Is it just me, or is “resilience” the new buzzword?
The concept seems straightforward in a personal context: building up the psychological fortitude to bounce back from all of life’s bumps and bruises.
But what exactly does it mean for a business to be “resilient”?
We hear a lot of business leaders and highly trained business continuity, crisis management, and security professionals asking this same question. While everyone can agree that resilience is important to their business, there seems to be much less accord about precisely what it entails.
Perhaps that’s because it’s the inherent nature of resiliency to mean something different for every organization. Its precise parameters and components are shaped by its context. Every business has different experiences, threats, and resources, so why should any resiliency program look the same as another?
Still, at Bryghtpath, we think there are fundamental components that every business should have in place if they want to make good on their resiliency imperatives.
Here’s our take.
What is resilience?
According to the International Standards Organization (ISO), organizational resilience is:
“The ability of an organization to absorb and adapt in a changing environment to enable it to deliver its objectives and to survive and prosper.”
But like a lot of standards-based definitions, this leaves a lot to read between the lines.
At Bryghtpath, we think of resilience as a group of capabilities that supports an organization’s ability to solve big problems, continue operations, protect its assets, and most importantly, protect its people.
On a practical level, this is achieved with basic blocking & tackling—implementing certain key components in a logical way to prevent, plan for, respond to, and recover from disruption.
These core components consist of:
- Business Continuity
- IT Disaster Recovery (or Technology Continuity)
- Crisis Management
- Enterprise Risk Management
- Information Security
- Physical Security (or Global Security, or Corporate Security), including travel safety & security, Intelligence, & workplace violence prevention
- Crisis Communications
- Life Safety and Emergency Procedures (Evacuation, First Aid, Shelter-in-Place, etc.)
While these components are the building blocks of resiliency, they don’t stand separate and alone. The cross-organizational coordination of each of these components is equally, if not more, important. While each component might substantially reside with one particular part of the organization (e.g., IT is the primary driver of IT Disaster Recovery and likely InfoSec), a good resiliency program must ensure that each organizational component and its respective piece of the resiliency puzzle are cross-coordinated and aligned with the organization’s overarching resiliency objectives.
In implementing each of these resiliency components, an organization should also have key metrics in place, including an understanding of enterprise-level risks (including regulatory and compliance) and what controls are available to address those risks, along with business continuity and disaster recovery metrics to track and measure your program’s performance and maturity.
And of course, no resiliency program would be complete without the actual plans—Business Continuity Plans, IT Disaster Recovery Plans, and a Crisis Management Plan and Framework with applicable annexes for Crisis Communications and Information Security Incidents (e.g., ransomware).
In the long-term, each of these components and their elements layer upon one another to build a culture of resilience—a way of thinking, acting, and planning within your organization that helps your organization better respond to change, disruption, and crisis. And while the value-add of improved organizational resilience is often thought of in the limited context of responding to the bad, it often helps organizations develop new capabilities that help them do more good—engaging in communities, building new partnerships, and exploring the new business opportunities that follow.
I think we can all agree that resilience is a good thing. Still, many businesses struggle with resiliency. Here’s what we commonly see from our clients.
Lack of Resources
Planning for resilience is not an easy lift. It requires a tremendous investment of capital and a strong commitment throughout the organization, which usually begins at the top. Unfortunately, many business leaders fail to understand its true value.
Understandably, it’s hard to justify spending on resilience when there is no direct return on investment, especially in light of so many other competing priorities. As a member of the board or C-suite, it’s easy to see resilience as yet another internal insurance policy that isn’t really necessary—until you’ve had to cash in on that policy.
Senior leaders and managers often progress through an organization with experience in only one particular organizational silo. As a result, they have a one-dimensional understanding of resiliency and lack the cross-functional interactions that they need for a holistic understanding of resilience.
For example, a functional leader in information security has likely spent most of their career as an information security engineer or manager. They’re an absolute expert in this area, but have minimal knowledge about business continuity, crisis management, and physical security.
This lack of perspective within each part of the organization can make it hard to achieve alignment between the various resiliency components. Cross-coordination efforts are also often confounded by internal politics and competition within the organization.
But resilience doesn’t care about organizational silos and interdepartmental politics. Much like all pieces of the body must work together to walk, eat, work, and rest, the organization is only as resilient as each organizational unit and its willingness to collaborate.
Resiliency is a team sport.
Many times, organizations forget to start with the basics. In resiliency planning, that includes things like conducting a business impact analysis, shoring up physical and IT security, and creating relevant business continuity plans. Still, many businesses start with the Ferrari when all they need is a thing with wheels.
I get it though. The resiliency planning process can seem overwhelming. Choosing a technology solution or investing in a spendy piece of equipment can make you feel like you’re making real progress towards your resiliency goals. But at the start, the best solutions are likely the simplest.
For example, if you’re just starting up a crisis communications program, an overly robust (and expensive) emergency notification platform can be frustrating and underutilized. Start first by figuring out the messages you need to send, why they need sending, to whom you need to send them, and what the recipients need to do with that information.
Then layer on the appropriate technology solutions as needs and resources permit to simplify, enhance, and accelerate the process.
Resiliency Best Practices
If we had the golden answer for how to achieve optimal organizational resilience, we would have put it in a package, made our fortune, and retired to a Caribbean Island by now (OK, well maybe not to a hurricane-prone tropical island).
All kidding aside, we CAN point to a few key things that will help you push through the roadblocks we’ve identified above.
Identify an organizational champion
We’ve written in the past about the need for every business continuity program to have an executive sponsor—someone who serves as a sounding board between the steering committee and senior leaders, and who serves as a champion for your business continuity program.
This is even more true when it comes to resiliency. Every organization needs a leader with the organizational savvy to cut across silos, champion the cause of resiliency, and ensure that resilience is embedded into your organizational culture. They don’t need to be a resiliency expert; just someone who can tell the story when it needs to be told.
Develop the right talent
We talked earlier here about organizational silos. When mid-level and senior leaders are brought up in one discipline, they only have the ability to see resiliency planning through a singular lens. This impedes the ability of various components to achieve alignment towards resiliency planning objectives.
Having a talent strategy that moves people across silos and allows for the cross-pollination of skills, capabilities, and understanding can help facilitate the cross-departmental coordination that is fundamental to resiliency planning. Deliberate investment in talent will pay guaranteed dividends towards your organization’s resiliency objectives.
Put first things first
A pearl is not grown overnight. Nor is resiliency. Both require time and trust in the process to yield a cultured and extraordinary result. Yet we must all start with the basics.
When it comes to resiliency planning, we recommend that you start with these basics, and mostly in this order:
- Implement Life Safety and Emergency procedures
- Implement Physical Security controls
- Implement Information Security controls
- Design a Crisis Management Framework & Plan
- Create applicable Business Continuity Plans
- Create IT Disaster Recovery Plans
Other components, like Crisis Communications and Enterprise Risk Management, can later be layered on top of or aligned with these fundamentals, as is relevant to your organization and where it’s at in its resilience journey.
Building a mature resiliency program is complex and takes time. There’s simply no way to skip ahead. But taking meaningful steps in the right order will ensure you get a good start.
Resilience is many things. But most of all, it is more than the sum of its parts.
Having a resilient business not only ensures that you can recover from the next crisis; it builds the culture of innovation and collaboration that can take your business to the next level.
Is your business ready to strategically leverage resiliency to survive, grow, and thrive? Bryghtpath can help. Learn about our approach to Business Continuity in our Ultimate Guide to Business Continuity and our approach to Crisis Management in our Ultimate Guide to Crisis Management and then contact us today.