Organizations across the world continue to deal with the significant impacts of a global financial crisis, a pandemic, supply chain disruptions, increasing cyberattacks and more. While many have relied on traditional business recovery to withstand these and other factors, this confluence of threats has shown that disruption can be prolonged and evolving. The paradigm has shifted from ‘if’ disruption will occur to ‘when’ it will occur.
Traditional approaches to recovering after disruption are vital -- but they are no longer enough. Organizations need to ask: Are we proactively dealing with threats and risks? What do we need to do to build resilience? How do we know when we’re resilient enough? There are no quick or easy answers, but there are important steps your organization must take.
Focus on your highest priorities.
The organization should build resilience into whatever enables it to achieve its strategic and operating objectives. This includes producing and offering its products and services to end customers, complying with regulations, satisfying investors, etc. The business impact analysis (BIA) is the best way to do that. However, traditional BIA approaches are often focused on the organization’s internal business processes, which are only part of the dependencies, or value chain, that produces the end product or service. A question to ask is: will this traditional approach help build resilience into everything that is needed to produce that product and achieve our strategic and operating objectives? A better focus for the BIA might be to identify the organization’s most important products and services offered to customers, and to make the supporting value chain, including internal business processes, systems, people, facilities, and third parties, resilient.
Identify risks and threats that could impact your organization and the right mix of mitigation and response to reduce the impacts.
Half of the equation in building a resilient organization is being prepared for what may come. The first part of that is identifying the threats (known and unknown) and mitigating the risks they pose to your organization. This is done by identifying likely and plausible threats and scenarios that could impact your organization, assessing their risk, then implementing the best mix of preventive and reactive measures to mitigate the risk to within your organization’s risk tolerance. Once your measures are in place, a vital step is to test them to determine how well they actually work to reduce the residual impacts to your organization.
Measure and monitor your progress in building resilience.
The question raised at the beginning of this blog, “How do we know when we’re resilient enough?”, is an important one. I’m not sure an organization can be “too resilient,” but I do know an organization can be not resilient enough. The answer only comes once you have set goals appropriate for your organization relative to its resilience and have metrics in place that allow you to measure and monitor status and progress. Examples include quantitative and qualitative impact tolerances, recovery time objectives, recovery point objectives, and residual risk compared to your risk appetite. These goals must also be aligned to your business goals. Once these resilience goals are set, it’s vital to test your capabilities, evaluate your responses in real situations, address gaps identified along the way, and continue to measure and improve.