Our continuity and resilience experts provide insight on “Investing in Resilience” for BCAW2019.
In support of Business Continuity Awareness Week 2019, Daisy’s team of continuity and resilience consultants each provide their thoughts around “Investing in Resilience” – with some food for thought, some insight and some tips on where to start, there is something for everyone…
Petra Morrison, Business Continuity Consultant
Petra Morrison takes us into a future of “organisational resilience utopia” and considers how a ‘business-as-usual’ approach to resilience today can help to get us there.
Organisations seeking longevity should normalise today’s ‘Plan Bs’
Take a moment to envision a positive near future – that across the entire world we have mastered the art of organisational resilience and achieved new norms. Imagine the various and game-changing conditions that organisational resilience has brought: water security, food security, fuel security, supply chain security and more. Humanity’s basic needs are met, climate is in balance, demand and disposable income have increased and the markets for your products and services have been opened up in a truly global way. Imagine the world you want your children’s children to be born into.
In this future, will the loss of a building or datacentre still be able to knock your organisation for six, allowing your competitors to take your market share? It shouldn’t. Invest in resilience today. Fortify your foundations. A ‘business as usual’ response to what are currently regarded as exceptional or crisis events can increase your organisation’s ability to bounce back faster, even instantaneously, allowing competitors no opportunity at all. It is time to demote today’s known and classic threats by investing in the normalisation of ‘Plan Bs’. Often the exceptional events currently planned for are loss of a workspace, IT system failures and data centre failures. However, our customers no longer regard these as exceptional and have very little tolerance for outages – so neither should you, now or in the future. Faster transfer to alternate workspaces and faster switchover to alternate technology needs to become second-nature, built into the very fabric of operating models, no longer difficult to implement at time of need and not tacked-on ‘just in case’. Current ‘Plan Bs’ need to move out of the crisis folders and into process operating manuals, with seamless switching practised often, daily testing and proving internal resilience. This can be done using existing assets and partnering with third parties (like Daisy). Investing in this way can create a resilient foundation for agility and longevity and may also release limited continuity and recovery resources to address the new risks that the future will bring.
Dare to embrace organisational resilience as corporate social responsibility. Dare to build solid foundations now for the positive future you envisioned and the future that your organisation and your children can thrive in.
David Davies, Business Continuity & IT Service Continuity Consultant
David considers how the threat of a cyber breach helps break down the barriers to investing in resilience. David identifies some common barriers you should be aware of and ends with some advice on what activities you can undertake to help you to be prepared for a breach.
Cyber Threat – A pressing need to invest in resilience
In your organisation, do you find broad agreement on the importance of resilience, but see challenges transforming that agreement into urgency, action, investment and continued focus over time?
A variety of barriers typically present themselves, including:
- The person championing resilience may be in a silo of the organisation and not able to convince other areas.
- Budget can be difficult to obtain, and priorities can lie elsewhere.
- Even if investment is made, there’s the danger that it’s reduced after the first year.
Human factors can also be barriers. The subject of resilience itself is so broad it can prevent people from grasping what they are protecting the organisation against, and the threat becomes vague. Secondly, as most potential crises are high impact but low probability, they can slip from focus and become obscure matters to be prepared for at a later date.
The threat of cyber-attack presents us with a pressing reason to break all of the above barriers. It gives all organisations a clear threat to prepare against that could happen at any time. I’d recommend that if you haven’t run a cyber-attack exercise with your crisis management team, do it. Make the scenario plausible by first running workshops with your IT and Information Security specialists to get a clear understanding of how a cyber-attack could take place at your organisation. Use the momentum to achieve investment in resilience.
It’s also key that organisations don’t see cyber-resilience as only about prevention. It’s important that organisations are prepared to manage their recovery from a breach. Have a recovery plan and arrangements, including a separate IT network to recover office staff and IT into, and secure offsite backups which have many generations, to recover from before the point of infection.
Eugina Pierre, Business Continuity Consultant
Eugina explains how collaboration is key in achieving resilience within an organisation.
Resiliency is underpinned by synergies as a result of collaboration in an organisation.
In order for resilience to be effective and consistent, it requires pivotal parts of the organisation such as IT, Business Continuity, Information Security, HR etc. to take a holistic and joint approach to achieve an organisation’s resilience objectives. No one part of the business can deliver resilience to its optimum level.
Not to mention third party suppliers, which also play a critical part in the end-to-end delivery of service and products and so should also be included in the resilience programme.
As a result of the collective deliverables which need to be achieved in order for resiliency to exist, the key departments need to be identified and then each of their direct input and efforts are required. Consequently, this can pose challenges to the BC manager when trying to seek investment in resilience from the board and the departments required. There may not only be a reluctance from the board to allocate funds, but also resources in connection to staff and time required from each department.
Due to the nature of most organisations, return on investment is the principal focus in relation to the implementation of any new process or programme. Therefore, it’s imperative that the BC manager does not expect the board or key departments to accept resilience as a discipline in the first instance. The BC manager should first look to raise awareness and educate the board and key departments on the disadvantages and risks the organisation may face as a result of not being resilient. This could be by conducting exercises and current state assessments to identify areas of improvement in relation to resiliency. This will then help the key departments to naturally understand the risks associated with the lack of resilience and counter the absence of immediate return on investment.
Once resilience is adopted by the key departments and implemented across the organisation, over time the BC manager should look to raise awareness and educate staff at all levels and with critical third party providers. This will help to ensure that resilience is further embedded into the culture of the organisation and not treated as a one-off project.
Craig Hilton, Business Continuity Consultant
Craig advocates a ‘top down’ approach to resilience and outlines the key steps to start you on your journey.
Investing in resilience from the top down
In order to protect an organisation, businesses need to invest in resilience to ensure that vital functions can continue to operate. One of the ways of achieving this is by implementing a business continuity management (BCM) programme, with support from the very top down within the organisation.
However, before any effective business continuity (BC) programme can begin, it must be clear that management understand the importance of BC and the benefits it can bring. Board members must identify the need to improve not only the BC capability, but also crisis communications, information technology (IT) and Disaster Recovery (ITDR) processes. Management also need to ensure this commitment by mandating a common strategy and approach and allocating an adequate budget.
Once strong drive and commitment is obtained, several actions need to take place, for instance:
- Implement a standardised approach, which can be easily adopted and rolled out across all departments
- Assign BC roles & responsibilities to manage and support the BCM programme. The assigned resources need to establish, implement, operate, monitor, review and improve the programme
- Implement a business continuity risk management framework and use of a common risk register to better understand and control current operating risks and highlight where recovery and resilience strategies might be needed
- Define executive sponsorship and management ownership by implementing a BC policy document
When these items have been completed the rollout can begin in earnest.
One of the key phases of any BC programme, which is critical in understanding where resilience is required, is the completion of a business impact assessment (BIA). The BIA output promotes effective BC by identifying critical processes and the resources required to enable critical processes to continue. This will also enhance the operational resilience levels by creating synergies as a result of central and consistent focus of the business critical requirements.
On completion of the BIA, the process of making the business resilient can really begin, as organisations will have the required amount of data to help them determine effective BC strategies. When these strategies have been implemented they will enable the organisation to resume and recover critical activities at a specified minimum acceptable level. However, once implemented, strategies cannot stand still, as they need to be regularly reviewed, improved upon and developed in line with the business’s needs.
The final phases of implementing BC include planning and exercising. This is to ensure strategies and plans are in place and provide the resilience the organisation is seeking.
Russell Williams, Principal Consultant at Daisy
Russell pulls no punches when it comes to the importance of resilience! Here, he explains what it is and why every organisation needs it:
In a 20-year career within business continuity, never have I seen a move to transform our industry more than I do today with the drive to create ‘Resilience’ within organisations.
I am constantly asked what is Resilience, and why should I invest in it? Well, the first part of the question means different things to different organisations, but at its core it comes down to a truly integrated and inclusive approach across many previously standalone disciplines, previously working in siloes, to protect what your business values from whatever it might be vulnerable to, and hopefully improve the way you operate in the process.
In response to the second question, my reply is usually – why on earth wouldn’t you? Do you want to be the person who has to explain why you weren’t prepared?
Resilience, like many risk based disciplines, is seen as a hard sell, nobody really thinks it could happen to them, but it can and it will – just read the papers, these things happen every day to organisations that should have been better prepared.
There are so many reasons why it is important to be resilient: legislation, reputation, financial, and many, many more, but none more important than protecting your people and your customers.
There are too many things that can disrupt your business: physical infrastructure failure, technology failure, cyber-attack, data breach, supply chain failure, issues with your people, the list goes on. The impact of any one of these could be disastrous and have long term, business changing implications. It is imperative that you identify these issues and mitigate them in as far as practicable, but also that you are prepared to respond effectively when the inevitable happens.
Of course, this requires an investment, not just monetary, but of significant time and effort. Resilience needs to become the fabric of your organisation. You need time to identify and design mitigations, the funds to source, implement and maintain them. But it doesn’t stop there. More time is required to make sure everything works and everyone knows what to do – education, awareness, training, testing and constant improvement is always required. And then just when you think you are on top of things, something else will come along, a new project or product, or a new risk or vulnerability, true resilience never stops – but this is usually a small price to pay when considering the alternatives.
Colin Jeffs, Head of BCM Consultancy at Daisy
Colin explains why the starting point for investing in resilience is a thorough understanding of your business:
“Don’t be afraid to gather and decipher data. Time and effort invested saves pain and frustration in the end!”
Resilience can take many forms from a simple backup generator to a fully-furnished standby office, or from a manual workaround to high availability for systems and data.
Understanding why resilience is needed and where your resilience priorities are is crucial to ensuring that not only the most critical elements of your business are protected but also in preparing and delivering a robust and compelling business case for any spend.
Often, it is glaringly obvious where resilience is required and why, but it is becoming more and more difficult to secure funding for resilience when there is no obvious payback. It is in these cases that understanding of your business in detail and knowing what is ‘truly’ critical and ‘why’ it is critical, pays dividends when asking for funds to put resilience in place to protect it.
Being able to say what the impact would be on the organisation should a specific function, IT system or process fail, brings to life the realities of suddenly not having it available and the subsequent consequences that brings. Those individuals who approve spend can suddenly see the consequences thus making the decision to approve spend far easier.
Risk and compliance can also be very powerful allies when looking to obtain spend for resilience. They normally have a seat on the board and are very influential. Tapping into these resources and skill sets can often provide a different slant on why resilience is important and why the organisation should invest in resilience.
Every organisation has all the information it needs to make such decisions, but often lacks the skills or the time to obtain and analyse it effectively. Don’t be afraid to ask for help in performing such an important job as it could be the difference between getting funding and using it in the ‘right’ areas versus failure of a service and impacts that are simply not acceptable to the organisation, or worse still, damage it.