In this episode of the Managing Uncertainty Podcast, Bryghtpath Principal & Chief Executive Bryan Strawser discusses what is resilience?
The concept seems straightforward in a personal context; building up the psychological fortitude to bounce back from all of life’s bumps and bruises.
But what exactly does it mean for a business to be “resilient”?
We hear a lot of business leaders and highly trained business continuity, crisis management, and security professionals asking this same question. While everyone can agree that resilience is important to their business, there seems to be much less accord about precisely what it entails.
Topics discussed include how to think about organizational resilience within a large, complex organization – and how to go about putting it into place across the organization.
Related Episodes & Blog Posts
- Blog Post: What is Resilience?
- Blog Post: Plan-Do-Check-Act and your Business Continuity Program
- Blog Post: Business Continuity Standards: How each can help you
- Episode # 121: Metrics for Success in your Business Continuity Program
- Episode #123: Plan Do Check Act and your BC Program
Episode Transcript
Hello and Welcome to the Managing Uncertainty Podcast. This is Bryan Strawser, Principal and Chief Executive here at Bryghtpath. And in today’s episode, I want to talk about the question, what is resilience? Is it just me or is this the new buzzword of 2021, resilience?
The concept seems straightforward in a personal context, building up the psychological fortitude to bounce back from all of life’s bumps and bruises. But what exactly does it mean when we talk about a business being resilient? We hear a lot of business leaders and highly trained business continuity, security, crisis management, risk management professionals, information security professionals asking the same question.
And while everyone can agree that resilience is important to their business, there seems to be a lot less agreement about precisely what it entails. Perhaps it’s because it’s the inherent nature of resiliency to mean something different for every organization. Its precise parameters and components are shaped by its context. Every business has different experiences, threats, and resources. So why should any resiliency program look the same as another?
Still, here at Bryghtpath, we think there are fundamental components that every business should have in place if they want to make good on their resiliency imperatives. So here’s our take. What is resilience? Well, according to the International Standards Organization, ISO, organizational resilience means the ability of an organization to absorb and adapt in a changing environment to enable it to deliver its objectives, to survive and to prosper. But like a lot of standards-based definitions, that leaves an awful lot to read between the lines.
Here at Bryghtpath, we think of resilience as a group of capabilities that supports an organization’s ability to solve big problems, to continue their operations, to protect their assets. And most importantly, protect their people. On a practical level, this is achieved with what we think of as basic blocking and tackling, implementing certain key components in a logical way to prevent plan, for respond to and recover from disruption. Those core components typically consist of business continuity, IT disaster recovery, crisis management, enterprise risk management, information security, physical security, or you might call it global security or corporate security. And we include in that travel safety and security and crisis communications.
While these components are the building blocks of resiliency, they don’t stand alone or separate. The cross-organizational coordination of all of these components is equally, if not, more important. While each component might substantially reside within one particular part of the organization, for example, IT may be the principal owner of IT disaster recovery and probably also owns information security. A good resiliency program will ensure that each organizational component and their respective piece of the resiliency puzzle across coordinated and aligned with the organization’s overarching resiliency objectives.
In implementing each of these resiliency components, an organization should also have key metrics in place, including an understanding of enterprise scale risk, such as regulatory and compliance risk, and what controls are available to address those risks, along with business continuity and disaster recovery metrics to track and measure your programs performance in maturity. And of course, no resiliency program is complete without actual plans, business continuity plans, IT disaster recovery plans and a crisis management plan and framework.
And usually as we think of those in a mature way with applicable annexes for crisis communications and a data incident or information security incident like ransomware. In the long term, each of these components and their elements layer upon one another to build a culture of resilience, a capability of resilience, a way of thinking, acting, and planning within your organization that helps your company better respond to changes, disruption, and crisis.
There are, however, resiliency roadblocks. I think we can all agree resilience is a good thing, but many businesses struggle with this idea of resiliency. Here’s what we commonly see in terms of roadblocks. First, a lack of resources. Planning for resilience is not an easy lift. It requires a tremendous investment of capital and a strong commitment throughout the organization, beginning at the top. Unfortunately, many business leaders fail to understand the true value of resilience.
Understandably, it’s hard to justify spending on resilience when there’s no direct return on investment, especially in light of so many other competing priorities in organizations today. But as a member of the board or C-suite, it’s easy to see resilience as just another internal insurance policy that isn’t really necessary, until the time comes and your critical moment strikes and you have to cash in on that policy.
The second roadblock we see as organizational silos. Senior leaders and managers often progress through an organization with experience in really only one particular organizational silo. As a result, some tend to have a one-dimensional understanding of resiliency and they lack the cross-functional interactions that they may need for a holistic understanding of resilience. For example, a functional leader in information security has probably spent most of their career as an information security leader or engineer, or manager. They’re an absolute expert in that area, but they have minimal knowledge about business continuity and crisis management or in physical security.
That lack of perspective within other parts of the organization can make it hard to achieve alignment between the various resiliency components. Cross-coordination efforts are often confounded by internal politics and competition for resources and egos within the organization,. but resilience doesn’t care about organizational silos and interdepartmental politics. Much like all pieces of the body must come together for us to walk and eat and work and rest, the resilience of each organizational unit is only as effective as that of the entire organization.
Companies also overthink resilience. Many times organizations just forget to start with the basics. In resiliency planning, that includes things like conducting a business impact analysis, shoring up physical and IT security, and creating relevant, effective business continuity plans. But many businesses will start with the Ferrari when all they really need is a thing with wheels that goes.
But I get it. The resiliency planning process can seem overwhelming. Choosing a technology solution or investing in a spiny piece of equipment can make it feel like you’re making real progress towards your resiliency goals. But at the start, the best solutions are likely the simplest. For example, if you’re just starting up a crisis communications capability in your company, an overly robust and expensive emergency notification platform could be frustrating and underutilized. Start first by figuring out the messages you need to send, the audience that you need to send them to, and what the recipients need to do with that information. What is it that you’re wanting them to do? And then layer on the appropriate technology solutions as needs and resources permit.
I want to conclude by talking a bit about resiliency, best practices. If I had the golden answer for how to achieve optimal organizational resilience, I would have put that in a package made my fortune with it, and retired to a Caribbean Island by now, maybe not into a hurricane-prone one. But all kidding aside, I can point to a few key things that can help you push through the roadblocks that we’ve identified.
The first is to identify an organizational champion. You need somebody in your senior leadership ranks that gets it. We’ve written in the past and talked in the past about the need for every business continuity program to have an executive sponsor, someone who serves as a sounding board between the steering committee and senior leaders, and who serves as a champion for your business continuity program. This is even more true when it comes to resiliency. Every organization needs a leader with the organizational savvy to cut across silos, champion the cause of resiliency, and ensure that resilience is embedded into your organizational culture. They don’t need to be a resiliency expert, just someone who can tell the story and champion the cause when it needs to be told.
The second best practice is to develop the right talent. We’ve talked earlier in this episode about organizational silos. When mid-level and senior leaders are brought up in just one discipline, they only have the ability to see resiliency planning through a singular lens. This impedes the ability of other components to achieve alignment towards your resiliency objectives. Having a talent strategy that moves people across silos and allows for the cross-pollination of skills, capabilities, and understanding can help facilitate the cross-departmental coordination that’s necessary for resiliency planning. A deliberate investment in talent will pay guaranteed dividends towards your organization’s resiliency objectives.
I have a personal example of this during my time at my previous employer. I spent most of my career in retail loss prevention and then later in corporate security, but within the same kind of security organization. And my leadership deliberately put me in assignments that positioned me to have a broader cross-organizational view of what was going on across the organization. I came out of a role where I was working primarily on crisis management issues back at the time of Hurricane Katrina. And for two and a half years, I worked on essentially running the technology portfolio for the entire legal organization at my employer, including corporate security, which was part of the general counsel’s purview. That gave me a strong insight look at how our technology organization built, managed and recovered systems.
Later on when I was promoted to oversee business continuity and crisis management, I had a unique perspective about the role that technology played as a force enabler in the organization, but also the need for better technology continuity, disaster recovery capabilities in the organization. That cross-organizational work that I did positioned me for greater success in the ability to cut across silos at the organization. You need the same kind of talent strategy within your organization to move your leaders across the different resilience and capabilities and give them this broader organizational view.
The third best practice is to put first things first. Stephen Covey used to say when he talked about The 7 Habits of Highly Effective People, one of the habits was, highly effective people put first things first. We don’t grow a pearl overnight and resiliency does not show up overnight either. Both of these require time and a trust in the process to yield a cultured and extraordinary result. But we have to start with the basics.
When it comes to resiliency planning, we recommend you start with the basics and mostly in this order, life safety and emergency procedures, physical security controls, information security controls, design a crisis management framework and plan, create a clickable business continuity plans, create applicable IT disaster recovery plans. Other components like enterprise risk management and crisis communications can be layered on later on top of these fundamentals as it’s relevant for your organization and where you are in your resiliency journey. Building a mature resiliency program is complex and it will take a time. There’s simply no way to skip ahead. But taking meaningful steps in the right order will ensure that you get off to a good start.
I’ll wrap up by saying that resilience has many things, but most of all, it’s more than the sum of its parts. Having a resilient business, not only ensures that you can recover from the next crisis, but it builds the culture of innovation and collaboration that can take your business to the next level. Is your business ready to strategically leverage resiliency to survive, grow, and thrive? We can help you. That’s it for this edition of the Managing Uncertainty Podcast. We’ll be back next week with another new episode. Be well.