How Resilient is Your Organisation to a Business Disaster?

Post written with Steve Yates, Chairman of the Resilience Association.

Ensuring business continuity and resilience should be the priority, if not already the norm.

---

2019 was sadly a catastrophic year for certain industry sectors, with too many organizations going “bust”, in some cases a short time after their financial accounts had been cleared by top auditing consultancies.

It is public knowledge some of these names stand behind known financial and audit downfalls (resulting in significant financial fines) offering their advice on areas which led to their downfall.

As sophisticated financial services are now an indispensable part of our daily life, the Bank of England (BoE)/ Prudential Regulation Authority (PRA)/ Financial Conduct Authority (FCA) are currently putting in place a more robust regulatory framework for firms and financial market infrastructures (FMI’s).

To this end, they have recently published a joint discussion paper on Operational Resilience, and more recently are bringing forward their policy proposals; “Building the UK’s financial sector’s operational resilience”.

For all organizations that had previously adopted a “Business Continuity Management” approach, the focus for them should now be “Operational Resilience”, thereby taking into account a range of operational subject matter areas, similar to the financial sector, where they are able to prepare for disruptive events” thereby preventing a “business disaster”.

What is a “Business Disaster”?

A “business disaster” has been described as being: “Any unwanted significant incident that threatens personnel, buildings and/ or the operational effectiveness of an organization, which requires special measures to be taken to restore the business back to normal.” (Source: Home Office – How Resilient is your Business to a Disaster)

What are these “unwanted significant incidents”, and how could they impact on your organization? The following provides baseline scenario headings for consideration:

a) Human Error

• Lack of attention to detail;
• Misunderstanding of directions/ instructions;
• The pressure of home and/or work;
• Carelessness;
• Stress-related;
• Not taking advice;
• Lapse of security;
• Accidental damage;
• Insufficient/ inappropriate of training;

b) Natural Causes

• Fire;
• Flood;
• Lightning;
• Solar flare;
• Tornado;
• Major Storms;
• Tropical Storm;
• Hurricane;
• Earthquake;
• Volcanic eruption;

c) Intentional Causes

• Terrorism;
• Vandalism;
• Espionage;
• Industrial action;
• Demonstrations;
• Public Disorder/ Riots;
• Computer viruses
• Corruption;
• Fraud;

For every “realistic” scenario that is listed, subject to the impact, each one could require “special measures to restore the organization back to normal”, and as such prevent a situation where there is a likelihood of significant:

• Loss of operating capacity;
• Loss of capital or profits;
• Loss of market share;
• Loss of credibility and/or brand, image and reputation; and
• Impact on regulatory compliance with legislation or codes of practice;

How can an Organisation become Resilient against Disruptions?

A key factor in reducing the potential cost and impact to any organization’s operational structure following a “disruption” is to break this down into “mission critical” elements, such as “products and services”, and to consider the overall components that deliver each “process or procedure” end-to-end.

Maybe a definition for “operational resilience” should therefore be one that accepts the fact that products and services, and the supporting processes and procedures, will at some time fail, and therefore accepts that there is a need to: “Resist and tolerate failure, and recover critical operational elements within a business acceptable time scale by planning and design” (Source: Survive! The Business Continuity Group – Communications Special Interest Group)

By taking such an approach, it would then be possible to accept that internal and external resilience planning and design is “key” to an organization preventing and, if necessary, managing a “business disaster”. As such, it should also take into account the supporting infrastructure and its associated “capacity”, thereby enabling the organization to “prevent, adapt, respond to, recover and learn” from operational “disruptions”.

What Strategic Approach might you Consider Adopting to Achieve Increased Resilience?

The Seven R’s Resilience Health Check Approach

One approach that you might consider in building operational resilience capacity for your organization could involve the use of the “Seven Rs” methodology:

1. Responsibility

Responsibility should be taken by an identified board-level function within the organization, who takes ownership of Operational Resilience that is supported by a Programme Team, and Governance arrangements.

2. Readiness

Readiness should identify the potential for any significant disruption and/or physically damaging events that would impact upon delivery of products and services and establish plans accordingly. 

3. Resources

Resources should identify sufficient requirements that are necessary for managing an acceptable level of operational capacity to meet the criteria for readiness and agree on a return against the level of investment made by the organization.

4. Response

A response should deliver acceptable levels of capability, supported by an escalation process and procedure based upon the organizational management needs and agreed internal and external communications.

5. Recovery

Recovery should identify contingency strategies against identified recovery time objectives, provide supporting information technology assets and consider other key areas where no resiliency has been provided.

6. Resumption

Resumption should be to an agreed “business-as-usual” level that is able to achieve a state where sufficient operational capacity is available for the continuation and delivery of the organization’s products and services, whilst meeting stakeholder and regulatory requirements. 

7. Review

A review should follow Governance arrangements, taking into account methods being used to monitor & measure any organizational disruption and/or physically damaging event, initiating any improvements that should be made to current processes and procedures.  

Where are Most Organizations Today in Terms of their Journey towards Resilience?

Most organizations want to believe that they are resilient to any type of “business disaster”. Most may have some third-party outsourced agreements in place, for which they believe that the “risk” has been transferred elsewhere for specific critical business operations, and as such may be protecting the organisation’s “supply chain”. 

When considering the remaining in-house capabilities, due to ongoing business change, whether “business transformation or process re-engineering”, perhaps “staff reductions”, through to “mergers & acquisitions”, the “capacity” for any organisation to manage the impact from disruptions will most likely be reduced.

Alongside such business change, it should also be remembered that customers, suppliers, manufacturers, and maintainers are also experiencing similar changes, thereby adding to the recipe for “disruption” to your organization.

If we then add the final ingredients that do exist in current organizational thinking – “it will all be right on the night”, often supported by its companion “denial” – then anything could be possible, not least the point that I raised at the beginning, the fact that it could lead to a “business disaster”!

In summary: It is not if, but when, your organisation will experience some form of disruption, alongside which there will be a range of associated impacts. In preparing for the consequences, shareholders, board members and executives, as a whole, need to be assured that, within any organisation, there is in place the ability to prevent, adapt, respond to, recover and learn from operational disruptions such that the organisation has in place “operational resilience”.

At Reason, we know that shareholders, board members and executives require more robustness: we are delighted to invite you to discover how the “7R’s” Resilience Health Check could assist your organisation.

---

Steve Yates (FBCI, CBCP, FICPEM, MEPS) is the Chair of the Resilience Association (RA). He has decades of experience in assisting public and private sector organisations to become more organisationally and operationally resilient.

If you would like to know more about our Resilience Praxis (7R’s Resilience Health Check), then please get in touch either way suits you best :

email: contact@reasonmakesense.com  or  info@resilienceassociation.org

Contact forms: reason or Resilience Association

Call us directly: Jean-Pierre, reason: 07506485030    Steve, RA: 07462866954

Thank you for your time and interest.

Please join us by subscribing to our Blog. Posts are occasional and written as thoughts come.

Please leave your comment at the bottom of this page to continue the reflection on this post.

If you are looking for a reliable, independent professional consultancy to assist you in getting through the mist and the storm and cutting through an often artificial complexity, please do get in touch with us for an informal discussion, or write to contact @ reasonmakesense .com (please remove spaces)

Get in touch to discuss freely; reason will Make Sense, with you and for you.

---

A few words about Reason

Share this post

• Mail
• Twitter logo to @ReasonPraxis