The latest buzzword these days is “Resiliency,” which for all intents and purposes is really nothing more than a new term for business continuity planning (BCP) in the private sector and continuity of operations planning (COP) in the public sector. The dictionary loosely defines Resiliency as: “An ability to recover from or adjust easily to misfortune or change.” Any good consultant will tell you that it is important to reinvent programs or create a new term periodically so you can sell the same thing all over again…but just packaged a little differently.
Pundits will argue that resiliency is much broader and more encompassing than simply focusing on continuity alone. However, if you really study the underlying intent of the philosophy upon which BCP and COP are based…it fits squarely within the definition of resiliency. After all, the foundation of BCP and COP programs focuses upon the full range and scope of risks the enterprise faces, the potential impacts of those risks and the factors that can be deployed to mitigate those risks.
ISO 22301 outlines the international standards for Business Continuity Management Systems (BCMS) required for a company to prepare for a disruptive activity, event or incident. At the end of the day, most will agree that misfortune and change which is the core to the definition of resiliency are definitely disruptive to the norm. The process one utilizes in developing BCP and COP are captured within ISO 22301, so we will focus more on an abbreviated overview of the process rather than providing a complete detailed step-by-step guide.
Probably the most important first step an organization should take in developing their BCP/COP program is to conduct an inventory of all of the enterprise’s processes, assets and resources (PAR). No one has the time or resources to boil the ocean, so once the inventory has been completed, the next step involves prioritizing the PAR list from the most critical to the least important. Typically this step in the process breaks the PAR list into three different categories: CRITICAL – a PAR that the enterprise cannot survive for more than a day or two without; IMPORTANT – a PAR that the enterprise must have back in operation within a week or two to provide support to the Critical PARs; and, finally, BENEFICIAL – this final category encompasses the “nice to have” PARs, which the enterprise can function without for a significant period of time. While PARs designated as BENEFICIAL contribute to the overall morale of the workforce or the long-term effectiveness and efficiency of the enterprise, these BENEFICIAL PARs typically encompass areas in which savings can be quickly generated from if the enterprise is forced to find cost savings. In essence, this step of prioritizing PARs is the foundation for conducting a business impact analysis for each item cataloged in the PAR review.
Once the PAR review and criticality assessment/business impact analysis have been completed, the next step is to look at the types of risks that the enterprise faces and how they affect the top two categories of PARs. Many organizations utilize a four by five axis risk matrix that rates both Severity (Negligible to Catastrophic) and Probability (Unlikely to Frequent). The resulting risk matrix identifies those risks which require the most focus for purposes of mitigation. Determining the appropriate level and approach to mitigation involves determining which specific risks that the enterprise invests in countering, which risks that it can transfer to a third party (insure against) and those risks that they simply have to just accept because the nature of the risk. In cases where the risk is one that they simply have to accept, most enterprises will establish a reserve or contingency fund to deal with the issue should it arise.
It is important to think of resiliency in a holistic manner, which is why the PAR review is so vital in effectively addressing an enterprise’s risk portfolio. By engaging all elements of the enterprise in the process, the full scope of the risks the organization faces becomes much clearer. Those very same elements must also have a solid understanding of what steps they must take to not only mitigate a given risk, but also to muster the appropriate resources necessary to regain momentum and resume “business as usual” in a timely fashion.
Identifying an enterprise’s most vital processes, assets and resources; understanding their vulnerabilities, building a structure of sound mitigation solutions and crisis response protocols is critical to the viability of the enterprise. Conducting routine exercises and performing at least annual reviews to identify changes that could result in new or different risks results in an enterprise that will not only survive, but will likely thrive.
About the Authors: Jerry J. Brennan is the founder and Chief Operating Officer of Security Management Resources (SMR Group), the world’s leading executive search firm exclusively focused in corporate security. Lynn Mattice is Managing Director of Mattice and Associates, a management consultancy focused at the development and alignment of Enterprise Risk Management and Business Intelligence Programs, as well as Intellectual Property Protection and Cybersecurity.