Balancing reactive and proactive approaches to build new resilience capabilities
Business Continuity vs. Operational Resilience (Part II)
In our first article, we discussed Business Continuity (BC) and Operational Resilience, clearing up the differences between the two by overviewing the main definitions, policies, and standards proposed by the relevant governing bodies. Building on that basis, in our second article we will focus on reactive strategies, typical of a BC approach, and proactive strategies, typical of a security ‘by design’ approach, looking at a more pragmatic and effective way to deal with severe but plausible events.
Taking the saying ‘a picture is worth a thousand words’ to heart, we have chosen to discuss these approaches through a simple cartoon storyline, in which our two characters, Bunny and Tom, get ready for a camping trip. This simplified representation allows us to better illustrate the pros and cons of each approach and how they reflect the complexity of an organization.
Having a reactive solution for every scenario
Over the years, BC practices have been implemented in organizations in various ways, many of which do not embed a BC mindset in the organization’s culture. Based on our experience, this is quite evident in annual Business Impact Analysis (BIA) activities, which usually engage many different resources throughout the company and tend to be a merely repetitive exercise designed to complete the ‘shopping list’, losing the opportunity to focus on the more pragmatic goal of the entire exercise.
This routine could lead the practice of BC to its extremes, where it becomes either a mere exercise for regulatory compliance (where applicable), or a heavy (and expensive) burden of solutions and plans which a company carries out thinking that it can solve any issue.
Having a solution for each scenario doesn’t necessarily mean being ready for the unpredictable. This is even more true when cost-effective solutions are designed for extreme (and implausible) scenarios and are not effective in coping with more plausible (and even severe) ones.
Thus, as Bunny and Tom demonstrate while planning their camping trip, preparing a solution for each scenario can create a burden that prevents them from progressing toward their goals.
The proactive ‘by design’ approach: a security example
In the field of security, being secure by design means proactively identifying and remedying existing and emerging issues to protect a company and its customers. Being too proactive doesn’t necessarily mean avoiding disruptive security events. As we all know, when we talk about cyber security it’s never a matter of if, but a matter of when (black swan theory).
But, by attempting to avoid every possible risk, an organization reduces its capacity for dynamism and thus development, both of which are required for the achievement of business objectives and facing challenges in a continuous transformative process. Indeed, developing a BC strategy that is ‘too safe’ can prevent businesses from growing and welcoming new opportunities, anchoring them to safe strategies like Bunny and Tom, who never leave the safety of their home.
In media stat virtus: the opportunity of Operational Resilience
The Operational Resilience paradigm provides the opportunity to review, with common sense and pragmatism, each organization's ability to be flexible in facing its complex but plausible challenges, while developing new internal skills to be resilient regardless of what plausible scenario occurs.
This necessitates the ability to anticipate, comprehend, and plan for uncertainty, as well as the ability to devise solutions that reduce risk while remaining adaptable and flexible.
All of this must be done with the same sense of responsibility and attention that every organization has for itself, its stakeholders, and, most importantly, for those customers to whom interruptions in product and service supply can cause intolerable harm.
This is a critical success factor in the FCA's vision of Operational Resilience.
At the same time, such a vision aims to bridge the ever-widening gap between ordinary and extraordinary event management, between daily and worst-case scenarios, reactivity and proactivity.
Thus, Operational Resilience enables organizations to focus on their important business services or, in the case of Bunny and Tom, plan their camping trip in a way that does not focus on providing a reactive solution to every possible event, but instead ensures that a flexible, proactive approach is in place from the start to be able to continue operating in case of an adverse event.
Final remarks
These three approaches, discussed through a cartoon storyline, allowed us to highlight the main ideas and possible outcomes when undertaking each strategy. Getting ready for the unpredictable is a never-ending exercise, since today, more than ever, the nature of disruptive events is becoming more difficult to foresee. Every day the list of risks to the continuity of businesses is getting longer and there is a higher chance that an unconsidered event will occur. Therefore, developing new skills, such as flexibility and proactivity, and focusing on what is most important (or intolerable) for our customers, our stakeholders, and the system itself, becomes extremely important.
By accepting that the "black swan" will arrive sooner or later and that we cannot predict its exact consequences, organizations can begin working to develop and improve their resilience capabilities, integrating them into business as usual without creating a major burden.