Finally, there is real, concrete evidence that an organisation's ability to recover is central to its immediate survival. Not its ability to recover after an incident, but its ability to demonstrate its recovery capability, as perceived by others, before any incident occurs. Business Continuity is now firmly centre stage.
According to The Times, senior UK government officials “want the Co-operative Bank to be sold to a bigger player that could stabilise its IT system, which is feared to be so precarious that the bank could not cope with a serious problem.” For years I’ve been telling senior executives that not being able to demonstrate the existence of credible and tested Business Continuity arrangements could mean the difference between survival and failure, and now I can point to a real example. Business Continuity is not just for use in response to an incident – it must be demonstrable to interested parties well before any incident takes place.
Apparently, in the risk factors disclosed in its annual report, the Co-operative Bank has stated that "whilst a basic level of resilience to a significant data outage is in place, the bank does not currently have a proven end-to-end disaster recovery capability". How many organisations can really, hand on heart, state that they have a proven end-to-end disaster recovery capability? Not that many.
Business Continuity has been practised in the banking industry for more than 25 years, and many of today’s accepted Business Continuity ideas and practices started in banking. Where banking leads in Business Continuity, other industries follow.
How long will it be before organisations in other industries are put at risk because they do not have a proven end-to-end disaster recovery capability?
Resiliency, or rather Business Resilience, seems to be the flavour of the month in the Business Continuity and Risk industries. Apparently, businesses are moving away from having separate silos for Security, Risk, Health & Safety, Business Continuity, etc., are bringing all these related disciplines under the heading of resiliency, and are appointing a Head of Resilience.
This all sounds quite good, and is for once a piece of joined-up thinking, except that the idea of Resiliency goes beyond these operational areas to the idea of ensuring that the business itself is resilient, which takes the discipline into the areas of leadership, reputation, innovation, product development, marketing, etc. In other words, it seems to be about everything that the business does, and the proposal is that a single manager should be appointed to ensure that the business remains resilient in the changing environment in which it operates.
Now, tell me if I’m wrong, but I thought that this was actually the point of a Board of Directors. One of the prime responsibilities of a Director of a company according to UK law is to “try to make the company a success, using your skills, experience and judgement”. In other words it is the responsibility of every Director of a company to ensure that the company is resilient – it should not be delegated to a manager as Head of Resilience.
The Business Continuity and Risk industries should either start talking about Operational Resilience, or stop talking about Resiliency.
Most people that I talk to agree, in theory, that having a single point of failure is not a good idea. However, these very same people appear to accept that it is reasonable for their own organisation to have many single points of failure if they are a fundamental part of the way that the organisation has been set up.
An example of such an organisation would be a government regulator with a single office in the centre of a country's capital city. Having a single office containing all the staff, the organisation's records, and its computer system is a single point of failure. Any suggestion that they might like to make their organisation less vulnerable is met with solid resistance. If they were a manufacturing company I could better understand the reluctance, as duplicating manufacturing sites can often result in the company becoming uncompetitive. But an office-based regulator?
I suppose that this is what’s called risk appetite, but it’s rarely consistent across all the risks that such an organisation faces.
Interestingly, The Times newspaper in the UK ran a two-page spread on Nassim Taleb on Saturday (the man who wrote "The Black Swan"; if you haven't read it, then do so, now). He has a lot to say on risk, most of which is very controversial with risk managers in banks, but The Times quoted something he said which, in my opinion, sums up the difference between the two management disciplines of Risk Management and Business Continuity. He said "Instead of trying to give yourself the illusion of predictability, you want to build systems that are naturally robust to error".
You can have the best Risk Management that money can buy, and you can take all the mitigating measures that you want, but you cannot remove the chance of something going wrong. You need to plan for things going wrong, and be able to recover and survive in the long term. This is a robust organisation.