Emergency Response, Disaster Recovery, Business Continuity, Crisis Management and the latest all-encompassing buzzword, Enterprise Resilience: these terms have all evolved over the years, but in the end they describe essentially the same thing. Each is simply a different label for managing the risks an enterprise faces.
Many of the big consulting firms spend a lot of time “educating” senior executives and boards on the significant risks associated with Black Swans. A Black Swan event or occurrence is something that deviates beyond what is normally expected, is extremely difficult to predict and is typically prohibitively expensive to counter or prevent. These “educational” sessions are really nothing more than poorly disguised marketing ploys that do a disservice in their attempts to frighten an enterprise’s leadership into spending money chasing Black Swans.
The real focus of those tasked with overseeing and managing the enterprise’s risk portfolio should be on dealing with the flocks of White and Grey Swans. Managing the full scope of incidents that are more likely to occur and have a demonstrable impact on the enterprise produces a significantly higher ROI.
Many organizations deploy substantial resources building elaborate plans that sit on a shelf and gather dust. There are bookshelves and websites full of guides, processes and standards focused on business continuity/resiliency, plus thousands of consulting firms eager to have you spend precious resources on their “solutions.”
Having had responsibility for business continuity/resiliency programs as a CSO, I found one approach that always worked effectively: keeping it simple. Here’s the approach we found to be consistently successful:
- Prepare an inventory of the Processes, Assets and Resources (PAR) in each function across the enterprise (including third-party support and supply chain partners).
- Prioritize each PAR by the importance/criticality to the business by conducting a Business Impact Analysis (BIA) of each PAR.
- Require periodic updates of PAR listings and BIA reviews related to any change in conditions.
- Establish the following teams (note: some enterprises choose to combine these teams):
  - Incident Response Team, responsible for the initial handling of an incident;
  - Crisis Management Team, to handle overall management of an incident;
  - Crisis Communications Team, to handle messaging to employees, customers, government agencies and the press; and
  - Business Resumption Team, dedicated to getting the business functions back up and operational as soon as possible.
- Develop and map a standard methodology for managing the process. It must include all the steps outlined above, plus an after-action review/root cause analysis to update and improve the process and, ideally, to put in place measures that prevent a similar incident from recurring.
- Routinely conduct table-top exercises and drills to ensure that business and functional leaders as well as the various teams thoroughly familiarize themselves with the process and understand their roles and responsibilities.
As with anything else, familiarity is key. When the process of managing the risk of disruptions becomes second nature, the entire process of managing an enterprise’s risk becomes ingrained, and the enterprise will be managed more efficiently, effectively and more profitably.