So what is business resilience?
A number of people have asked me, what is business resilience? Business resilience in conjunction with ICT and facilities allows a business to create a baseline of where they are at present. This baseline is updated regularly especially with each major change that will influence the business.
High availability computer systems offer resilience to failure – for instance clustering is the ability for two or more servers to appear as one but in the event of a failure and one fails then the others do all of the work. Clustering across geographical locations means that in the event of a disaster (flood, earthquake) then there is a good chance that your infrastructure will continue to support your business without the loss of any business at all.
Cloud computing is now replacing the concept of clustering as the geographical location of the cloud can range over a number of data centres all over Australia or the world.
The concept of business resilience is based on:
- Protecting the business from change and being able to either mitigate or benefit from that change.
- Mitigating business and technology risks as opposed to allowing those risks to damage the business.
- Assurance of business continuity.
- Decreasing reliance on non-resilience based programs.
- Enabling continuous business access.
- Enabling the business to be reactive to internal and external pressures.
In business today, there is no such thing as being over prepared.
An example of business resilience is the case of the Bankstown City Council Fire on 1 July 1997. The council had no business continuity plan in place at the time and recovery from the fire was expected to take an extended period, but the council’s response was organised, the staff were highly motivated and services were quickly restored. A BC plan is not the sole key in the process of recovering from severe business disruption. To create a resilient business environment requires effective and motivated leadership, devolved decision making, supportive external partners and a highly driven and effective work force.
Business Resilience is not a checklist or plan but it is a way that the business approaches business. It is found in the businesses culture, in their leadership, in the business attitudes and most of all in the corporate values that flow through the whole business.
Being resilient can provide a business with a competitive advantage. Following an interruption, a resilient business can:
- return to profitable business faster
- use the disruption to improve efficiency
- protect insurers by reducing insurance premiums
- reduce the exposure to uninsured losses
- enhance its reputation, and
- increase staff morale.
A decent resilience program can be used as a business development plan. Resilient is something that comes about though good organisational leadership. I was in the Navy in the 80’s and I had a supply officer (Brian) who had one of the best leadership profiles I have ever come across. Brian’s attitude was that there were never any problems but there were challenges to resolve, by leading through example and delegating responsibility he had a group of people that would go to the wall for him but bring him back as well. This attitude had the whole supply department on HMAS Swan willing and able to do anything to get the job done.
So staff in a resilient organisation will not only pull together to achieve the desired outcomes (one in, all in) but they also have predefined direction and a supportive network that allows for the right attitude. The team will adapt quickly and with passion but will also try to predict future outcomes.
A resilient business will float to the top in times of adversity and to do that it needs to have a number of things in place prior to that resilience being needed. The business needs to be:
- the staff and management need to know what to do,
- they are willing to change and have plans to do that,
- have a vision for adapting to situations,
- think outside the box,
- capitalise on adversity, and
- respond rapidly to change.
So a resilient business has a Chrystal Ball and it is functioning pretty well. It is clear what and who is involved in the business and hire only those people who will fit the ethos and attitude of the business.
In a resilient business there are components that go forward to create a holistic approach to that resilience. Parts of a business that will impact the resilience of the business are risk management, business continuity, physical and IT security, OH&S and human resources. The resilience of a business is a jigsaw and the fitting together of different components enhances the resilience of the business.
The resilience of the business comes from the culture of the business and enables ideas and knowledge to be bought together, combined and acted on.
The challenges to a resilient business are the following:
- Resistance to change in staff and management.
- The inability to recognise points of failure inside the business and act on them.
- An understanding of the flow on effects from HR, Management and external forces.
- The need for champions to change internal attitudes.
- Changing the idea of resilience from a strategic plan to a component of the business.
- Education at and for the business is a further requirements of resilience.
Business continuity and disaster recovery planning are all components of business resilience. The more resilient a business is the better the business is able to react to both problems and benefits and profit from the changes within the environment.
I believe that business resilience is one of the main driving forces of Information Security in today’s business world. In a completely resilient business environment, any change to the environment will be acted on by the systems in place before it becomes a business issue.
The baseline for business resilience ensures the changes both above and below the normal will have risk management components in place to protect the business or to benefit from an improvement in business capability. Business resilience looks holistically at what is happening at the information level.
Business programs like risk management, business continuity and crisis management may fail to achieve a high level of resilience for a business. This maybe because these programs are based on steps and boxes not on the reliance on business culture and attitudes.