities, update and test resilience plans and communicate and drill with your stakeholders never ends.
And perhaps the most important learning among leaders is that the planning experience is more important than the actual plan. Because the interaction among your stakeholders through training programs and table top exercises creates relationships, identifies risks and reveals vulnerabilities. Creating the structure that facilitates the critical planning process to achieve successful execution is important for a successful outcome.
An interesting resource is The Resilient Enterprise(MIT Press) by Yossi Sheffi, in which he demonstrates how enterprises facing interruptions fare far better through resilience planning than the actions taken during a crisis. And further, your resilience program creates measurable benefits for your organization every day, disaster or not.
While most enterprises recognize that the investment in enterprise resilience is necessary, having a metric to show ROI benefits regardless of an interruption is a plus. CSOs are engaging their peers from legal, human resources, marketing communications and IT to create a holistic plan and response program for their enterprise. The use of mass notification technology to inform stakeholders has become a best practice for leading risk management and resilience programs.
David Shepherd, Chief Executive Officer of the Readiness Resource Group, an enterprise resilience consultancy shares, “You really do not know how well any plan will work until it is put to the test in a live situation.” Which can raise the logic of the brain above the desires of the heart in the C-suite: If you don’t know how well the plan will even work why invest so heavily in it?
An example is having a four person team, each with an area of expertise and responsibility. During drills, these four are together, in communication and leading the resilience process. Now tell one of the four, “You are not here, and you are out of communication with the group.” Then ask the three remaining leaders, “now what?”
That enterprise resilience drill works for everyday operations, not just during disasters.
The answer to “why invest in a strong enterprise resilience plan?” may be because the best plans have a measurable return to the bottom line.