Six basics every organisation should do to remain resilient

There is uncertainty everywhere. The world we live in is much different to than 20 years ago. Then, we did not hear of so many disasters, frauds, closedowns, crises or business disruptions. Such incidents not only affect the respective business activity and economy of countries, but also the lives of average people. Every closedown of a business impacts several hundreds, if not thousands of people and families. 

Unlike in the past, the world today is interconnected. Some work previously done by the human hand is done by robotics today. There is a vast amount of data produced, also called big-data. Mobile technology is in everyone’s hand. Financial transactions can be done instantaneously. They have tremendous benefit to the society. However, people’s expectations are also constantly changing and competition makes it even harder for organisations to survive. 

Apart from the technological changes, the world has major environmental issues. There is global warming with rising sea levels. This has led to various types of natural disasters, such as floods, earth slips, hurricanes, etc. 

The frequency and volume of white collar crime is on the rise at an alarming rate. Customer details of organisations are being hacked and large amounts of customer data are stolen much to their embarrassment and damage to their reputation. The global ‘horizon scan survey 2016’ conducted by the Business Continuity Institute, UK reports that ‘cybercrime’ and the ‘data breach’ as the top two threats faced by organisations today. The third being unplanned IT and telecom breakdown.

Many organisations across the world have realised the impacts of the cyber threat, if it materialises. Organisations are often caught unaware. Disasters happen when people are most unprepared. They do not want to leave it to chance and so take all measures to build systematic preparedness for the unforeseen events. By preparing they avoid the risks of damaging impacts and harmful repercussions. 

Those who are unprepared surrender to those threats and face the painful consequence.

The simple approach to robust preparation can be summarised into six steps. - the ‘6 Rs Approach’. All organisation, big or small, private or public, production or service must follow these six steps, if they want to remain resilient when the unforeseen happens. There is no ‘one size fit all’ method. The strategies and plans in the application of the 6 Rs approach must be tailored to the needs of the organisation.

1. Risk reduction

Exposure to hazards and risks affects organisations every day. However, successful business means taking calculated risks. Those risks that could affect or jeopardise the running of the business must be identified and appropriately mitigated. They should have effectively managed them before they occur. As we know, many of the threats and risks are unknown or unquantified, producing uncertainty to the organisation. With the correct tools, techniques and practices, organisations can reduce that uncertainty and make better decisions in reducing the risks while they achieve their goals and objectives. They have more time to focus on their strategies and the future.

2. Response

With all the risk control measures implemented, there is no total guarantee that incidents and disruptions could not occur. Some of the events are totally out of the organisation control. Natural disasters such as floods, earthquakes, landslides, are a good example. The other external evets such as terrorism, explosions, civic riots, etc. also could seriously affect the organisations. The way the organisation responds is very important. If not responded well, a small issue sometimes could get out of control and end up as a crisis. A bad situation could become a worse situation. To be well prepared to effectively respond to such situations, organisations must have well-rehearsed, tested plans and strategies. This often include communication strategies as well.

3. Recover

Recovering after an incident of disruption is never easy. As said, disruptions come unannounced and most often when leased expected. Irrespective of whatever the failure or disruption, unless roles and responsibilities are assigned and a well-rehearsed plan is available, it will create chaos. When recovery planning is done, they are designed to be flexible and scalable to a broad range of scenarios. Those responsible must know what needs to be done within pre-established time frames. Whom to contact and when to escalate. Arrangement with the key suppliers should be in place to recover the critical activities. The plans will show the prioritised activities that must be tackled first and the orderly manner the issue must be resolved.

4. Resume

Once the problem fixing is done, the process or operations must be re-started. For all critical activities of the organisation, when to re-start or resume after a disruption must be pre-defined. 

Imagine for a moment when an airline ticketing system fails due to a system glitch at a very busy time. Every second is critical and the passengers waiting in the line must be issued their boarding passes for the flight to take off on time. Inability to resolve in time will lead to cascading effects across various airline network. And once the systems are resumed, they should have plans and procedures on how to clear the backlog

5. Restore

Depending on the nature of the disruption or the disaster, restoration takes days to several months. For example restoration of a city after an earthquake takes years sometimes. When fully restored, it is called ‘business as usual’. In organisations, the time to return to ‘business as usual’ after a critical process or product/service line failure is also pre-defined, based on some analytical techniques. The preplanning provided opportunities to think ahead what resources, stockpiling, external support and stakeholder communication are needed during the previous recovery and resumption stages. Lifeline services such as emergency services power, telecommunication, health, transport which are often 24x7, have well thought out plans and procedures through all the stages until normal services are restored.

6. Review

Post disruption or disaster restoration need proper assessments and reviews. Organisations must capture the lessons learnt, what when right and what did not. They should be well documented and action must be taken for continual improvement and achieve improved levels of resilience. Usually, established review methodologies and techniques are adopted and worked on the objectives of the exercise. Impact on the people, business, customers, community, environment are some of the key aspects the reviews and assessments will focus on.

Conclusion

The 6 Rs approach summarises what organisations must do to remain resilient. Organisations need to start somewhere and adopt a committed approach. This is an ongoing activity which needs top management involvement and support. It is the owners or the board of directors who are responsible for continuity of business and resilience. Their leadership and support will bring strategic value to the organisation for continuity and resilience. The competences and skills of their people have to be developed through effective training and manage all aspects within the resilience spectrum. 

(Nalin Wijetilleke, MBA, AFBCI, CISA, CGEIT, PMP, is an international presenter, speaker, coach and an expert in the discipline of Business Continuity Management and Business Resilience. Based in Auckland, New Zealand, he is the Managing Director of ContinuityNZ – a leading consulting and training entity. Nalin has over three decades of broad Business Resilience experience having worked in various industries across the world. He is a multi- award winner and effectively combines his multiple skill sets and broad experience to deliver ‘fit for purpose’ business continuity solutions.)