Resilience is the ability of an organization to foresee, prepare for, and adapt to disruption while maintaining continuous operations and safeguarding its people, assets, and reputationsi. Meanwhile, resilience management refers to the set of business processes needed to build such a capability by integrating all of an organization’s protective activities.
Typically, the protective activities that go into resilience management vary depending on the disruption risk a given entity seeks to mitigate. What then are the main types of resilience management? They include:
These modalities, or types, of resilience management overlap. However, there are important distinctions between them.
For instance, organizational resilience deals more broadly with the ability of an enterprise to absorb change and adapt to a new environment. On the other hand, operational resilience relates more narrowly to initiatives that expand business continuity management programs to focus on the impacts, connected risk appetite, and tolerance levels for disruption of product or service delivery to internal and external stakeholders.
Meanwhile, business continuity practitioners are responsible for the management of prioritized activities, i.e., those activities that make critical products and services happen.
This differs from operational resilience in that the latter is more concerned with the management of critical products and services. Here, these critical products and services are those provided by an organization, or another organization on behalf of the organization to one or more clients, which if disrupted cause intolerable harm to the customers or pose risk to the soundness, stability, or resilience of the organization or the market in which it operates.
For their part, cyber and digital resilience tend to deal with ICT risk to digital assets. Those threats have historically included hardware and software failure, human error, spam, viruses, and malicious attacks. But they can also include natural disasters (e.g., fires, severe storms, and/or floods) that damage information assets.
Severe weather, of course, has typically been seen as a business or organizational resilience challenge, with organizational resilience covering all key threats to continuous business operations.
The distinctions between the varying aspects of resilience management – operational, digital, cyber, etc. – seem like they might militate against an integrated approach to resilience. But in practice, resilience management to be effective must be holistic.
That means resilience management activities must work together to:
To do so, these activities must pull together what are typically distinct business enterprises including operations, technology, workforce, supply chain, data, finance, reputation, and customer experience. Resilience management itself must cover the following solution areas:
Of course, most businesses have end-to-end programs in place to address these matters. Not just that. Most businesses have point solutions in place for each solution area.
However, if resilience itself can only be achieved if all solution areas are working in harmony, why do so many companies operate in silos? This indeed is a keen challenge to building an integrated resilience capability to foresee, prepare for, and adapt to disruption, and precisely why so many organizations fail at the task.
Instead of uniting, they are actively dividing – meaning that when a risk that cuts across solution areas materializes, they aren’t able to respond effectively. Why’s that?
Well, having distinct point solutions for the varying aspects of resilience management means that you don’t have all the capabilities you need in one place. More specifically, resilience data and information remain fragmented throughout the resilience lifecycle. Information remains siloed.
Point solutions themselves each have different user experiences, meaning a greater training lift for Resilience Managers when responding to cross-cutting crises as theywill lack familiarity with tools and workflows.
Further, point solutions rarely manage different scales of event. They either manage routine or crisis, never the two, even though most crises can be sourced back to the day to day.
Most significantly in an age of strained budgets, having multiple point solutions, many of which do similar things and address similar risks, gets expensive quickly.
Total cost of ownership balloons when having to make crucial updates to multiple systems – rather than one. And lack of consolidated reporting and analysis means businesses still incur compliance risk or won’t learn everything there is to learn from a disruption they’ve weathered as information will be strewn across multiple systems.
That’s because point solutions, by their very nature, pull against effective collaboration in resilience management. Collaboration, here, entails sharing information and advice, coordinating actions, communicating effectively, analyzing situations from multiple perspectives, considering different aspects and impacts of options, and supporting a whole team to be effective, productive, and healthy.
Why’s collaboration so important to resilience? Well, effective collaboration helps:
Of course, ensuring effective collaboration isn’t the only thing integrated resilience management software does better than point solutions. What then is the business case for integrated resilience management software? It consists of the following:
Not all integrated resilience management software solutions provide the same benefits, though. What then to look for?
For starters, look for a digital workspace. What’s that?
A digital workspace brings together the tools and information you need to do resilience work and enables the best collaboration in the following resilience solution areas:
And workspace? Well, a digital workspace can be provided for individuals, teams collaborating on planning, risk management, and more, as well as everyone else engaged in incident response.
Digital workspaces should be platforms, too. That way there’s no need for different solutions for communications, risk, incident management, safety, security, BCP, etc.
A platform also means less integration work, cost, and user experience messiness. You also get to consolidate all resilience data in one secure, centrally-governed system; and you can integrate once with key corporate systems - HR, BI, Identity Management, GIS, and more.
What’s more, no-code designers mean it is easily adapted as needs change. For example, teams can configure new modules easily to solve new use cases, including in-house.
A library of configuration options and best-practice solution templates, with nothing to install and supportive of many devices and format, will also help you get started quicker – as will a responsive user interface, which enables you to design forms and workspaces once and then to access the same information and features across desktop, tablet, and mobile.
What other capabilities matter? Consider:
Getting started quickly is important, but your resilience management platform should also make life easier for you and your team when it’s up and running, as well.
Needed to make that happen is a platform with a powerful workflow engine. This engine should allow Managers to automate key resilience tasks, by building their own workflows with notifications, business rules, approvals, and much more.
Relevant capabilities to consider, here, include:
Get better bang for your buck with a resilience management platform that includes Governance, Risk, & Compliance (GRC) functionality. Why? Besides avoiding redundancy, such a Module will work to manage cyber, emergency, and security threats, risks, and treatments based on industry best-practice guidelines and ISO standards, as well.
What should such a Module look like? Well, the Module should enable customers to plan their objectives, set targets, manage all elements of standards’ compliance, as well as schedule and record audits and inspections. Customers should also be able to manage non-compliances and corrective actions to drive continual improvement.
Besides including a GRC Module, a resilience management platform should also come equipped with a full range of integration options. Indeed, the platform, to garner better ROI, should be deliberately architected to play well with other resilienceenhancing technologies.
It should do so through the easy connection and synchronization of data. Add to that, import, export, and API capabilities should also help to ensure that customers can always get their data when and where they need it, and that they can plug in their own systems (e.g., single sign-on, messaging, and mapping) into the resilience management platform.
The BIA remains a mainstay exercise in resilience management. And so, your resilience management platform should work with forward-looking Managers to make that exercise more agile and pleasurable for all involved.
To that end, the platform should make the BIA process as simple and efficient as possible, with the aim of promoting greater usability across the entire organization. To do so, the platform should have an easy step-by-step guide on its BIA dashboard to help guide stakeholders through the process.
The relevant functionality should look like this:
Along these lines, resilience planning, as noted by industry experts, has also become more complex “as the range of possible threat scenarios keeps changing and expanding”ii.
As a result, the resilience management platform itself should function as a plan. That way when customers need to develop their BCPs or other plans, all the data they have previously entered seamlessly comes together. Managers, then, won’t have to go sifting through documents to find the data they need. And the risk of someone referencing an out-of-date BCP during a crisis is removed.
What’s more, because the plan is in the platform, multiple stakeholders will be able to collaborate on the plan, which enables better engagement. All data associated with building the BCP will also be managed centrally, in a controlled way. Data, after all, only need be captured once and updated, removing the risk of duplication.
Plans, of course, must be exercised. To facilitate exercising, resilience management software should provide exercise dashboards that navigate users and their teams through each stage of an exercise. That will help ensure that everyone understands what needs to be completed and when.
From there, the platform’s automation capabilities should ensure the correct teams and/or personnel are invited to participate in the exercise and receive regular updates via automated notifications throughout the exercise.
Once the exercise is activated, all users will then be able to see what type of exercise is being completed. And based upon the affected assets/activities, the recovery strategies required for the affected assets will automatically be populated for the team.
Built-in communication and collaboration tools, e.g., chat, email, SMS, and voice messages, will, then, make it easy to collaborate in real time, better coordinate responses, and keep everyone informed.
Resilience management software should also provide the capability to record meetings, minutes, and action items. This exercise management functionality should also mirror the platform’s incident management functionality, to ensure a consistent user experiment that will give users the benefit of familiarity in the event of a crisis.
Finally, the resilience management platform should also facilitate greater self-management, increased accountability, and more agile response. That way the team keeps improvement and decision makers have line of sight into what’s going on.
How to accomplish it?
Your resilience management software should provide personalized user workspaces. Within these workspaces, users should be able to visualize outstanding tasks (whether BIA activity, incidents, exercises, etc.) that have been assigned to them, as well as any checklist actions items which still need to be actioned as part of the exercise or incident response.
The above is key. Not only should your resilience management software capitalize on the modernization of methodologies and tools in the provision of resilience and business continuity services, but it should also facilitate greater agility in the implementation of your programs, plans, and projects.
Paired with greater process automation, such a resilience management capability lends itself to improved efficiency. And with improved efficiency comes significant time (and cost) savings in response, recovery, and restoration – these are the key business benefits of resilience management software that should make your case for investment.
i. Available at https://www.techtarget.com/searchcio/definition/business-resilience#:~:text=Business%20resilience%20is%20the%20ability,assets%20 and%20overall%20brand%20equity.
ii. Steve Culp, Forbes: Taking A New Look At Business Continuity Planning. Available at https://www.forbes.com/sites/steveculp/2021/10/04/taking-anew- look-at-business-continuity-planning/?sh=5c08614e54aa.
Published: 26 September 2023