What about Resilience?

Risk, Business Continuity and Resilience - are we getting the landscape right?
 
Business Continuity, Resilience and the Rhino's ear
 
Imagine trying to describe, or just outline, what a rhinoceros looks like to someone when you have only seen a small part of the whole animal yourself, perhaps just a foot or an ear.
 
When you haven't seen the whole thing it is awkward at best, perhaps even impossible. It's certainly rather tricky, eh? You could end up with a donkey, a three-toed camel or indeed a host of bizarre critters. To describe a rhino properly you have to step back and get the whole picture. (We know this is usually done with elephants, but we prefer a rhino for this analogy... it's an ear thing!)
 
We’re using this example to illustrate one of the most interesting topics emerging across the Risk and Business Continuity Sectors  - Organizational Resilience! 
A lot of people are talking about it and the discussion underway is really interesting. 
 
The Continuity Forum's position is that Organizational Resilience is clearly highly desirable. If more of our companies and more of our social infrastructure were resilient, a huge amount of disruption would be avoided and lives, and of course business, would run far more smoothly. Organisations would be likely to make better informed decisions and to have capabilities that align with their interests and help minimise disruption and losses.
 
Back in 1999, our Chairman created the tagline "creating Continuity... building Resilience...", where business continuity management was the activity and resilience the outcome, and this is something that we stand by today. By defining what was needed to maintain "business operations" and taking measures to ensure that disruption to the vital processes was minimized, we knew there was potential for a real economic benefit to be delivered. The success seen in developing Business Continuity has validated this view completely, and through the knowledge gained over the past 13 years we all know more can be done.
 
There is a (relatively) new kid on the block though that has the potential to raise the bar again, and it's called Organizational Resilience. Hurrah, I hear you say - let's use the experience gained and help businesses and communities cope even better - let's all be Resilient! Hold your horses a second, folks... there is a problem and it's a simple one. Resilience can mean a lot of different things to different people and, when it comes down to it, to get the best resilience we all have to understand that context is everything.
 
A materials scientist or an engineer will define Resilience using a formula that describes "the ability of a material to absorb energy when it is deformed elastically, and release that energy upon unloading". This is great - you can measure Resilience repeatedly using a consistent method and compare results.
 
But what about our kind of resilience?
   
Across academia, business and government the equation is not so clear, but they all know what they mean when they describe it. The trouble is that all the definitions vary to a greater or lesser degree once you get into the detail. Frequently, these differences are associated with the perspective of the 'expert' doing the defining. The US Quadrennial Homeland Security Review of 2010 placed Resilience front and centre as a vital tool to provide security against terrorism. This is how Resilience was defined: "(the ability to)... Foster individual, community, and system robustness, adaptability and capacity for rapid recovery;"
 
A good definition in one sense, but the context doesn't fit the wider expectations or map onto the organisational landscape well. Security is a resilience issue but, as with the rhino's ear, it's not the whole picture. Security threats, financial risk, disasters, disruption, cyber and ICT risk all need managing if we are to create real Resilience.
 
Another part of the issue is illustrated by the various standards that cover or include Risk.
 
ISO 22301 (business continuity management systems) requires risk to be assessed, and ISO 31000 provides general principles and guidelines for managing risk too, although it is 'usually' applied in a financial or project context. ISO 27001 helps manage information security (ICT) risk and ISO 27031 covers ICT readiness for business continuity. There are security standards to reduce and manage threats (risks), and let's not forget the supply chain! What about reputation risk, that's important - doesn't it need addressing too? Over the past year the three most used families of ISO management system standards, covering quality, environmental management and information security (ISO 9000, 14000 & 27000), have all started their review process and each is revisiting the risk aspects.
 
Our point isn't that there aren't standards, it's that the standards that are there aren't really being used (or perhaps it would be more accurate to say aligned) in the right way to give us an integrated approach to these specialist areas. If they were, they could pretty easily flex and combine to deliver the right level of Resilience for each individual organization's needs.
 
We believe building real Resilience comes from getting the context right for your organisation. Understanding what resilience is and how it can benefit your organisation (or community) requires some thought. Most people, and especially business leaders, can articulate what their organisation does. They use language and examples based on their corporate vision and mission statements, along with illustrations of the values and principles that underpin the organisation. This is part of their sales message, and vast amounts can be spent communicating these to customers and stakeholders.
 
When you ask the top management of almost any business or organisation just how important risk management or resilience is to them, the answers place these as a top-five priority in more than 15 serious studies over the past year. If you fine-tune the analysis, critical resilience topics such as cyber, climate and supply chain risk feature in the top three in 93% of studies*. Clearly those at the top of the organisation take risk, resilience and their responsibilities pretty seriously, but this doesn't seem to translate too well into the broader outcomes we all too often see.
 
Take cyber risk, for example. For decades our dependence on ICT networks has been growing and now it is at the very heart of most organisations across the public and private sectors. The technology has delivered huge benefits, launched new industries and changed the way most of us live. However, as our use and integration of technology into our lives has developed, old risks have found new vectors to threaten us (e.g. crime - fraud and theft) and new risks have emerged, such as attacks on our infrastructure from both internal and external sources. Governments and independent experts are all warning of the very real threat posed to our businesses and communities by the lack of action by millions of organisations around the world in implementing appropriate risk controls, mitigation and security measures. Yet these organisations are run by the very same people who report that they see risk and resilience - even cyber risk - as a top priority. So why the mismatch?
 
The Airmic "Roads to Ruin" report, produced by Cass Business School, found a consistent set of underlying issues - which resound with our experience - that negatively impact real capability:
  • A lack of board skill and NED (non-executive director) control of risk
  • Board risk blindness
  • Poor leadership
  • Defective communication
  • Excessive complexity
  • Restrictions on risk reporting - glass ceilings and silos
These factors are all embedded issues at the very top of the organisation and they contribute, either directly or indirectly, to the false confidence observed in so much of the C-suite, whose understanding of their organisation's real capabilities is usually flawed.
 
That's a sweeping statement that might be unfair on some, but it is pretty indicative of the situation for most. How else can you explain that something like 90% of those organisations that take credit card payments don't comply fully with the requirements of the PCI DSS standard (contractual requirements set by the card brands, not legislation)?
 
Surely the boards of card issuers and payment infrastructure providers would want their customers to have even this basic level of protection... wouldn't they? Could it be they don't know or, worse, don't care? Having compliance in place enables the use of credit card payments, and taking it away would definitely have an impact on any business using them.
 
Compliance with the PCI framework is not going to 'solve' all the big cyber risk issues, but who can deny that it will deliver some of the capabilities an organisation needs to better manage cyber risk and contribute to its overall resilience? It is one part, though, of a wider framework that could be applied to manage cyber risk better in the context of the business.
 
Scale this up and spread it out across other areas of operations and you start getting a picture of what the priorities in your organisation should actually be. The US retailer Target has discovered, in its 2013 card data breach, just what is at stake when you suffer an attack.
 
This is just one example of how Risk Blindness, Poor Leadership and Defective Communication from the board impact on the activities of those trying to manage Risk in the organisation.    
 
What is clear, though, is that knowing what is really important to you and your stakeholders - and connecting this to the vision and mission of your business - is the starting point for a framework describing what Resilience in your organisation would look like, which then directs the creation of the right level of protection for your needs.
 
Focusing on principles and outcomes is the way forward 
 
We have some great tools at our disposal, but we'd contend that we need to use them better and make sure they are being used in the right place. Risk, continuity, security and crisis managers have developed industry knowledge to very high levels of capability, and we have standards of good practice in all these areas that can help direct them. What is often cited as the MAJOR issue, though, is the 'buy-in' from the board and others across the organisation. Is this because they don't care, or is it that they don't yet know enough about our work to really understand the value? I think it's an understanding problem and that, as an industry, we suffer from some of the factors that affect the board shown above, but that is another discussion.
 
Perhaps the way forward is to rethink the engagement.  Instead of managing risk (and therefore resilience) in departments, we start at the board and with those mission statements and corporate values mentioned earlier. So let's ask just one example question of an imaginary board to see how they might react.
  • Do you respect and value your customers' data security, and how can you evidence this?
  • In the digital age, signing up to a level of data security and treating customer information as a core quality criterion is a principle that almost everyone would accept as not only reasonable, but essential.
I doubt that many CEOs would answer that they didn't care, and I think that most readers would agree with me, but let's look at the evidence part of the question; how might your board answer this? Would it be:
  • a) We comply/align with industry good practice through NIST/HMG/ISO and verify our capabilities and our partners' through regular testing and updates that are reported to the board each quarter. Our risk management and IT teams work together to prioritise activities, including working with various notification bodies, to ensure our customers' data is secure. All employees are trained in our cyber and IT risk policies as part of our ongoing efforts to ensure the capability of our overall Resilience Management. (Copies of last quarter's summaries attached.)

or

  • b) Hmmm... we have an IT department and we leave them to get on with this stuff (mostly). Who would want to hack us anyway?
Which of these two answers would you and your board prefer to hear from a critical supplier or partner? If you started asking the question today, would you know how your suppliers/partners would answer? Some of you will, but governments and most experts wouldn't be so worried if more of us could!
 
Extreme Weather, Climate Adaptation and the Supply Chain risks could all be questioned in similar ways with similar responses.   
 
By stressing the strategic principles and values of an organisation and linking these more effectively and transparently to the skills and departments that need to work on them, boards can start showing leadership and will be directly addressing the shortcomings identified in the Airmic/Cass Business School study.
 
More importantly for them and their stakeholders, they will be driving a major leap forward in capabilities that reduces disruption, saves them money and gains value by living up to current responsibilities.    
 
Organisational Resilience is not just a flowery concept. It's a way for executive management to assess and align resources so as to best support the achievement of objectives in the most efficient way. It sets the landscape and context that supports the organisation's activities and leverages the skills and capabilities needed to improve organisational performance.
 
Organisational resilience is a vital next step in management thinking that underpins pretty much every other process and resource used. Building Resilience takes time and focus, though the return on investment can be very significant, especially when you are in the midst of a crisis, but getting the context and alignment right is absolutely essential.
 
Clear direction and leadership, strongly voiced from the Board, along with openness and commitment is essential to make sure that you don’t confuse a Rhino with a Donkey and that you get real Resilience! 


UPDATE 
 
The British Standards Institution (BSI) guidance on organisational resilience is now available.
 
This standard is intended to provide advice on how organisations can understand what resilience capabilities are needed to support the achievement of their business strategy.
 
The Continuity Forum is interested to hear the views of all stakeholders in industry and across the public on this initiative.  If you would like to know more please get in touch with us directly.  
 
* Continuity Forum Research 2013
