Integrating Risk Disciplines
If you surveyed business continuity, IT disaster recovery, crisis management and global security practitioners from a single organization on what resilience means to them, you’d probably get (at least) four different answers. That doesn’t necessarily mean that the organization isn’t resilient! We’ve worked with many organizations that start with a siloed approach. Though the aims of each program are largely similar, we’ve often found their lack of integration hinders their ability to effectively leverage each other’s capabilities and achieve organizational goals.
DOWNFALLS OF A SILOED PROGRAM
Though each of the programs listed above has a defined focus and addresses risk differently, performing work in each program without considering the work, information, outcomes, and priorities of other risk disciplines creates a host of other issues. The issues that tend to arise from a discrete approach can be grouped into two main buckets: unnecessary duplicated work and a limited understanding of organization-wide threats and capabilities.
Issue One: Duplicated Work
When resilience-related activities are segmented across multiple disciplines, teams often try to solve for the same problem either using a different approach or prioritizing efforts differently. I recently witnessed this happening in an organization where one risk group was trying to identify employees that needed to be available during a crisis while another group was simultaneously attempting to identify how employees needed to return to work following a crisis (what we often refer to as recovery staffing requirements). Both efforts required talking to leadership, identifying essential departments and essential personnel, and training those employees. As I’m sure you can guess, there was a lot of overlap. However, because each team was unaware of the work the other was doing, each group was using time and resources to create different solutions for the same issue that, ultimately, led to a similar result.
Separate initiatives and meetings, with seemingly similar motives and audiences, left employees wondering what the difference was and how it all fit together. Where was the handoff and coordination between the various programs they were being exposed to?
Issue Two: Limited Understanding of Enterprise-Wide Threats and Risks
Trying to identify risks and solve issues in only one risk discipline with just the one lens limits the overall view.
Here’s an example that may feel all too relevant to your organization: An organization had a large disconnect between IT disaster recovery priorities and the business’ technology requirements. Though the business had gathered application dependencies and requested recovery time objectives (RTOs) during the business impact analysis (BIA), the IT team was left to come up with their own list of priorities and capabilities. Because of this, the gap between requirements and actual capabilities continued to widen without the knowledge of either team. Risks and priorities were presented to top management without accounting for the work other teams were doing and the risks they were identifying.
Issue Three: Inability to Develop Holistic Strategies to Address Risks
In both of the situations above, individual teams were unaware of the risks to the organization identified by other teams or were only seeing part of the overall picture. So, how could either group begin to address it in a truly effective and comprehensive way? Not only is your organization less likely to identify all the risks threatening organizational resiliency using a siloed approach, but you’re also hindering your organization’s capacity to best address risks using effective, collective strategies. Let’s say the IT team was trying to address the recovery gaps without input from the business continuity team. IT is missing out on valuable information about true software impacts on the business and viable workarounds that the business units could implement in the event that a particular application was down. The business might even have an alternate application in mind that would function more effectively for them. Also, the application users in the business could require specific data for regulatory and operational purposes, data that must be recovered but that the IT team, as system administrators, is unaware of. When you have blind spots to risks, you inevitably have blind spots when it comes to solutions.
Having siloed programs can open our organization up to a whole host of other issues.
So how do we fix it?
HOW TO EFFECTIVELY INTEGRATE
First and foremost, let’s not overlook the fact that there will be obstacles to overcome as you work to increase effective integration across the different teams. That being said, we’ve developed a clear and workable approach that can help you solve for the most common and most challenging of these obstacles, such as:
- Overcoming structural differences that exist among the various risk and preparedness programs in your organization
- Deconflicting priorities to find a common goal and purpose
- Breaking the status quo for those that see no need for change because this is “the way it’s always been done.”
We’ve found the most effective method to implement a more integrated approach is to create a cross-functional, interdisciplinary steering committee to provide guidance to and representation of all the risk disciplines across your organization, as well as any other key stakeholders that may be necessary to make a decision or define priorities. To start, you’ll need to identify the right people to represent each program and get everyone aligned on some very important questions. The four questions listed below may sound simple, but we’ve often seen a surprising difference in how each program – or even stakeholders within the same program – answer each.
Before any other work is done towards the goal of integrating the programs, make sure there is clear alignment across the new steering committee on each of these questions:
1. Why do we want to increase the integration between preparedness and risk programs?
2. What are our most strategic organizational priorities?
3. How integrated do we want the programs (software, program activities, scope, etc.)?
4. Who needs to participate?
If you’ve read our perspective on The Frame Meeting, these questions may sound familiar. Whether implementing an individual program (business continuity, IT disaster recovery, etc.) or a larger cross-functional steering committee, it is critical to frame the program to achieve lasting focus.
The key outcomes of successfully answering these questions are:
- Documented roles and responsibilities for all participants that detail who does what and when. Additionally, each participant must understand their role, want to participate, and have the capacity, such as knowledge, training, and expertise, to do so.
- A list of products and services that are organizational priorities. These are the products and services that must be provided to customers within acceptable timeframes in order to avoid negative reputational, financial, and regulatory impacts.
- A clear risk tolerance that defines the level of risk the organization is willing to accept. This could be a dollar value of an acceptable loss, an acceptable timeframe of downtime, acceptable market loss, etc. Ultimately there should be alignment among the steering committee and management to say, “We are willing to accept ‘X’, and we must mitigate or eliminate the potential of ‘Y’.”
- Metrics that enable the program to measure success and understand if it is meeting established goals. These goals will likely be based on each risk group’s internal metrics; however, establishing those goals and metrics at this level enables the steering committee to hold each group accountable and report on successes and gaps to the rest of the organization.
Of course, once you have answered the frame questions and established a foundation for a preparedness program in your organization, the work must ensure that the program continues to drive increased resiliency in the organization and evolve to meet new and changing risks and challenges. To continue to evolve its capabilities, members of this new steering committee and all associated preparedness programs should engage regularly at various levels and at set intervals.
Now, we realize creating a new level within your organization’s preparedness structure may not be the right fit for every organization. If not, a formal steering committee is not necessary to ensure you have the right engagement and coordination across your risk disciplines! Using the Frame process and an engagement plan to communicate risks, coordinate efforts, and make or recommend decisions will keep all risk disciplines engaged and driving toward a common goal, whether it’s a formalized steering committee or representatives from each program.
The frequency of meetings and participants may vary by organization and how often changes occur; however, we have identified some key meetings that can drive engagement and integration. The following are examples of meetings your organization may benefit from implementing:
- Steering Committee or Interdisciplinary Preparedness Meeting:
  - Who: All members of the Steering Committee, or representatives from each risk discipline and functional leadership within the organization
  - Objective: Gain alignment on program capabilities, threats, and action items to address gaps across disciplines
  - Frequency: Annually
- Program Working Sessions:
  - Who: Interdisciplinary representatives
  - Objective: Identify, discuss, and brainstorm solutions for addressing resiliency gaps, threats, and program issues
  - Frequency: Quarterly
- Program Status Meetings:
  - Who: Leadership in each risk group; each group has its own focus meetings
  - Objective: Gain alignment on scorecard performance and issue resolution; brainstorming and decision-making
  - Frequency: Monthly
BENEFITS OF INTEGRATION
You may find that it takes some time to integrate all disciplines into one, holistic preparedness program, especially if you’re in a large organization with a history of separate programs, but your organization can benefit immensely from your success.
Creating an organization-wide view of preparedness is a great first step, and as you continue to build on the foundation you’ve established, communicate effectively, and keep the organization’s strategic objectives and priorities in mind, you’ll be positioned to consciously increase the resilience of your organization. Over time you’ll start to see:
- Scalable Solutions: Acquisitions, new departments, additional locations, and any other growth or change to your business will be able to integrate into the established preparedness program.
- Increased Organizational Resiliency: The key here is continual improvement! Your organization’s level of risk will change as the program can effectively identify and solve for the risks that threaten the key products and services that your organization delivers.
- Clear Hand-off and Coordination Between Risk Disciplines: With clearly defined roles and responsibilities, your organization can quickly and effectively deal with the problems it faces because there are clear centers of excellence and necessary coordination taking place when more than one risk discipline needs to be involved. No more rework or confusion across programs or employees, just plain and simple solutions!
To learn more about how to effectively integrate the various risk disciplines in your organization, or if you’re looking for assistance to make it happen, please contact us.