Castellan brings every aspect of business continuity and operational resilience together in one place, so you can stop hoping and start knowing.
Now you’re ready.TM
This is part 1 of a two-part series exploring the resilience movement, how it can positively impact modern business, and the roles executives and key stakeholders play in ensuring business resilience while managing efficiencies, and adapting to changing environments with an expanding threat landscape.
While it’s hard to find a lot of bright spots from the pandemic, when it comes to business continuity, there actually may be one: a renewed focus on continuity, risk and efficiency management, and resilience—from employees responsible for day-to-day tasks, all the way up to executives and key stakeholders.
Although a range of team members have important roles, when it comes to building resilience into organizational culture, few may be as critical to your success as your executives and board members.
As we move into the next phase of our new business as usual, how can we keep the momentum going? How can we continue to build engagement and support across the entire enterprise? How do we shift organizational focus from one-off plans and programs to a holistic approach that encapsulates risk and critical services to ensure survivability when faced with a constantly changing and expanding threat landscape?
Now is the time to make a formal shift away from looking at terms such as business continuity, risk management, and operational resilience as just catch-phrases shared once a year in board packets or when an audit comes around. It’s time to embrace the resilience movement as how we anticipate, plan for, respond to risks, and recover from disasters or disruptions—all while managing efficient and adaptive organizations.
But where do you begin?
In a recent event, Castellan partnered with the Women Corporate Directors (WCD) Foundation to take a closer look at how important executive and key stakeholder engagement is for success and offer suggestions on how your team can build on pandemic momentum and keep resilience and continuity integrated into your organizations. Together, the teams united to publish a new resilience management report, which takes a closer look at WCD members’ thoughts about business continuity and operational resilience. That report, and related findings, serve as a basis for conversations shared in this blog.
The Women Corporate Directors (WCD) Foundation, a nonprofit, is the world’s largest membership organization of women corporate board directors. WCD inspires and supports board leaders in public and large private companies around the world. Castellan is a WCD Global Supporting Sponsor. For more information on this important partnership, read the related press release.
At Castellan, when we talk with our clients about resilience management, we’re generally focused on two critical components—readiness and response—with goals to help organizations minimize the impact of disruptions on business and business services.
While there are a range of events that might cause these disruptions, some common ones include:
With resilience management, the goal is to be able to anticipate which types of risk may affect your organization and its critical business services and be prepared to respond to and recover from them.
Unfortunately, many boards struggle to balance the demands of improving operational efficiencies and building a culture of resilience. So, how do you break through the barriers? How can you help your board better manage and understand the yin and yang of both?
As shared in our conversations with WCD, even with many lessons learned during the pandemic, some companies are still more focused on efficiencies, for example cost-cutting, changing suppliers, and budget and resources cuts, than they are resilience. Why? Often, there’s a lack of understanding that resilience organizations can actually effectively manage both.
In many cases, efficiency approaches contradict resilience goals. Some organizations don’t understand that they can be both efficient and resilient at the same time.
So, how do you find the balance between the two?
At the executive and board level, that balancing act may teeter around having a better understanding of organizational risks and how they’re managed. That’s because, ultimately, resilience is all about understanding, anticipating, and managing risks.
Even in events where cost-cutting for efficiency must happen, we must understand not only risks that exist now, but also the roles efficiency changes will play in introducing new risks into an environment.
As panelists shared in the WCD discussion, even with the best laid plans and program maturity, an organization is never fully resilient. That’s why we talk about resilience as a movement, not a one-and-done program. It’s no longer just about developing plans, testing and exercising them once or twice, and then putting them away until it’s time to repeat the following year. It’s about a continuous process of gap identification and improvement.
Another area where we’ve seen organizations struggle to bridge the gap between efficiency and resilience is because they don’t have a good understanding of their critical operations. As we saw when the pandemic first happened, some organizations struggled—and failed—to adapt because without this understanding, they tried to restore and focus on everything across the entire operation, instead of first investing resources into those required for continuity.
But it’s more than just knowing what these critical operations are. For resilience, all of these critical operations should be inventoried and mapped, with correlations to all dependencies. If your executives and your board members don’t understand where your resilience weaknesses are—before an event happens—they’ll likely be surprised by both scope and impact when something goes awry.
And it’s more than just taking a look at what’s happening in one location or office or division. These criticalities should be explored and documented across your entire organization—and even further. Also include customer impact, your supply chain (beyond just tier 1 and tier 2 suppliers), and have a good understanding of financial impact as well as impacts short- and long-term on your brand and reputation.
Your resilience journey should include mapping all of your dependencies and critical services end to end, with plans for risk response such as avoidance, acceptance, mitigation, and response and recovery strategies.
When you’re looking at the criticalities, it’s important to share the risk impact to your executive and board in a language they understand. For example, what would the financial impact be if you lost critical services or how much could it cost to address the risk during an event compared to mitigating it beforehand? Talk with your board and executives about these risks, as well as give them insight into current and emerging risks as they happen.
Remember, your board and executives hold the keys to the financial and other resources you’ll need for success. They’ll need to understand this resilience movement isn’t just about buying new or better technologies to address risk. Those are important, but so is ensuring that you have the people and processes necessary as well, and you can address these risks on an ongoing basis and adapt as your environment and the threat landscape changes.
Think about it similar to how you might approach adopting a new technology. In those cases, you’re often seeking out a new technology to improve efficiencies (save time/money/resources), but you also want to increase performance. Your board should look at resilience in the same way. You can have both; you just have to pursue it from the perspective.
And while management teams and executives have shared responsibilities to get the information a board needs to them, board members similarly shouldn’t just sit back and wait for the upward flow of knowledge from the ground level.
Effective board members should have a solid understanding of your organization’s mission, goals, and objectives, as well as the role programs such as business continuity, risk management, disaster response, cybersecurity, and others play in ensuring resilience.
To close the traditional gap between efficiency management and embracing the resilience movement, board members should engage directly with their executives and ask questions.
Here are some open-ended questions your board could ask program managers and executives to get a better understanding of the current risk landscape and organization response and planning. They can ask:
These questions can help fill the knowledge gap with your board so their understanding is more than just charts and words on paper.
However, it’s more than just asking those questions. It’s also about when and where your board should engage. Don’t just set aside a single board meeting once a year to talk risk. Instead, incorporate risk and resilience discussions every time your board discusses strategies.
The resilience movement should support your organization as it develops, implements, and matures its enterprise risk management (ERM) program. Your board and executives can help move the program beyond standard key performance indicators (KPIs) and key risk indicators (KRIs) so it becomes a part of everything the organization—and as a result, board and executives—do continuously.
Want to know how you can build on executive and key stakeholder engagement to create a resilience movement across your organization? Keep an eye out for part two of this blog series to explore the role of resilience assessments, recommendations on how to scope your assessment and, understanding and establishing your organization’s risk appetite for continuity. Can’t wait and wait to know more now? Download the report, “Resilience Management: Bringing People, Process and Technology Together,” for a deeper dive into the resilience movement and how it can positively impact your organization.
Now you’re ready.TM
Get resilience insights delivered to your inbox.
Save a spot in our upcoming webinar “Operational Resilience: Why it’s more than just a financial sector priority” on Thursday, January 20th at 9:00am ET / 2:00pm GMT.