Organisational Resilience is a group of management disciplines that ensure an organisation can achieve its objectives in the face of adversity.
A number of components of Organisational Resilience come together to protect the organisation from harm. Various models have been presented attempting to describe the relationship between these components, for example, Some Thoughts on Resilience by Leslie Whittet and the model put forward by ICOR.
These models depict Organisational Resilience as a collection of components. Each component is a management and professional discipline in its own right, with its own philosophical basis. Clarity of Component relies on both the person fulfilling the role (their expertise and alignment to the component) and the application of the component within an organisation to deliver purpose-built capabilities and business-driven Organisational Resilience. Lack of Clarity of Component can reduce Organisational Resilience and leave an organisation exposed to the unknown. The moment the organisation gains Clarity of Component will be the moment that the organisation heads down the road to Organisational Resilience.
This article focuses on three Organisational Resilience components: Risk Management (RM), Emergency Management (EM) and Business Continuity Management (BCM).
In principle, the key attributes of these components are:
- Risk Management (RM) – planned, considered, likelihood, what could happen, scenarios.
- Emergency Management (EM) – immediate, structured, reactive, containment, preserve life.
- Business Continuity (BC) – disruption will occur, restart procedures, resuming business operations through the replacement of resources.
Philosophically, BC is fundamentally different from Risk and EM. Unfortunately, due to personalities, company politics or a lack of expertise within the organisation, one discipline is often found to influence, drive and overpower another. For example, when a Risk Manager drives BC there is a strong focus on:
- Planning based on considered scenarios. The risk is that under this philosophy, the organisation is exposed to all the threats that were not and could not be considered. Some of these threats may even be Black Swan Events.
- Reducing the risk of disruption to an acceptable level. The risk is that when a disaster does strike, it may not be acceptable.
When an Emergency Manager drives BC there is a strong focus on Standard Operating Procedures for responding to the devastating event: to protect life, property and the environment. Very little consideration is given to the process for restarting business operations.
The BC capability of many organisations is driven by managers with a risk or emergency management background. These managers are not cognisant of the limitations or boundaries of their organisational resilience component and directly influence the way BC is undertaken within the organisation. This creates blurred lines between components and a lack of clarity over component purpose. The reasons for this are many and include:
- Ignorance – the manager believes they understand BC even though they have never been exposed to the philosophies of BC.
- Internal Politics – one senior/executive manager needs to expand their portfolio by including BC but doesn’t care how.
- Personalities – a manager with a loud voice needs to be seen as knowing and owning everything and needs to do it their way.
- Old Dog Syndrome – a manager has always done it that way and is so set in their ways they are not open to new philosophies.
Additionally, there are ‘foundation stone’ attributes that are simply not considered. This contributes to the blurring between the various Organisational Resilience components. These include:
- Cultural Integration
- Communication and Awareness.
The irony here is that, if these missing components were considered and included in the organisation’s Organisational Resilience landscape, they would assist the organisation to recognise that they lack Clarity of Component and run the risk of being exposed to the unknown.
Risk Managers try to anticipate all the possible things that could go wrong and then identify, analyse, evaluate and treat the risks. They:
- Identify events that could have adverse outcomes on objectives
- Determine the level of risk via consequences and likelihood
- Evaluate existing controls
- Decide if the resulting Risk Rating represents an acceptable risk or not and deal with unacceptable risks.
They concentrate on:
- Consequence: e.g. loss of $1,000,000 per day, 12 people injured in hospital and four people dead, loss of 12.5% of market share
- Likelihood: use statistical probability or an esoteric scale, which has limitations as it relies on large sample sizes, consistent behaviour and guesswork.
Risk Managers differ from Business Continuity Managers as they:
- Perform risk assessment before business impact analysis – BC Managers use the BIA to identify the mission-critical business function and then undertake a focused (cost/effort effective) risk assessment on just the critical functions instead of performing a Risk Assessment to identify all risks.
- Use Maximum Acceptable Outage (MAO) as the recovery target without clarity of definition.
Creating a recovery capability to meet the MAO is risky as there is no contingency. What if, for reasons not considered or due to circumstances on the day, you don’t recover by the MAO? A breach of the MAO is unacceptable and jeopardises the organisation.
Using Risk Management alone without Business Continuity Management and Emergency Management results in increased risk as all scenarios cannot be considered in planning: mitigation strategies cannot ensure that an organisation can recover and resume operations, and there is an inherent lack of flexibility to dynamically respond to situations.
Emergency Managers concentrate on supporting people and community by preventing, preparing for, responding to, and recovering from emergencies. They:
- Eliminate or reduce the incidence or severity of the emergency by taking measures to ensure communities, resources and services are capable of coping with the effects of the emergency
- Codify actions to be followed during and immediately after an emergency
- Support the community by rebuilding the physical and restoring the emotional/social
- Think of how to get there quickly and what to do when they arrive
- Are not focused on disruption to themselves.
Commercial businesses and organisations typically do not have an Emergency Manager by true definition. They have an Incident or Crisis Manager and label them as Emergency Manager. True Emergency Managers are those who are focused on external and life-threatening emergencies.
The Emergency Services Organisations do a fantastic job and have Standard Operating Procedures to be followed when an emergency is declared, but Emergency Managers are not typically focused on the disruption to their own organisation. They are not focused on the continuation of service delivery and can’t be expected to understand and address the needs of the relationship between the organisation and its customers. Emergency Managers differ from Business Continuity Managers as they:
- Think about the immediacy and respond to the unfolding devastation that is threatening life
- Worry about the business restart later and make it up as they go along
- Rely on the experience of staff to get through
- Don’t consider a return to Business As Usual (BAU).
Using Emergency Management alone, without Business Continuity Management and Risk Management, results in missed risks (including emerging/creeping risks such as pandemic and financial risk), the inability to sustain service delivery and a potential threat to the long-term livelihood of the organisation. Emergency Management addresses the immediacy of, and response to, an unfolding devastation, but does not consider business resumption and restoration to BAU.
BC Managers determine the BC Strategy to develop and implement the BCM response (procedures) and coordinate the BCM program throughout the organisation by understanding the organisation and its requirements. They:
- Establish the scope and Governance structure for the program of work
- Perform Business Impact and Resource Dependency Analysis
- Consider costed options for meeting business requirements
- Turn strategies into capability supported by procedures
- Prove and improve the BC capability through exercising, maintenance and review
- Assume a disruption will strike i.e. likelihood is definite
- Consider organisation structure and geographic spread, business functions and their time sensitivities, resources and their survival quantities
- Ensure BC capabilities reflect the needs of a changing business
- Identify the resources that will be lost and develop restoration strategies
When disruption strikes, Business Functions stop producing their output, the recipient of the output suffers pain and the organisation then suffers pain.
To avoid failure (politically or operationally), business functions must be restarted within the right timeframe, with the right capacity or resources at a suitable location.
Using BCM alone, without EM and RM, results in missed opportunities to mitigate risks, increasing the exposure to danger.
When considering Operational Disruption:
- RM is about reducing exposure to something that might happen – PREVENTION
- EM is about evacuation and communications – IMMEDIACY
- BC is about recovering from something that will happen – CURE.
Each component must be driven by its own philosophy and methodology. Clarity of Component is required to ensure that an organisation is protected from the unknown. Be clear about your focus and ensure that your Organisation is protected.
Foresight beats hindsight. [Every time].