Castellan brings every aspect of resilience management – from readiness to response – together in one place, so you can stop hoping and start knowing.
Now you’re ready.TM
Resilience. Security. Continuity.
If you were asked to define these words, what do they mean to you? And, as a business continuity professional, have they changed in scope and complexity in the past year? Has the coronavirus pandemic altered the way you approach these for business?
In Scenarios Episode 002 of Castellan’s podcast, “Business, Interrupted,” we chatted about the evolution of these words in both meaning and practice, as well as the rapid evolution of operational resilience into a resilience movement, with James Crask, senior VP and head of resilience at Marsh.
Resilience may very well be a top catchphrase of 2021, but it’s more than that because business leaders are more concerned than ever with overcoming the next major obstacle. It’s a movement that’s forever altering the way business continuity and related professionals approach their roles as an integral and foundational component of organizational success.
The resilience movement unfolding now is about more than just planning for disruptions. It’s also about forethought and planning to prevent disruptions, regardless of cause. It’s going beyond traditional known threats such as severe weather events or technology failures. It expands into prevention, response, and recovery strategies for the unknown as well as, for example, disruptions with your supply chain or a cyber-attack. The movement is about shifting from the “if” a disruption may happen approach to the “when.”
The resilience movement, from the Castellan point-of-view, is about knowing what to do when your organization experiences a disruption, responding in a timely fashion, and decreasing impact both internally and externally, with the support of your executives and key stakeholders, while meeting all of your organizational goals, customer expectations, and compliance and regulatory requirements.
Think of the resilience movement as how your organization bends in a crisis, not breaks.
It’s the new normal for business as usual.
“I think quite a bit has changed. Hasn’t it?” Crask reflected in our podcast episode. “In the past… the challenge has always been, how do you get resilience onto the agenda at executive or board level? Well, now for many organizations, it is the agenda. They’re in survival mode for dealing with severe weather or the fallout from COVID or some of the political instability that we’re seeing across the globe as well.”
And that survival mode in our changing environment is contributing to a new level of interest and scrutiny for business continuity and cyber and operational resilience programs.
“It probably feels quite uncomfortable for some that may not have had that kind of scrutiny in the past,” he explained, “being asked quite difficult questions by their boards, but I think it should be welcomed.”
This is one of the many positive changes for resiliency post-pandemic for many organizations.
“I think COVID showed us that the scope and depth of some of our planning needed to be wider and deeper,” Crask said. “I think too many plans were focused on recovering discrete bits of infrastructure and individual building and individual results.”
Pre-pandemic, many organizations—even those with pandemic plans—hadn’t considered just how long a global emergency might last, meaning several assumptions made in continuity and disaster response planning just didn’t hold water.
“So, I think we’ll see more scrutiny in the breadth of planning, the scope and the depth of that planning,” Crask explained. “And supply chain, I think that’s another. We’re only just starting to see some changes here, I think, but I think … we’re going to see radical changes in that sort of element of resilience.”
As organizations try to get their hands around operational resilience, the picture, over time, will become clearer.
Executive leadership and key stakeholders, now more invested in continuity and resilience planning, will likely play key roles in what this looks like in the short- and hopefully, long-term.
Zawada posed this important question: “What’s the method to not only engage once, but engage continuously to keep the momentum on this very important topic? Because I don’t think it’s going away anytime soon.”
As continuity and resilience professionals continue to evolve their skills in a technical sense, it’s critical that they also focus on further developing important “soft” skills like relationship management, communication, and understanding the business to make resilience relevant to executives and properly connect at the Board level.
“I think the resilience professionals of the future will spend more time honing those skills,” Crask said, and making those skills and programs more relevant to senior leadership and carrying that through customer and client connections.
Risk analysis and continuous risk management will also play important roles, as well as prioritizing risk management and risk response.
“That’s a skill set,” Crask explained. “I think that some of the more traditional business continuity practitioners need to learn having that skill sets is going to be hugely valuable because you can then have a conversation at an executive level about where to invest in protecting the organization, balanced against the likelihood of risk and the impact of, of risk its challenges, some of the core concepts of business continuity.”
These soft skills will also play important roles in managing and guiding that “return to normal” post disruption of all sizes, severity, and timeframes.
“One of the things we need to get better at,” Crask said is, “harnessing our imagination in a more effective way to develop more robust, more rigorous, more testing scenario exercises,” especially for more severe, but plausible disruptive events.
As we plan for a broader scope of plausible scenarios, our focus should also include prevention. Again, it’s that shift in focus from the “if” to “when,” but what can we do to decrease the likelihood of that “when?”
There is a lot of value, for example, on increasing focus on our supply chains, similar to some of the new guidance and requirements coming out for the financial services industry.
Crask says that is rooted in the assumption that disruptions will happen and our need to plan accordingly. It’s an area where business continuity and resilience can benefit from increased focus, along with more emphasis on impact tolerance—both internally and externally—beyond the traditional focus of recovery time.
As part of this resilience movement, organizations should shift focus beyond the four walls of their buildings, even going beyond the traditional supply chain to include the end-to-end value chain, which today is multiple suppliers deep. And even beyond that to include our customers, how and what we communicate to our customers, and the impact of disruptions on our brands and reputations.
When it comes to operational resilience, organizations face a number of challenges and common pitfalls that hinder success.
“Delivering the planning at the business service level requires some degree of mapping of those business services,” Crask explained. “I’ve seen that delivered at various different levels of detail from something that is relatively high level, but delivers just enough in order to get to the next stage of the process, to something that has taken an army of consultants, an awful lot of time, effort and costs the client a significant amount of money, but in my view, probably doesn’t necessarily give them much more benefit than having just got a reasonable understanding of those mapping processes. There’s a potential to get lost in the details very quickly and really the approach that I’ve been taking with clients is to deliver enough to get to the point where we understand criticality to the level of detail that we need in order to get to the next stage.”
Then over time as your program matures, you can focus on adding in additional details that help your organization identify or expose vulnerabilities for prioritization.
Although COVID-19 is driving changes in business continuity to this resilience focus, some organizations may be hesitant to evolve along with it. Now is the time to move beyond those traditional incident-response practices for continuity toward a strategic play that includes resilience as a focus.
“You’re not going to get to that stage unless you try, unless you take risks,” Crask explained.
Need help getting started with operational resilience or maturing your existing program? Check out the full episode of Business, Interrupted: The Resilience Movement with James Crask at Castellan or wherever you listen to your favorite podcasts. In addition to some of the topics shared here, Crask and Brian Zawada, Castellan COO, also discuss the role of resilience in new financial service industry regulations as well as the role of ISO frameworks in implementing and managing resilience best practices.
Now you’re ready.TM
Get resilience insights delivered to your inbox.
Save a spot in our upcoming webinar “The Keys to Defining Impact Tolerances” on Wednesday, May 25th at 11:00am ET / 4:00pm BST.