Having worked in the business continuity space for over two decades, one of the constant refrains we hear is that business continuity is more reactive than proactive. Usually companies plan for business continuity only after the process is in place. Companies embark on an organizational business continuity program long after all the processes have already been defined and operationalized.
While this was acceptable earlier due to the low maturity level of the BCM discipline, today, with the need for continuity in the face of seemingly never-ending disasters, organizations can no longer plan for business continuity long after the processes have been defined.
Business continuity by its very definition seems to be a reactive approach.
As per ISO 22301:2019, BCM can be defined as:
“capability of an organization to continue the delivery of products and services within acceptable time frames at predefined capacity during a disruption”
However, the need today is not for recovery of business after a disaster but rather the ability of a business to seamlessly continue working without any disruption.
While this distinction may seem trivial, implementing resilience requires a very different approach from that of continuity.
To illustrate resilience let us use this example:
A call center located in Gurugram, India is doing very well. In order to cater to its ever-increasing clients, it is forced to expand its operations. In the interest of keeping costs low, they decide to go for a larger facility that can house more people in Gurugram itself. This would enable them to optimize cost and keep management simple. However, at this stage of the decision-making process, no assessment has been done on how to make the business more resilient. Top management is unaware that it is imperative to include resilience in the parameters that should be considered before implementing its expansion strategy.
The result of this decision? Concentration risk, whereby any disaster that affects this single location would affect all its client services. Hence, if the organization then plans for continuity, they would need to put in some strategy to mitigate this risk. This could mean setting up some alternate sites or a work-from-home strategy. Thus, while having one single center seems to be an efficient decision, in the long run it can prove expensive.
What could be an alternative to this? Imagine that top management also considered the need to be resilient along with the need to expand. Probably at this stage itself they could decide that, instead of having all its employees at one location, they could actually set up another facility in another city to take up additional business. Make no mistake, such a decision is not easy. In the short run it is an expensive decision. Having another facility in another city has its own cost and management issues. However, doing so brings much-needed resilience to the organization, which is needed to meet its contractual agreements with clients. In fact, the facilities could serve as alternate sites to each other.
However, given the costs involved and the narrow management bandwidth available, the management decides not to go in for a center in another city. Instead they decide to go for another facility on the outskirts of the city. While this certainly does not meet the requirements in case of a region-wide disaster, it certainly is a much more resilient arrangement.
When we examine the above example, there are some clear concepts that we need to understand to conclude why resilience by design is important but, at the same time, not easy to do.
Today’s businesses are primed for efficiency. Getting things done in the most cost-optimized manner is one of the key drivers to achieving efficiency. However, this efficiency comes at the cost of resilience. Companies need to recognize that efficiency cannot be the sole driver. Resilience is one of the key parameters that should be taken into account whenever any new initiative is taken up. While it may seem to be more expensive in the short term, the benefits of having a more resilient organization that can respond to disasters far outweigh the costs. By considering resilience at the design stage, organizations can avoid an expensive retrofit or additional recovery resources at a later stage.
Another example that comes to mind is organizations that invest in desktops for their employees due to the twin considerations of cost and data security. If, at the planning stage itself, the organization takes resilience into account and decides to buy laptops instead of desktops, it will give them the flexibility of allowing their staff to work from home, should such a need arise.
Also, in terms of applications, many organizations have applications in their own data center. During disasters this has proven to be quite problematic for two reasons.
- Network bandwidth when all staff try to access these applications remotely
- Maintenance of the data center during disasters.
Hence it may be worthwhile for organizations to use cloud solutions for their application requirements. During the pandemic, many organizations that primarily had all their applications on the cloud and already had their employees fully provisioned to work from home could immediately transition to a work-from-home model, in comparison with others whose employees primarily used the old paradigm of desktops and in-house data centers.
So what is Resilience by Design?
Resilience by design is similar in concept to SSDLC and privacy by design. The key argument for resilience by design is that it is better to build resiliency at the start of any new initiative rather than go in for an expensive retrofit or add-on solution later.
Management must involve continuity professionals early on during the planning stage. Continuity risks should be identified upfront and mitigating controls should be made an intrinsic part of the overall solution itself.
The above recommendations shine a light on an important concept. Resilience / business continuity cannot be an afterthought. It should become second nature for businesses to think about resiliency whenever they think about any business process. In this way businesses can build resilience into the design of the entire organization instead of looking at business continuity as some sort of additional capability that is bolted on once a process is implemented.
Implementing Resilience by Design
Below is a suggested approach to achieving resilience by design:
- Whenever the management decides to implement something new in the organization, the business continuity team should be notified as part of an established change management process.
- The business continuity team should do a risk assessment and a business impact analysis of the proposed process even before it is developed.
- Thereafter, resilience options should be considered to address continuity risks. Doing it at this stage gives the business continuity team a chance to be as creative as possible and help design a resilient process, rather than being forced into a box of thinking of bolt-on solutions.
- A cost-benefit analysis should be carried out and presented to management so that they can take an informed decision.
With disasters showing a proclivity to increase in frequency and magnitude, the earlier approach of having business continuity as a bolt-on solution puts organizations at a disadvantage, since the implemented process narrows resilience options. Following the approach of resilience by design allows organizations to be as creative as possible in building resilience into their processes from the get-go.