Building business resiliency in today’s complex organizations is like trying to put together a championship team. It is comprised of many inter-related moving parts: owners to support a common goal to succeed; a general manager to oversee team operations and ensure recruitment of the right coaches; a head coach and assistant coaches to develop the best players and provide an effective game plan the team can execute; and a roster of players that are well prepared to perform when the time comes. To get it right, this level of teamwork requires coordinated resources, effort, and sometimes trial and error.
Similarly, building a resilient organization also requires significant coordination. It requires a common goal for the board of directors and C-level executives to build a resilient organization; designated champions with the authority to drive this resiliency initiative throughout the organization and help clear obstacles; and a leader to execute a coordinated plan working with corresponding leaders and their teams across business operations, IT, risk management, compliance, third-party management and other departments.
While building a resilient organization can seem like a daunting task, a well-thought-out plan and playbook can make all the difference. We recommend you consider the following areas in creating your resiliency playbook:
Aspects of your organization that are most critical to ensure they are resilient. It is important to determine which of your customer-facing products and services and supporting business processes would have the greatest impact on your organization if they were interrupted for any reason. First, identify which products and services are most critical; then determine the negative impacts, or impact tolerances, your organization would be able to absorb. This should account for the duration of the disruption (recovery time objective), as well as the impact on other business metrics. For example, if your organization was not able to provide that product or service, how much revenue could you afford to lose, or how many transactions could you afford to not process, before the impact becomes intolerable to the business? These impact tolerances are important drivers in determining which resiliency and recovery strategies your organization puts in place.
Risks that could impact your organization. It is important for your organization to have methods to identify and understand which risks could affect the achievement of your business objectives, as well as the likelihood of the occurrence of those risks. This can help your organization understand to what extent the risks need to be dealt with. It is also critical to identify the scenarios (combinations of risks or threats) that could impact the business, such as a pandemic that results in loss of key resources, loss of customers, regulatory restrictions, and more. This is more than assessing and managing one type of risk; it is also identifying those ‘perfect storms’ that combine multiple risks and threats that could negatively impact your organization.
Understanding your third-party risk. Third parties can play an integral role in helping to achieve your business objectives, yet today’s supply chains and third-party ecosystems are becoming increasingly complex. In building business resiliency, it is critical to identify, understand and track your third parties, particularly those that support your organization’s most critical products and services. Once you know who your most important third parties are, it is vital to understand the vulnerabilities they present and their resiliency capabilities and gaps.
The importance of business and IT recovery. The best assumption is not “if” your organization will experience a disruption at some point, but “when” there will be a disruption. Starting with the parts of your business that are most critical, consider the potential disruptive scenarios and risks and whether you have resiliency and recovery strategies to recover your business and IT functions. This extends to people, locations, data and any other elements that are vital to running your business. These strategies must be translated into concrete plans and tested against the scenarios you have defined.
Tracking your business resiliency progress and gaps. There are many moving parts in an initiative to build resiliency into the way your business operates. It must be managed like a cross-organization project until it becomes “muscle memory” for your organization. Tasks, assignments, issues, gaps and next steps must be tracked, assigned owners, driven to resolution, and reported. This discipline is required to successfully implement a program of this magnitude.
Business resiliency is difficult to build and maintain without the help of automation. Archer is purpose-built to help organizations of all sizes and scope quickly deploy the standards-driven industry best practices needed to establish effective business resiliency. For example:
Archer Business Impact Analysis helps you determine which of your business processes are most critical, including the supporting infrastructure, so you can protect and recover what is most important to your organization.
Archer Risk Catalog allows you to record and track risks across your organization and establish accountability for those risks. It lets you take a top-down, qualitative approach to assessing inherent and residual risk and enables a three-level rollup of risk, from a granular level up through enterprise risk statements.
Archer Third Party Catalog allows you to document all third-party relationships, engagements, and associated contracts, as well as the business units and named individuals in your organization that are responsible for each third-party relationship.
Archer Business Continuity & IT Disaster Recovery Planning enables you to document and test business continuity and IT disaster recovery plans with a coordinated, consistent, and automated approach to recovery, allowing you to respond swiftly in crisis situations.
Archer Issues Management lays the foundation for your business resiliency program, enabling you to manage issues generated by multiple groups and establish accountability, workflow and reporting to improve the management of findings, remediation plans and exceptions.
Building resiliency for your organization requires shared objectives, dedicated ownership, leadership buy-in, cross-functional coordination, consistent execution, and, well, resilience! Learn more about Archer’s approach to Building Business Resiliency.
Patrick Potter is a subject matter expert who works with customers, analysts and partners on integrated risk management best practices and provides strategic input into the development and marketing of Archer.