
How to Add Resiliency to Your Risk Management Strategy


The latest buzzword these days is “Resiliency,” which for all intents and purposes is really nothing more than a new term for business continuity planning (BCP) in the private sector and continuity of operations planning (COP) in the public sector. The dictionary loosely defines Resiliency as “an ability to recover from or adjust easily to misfortune or change.” Any good consultant will tell you that it is important to reinvent programs or coin a new term periodically so you can sell the same thing all over again, just packaged a little differently.

Pundits will argue that resiliency is much broader and more encompassing than simply focusing on continuity alone. However, if you really study the underlying intent of the philosophy upon which BCP and COP are based, it fits squarely within the definition of resiliency. After all, the foundation of BCP and COP programs is the full range and scope of risks the enterprise faces, the potential impacts of those risks, and the measures that can be deployed to mitigate them.

ISO 22301 outlines the international standard for the Business Continuity Management System (BCMS) a company needs in order to prepare for a disruptive activity, event or incident. At the end of the day, most will agree that misfortune and change, which are at the core of the definition of resiliency, are definitely disruptive to the norm. The process one utilizes in developing BCP and COP is captured within ISO 22301, so we will focus on an abbreviated overview of the process rather than providing a complete, detailed step-by-step guide.

Probably the most important first step an organization should take in developing its BCP/COP program is to conduct an inventory of all of the enterprise’s processes, assets and resources (PAR). No one has the time or resources to boil the ocean, so once the inventory has been completed, the next step involves prioritizing the PAR list from the most critical to the least important. Typically this step breaks the PAR list into three categories: CRITICAL – a PAR that the enterprise cannot survive for more than a day or two without; IMPORTANT – a PAR that the enterprise must have back in operation within a week or two to provide support to the Critical PARs; and, finally, BENEFICIAL – the “nice to have” PARs, which the enterprise can function without for a significant period of time. While PARs designated as BENEFICIAL contribute to the overall morale of the workforce or the long-term effectiveness and efficiency of the enterprise, they are typically the areas from which savings can be quickly generated if the enterprise is forced to find cost savings. In essence, this step of prioritizing PARs is the foundation for conducting a business impact analysis for each item cataloged in the PAR review.

Once the PAR review and criticality assessment/business impact analysis have been completed, the next step is to look at the types of risks that the enterprise faces and how they affect the top two categories of PARs. Many organizations utilize a four by five axis risk matrix that rates both Severity (Negligible to Catastrophic) and Probability (Unlikely to Frequent). The resulting risk matrix identifies those risks which require the most focus for purposes of mitigation. Determining the appropriate level and approach to mitigation involves deciding which specific risks the enterprise invests in countering, which risks it can transfer to a third party (insure against), and which risks it simply has to accept because of the nature of the risk. In cases where the risk is one that must simply be accepted, most enterprises will establish a reserve or contingency fund to deal with the issue should it arise.

It is important to think of resiliency in a holistic manner, which is why the PAR review is so vital in effectively addressing an enterprise’s risk portfolio. By engaging all elements of the enterprise in the process, the full scope of the risks the organization faces becomes much clearer. Those very same elements must also have a solid understanding of what steps they must take not only to mitigate a given risk, but also to muster the resources necessary to regain momentum and resume “business as usual” in a timely fashion.

Identifying an enterprise’s most vital processes, assets and resources, understanding their vulnerabilities, and building a structure of sound mitigation solutions and crisis response protocols are critical to the viability of the enterprise. Conducting routine exercises and performing at least annual reviews to identify changes that could result in new or different risks produces an enterprise that will not only survive, but will likely thrive.


About the Authors: Jerry J. Brennan is the founder and Chief Operating Officer of Security Management Resources (SMR Group), the world’s leading executive search firm exclusively focused in corporate security. Lynn Mattice is Managing Director of Mattice and Associates, a management consultancy focused at the development and alignment of Enterprise Risk Management and Business Intelligence Programs, as well as Intellectual Property Protection and Cybersecurity. 
