Business Resilience


Adapting quickly to significant disruptions while safeguarding people, assets and brand value marks a resilient organization.


Business resilience (sometimes also referred to as corporate resilience) is the ability of a business organization to quickly adapt to significant disruptions or other material adverse events while maintaining continuous business operations and safeguarding people, assets and overall brand value.  Resilient organizations do more than just survive disruptive events; they thrive in them, leveraging the challenges that arise in such events to demonstrate responsiveness, flexibility, and adaptability and to come out as stronger, more competitive performers.

Balancing a well-thought-out, competitive business plan with appropriate risk mitigation considerations is essential for every successful enterprise.  However, this is often as much an art as a science, especially in many of the rapidly evolving business and technology environments in which companies operate today.  Business resilience involves adopting a coordinated approach to balancing organizational systems and processes with the promotion of an environment that encourages flexibility and pragmatism to both prepare for and respond to unanticipated challenges, including material disruptive events, as and when they arise.

Systems and processes that are properly designed, communicated and practiced at all levels of the organization should serve as the underlying architecture for the practical work of threat identification and response.  These include at their core having an organizational culture that both implicitly and explicitly promotes awareness and proactive behavior to identify material threats and challenges, ideally before they rise to the level of being disruptive, and to respond to such threats and challenges in a constructive, coordinated manner, utilizing available organizational resources (human, technological, informational, financial, etc.).  Among other things, such systems and processes should bring a degree of order in dealing with disorder and help mitigate potential adverse effects of what is sometimes referred to as the “human element”, including panic, impulsive or premature responses, poor (or no) leadership, disorganization, and improper or premature disclosures.

But systems and processes cannot be so restrictive as to inhibit timely and practical responsiveness.  As the old saying goes, “no battle plan survives first contact with the enemy.”  This brings us to balancing the systems and processes element with the need for a workplace environment that not only permits but promotes flexibility, pragmatism and creativity in response to actual or potential disruptive events, both at the organizational and individual level.  Among other things, this means giving employees both the permission and the tools to be problem solvers, but to do so in an organized and collaborative manner.  It means creating a culture of ownership and ambassadorship in the organization at every level, from executive management down to the lowest level employee, that promotes and recognizes individual responsibility for the protection and advancement of the organization’s interests.

Two common examples of disruptive events where an organizational resilience culture can be seen to work include data security breaches and significant regulatory violations. Each of these types of events, if mismanaged, can be back breakers for otherwise well run organizations.  Applying the resilience culture in either of these situations means having in place both the systems and processes and the right people, acting collaboratively, to respond preemptively and effectively to identify facts or circumstances that may give rise to such events and to take timely actions that serve to prevent such events from occurring or at least mitigate the harm caused by their occurrence.  To the extent such events occur without the ability to prevent them or preemptively reduce their adverse effects, applying the resilience culture in their wake means (among other things) having systems and processes in place to objectively assess the harm caused or threatened by such events, control internal and external communications, and establish a chain of authority and responsibility for responding to such events, while at the same time having an environment that promotes coordinated and pragmatic actions by personnel to respond in ways that (a) do not make the situation worse and (b) work to safeguard the organization’s assets, business, personnel and reputation.

Speaking preemptively in the case of data security, this means having systems and resources for ensuring broad internal awareness at all levels (i.e., not just limited to IT department staff) of an organization’s data security strengths and potential weaknesses and common external threats (e.g., phishing; hacking), regularly evaluating hardware and software systems for technical weaknesses and upgrading them as necessary, and promoting a mindset among personnel of watchfulness for threats and weaknesses and the ability (and expectation of them) to communicate concerns to the right people.

Similarly, in matters involving regulatory compliance (and avoidance of regulatory breaches) this means having systems and resources for periodically educating relevant personnel on regulatory requirements, monitoring business activities in real time to ensure they conform to regulatory requirements, timely reporting to the right people facts or circumstances that may give rise to noncompliance events, and having a culture that promotes timely identification and communication of potential concerns, as well as the ability of appropriate personnel to institute corrective changes on a timely basis necessary to conform operations to regulatory requirements.

And in circumstances where a disruptive data security breach or regulatory violation has occurred, application of the resilience culture includes having established systems and processes for ensuring a clear understanding of who is in charge of the response plan and how authority is delegated down, for collecting and analyzing relevant information relating to the event in question, for controlling external communications regarding the event (including with customers, regulators, law enforcement, media and the general public), for obtaining timely and effective advice and representation from qualified legal and other professional advisors, and for creating and executing a viable response plan.  It also includes having an environment in which personnel, working within the framework of such systems and processes, can undertake individual (albeit properly coordinated) actions to support such response plan.

Ultimately, business resilience is not about merely surviving adverse events, but having in place the operating resources and organizational culture to turn such events into opportunities to improve and thrive.

Editor's Note: For more information on Business Resilience, view Garth's presentation from our Orange County Fall Event.