An abbreviated history of business resilience management before COVID-19
Documenting the early resilience wars
In the post-COVID world, talk of business resilience is everywhere. The subject has inspired many a ‘think piece’ and ‘how-to’. And business leaders en masse are telling survey-takers how crucial the proactive business resilience agenda is to their organizations.
But it was ever thus!
The new popularity of business resilience is, in many ways, a correction to the pre-COVID consensus of benign neglect. This consensus resulted in a tacit belief that, with minimal intervention, businesses could withstand disruption and still maintain continuous business operations at acceptable levels.
COVID disabused business leaders of this fallacious thinking.
Nevertheless, it’s still important to understand how the consensus developed in the first place. And for that, it’s helpful to go back to the early (academic) resilience wars to trace the emergence of business resilience (and business continuity) into their presently practiced forms.
As De Montfort University Associate Professor Brahim Herbane notes in his piece on the evolution of business continuity management, the earliest resilience wars saw feuding factions championing the normal accident theory (NAT) and the high reliability theory (HRT) to speculate whether companies could withstand disruption.
What did proponents argue?
The normal accident theory propounded that the more complex a system became the more likely accidents were to arise. Certain specifics (e.g., lack of slack and lots of overlap and complexity between component parts of a system) as well as the passage of time increased the likelihood of accidents within that system. And so, within the business context, external actors (i.e., regulators and policymakers) would have to force businesses to prepare for inevitable disruption.
Meanwhile, proponents of the high reliability theory argued that unlike human beings, organizations could resist accidents. They could do so by compensating for human frailty with intelligent design.
Which measures, specifically? Unbidden by regulators, organizations could seek to lower complexity, incentivise safety, build redundancy, and learn from their own accidents and near misses to remain resilient.
The technological revolution ushers in disaster recovery and business continuity
Of course, these academic debates, examining what was happening in businesses at the time, issued out of a larger context. That context was the technological revolution in computing of the last decades of the 20th century.
In particular, the introduction of business computer systems served to integrate critical data into what looks now like proto-information management platforms. These new systems, besides the productivity gains they provided, created points of failure.
As a result, disaster recovery plans began to crop up in IT departments – what many scholars consider the origins of the systematised field of business continuity management that we know today.
Regulators also started intervening, beginning in the financial services industry, home to a high concentration of corporate data centres. The Office of the Comptroller of the Currency, for one, issued a circular in the early 1980s compelling U.S. banks to have formal disaster recovery plans with provisions for off-site assets.
By the 1990s, public healthcare, telecommunications, and government services policymakers and regulators would enter the fray, thanks in large part to the Health Insurance Portability and Accountability Act (HIPAA) (1996) and the Telecommunications Act (1996). The two Acts of Congress required entities to have IT disaster recovery provisions to ensure, respectively, the security of customer records and the availability of systems.
In the government sector, a significant executive order put out by the Clinton Administration mandated heads of federal departments and agencies to ensure the continuity of essential functions by (a) safekeeping essential resources and records and (b) developing emergency operating capabilities.
Terrorism and the acceleration of business continuity and business resilience
This functional, compliance-based, approach to business continuity and business resilience, hived off in IT, did have its critics. Within banking, for instance, onlookers noted how institutions themselves began to emphasise user-driven needs in their decisions to relocate activities to emergency facilities.
The spate of terrorist attacks on financial centres in New York and London in the 1990s also prompted reconsideration of what it meant for businesses to be resilient. These attacks, as Herbane notes, suggested the need for an “organization- and process-wide approach to crisis management planning…to support and take precedence over IT focused and function-specific disaster recovery planning.”
Then came September 11, and everything changed.
September 11 wasn’t just a mass casualty event. Businesses and government agencies lost access to buildings, facilities, suppliers, and clients, as well. They also lost connectivity with telecommunications and information systems.
In response, businesses quickly boosted their resilience capabilities. Disaster recovery, shelved in IT, had to make way for broader approaches to business resilience. Those often meant more flexibility to deal with critical event scenarios.
The upsurge in guidelines, regulations, and standards
Businesses weren’t the only entities readjusting. September 11 also proved a catalyst for regulators and policymakers.
U.S. regulators once again led the way. The following post-September 11 guidelines and regulations all had strong resilience provisions:
- Guidelines for strengthening the resilience of the US financial system
- National Institute of Standards and Technology Special Publications 800 Series
- Security guidelines for the electricity sector
- National Association of Securities Dealers Rules 3510/3520
- New York Stock Exchange Rule 446
- Federal Financial Institutions Examination Council business continuity planning booklet
- National Futures Association (NFA) Compliance Rule 2-38
Nor were standards-making bodies silent. Even before September 11, standards had been emerging from national bodies.
These standards were novel in one key respect, argues Herbane. They crossed economic sectors, while previous regulations had tended to be mostly sectoral. British business continuity standard 25999 dates from this time, as do the COBIT (Control objectives for information and related technology) 4.0 guidelines.
In the U.S., there was the National Fire Protection Association’s standard on disaster/emergency management and business continuity programs, standardised in 2000 and later championed by the American National Standards Institute (ANSI) as the national standard for emergency and disaster preparedness.
The trickle of pre-September 11 standards became a torrent after the terrorist attacks. That trend went global.
The King report on corporate governance for South Africa was issued after the attacks, identifying risk management and business continuity requirements. The U.K. Civil Contingencies Act established a multi-agency coordination mechanism. Singapore, for its part, introduced standards for business continuity/disaster recovery service providers.
Throughout the 2000s, many of these national standards would get rolled up into international standards, thanks to bodies such as the International Organization for Standardization (ISO).
The Singapore standard helped birth the ISO 24762 security techniques standard, which provided guidelines for information and communications technology disaster recovery services. The ISO/PAS 22399 guidelines for incident preparedness and operational continuity management synthesised existing national standards including the National Fire Protection Association’s standard on disaster/emergency management and business continuity programs.
The impact of the Great Recession
The financial crisis that struck in the late 2000s was another seminal moment in the evolution of business continuity and resilience in the workplace, with the near collapse of the banking system on both sides of the North Atlantic leading to a global economic downturn the likes of which hadn’t been seen since the 1930s.
Besides the spectacular bankruptcies of financial titans like Lehman Brothers and Washington Mutual, more than 170,000 small businesses went under in the U.S. alone, according to conservative analysis by the Business Journals of U.S. Census Bureau data. Less conservative analysis in Investopedia puts the number around 1.7 million.
As a result, policymakers and regulators in the financial services space attempted to prevent a repeat of under-capitalised firms posing a systemic risk to the larger financial sector. That meant that financial resilience was here to stay, at least as a compliance driver.
The Dodd-Frank Wall Street reforms subjected financial institutions with $50 billion or more in assets to enhanced prudential regulation. Meanwhile, the Federal Reserve garnered powers to stress test bank holdings to ensure that they had sufficient capital to weather economic and financial stress.
Internationally, Basel post-crisis reforms also aimed to strengthen the regulation, supervision, and risk management of banks to make them more resilient.
In the non-banking world, ISO enjoyed a productive decade in resilience-enhancing standards, too.
ISO 22301 was first published in 2012, then updated in 2019, laying down business continuity management system requirements. Other standards published in this period included:
- ISO 22320 (2011; updated 2019) Emergency management – guidelines for incident management
- ISO 31000 (2009; updated 2018) Risk management – guidelines
- ISO/IEC 27001 (Second revision 2013; updated 2022) Information security management systems – requirements
- ISO 22316 (2017) Organizational resilience
- ISO 22398 (2013) Guidelines for exercises
Despite the growing body of business resilience best practice being brought together in the 2010s, organizations remained under-prepared for a systemic shock like COVID, reprising their relative lack of preparation for September 11 and the financial crisis. They would pay dearly for this lack of business resilience, with some surveys, such as the Small Business Roundtable, pointing to as many as a third of small businesses closing due to the pandemic and related shutdowns.
However, the businesses that emerged intact from the COVID crisis are the beneficiaries of this latest turn in business resilience history, which has produced a weighty library of best practice, including the latest resilience-enhancing standard, ISO 22361 for crisis management.
And so, what’s next for business resilience management depends largely on what businesses do. They can once again become complacent, a risk that grows as more time passes from the peak of the COVID crisis. Or they can heed the lessons of business resilience history, embracing the best practice that’s out there to stay one step ahead of the compounding crisis threat.