Is your business resilient? How would you know? What standard would you use to measure its resiliency? Why should you care? The term “resilience” has become something of a buzzword in business, used so much that its meaning is diluted to the point of becoming almost meaningless. Business resiliency should be of great concern to the leadership of the business, to its employees, and to its customers. It’s a state of being and a state of mind.
Let’s start with defining our term. Webster gives two definitions of resilience:
- the capability of a strained body to recover its size and shape after deformation caused especially by compressive stress
- an ability to recover from or adjust easily to misfortune or change
The second definition seems more apt to apply to business. Let’s define this more tightly so that its focus is on business exclusively: Business resilience is the ability an organization has to quickly adapt to disruptions while maintaining continuous business operations and safeguarding people, assets and overall brand equity.[i]
However, this definition lacks one thing. Before resilience can become an ability of the company, it has to first become a mindset of the company. When I worked for General Electric the “6 Sigma” process was being introduced. The Medical Systems business unit had a poster I remember to this day. The caption was “6 Sigma. It’s the way we work.” It wasn’t just a process applied to products. It was the way every member of the business thought about their work.
It must be the same way with business resilience. Resilience needs to become a part of the culture of the organization; no easy task! Changing culture is hard work and takes time. The benefits of becoming resilient must be made clear to everyone. Let’s look at how resilience benefits the business in three key areas: Operational Resilience, Reputational Resilience, and Cyber Resilience.
Operational resilience management includes all the practices of planning, integrating, executing, and governing activities to ensure that an entity can:
- identify and mitigate operational risks that could lead to service disruptions before they occur
- prepare for and respond to disruptive events (realized risks) in a manner that demonstrates command and control of incident response and service continuity
- recover and restore mission-critical services and operations following an incident within acceptable time frames [ii]
This is just good risk management. Employing this definition, a business thinks through the ways in which its operations could be disrupted and then formulates plans to recover its operations quickly to minimize the impact to the customer. This is the measure a company should use to judge the degree to which it has operational resilience: can it recover its operations before the customers feel the impact?
This planning cannot be done in isolation. It must involve the outside services upon which a business relies. It does little good for a business to be able to survive a hurricane if all the roads leading to it are blocked with downed trees. While some employees may be able to work remotely, if the business is a manufacturer, then people are required to be onsite to run the machines. Operational resilience is about internal and external dependencies.
Shakespeare said it well some 400 years ago:
“Who steals my purse steals trash; ’tis something, nothing;
’Twas mine, ’tis his, and has been slave to thousands;
But he that filches from me my good name
Robs me of that which not enriches him,
And makes me poor indeed.”[iii]
Let’s distinguish between brand and reputation. Brand is what your company tells the world about itself and its products. Reputation is how the world perceives your company based on its actions. The irony regarding a damaged reputation is that companies usually do it to themselves. They “steal” their own good name and make themselves “poor” by their actions.
Do you recall United Airlines’ advertising slogan “Fly the friendly skies of United”? Some ad slogans, like this one, live on long after the ad campaign has ended. Do you recall what happened to United Airlines in 2017? An incident concerning overbooking ended with airport police being called and dragging a customer off the plane. All of this was captured on the cellphones of passengers, who quickly posted it to social media. United Airlines became fodder for the monologues of the late-night TV show hosts. The “friendly skies of United” became something decidedly other in the mind of the public. The tone-deaf response of management, which defended the actions of the employees and labelled the passenger who was dragged from the plane as “disruptive and belligerent”, didn’t help the company image. Worse, the airline’s stock value dropped 6%, or 1.4 billion dollars, after the incident.
At the heart of the problem was a disconnect between United’s brand and its corporate culture. The prevalence of social media quickly unveils these disconnects and results in a lack of trust in the company and its management. If this is how a company treats its customers in a routine situation, how will it act during a crisis?
In 2015, Deloitte conducted a survey of publicly traded companies to examine the gap between real and perceived crisis readiness in the eyes of board members and the large companies they direct. Of those surveyed, 49% reported that their company had a crisis management “playbook” for crisis situations. Of the remaining companies, 18% said no, they did not have a crisis management “playbook” and 33% were uncertain.[iv]
If your company hasn’t thought about how it would respond to a crisis and how it would communicate its response to customers, employees, and shareholders, then it’s unlikely to get it right when a disruption occurs. Given the speed at which news is shared via social media, an incident involving your company can go sideways quickly, damaging the brand, impacting revenue, and even resulting in firings or forced resignations.
As with operational risk, your company needs to conduct a reputational risk assessment to identify and prioritize these risks. You need to proactively develop a crisis response “playbook” for reputational risk as you do for operational risk. All of this starts at the top and has to be incorporated into the culture of the company.
Let me state at the outset that cyber resilience and cybersecurity are not the same thing. Cybersecurity is concerned with the methods and processes your business puts in place to prevent cyber-attacks from occurring. It answers the question “How are we going to keep the bad guys out?”. Cyber resilience is the ability of your business to continue its IT operations in spite of any kind of disruption. A robust cybersecurity program will contribute to your business’s overall cyber resilience.
What do you need to do to improve the cyber resilience of your business? First, you need to assess the vulnerability of all your business processes to a breakdown of your IT systems, whether due to an external attack or a natural disaster. It’s likely that every process of your business relies in some way on your IT system. Next, every department needs to think through the risks it faces were the IT system to be unavailable. Then, once those risks are identified, the question of how to mitigate those risks needs to be answered and acted on.
Who should be responsible for the cyber resilience of the business? Everyone in the business is responsible for making the business cyber resilient by employing the tactics of cybersecurity. Since this should be a part of the overall risk
The Resilient Business
At the beginning of this article I quoted a definition of business resilience that’s worth repeating:
“Business resilience is the ability an organization has to quickly adapt to disruptions while maintaining continuous business operations and safeguarding people, assets and overall brand equity.”
Can your business quickly adapt to disruptions? How would you know? If you haven’t performed some form of a disruptive exercise, you won’t know until something happens and that’s too late. Every department of your business should have a business continuity plan it reviews and updates on a regular basis and exercises at least annually.
Is your corporate culture in alignment with your brand? Does the public believe it is? If not, when a crisis occurs, your brand may take a beating from which it will be hard to recover. If yours is a publicly traded company, expect to see this adversely affect the value of your company.
Does your overall risk strategy include the cyber resilience of your business? Have you tested the ability of your systems to recover from a disruption? Do you have work-arounds in place when any of your systems go down?
Business resilience is not a destination. It is a journey. Taken seriously, the resilience of your business will grow over time making it resistant (not immune) to disruptions and preserving its value.
Discenza Business Continuity Solutions works with small to mid-sized businesses to help them assess their vulnerability to operational disruptions, create plans to respond to these disruptions, and build their business resilience. Call us to learn more about becoming a resilient business.
David Discenza, CBCP, president of Discenza Business Continuity Solutions, has been involved in business continuity planning since 2009. He was the business continuity manager for the Risk & Information Management (RIM) group within American Express and currently works with companies in Philadelphia, New York City, Washington, DC, Baltimore, Connecticut, and nationwide to help them formulate plans they can implement when an unexpected business interruption occurs. David is certified as a Business Continuity Planner by the Disaster Recovery Institute International.