When I was asked to create a business resiliency taxonomy I did some research to see what had already been created. To my surprise, none of my colleagues had ever seen one or had thought to put it together.
The highest level of the newly created taxonomy is the overarching term business resiliency, or business resilience. The term is well recognized in the industry: constantly changing business requirements and a global economy that demands 24x7 uptime have driven the evolution from early technology recovery objectives, measured in days to weeks, to today's environment of continuous business and IT operations. Where disaster recovery gave way to business continuity in the mid-1990s, business continuity is now giving way to business resilience. Availability, recovery, security and compliance processes and techniques have converged and must be managed concurrently to create an infrastructure that can sustain true business resiliency.
The branches under the business resilience umbrella are crisis management and business continuity. Where are pandemic planning and disaster recovery? Sometimes treated as peers of crisis management and business continuity, they are actually both types of business continuity planning. Pandemic planning is planning for the loss of people. Disaster recovery is planning for the loss of a critical resource, technology. IBM has articulated business resiliency as "The ability of an organization's business operations to rapidly adapt and respond to internal or external dynamic changes – opportunities, demands, disruptions or threats – and continue operations with limited impact to the business."
Within the crisis management branch of the business resiliency taxonomy there are two major sub-branches: man-made events and natural events. Man-made events include terrorism, kidnapping, hostage situations, bomb threats, chemical attacks, biological attacks, nuclear attacks, tampering, workplace violence, active shooter situations, strikes and picketing, malicious rumors, malicious intent, espionage and organizational misdeeds, including skewed management values, deception and management misconduct. All of these situations can occur with little or no warning, disrupt business and affect personnel physically and psychologically. They may start out and end as manageable incidents, or they may spiral into serious, life-threatening situations that require a large-scale mobilization and a coordinated response from multiple responders in both the public and private sectors. Because man-made events generally happen with no warning, the panic, fear, injury, death, property damage and negative publicity they often generate create further serious issues that must be communicated and managed.
The other sub-branch of the crisis management taxonomy is the natural events category. Natural events include a variety of weather-related incidents (wind, rain and snow storms) but also geological events, fire, epidemics, insect infestations, famine and stampedes. Advances in satellites and other meteorological technologies give potentially affected organizations in the path of whatever is coming some time to prepare and react. As with man-made events, some natural events occur with no advance warning, and others require full-scale evacuations, rescues and other crisis management responses. Also like man-made events, some natural events never become crises and can be handled as incidents if they are forecast correctly and with some notice. They can escalate quickly into a crisis, however, especially if they are forecast incorrectly or arrive with no warning.
In addition to damaging assets and property and disrupting businesses for weeks or months at a time, many crisis events have physical and psychological impacts on human beings. In recent years, companies have taken on increasing responsibility for their employees during crisis events, regardless of whether the event happens during or outside business hours. Organizations must have communication methods in place that respond to both the reality and the perception of a crisis, since the two can be equally damaging. Internal criteria must also be established that define which situations constitute a crisis, and therefore trigger the full response mechanisms, and which qualify only as incidents that can be handled without a full crisis response. The majority of communications occur within the response phase of emergency response incidents.
The other major sub-branch of the business resiliency taxonomy is business continuity. In many cases, business continuity is the next step in resolving an incident once a crisis situation has been stabilized. But there are also a myriad of events that disrupt business operations without triggering a crisis response.
When a business suffers a blow to its reputation, that is a crisis, but it is not a business continuity event. When a major storm is forecast and blows through, but proper preparation and effective incident management leave the business untouched by storm damage, business continuity may not need to be initiated. On the other hand, when a fire breaks out and burns down a building, that is a crisis which disrupts business operations and triggers a business continuity response. Crisis events in which lives are lost also trigger a business continuity response. Business continuity is necessary whenever there is a loss of a place of business or a loss of a resource that performs a business process. When a building is impacted, people are transferred. When people are impacted, processes are transferred to other locations.
Unlike crisis management, which most often requires a business continuity response, business continuity can be necessary without any crisis at all. Think about a building with a leaky roof. The leak is not a crisis, but it may affect equipment storage or an employee work area. In either case, alternate work location plans should be implemented so that critical business processes can continue.
Business continuity has two sub-branches in the taxonomy: internal events and external events that could disrupt business operations. Internal events involve facilities, operations and people. Many facilities, such as those in the manufacturing and biotechnology industries, rely on extremely high-value, unique facility assets. It is often cost-prohibitive to keep a second custom, specialized chamber or test machine available as a backup just in case. If something happens to that sole high-value asset (HVA) and there is no alternate or recovery strategy, the asset becomes a single point of failure that halts business operations. Operations include electrical power, technology and transportation. Should these fail, the business and its critical processes will certainly be negatively impacted, but such failures are generally recovered in a relatively short time, especially if the organization has an operations business continuity plan, contingency plans for loss of electrical power and a disaster recovery plan for its technology.
Unlike any other areas within the taxonomy, the internal disruption section of business continuity also includes return to work and alternate work arrangements. While these are responses to disruption, rather than causes of disruption, they are unique processes that are owned by the business continuity discipline.
Business continuity external events involve the supply chain, regional events and pandemics. In a supply chain disruption, a supplier may strike or go out of business. If that supplier happens to be a single-source supplier to your company, you are going to have an issue: delays to your project milestones and deliverables. It is critical, when selecting suppliers, to ask to see their business continuity and disaster recovery plans.
During a regional event everyone is competing for the same resources, and response and recovery efforts are prioritized by local government. Even if your company has recovered and is ready to resume operations, the supply chain, whether upstream or downstream, may still be impacted. You might not receive the parts you need for your deliverables because the supplier upstream has not yet recovered. Or you may not be able to send your product on to the next step in the supply chain because the regional event affecting your business is also affecting theirs, and either they have not recovered their critical processes or they are not yet back to business as usual (BAU). Regional events such as earthquakes or flooding can damage transportation and roads so that supplies, and employees attempting to travel to work after a disaster, cannot get through. Pandemics can be brought into an organization by external parties, including subcontractors, delivery personnel, contaminated supplies or employees, impacting business operations, slowing processes and delaying anticipated project milestones.
Business resiliency is the maturation and integration of the individual disciplines of crisis management, incident response, business continuity, disaster recovery and pandemic planning into one integrated set of processes and capabilities that work collectively instead of in silos. This approach allows a business to suffer minimal disruption from an incident that affects the entire organization. Business resiliency is the ability of a business to spring back from a disruption to its operations. Business continuity and disaster recovery have historically focused on a business's ability to recover from a disruption. Recovery implies that there was downtime during which business operations were unavailable. Resiliency, on the other hand, implies that an event may have affected a business's operations but the business was never completely unavailable. All organizations experience failures or other impacts to business operations at some point, so it is critical that every service is both designed for uptime and prepared for failure. Resiliency is tightly aligned to business strategy. It takes a holistic approach across the risk management silos, and it strives to minimize downtime by embedding resiliency and workarounds into everything the organization does: business processes, corporate and data center site selection, enterprise architecture and application development. A resilient organization must be like a spring: it absorbs the impact and bounces back.
Hannah Snyder, CCM, ABCP, BCP is the business continuity planner for xMatters. In this role, she serves as the company's subject matter expert on BC planning and communication best practices.