How to Approach Resiliency Planning
A sound resilience-based strategy will help an organization cope with unexpected and sudden shocks.
Is your organization resilient? How would you know? Can you actually measure resiliency?
How well resiliency can be measured depends on which situations you have anticipated. In today's IT environment, deciding how to react to a disruptive system or network event comes with great uncertainty, and knowing how to resolve the disruption is just as challenging. The goals are agility, adaptability, robustness, and continuity. You do not know what you do not know, so how do you resolve a disruption you never anticipated? You need a resiliency plan.
Disasters and crises happen. The causes range from extreme natural events to technology-related incidents. Resiliency can be both a supplement to and an alternative to traditional risk management. Organizations develop resilience-based strategies to help cope with unexpected and sudden shocks, and they need them most when the impact of a risk is uncertain and its consequences could be catastrophic.
Risk analysis encompasses risk assessment, risk characterization, risk communication, risk management, and risk policies. The exploration of risk in this blog applies to public agencies and private-sector organizations at local, regional, national, and global levels.
Risk analysis comprises two parts:
- Risk assessment is the identification, evaluation, and measurement of the probability and severity of each risk.
- Risk management is deciding what to do about an assessed risk, both before it materializes and after it has. The response to a risk that has already manifested itself is where resiliency enters the picture.
You can find many different business definitions of "resiliency." Some define strategic resiliency as "the ability to dynamically reinvent business models and strategies as circumstances change" -- in response to new competition, for example. Resiliency might also be defined as part of business continuity, as in "the ability to recover from unanticipated disruptions" such as storms, floods, chemical spills, and cyber or terrorism attacks.
The resilience profile, as illustrated in the graphic below (which shows an organization's strengths and weaknesses), consists of four dimensions:
- Operations include the organization's culture, the speed of its reaction, how trusted the organization is, and its experience with exercises that simulate the disruptions.
- Infrastructure consists of the organization's operational layers: employees, contractors, outside services, and the physical IT infrastructure.
- Strategy consists of the organization's conception of its environment, its measure of how vulnerable its business strategies are, and its vision and stated mission.
- Resources are composed of five factors: internal competencies, contractor and service competencies, redundancy inside and outside the organization, diversity, and mobility.
Resiliency Over Time
The first stage in producing resiliency is becoming aware of the vulnerabilities and disruptions that could affect the organization. Unfortunately, this may take quite a bit of time because there are many opinions about what is or is not important to the organization, and you will need to reach some consensus. That consensus determines the resiliency budget.
Following the awareness stage, the organization's resiliency performance may temporarily decline while it adapts: the work of planning for and building resiliency consumes attention and resources. Performance improves once the adaptation is finished, and the organization's agility improves with it.
The final stage of improved resiliency comes from active learning. This is where the organization uses exercises, plans, and reviews to improve the performance of its resiliency plans. In other words, risk is lowered, the duration of outages is shortened, and the return to normal operations leaves business performance equal to or better than before.
IT is not the only department that should be involved in resiliency planning. A disruption can cause financial loss and loss of reputation, and it may require re-marketing to customers, so departments such as Finance, Marketing, and Sales need to be involved as well. That way, should a disruption occur, the organization will know what steps to take to salvage its image, support its customers, and return to business rapidly.
Several years ago a major bank produced a disaster recovery and business continuity plan. Much to the bank's surprise, six months later a major fire broke out at its headquarters building. The bank activated its resiliency plan, which provided backup facilities in hotels, Kinko's shops (now FedEx Office), and other business locations. The plan worked as designed.
However, the bank had forgotten one function. No one had anticipated that it would need a new directory of employee locations and phone numbers once staff were dispersed. Employees were left calling their friends, associates, contractors, and service providers to let them know where they were and how to reach them. It took about two weeks before everyone knew how to reach each other. The bank eventually created a new directory for use during the outage.
Remember that something will always be forgotten. Do not depend on the technology staff alone to identify vulnerabilities. In the bank's case, had non-technical people been involved in the business resiliency planning, they might have recognized the directory problem before disaster struck.
For more information on resiliency planning, check out the following resources:
- The "IRGC Resource Guide on Resilience," published by the International Risk Governance Council
- "Organizational Resilience – How Do You Know If Your Organization Is Resilient or Not?"
- "How Businesses Can Build Resilience by Design"