Today I thought I would start to lay the foundations of my own thinking on this subject. Previously I have posted about the work of the Resilient Orgs project in New Zealand and some aspects of the High Reliability school.
I don’t see a lot of value in offering one of the dictionary definitions as a starting point. The term ‘resilience’ is not new, it has just recently become fashionable to use it everywhere. A range of disciplines use the concept, including psychology, engineering and ecology. So as a result we have a number of different definitions to start from, all of which have value when considered in their proper context.
In order to address resilience in an organisation, we need to address the resilience of the different components that make up that organisation. For the sake of a starting point, let us say that an organisation is made of People, Process and Technology.
We also know that an organisation does not exist in a vacuum, so we need to include an assessment of the environment – and especially in todays world, an organisation is more and more reliant on its supply chain and public communications infrastructure.
I have a degree in Social Sciences, majoring in Sociology. So I guess it is not that surprising that I would start talking about resilience in terms of how groups of people act, and that I would look at the people aspect as being a significant part of the picture.
As well as looking at the resilience of these components, we need to consider the context we are assessing ‘resilience to’ – no entity can be immune to all threats. And the degree to which we can claim something is resilient (especially in the Technology space) is a function of how much we are willing to invest in resilience.
Finally, for today, traditional Risk Management will not adequately identify all aspects of resilience – nor drive the implementation.
It is not enough to be resilient to High Probablility/High Impact events. We need to be resilient to Low Probability/High Impact events too. To truely claim being resilient we need to have some capacity to respond to those Black Swan events – the threats that generally are not currently included in our risk frameworks.
If this is of interst to you, please subscribe and see how it unfolds in future posts.
This is indeed an interesting subject.
Resilience is the new “Fab” of BCM, a way for BCM to reinvent itself because it’s been about 20 years since the “old” BCM of current thinking came of age. I hear too much about resilience here and resilience there – but with nothing really done about it. I think that everyone agrees that resilience is the way to go and this is proven by so much literature on the subject.
The biggest stumbling block to obtaining resilience is about timing. If you get the timing right then you are able to move to a more resilient solution – a win-win for any organisation. The biggest obstacle about implementing resilience is getting the timing right around the following areas:
-Fixed property (the buildings from where we operate) are either tied into fixed lease periods or owner managed. The first move to resilience is to ensure that you have the right “purpose built” property. Most often moving property portfolios is difficult, cumbersome, expensive and “we are okay with where we are”. The best time to approach this is if the organisation will be going through a property consolidation or restructuring phase. The problem is that property manager’s focus on the building and that is it. There is a budget to get the building right with little or no input from business.
– Built in technology infrastructure – tying into buildings is the fixed investment in technology. I’m not talking about data centre stuff, but rather the call centre infrastructure that is normally housed within the building and the associated network and infrastructure in place in-building to reduce latency. Normally to be in a position to move, the cost vs benefit comes into play and one has to take into account the end-of-life of the technology and when it will be replaced. No business will want to incur additional expenditure or take a write-off of infrastructure before it’s required. You have to get the timing of building moves in line with infrastructure replacement time-lines.
– Application technology – this is the most cumbersome to overcome. The reason for this is that many organisations still operate legacy systems that traditionally do not support a true resilience IT architecture. Yes we have seen active-active implementation on storage devices but that about stops there. In order to move to true resilience, the application architecture must be modified in such a way that you can have two instances of the application running and that the data is copied immediately across sites. It sounds simple, but very difficult to implement. Especially in complex organisations such as banks – its not a question about just one application but its also the underlying architecture of moving data from one system to the next that will eventually end up in a payment system transaction somewhere in the depths of the data centre. To redesign this in a complex organisation is where the biggest challenge lies. I believe simple organisations have a greater chance of success around this than complex organisations. To get this right, a proper architecture landscape must be presented; business must adhere to these requirements and must understand that this will be a journey. In addition, the application technology must also be supported by telephony balancing between sites – this is relatively easy and I have seen that this is the quickest way to achieve resilience – but it will be limited to telephony only.
– Last is the people aspect. In todays touch economic client it is difficult to simply increase head count. To achieve true resilience you have to employ more people, duplicate supervisor and manager roles and replicate the end-to-end process across two or more sites. With headcount freezes, this becomes a show stoper which generally forces business to adopt a sort of resilience model where a function in its whole is located at one site and the next dependent function is at another site. This still creates a recovery strategy rather than a continuity strategy..
The above text is not meant to be negative around the topic but rather to raise the awareness of how difficult it actually is to obtain true resilience. However I strongly believe that if you get the timing right on the above 4 key areas then you have a great opportunity to move very quickly into a resilience environment. Of course the magic words are still “you need executive buy in around this topic”.
This is indeed an interesting subject.
Resilience is the new “Fab” of BCM, a way for BCM to reinvent itself because it’s been about 20 years since the “old” BCM of current thinking came of age. I hear too much about resilience here and resilience there – but with nothing really done about it. I think that everyone agrees that resilience is the way to go and this is proven by so much literature on the subject.
The biggest stumbling block to obtaining resilience is about timing. If you get the timing right then you are able to move to a more resilient solution – a win-win for any organisation. The biggest obstacle about implementing resilience is getting the timing right around the following areas:
-Fixed property (the buildings from where we operate) are either tied into fixed lease periods or owner managed. The first move to resilience is to ensure that you have the right “purpose built” property. Most often moving property portfolios is difficult, cumbersome, expensive and “we are okay with where we are”. The best time to approach this is if the organisation will be going through a property consolidation or restructuring phase. The problem is that property manager’s focus on the building and that is it. There is a budget to get the building right with little or no input from business.
– Built in technology infrastructure – tying into buildings is the fixed investment in technology. I’m not talking about data centre stuff, but rather the call centre infrastructure that is normally housed within the building and the associated network and infrastructure in place in-building to reduce latency. Normally to be in a position to move, the cost vs benefit comes into play and one has to take into account the end-of-life of the technology and when it will be replaced. No business will want to incur additional expenditure or take a write-off of infrastructure before it’s required. You have to get the timing of building moves in line with infrastructure replacement time-lines.
– Application technology – this is the most cumbersome to overcome. The reason for this is that many organisations still operate legacy systems that traditionally do not support a true resilience IT architecture. Yes we have seen active-active implementation on storage devices but that about stops there. In order to move to true resilience, the application architecture must be modified in such a way that you can have two instances of the application running and that the data is copied immediately across sites. It sounds simple, but very difficult to implement. Especially in complex organisations such as banks – its not a question about just one application but its also the underlying architecture of moving data from one system to the next that will eventually end up in a payment system transaction somewhere in the depths of the data centre. To redesign this in a complex organisation is where the biggest challenge lies. I believe simple organisations have a greater chance of success around this than complex organisations. To get this right, a proper architecture landscape must be presented; business must adhere to these requirements and must understand that this will be a journey. In addition, the application technology must also be supported by telephony balancing between sites – this is relatively easy and I have seen that this is the quickest way to achieve resilience – but it will be limited to telephony only.
– Last is the people aspect. In todays touch economic client it is difficult to simply increase head count. To achieve true resilience you have to employ more people, duplicate supervisor and manager roles and replicate the end-to-end process across two or more sites. With headcount freezes, this becomes a show stoper which generally forces business to adopt a sort of resilience model where a function in its whole is located at one site and the next dependent function is at another site. This still creates a recovery strategy rather than a continuity strategy..
The above text is not meant to be negative around the topic but rather to raise the awareness of how difficult it actually is to obtain true resilience. However I strongly believe that if you get the timing right on the above 4 key areas then you have a great opportunity to move very quickly into a resilience environment. Of course the magic words are still “you need executive buy in around this topic”.
Ken, very interested in future posts within this series. Your background in Social Sciences of course provides you with a particular point of view as my own management systems background provides me with mine. Although our recent exchanges would lead me to believe that we may well meet in the middle.
Patrick, your own comment was also very interesting. I agree that there is a danger, if not an inevitability, that business resilience will become a marketing term. Business continuity rebranded as business resilience has no more value than disaster recovery rebranded as business continuity.
However, I do think there are some of us who realise that the expression of resilience is really an expression of value to the end client. It is not the case that you sell to the executive the notion that they need business continuity or bad things will happen (FUD) but that they can actually measure the resilience of their organisation and then manage and maintain it.
Like Ken, I believe that a resilient organisation should be capable of dealing with a wide range of events. It should also be capable of flexing to match changes in the environment in which it operates. Resilience is therefore not a static position (do this, do this, your resilient) but an active response to external and internal events. Indeed two different organisations may maintain different resilience levels and be comfortable with those positions.
Ken, very interested in future posts within this series. Your background in Social Sciences of course provides you with a particular point of view as my own management systems background provides me with mine. Although our recent exchanges would lead me to believe that we may well meet in the middle.
Patrick, your own comment was also very interesting. I agree that there is a danger, if not an inevitability, that business resilience will become a marketing term. Business continuity rebranded as business resilience has no more value than disaster recovery rebranded as business continuity.
However, I do think there are some of us who realise that the expression of resilience is really an expression of value to the end client. It is not the case that you sell to the executive the notion that they need business continuity or bad things will happen (FUD) but that they can actually measure the resilience of their organisation and then manage and maintain it.
Like Ken, I believe that a resilient organisation should be capable of dealing with a wide range of events. It should also be capable of flexing to match changes in the environment in which it operates. Resilience is therefore not a static position (do this, do this, your resilient) but an active response to external and internal events. Indeed two different organisations may maintain different resilience levels and be comfortable with those positions.