Security & Business Resilience / Security Leadership and Management

How to Add Resiliency to Your Risk Management Strategy

The latest buzzword these days is “Resiliency,” which for all intents and purposes is really nothing more than a new term for business continuity planning (BCP) in the private sector and continuity of operations planning (COP) in the public sector.

The latest buzzword these days is “Resiliency,” which for all intents and purposes is really nothing more than a new term for business continuity planning (BCP) in the private sector and  continuity of operations planning (COP) in the public sector. The dictionary loosely defines Resiliency as:  “An ability to recover from or adjust easily to misfortune or change.”  Any good consultant will tell you that it is important to reinvent programs or create a new term periodically so you can sell the same thing all over again…but just packaged a little differently.

Pundits will argue that resiliency is much broader and more encompassing than simply focusing on continuity alone. However, if you really study the underlying intent of the philosophy upon which BCP and COP are based…it fits squarely within the definition of resiliency. After all, the foundation of BCP and COP programs focuses upon the full range and scope of risks the enterprise faces, the potential impacts of those risks and the factors that can be deployed to mitigate those risks.  

ISO 22301 outlines the international standards for Business Continuity Management Systems (BCMS) required for a company to prepare for a disruptive activity, event or incident. At the end of the day, most will agree that misfortune and change which is the core to the definition of resiliency are definitely disruptive to the norm. The process one utilizes in developing BCP and COP are captured within ISO 22301, so we will focus more on an abbreviated overview of the process rather than providing a complete detailed step-by-step guide. 

Probably the most important first step an organization should take in developing their BCP/COP program is to conduct an inventory of all of the enterprise’s processes, assets and resources (PAR).  No one has the time or resources to boil the ocean, so once the inventory has been completed, the next step involves prioritizing the PAR list from the most critical to the least important. Typically this step in the process breaks the PAR list into three different categories: CRITICAL – a PAR that the enterprise cannot survive for more than a day or two without; IMPORTANT – a PAR that the enterprise must have back in operation within a week or two to provide support to the Critical PARs; and, finally, BENEFICIAL – this final category encompasses the “nice to have” PARs, which the enterprise can function without for a significant period of time. While PARs designated as BENEFICIAL contribute to the overall morale of the workforce or the long-term effectiveness and efficiency of the enterprise, these BENEFICIAL PARs typically encompass areas in which savings can be quickly generated from if the enterprise is forced to find cost savings. In essence, this step of prioritizing PARs is the foundation for conducting a business impact analysis for each item cataloged in the PAR review.

Once the PAR review and criticality assessment/business impact analysis have been completed, the next step is to look at the types of risks that the enterprise faces and how they affect the top two categories of PARs. Many organizations utilize a four by five axis risk matrix that rates both Severity (Negligible to Catastrophic) and Probability (Unlikely to Frequent). The resulting risk matrix identifies those risks which require the most focus for purposes of mitigation. Determining the appropriate level and approach to mitigation involves determining which specific risks that the enterprise invests in countering, which risks that it can transfer to a third party (insure against) and those risks that they simply have to just accept because the nature of the risk.  In cases where the risk is one that they simply have to accept, most enterprises will establish a reserve or contingency fund to deal with the issue should it arise.

It is important to think of resiliency in a holistic manner, which is why the PAR review is so vital in effectively addressing an enterprise’s risk portfolio.  By engaging all elements of the enterprise in the process, the full scope of the risks the organization faces becomes much clearer. Those very same elements must also have a solid understanding of what steps they must take to not only mitigate a given risk, but also to muster the appropriate resources necessary to regain momentum and resume “business as usual” in a timely fashion.

Identifying an enterprise’s most vital processes, assets and resources; understanding their vulnerabilities, building a structure of sound mitigation solutions and crisis response protocols is critical to the viability of the enterprise. Conducting routine exercises and performing at least annual reviews to identify changes that could result in new or different risks results in an enterprise that will not only survive, but will likely thrive. 

 

About the Authors: Jerry J. Brennan is the founder and Chief Operating Officer of Security Management Resources (SMR Group), the world’s leading executive search firm exclusively focused in corporate security. Lynn Mattice is Managing Director of Mattice and Associates, a management consultancy focused at the development and alignment of Enterprise Risk Management and Business Intelligence Programs, as well as Intellectual Property Protection and Cybersecurity. 

Did you enjoy this article? Click here to subscribe to Security Magazine. 

Recent Articles by Jerry Brennan

You must login or register in order to post a comment.

Multimedia

Videos

Image Galleries

ASIS 2013 Product Preview

ASIS International 59th Annual Seminar and Exhibits, September 24-27 in Chicago, Illinois, will include an exhibit hall packed with innovative security solutions. Here are some of the products that will be shown at ASIS this year.

Podcasts

Virtualization and Data Center Security: What You Need to Know for 2014

Data centers are increasingly becoming the center of the enterprise, and data center and cyber security is following the same path for security departments. According to Justin Flynn, a consultant at the Burwood Group, the virtualization of data centers allows enterprises to scale more easily and faster, with a smaller footprint.

However, hosting enterprise data in the cloud can make intrusion detection more difficult – how can enterprise security leaders team up with other departments to keep aware of cyber risks and traffic, and physical and data compliance during the virtual transition? How can CISOs and CSOs discuss cyber threats with the C-Suite to get the resources they need? And how can the proper infrastructure test and verify possible malicious attacks? 

More Podcasts

Security Magazine

September 2014

2014 September

In the September issue of Security Magazine, find out who this year's most influential people are in the security industry are. Also, take a peek at the technology products that ASIS 2014 will be showcasing at the upcoming event. Read about the lessons learned from security at the World Cup, find out why tactical medical training is a must for your enterprise and how Atlanta increased security by sharing surveillance.
Table Of Contents Subscribe

Adopting New Technology

How long do you wait before adopting a new technology?
View Results Poll Archive

THE SECURITY STORE

comptiahighriseproductphoto
CompTIA Security+ Certification Study Guide
CompTIA's Security+ certification is a globally-recognized, vendor neutral exam that has helped over 60,000 IT professionals reach further and higher in their careers. The current Security+ exam (SY0-201) focuses more on being able to deal with security issues rather than just identifying them.
More Products

Clear Seas Research

Clear Seas ResearchWith access to over one million professionals and more than 60 industry-specific publications,Clear Seas Research offers relevant insights from those who know your industry best. Let us customize a market research solution that exceeds your marketing goals.

Vertical Sector Focus: Critical Infrastructures

criticalhomepagethumbFrom terrorism to vandalism, it’s preparedness, response, training and partnerships. Learn about some of the critical security issues facing this sector.

Visit the Critical Infrastructure page to read more.  

STAY CONNECTED

Facebook 40px 2-12-13 Twitter logo 40px 2-12-13  YouTube  LinkedIn logo 40px 2-12-13Google+