The term “Resiliency” has become commonplace in discussions about Business Continuity Management (BCM). Resiliency is often portrayed as the goal of BCM. But Resiliency is usually ill-defined. It means one thing to the CIO, but may mean something quite different to the CRO.
If Resiliency is the “new normal” (as some have proclaimed), it is important to understand just what Resiliency means – and define “normal”.
What is Resiliency?
The term Resiliency has its roots in medical terminology: the ability of a patient to recover from illness, injury or surgery without adverse effect (returning to ‘normal’). That definition doesn’t imply a timeline for returning to normal, just the ability to do so.
The Oxford dictionary defines Resilience as “The capacity to recover quickly from difficulties; toughness”. That is more in line with BCM goals (recovery from disruptions) and implies a short, but definite timeline (quickly). We can probably all agree on that – for now.
But first, we need to agree on what normal means. Again, the Oxford dictionary defines normal as: “Conforming to a standard; usual, typical, or expected.” To paraphrase, if our goal is Business-as-Usual (BAU), then Resiliency must imply returning to BAU. We know that is not always possible (if your building is a ‘pile of rubble’, then ‘as usual’ is an unattainable goal).
What is Resiliency’s Goal?
Enterprise Risk Managers believe resilience implies reducing Risk to Zero, and that Resiliency is the ability to fend off all threats in order to continue Business as Usual (no risk results in no need to recover).
We’ve already established that BAU, in all cases, isn’t an attainable goal. Reducing risk to zero, while theoretically plausible, is operationally impossible. No amount of redundancy, high availability, mitigation or money can fully protect an organization against any & all disruptions. Since reducing risk to zero is impracticable, we need a different tool to attempt to achieve resiliency. If returning to normal is a fallacy, then we should define the new normal to return to.
We need to focus on “… customers and shareholders expect products and services to be delivered despite disruptive events”. To achieve that goal, we must be able to effectively respond to any disruption. The definition of effectively is inherent: our response must assure delivery of our Products and Services.
Achieving Resiliency Redefined
So, we’ve given ourselves a new definition of Resiliency: The capability to effectively respond to any disruption, to meet our stakeholders’ requirements of continuing to deliver key Products and Services within acceptable timeframes.
A Different Approach to BCM
To accomplish that we need a new approach; the old ‘industry standard’ approach of Risk Assessment/BIA leading to BC Plans ain’t sufficient. Plans must be effective in meeting the new goal; and our organization must be prepared to manage the implementation of those Plans. Just having Plans doesn’t make an organization ‘resilient’. Those BC Plans must be effective. They must be:
- Viable – designed to meet the timeframe goals of restoring Products & Services in any disruptive incident.
- Sustainable – they must change with changes to the organization.
- Repeatable – tested to prove their viability, regardless of the conditions.
But achieving Resiliency under the ‘new normal’ doesn’t rest solely upon Plans. To effectively recover delivery of Products and Services, we must also be able to manage the response. We must have a process in place to assess the situation, invoke the necessary Plans, alert the Responders, monitor their activities, resolve issues – and report the status of recovery to the stakeholders whose acceptable timeframes are our goals.
Accepting Resiliency as a goal is useless until we define what resiliency means to our organization. We must embrace the new normal, redefine our recovery objectives, and develop both viable Plans and an Incident Management process to assure we can achieve resilience.