Organizational resiliency is a focus of the Business Continuity Institute (BCI) and executive director David Thorp. It was the theme of this year’s annual Business Continuity Awareness Week, which Risk Management Monitor covered in May, and was the focus of BCI’s updated manifesto.
We reached out to Thorp to get his insight on organizational resiliency, how businesses can improve their continuity plans and for ways to better incorporate them into their culture.
Risk Management Monitor: What companies have best demonstrated resilience?
David Thorp: A few examples of organizations that have displayed a high-level of resilience are Apple, TomTom and PostNL.
Apple displayed resilience when they reemployed Steve Jobs to reshape the company.
TomTom started by making software for Palm computers. It has dealt with a rapidly changing marketplace and over the years it has:
- produced navigation software for PDAs (personal digital assistant)
- produced its own navigation devices
- developed live traffic information
- acquired a digital mapping company
- developed navigation software for smartphones
- struck up deals with car manufacturers
PostNL (formerly TNT) has had to adapt to the decline in regular mail as well as tapping into the requirement to deliver more packages (outside working hours) as a result of an increase of web shops.
RMM: What do organizations most commonly overlook in their continuity planning?
DT: Two most commonly overlooked aspects are keeping plans up to date and exercising/testing.
Business continuity management is often initiated as a project, usually assisted with external expertise. Internal personnel frequently have this role in addition to their “normal” functions. As the organization changes, these plans often get overlooked. After one or two exercises have been carried out, the focus on exercising quickly diminishes. Unfortunately, these two aspects have a large impact on the ability to recover as planned. It could be argued that this is an indication of a lack of management commitment.
RMM: Why do so many companies overlook their continuity planning and emergency preparedness?
DT: The biggest reason is that it is not a requirement for many organizations. When not required by a regulator or a customer, the organization must:
- a) know about continuity planning and emergency preparedness
- b) understand their risk
- c) understand its value before there is a possibility of it being implemented
By not having done a risk or impact analysis, it is also easy for organizations to think that a disruptive event will not happen to them and therefore not worth the hassle and investment.
RMM: How much time and effort does creating and initiating a business continuity plan take?
DT: This depends on the size and complexity of the organization, the ambition level and the resources available. For small organizations it is possible to create and exercise plans within a month—but this would typically take a little longer as the required people will also have other tasks. For a large and more complex organization, it may take two-to-three years to reach the desired maturity level.
RMM: What advances would you like to see the global risk management community achieve with regard to planning and preparedness?
DT: I would like to see a better understanding of each other’s disciplines and a better collaboration between them. There is much overlap between the two disciplines and with better collaboration, we can more efficiently and effectively minimize risks and improve the continuity. We are currently working on better understanding how we achieve synergy between business continuity and risk management. We see this as being a prerequisite for achieving organizational resilience. Collaboration with other disciplines is also necessary.
RMM: We’ve seen examples of reputation crises that have in some cases forced companies to close. How can organizations avoid these pitfalls?
DT: A major factor in managing the extent of the reputation damage is the quality of the crisis communication. How well and honestly you inform those affected and of course how you deal with social media makes the difference in how you are perceived. The subsequent actions need to be in line with the messages communicated.
RMM: What has changed in the BCI’s Manifesto for Organizational Resilience that risk professionals should know about?
DT: The manifesto is built on the simple premise that resilience is not the responsibility of one part of the organization—it is the responsibility of discipline within an organization working closely together toward a common purpose. Risk Management, emergency planning, disaster recovery, security, facilities management, business continuity management, supply chain management, IT management, HR management…all have an equal role to play in delivering resilience.
The manifesto contains our undertaking to seek out alliances with other professional bodies along the spectrum of what might be termed “resilience disciplines” in order to work collaboratively. This would make organizations more resilient than if we each work within our own silo.