I read an article yesterday by Dan Bailey. It is called “Is resilience the most appropriate direction for Business Continuity Management?”
The link is to a password-protected part of the DRJ site, but they have a lot of good material so it is worth registering.
Dan is unsure about what resilience means. He likens it to a rubber band that bounces back after it is stretched to its limits.
He believes this meaning of resilience suggests you should be able to bounce back from tough economic times – but does not see this as the domain of BC.
Dan goes on to assert that Enterprise Risk Management is responsible for providing resilience – which I cannot agree with. Granted, a lot of companies put BC under the RM function, but that does not equate to addressing the bigger picture of resilience.
My point about this article is essentially summed up in the picture: resilience has to be about when the rubber band breaks, not just when it is stretched.
A robust rubber band will absorb a lot of stretching and bounce back. That is one aspect of resilience. It is the aspect that I believe is really being talked about in the BCI definition of BCM. If that was all that resilience entailed then the ERM approach may well suffice.
A resilient rubber band should be able to adapt after the break – because the break is the disruption, not the stretching. Similarly an enterprise that is truly resilient will be able to weather hard economic times. Agility, adaptability and an awareness of the situation they are facing are attributes that can be used for a range of disruptions.
Risk Management (Enterprise or otherwise) will never address all these aspects.
What is your view? Is resilience the most appropriate direction for BCM?
John Glenn, MBCI says
An Enterprise Risk Management (ERM) program is more than a rubber band bouncing back. It is, first off, a pro-active program to identify internal and external risks of all types that can impact the organization. It includes ways to respond, efficiently, expeditiously, and economically if the “rubber band” breaks – where to go, what to do to meet SLAs and maintain reputation, even if the “break” is caused by a vendor (including “money vendors” – lenders), competitor, market, or anything else usually (and incorrectly) seen as “beyond the control of” the organization.
John Glenn, MBCI
Enterprise Risk Management practitioner
http://JohnGlennMBCI.com
Ken Simpson says
Thanks for the comment John, and Happy New Year to you.
I suspect we disagree about the nature and scope of Risk Management. I have read some of your material where you talk about “ERM aka BC”. Personally I don't see them as the same thing.
I cannot see how any form of Risk Management can identify all the risks. Therein lies one of the problems we have been discussing here. Resilience is about being able to deal with an event that you did not previously believe to be possible (the Black Swan event) as well as all those White and Grey Swans we had given some thought to.
Glad you have joined the conversation. Do you see a need to discuss what resilience is, or do you see that as being included in the broader Risk Management world?
What about Dan's original question – is resilience an appropriate direction for BCM to proceed?
John Glenn says
“I cannot see how any form of Risk Management can identify all the risks.”
jg: True, but risk management is two-pronged. 1-ID risks. 2-Develop responses (to impacts). Impact is more generic (e.g. building closed because of Risks A, C, and W). There always will be what I consider the “ubiquitous other” risk, the “Black swan” event.
“What about Dan's original question – is resilience an appropriate direction for BCM to proceed?”
jg: I see it, as you suspected (“or do you see that as being included in the broader Risk Management world?”) as integral to a comprehensive risk management program, and if the RM program is less than comprehensive, it's not much of a risk management program [g].
BTW, I often refer to ERM as “BC on steroids” – I think too many BC practitioners are myopic; they fail to look at possibilities (positive and negative, “what if's”) beyond the facility or organization. I foresaw planes crashing into buildings before 9-11-01 and financial difficulties (albeit not on the current scale) long before the most recent “bust.” BUT, no matter how prescient the practitioner, you're still correct: that even with input from ALL the experts, no one can ID all the risks.
kathleenluceyfbci says
Another opinion from the ether. I do believe that resilience is an appropriate direction for BCM, when and where this is possible. This is achievable for IT systems using existing technology, for near-synchronous mirroring of data and at least two sites at geographic distance from each other, with automatic failover to the remaining site. Resilience of this type is “designed-in” rather than applied at the time of the outage (which is the traditional home turf of DR and BC). However, the necessary changes to achieve resilience are not merely technological, they are organizational as well, and therein lies the rub. So far, few organizations have adopted “resilient” structures such as splitting critical functions and locating them in different climate/geographic zones. Also, the maintenance of a traditional hierarchical model prevents the dissemination of critical information through the organization and thus weakens the ability to respond when critical staff are “unavailable” following an incident.
We have a great many “gray swans” to deal with in BCM or Risk Management that are relatively obvious when looked at through the correct analytical and psychological viewpoints. A reasonable way to see these is to look at BCM/Risk Management KPI's. Some of these are dead giveaways of a gray swan nest. But as these are rarely applied, the gray ones are effectively black swans.
When you widen the focus from just BCM and extend it to Risk Management, encompassing not just the financial risk control disciplines, but including all of the control disciplines that seek either to lower the probability of a disruptive incident or minimize its damage when it does present, you get an idea of the scope that I think is reasonable. This is particularly important for self-induced interruptions related to infrastructure failures (lack of appropriate maintenance) or succession planning and cross-training, as well as a number of others. The way that we run our organizations is just as important as the risk management methodologies that we use.
Which is not to say that planes will never fly into buildings again, or that suicide bombers will never appear on Wall Street…or Main Street. One of the favorite targets of the Islamic extremist bombers in Paris in the 80's was crowded low-cost retail stores. Lots of innocent folks there, and some of them were Islamic. Perhaps we cannot anticipate all of the Black Swans associated with the cascading events we see in many major disasters, but we can do much better than we do today.
Ken Simpson says
Thanks for dropping out of the ether, Kathleen. And a Happy New Year to you also.
We are on the same page with the need for resilience to be designed into the enterprise, and for it to be applicable to all aspects of People, Process and Technology.
Also agree with your comments about Gray Swans and their nesting habits.
Do you see RM and BCM as being distinct disciplines that can often complement one another, or are you of the “BCM is a subset of RM” school?
Also, with your comment about the technology – the traditional turf of DR is after the event. BCM (when practiced as BC Management not BCP), should address the IT disciplines of Availability and Continuity (DR). In this context BCM should be looking at the kind of solutions you describe.
Glad you have joined the discussion. I look forward to your views on other posts.