Business Continuity & Operational Resilience – Is it the same? Part 2

Guest Authors:

Andreas Bryant, Business Continuity & Resilience Specialist, BMO Global Asset Management (EMEA)

Ashley Goosman, Business Continuity & Crisis Management Manager, Liberty Mutual Insurance

In part two of our series on Business Continuity & Operational Resilience – Is it the same, we are sharing why we think the field will evolve from a mandate-driven methodology to a strategic decision-making mindset, how we can convince stakeholders, and how to future-proof business continuity practice. If you missed part one, we encourage you to go back to the last edition and check it out.

Evolving from a mandate to integrated strategic decision-making

Evolving from COVID-19 and other recent events is a growing understanding that board-level decision-making is key to successful organizational outcomes. Boards and senior leadership are pivotal to guide the tactical arms of the organization in confirming critical services. By governing the process from the highest levels, they also lend support and allocate the right resources to achieve aligned activities. Most of all, they provide leadership in empowering the organization to become more adaptable and crisis resistant.

They also recognize that they should link domain owners to collaboratively achieve the resilience mandate. Often, domain owners focus on their areas of expertise. It makes sense, but the bigger picture can get obscured. Domain owners risk missing critical response or recovery actions because they do not make connections to other business units. Ensuring the governance model holds boards and top management accountable through regulatory efforts, encourages companies to look beyond their internal compliance efforts to consider third parties, including crucial supply chains.

However, outsourcing work has increased over the past few years. There is a growing recognition that a business cannot functionally recover alone. Many traditional companies, like the insurance industry, began to offshore elements of their core activities. They no longer conduct essential tasks in-house as was often done in the past. Reliance on technical tools has decreased processing times for many activities but increased overall exposure across threat scenarios. Understandably, businesses made these strategic decisions to save costs and focus on attracting talent in an increasingly competitive marketplace. The downside of this approach is that it left many core industries vulnerable to increased risk.  This is where the importance of strategic decision-making in mitigating exposed portions of the business grows in importance.

How we convince stakeholders

With the myriad of challenges facing organizations today—from market competition, social unrest, climate change, and other risks concerns, it is daunting to pivot from traditional perspectives on preparedness or crisis response. However, many forward-thinking organizations realize the return on investment and value of supporting an operational approach to resilience. It is vital to survey business functions and detail processes across the service continuum to obtain organizational strength.

The problem is domain owners are often too involved in the details of a problem through their specific lens to look at the situation holistically. Individual disciplines are often overly concerned about more information and cannot see the big picture. Embracing an operational approach can fix this because it intrinsically illuminates the higher-level view. It engenders participants to dig deeper by testing against plausible and stretch scenarios. Once completed, process gaps are identified and in theory, solved using a continuous improvement loop. Controls are put in place and tested across critical service lines to strengthen the organizational whole.

COVID is a perfect example of why no single discipline can exist alone and should be working together to obtain organizational plasticity. We have learned to be more trusting of each other and reliant on each other’s expertise. No part of a business was untouched by the pandemic, and operational resilience leads should parlay this lesson. Now is the time to cultivate, develop internal structures, and imbed best practices

Future proofing

Risk analysis emerging from COVID-19 highlights the growing vulnerability of power and network outages as more employees work remotely. Additionally, we know that cybersecurity threats are trending aligned with this recovery strategy. No longer is recovery reliant on internet technology, although it is a crucial aspect of resiliency. Instead, companies must shift to embrace this cross-domain process to future-proof and mature their resilience strategies.

The increased interest in applying operational resilience arises from taking protective measures to safeguard customers from interruptions. Instead of relying upon recovery strategies after the fact, it seeks to protect the customer and organization from harm in the first place. Taking this forward-leaning approach reminds me of the shift that took place in FEMA’s operations post-Hurricane Katrina. Before the event, FEMA would become involved when invoked by the state government to provide resources not locally available. Post-Katrina, the agency realized that response times were woefully inadequate. To better prepare for future events, they adjusted to working with states to identify risk sooner and pre-position assets.

We see operational resilience as a similar mindset, where the goal is to mitigate impacts before the crisis. Leveraging this approach will not stop incidents from occurring. Done well, it will strengthen organizations, enabling them to bounce back faster from business interruptions.

Summary

We agree that building upon the foundational strengths that business continuity offers is valuable to any company. The foundation of the work is identifying risk concerns, business assessment, threat mitigation, emergency response, and identification of swift recovery procedures. Additionally, practitioners provide crisis management expertise based on a cross-functional approach. Rather than being anxious that business continuity’s worth decreased throughout the pandemic, we instead see the growing usefulness it brings to building a resilient organization. Risk mitigation is a crucial denominator of operational resilience, but business continuity already provides a framework for organizational resilience that any business can understand the importance. 

Bonus Key considerations and tips

Below are some key elements to consider when faced with the question how you add value & will you still add value post-COVID:

1. Act as the source of gathering critical information across all business processes, presented in a way that highlights prioritization of resources required to conduct an essential business process.
2. Challenge the status quo.  Asking the “why and what-ifs”, can we improve our operating practices to remove single points of failures.
3. Consider the BIA like a spider web, it’s a powerful tool to link all the dependencies, identify gaps and build workarounds. As a Business Continuity practitioner, you are the spider coordinating of the information and helping the business to connect linkages to understand risk. When possible, advocate shadowing key business units to help you understand the customer journey and how each process supports the delivery of each process. This internal data is valuable and if captured correctly, it can support real-time (or close to) strategic decision-making, this is valuable to business leaders.
4. Dashboards are an alternate way to display useful BCP information. It is a fascinating way to present information and it has been found to be precious during Crisis Response. There is no denying that Boards and Executives love an exemplary flow chart, so consider making the data qualitative and valuable to support our agenda whilst satisfying theirs. Dashboards are an alternate way to display useful BCP information. It is a fascinating way to present information and it has been found to be precious during Crisis Response. There is no denying that Boards and Executives love an exemplary flow chart, so consider making the data qualitative and valuable to support our agenda whilst satisfying theirs. Consider leveraging dashboards or flow charts as an alternate way to display useful BCP information to link planning to crisis response. There is no denying that Boards and Executives love an exemplary flow chart, so consider making the data qualitative and valuable to support our agenda whilst satisfying theirs.
5. Build BC frameworks that are flexible enough to adapt our response to various interruptions considering the appetite, legislative requirements, and business appetite at a holistic level. By this, I mean we are not married to a specific department or process but are flexible in approach.
6. Our work connects the dots and ways of mitigating damage, across departments and the people within. We act as the conduit between them, understand what keeps them up at night and build a picture of how things function to find gaps in capabilities and learn where the vulnerabilities are.
7. Drive the awareness of your recovery capabilities and methods throughout the organization ensuring all staff understands how we respond when disaster strikes. This builds resilience and prepares the workforce for business interruptions.
8. Develop exercising and testing programs designed to stress test and improve upon inadequacies. It is vital to rehearse our response to interruptions.

Co-Author, Ashley Goosman, will be speaking on day-3 (October 7, 2021) of The 6th Annual (Virtual) International Crisis Management Conference.