Mar 27, 2012
 

A resilient organization aligns its strategy, operations, management systems, governance structure, and decision support capabilities so that it can adjust to continually changing risks, rebound from disruptions of any type including those that involve primary earnings drivers, and create advantages both through ability to respond and through beneficial changes brought about by absorbing new learning. It should be able to withstand the widest range of threats, including natural disaster, hazardous economic and market conditions, fraudulent employee behavior, IT infrastructure failure, disruptions of independent supply chains, disruption of customer channels, intellectual property theft, inability to respond to emerging conditions, and a host of other factors. Resilience should accomplish several objectives that are only achievable by combining a unified view of risk management with flexible and rapid response. Among these objectives are:

  • Protecting the business from change and mitigating or benefitting from any change that might occur
  • Mitigating risk that arises in any area of business and technology
  • Identifying and decreasing reliance on nonresilient programs, processes, and procedures
  • Enabling the business to adaptively respond to internal and external pressures
  • Strengthening and enhancing business processes by improving governance and flexibility
  • Using disruptions to improve efficiency and develop more effective responses, rather than merely focusing upon survival
  • Reducing insurance costs and exposure to uninsured losses by providing enhanced oversight and a better understanding of response

The goal of resilience is not just recovery or continuity, but transformation from reactive to proactive and then to adaptive. Recovery efforts have demonstrated the value of several principles that constitute the core of business resilience, including:

  • Mission focus. All resilience measures need to focus on the core business processes and values of the company at all times, ensuring the confidence of customers, partners, and suppliers. This is often critical to recovery, particularly from situations that might impact the reputation of the firm.
  • Risk management. A thorough risk management program is essential, including a business impact analysis and development of mitigation strategies for key threats. Risk needs to be understood and evaluated in a unified way across the enterprise.
  • Agile local empowerment. Empowerment of managers and workers who are close to the crisis, either geographically or by specific area of the threat (IT security, for example), ensures that lines of authority are known and response can begin immediately.
  • Agile structural flexibility. The capability to realign organizational structure to meet new needs of the changed business or technological situation is vital. This realignment may require immediate and radical changes to existing hierarchies.
  • Agile collaborative capability. The capability to cooperate with other businesses, outside organizations, and others, as needed, to meet recovery demands is also important. This is often critical to success, particularly in catastrophes that involve an entire region or business sector.
  • Practice and rehearsal. Practice, rehearsal, and simulation of recovery locate weaknesses in resilience and strengthen the ability to recover. Rehearsals and simulations demonstrate the current recovery capability and prepare employees to respond to the real thing.
  • Absorption of new learning. This involves the capability of learning from adversity and developing stronger and more focused business processes, using the disaster as a platform for beneficial transformation.

Resilience has become a concern of businesses operating in every sector and risen to the fore with events such as earthquakes in New Zealand and Japan, flooding in Australia and Thailand, hurricanes and flooding along the US East Coast, and fires in California. Other events have included the global economic crisis and major recent technological changes involving mobility and cloud IT.

Concepts of agility, adaptability, and resilience have been in development for at least the past four decades, with both progress and need accelerating recently in the wake of economic and technological change. These concepts, which began as lean manufacturing, have gained further validation through work on complex adaptive mechanisms and through practical application at the process level in software development, where methodologies such as Scrum and XP have provided significant benefits to companies in meeting the challenges of change.

As a result of growing concern, resilience has come under investigation over the past several years, particularly in the context of integration with existing IT solutions. Because it involves other aspects of risk management, auditing, and compliance and must incorporate the whole enterprise, we have seen the emergence of several frameworks and approaches aligned with existing management frameworks, such as ITIL, COBIT, and CMM. These frameworks, including the IBM Resilience Framework and its Resilience Maturity Model (RMM) and the CERT Resilience Management Model (also RMM), provide guidance for incorporating various elements into a resilience program.

Brian Dooley

Brian J. Dooley is a Senior Consultant with Cutter Consortium's Data Insight & Social BI practice. He is an author, analyst, and journalist with more than 20 years' experience in analyzing and writing about IT trends.

Discussion

  4 Responses to “Understanding Resilience”

  1. Brian,

    most points in your post are well made, however the two big areas that are also vital is the cost benefit analysis of resilience that is the main point why we do not have more of these vital projects. Here it would be good to equip people on how to do such an analysis that would nicely build into the risk analysis you mentioned.
    The second topic is that of over engineering resilience, which is one of the main points that opponents use. Since this is happening as all consultants usually tend to do more and sometimes go a bit into hubris it is important that we do stay away from it.
    I would have hoped that you would have used the recent nuclear accident in Japan as a business case for not planning proper resilience, because on that disaster it is pretty easy to build a good business benefit case. Great posting.

  2. Excellent article (thanks) up to the last paragraph. Then suddenly it’s all about IT. Why is that? Up to that point everything you said was relevant to all aspects of the business of an enterprise, so it seems a shame to reduce it all to IT.

    • Quite true. The IT conclusion is mainly because this is oriented toward an IT audience. It is part of a much larger research focus which has included a number of reports and a conference here in Christchurch (“Seismics and the City”). The topic has great resonance here, as much of the central city collapsed in the February 2011 earthquake.

      • Thanks. Understood. I for one, and I hope other folks with an IT background, would be very interested in your broader work, if that’s available anywhere.
