Business Continuity: benefits in the battlefield - mentoring by Sun Tzu (part 2)

• 17 Apr 2023
• Maura

• Article
• Thinking and innovating
• The business continuity environment
• The organisational environment
• Analysis
• 0

  Comment

“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”  Sun Tzu – The Art of War

During the last few years, organizations have faced new and unexpected enemies, which always seemed improbable until they happened. Did organizations consider themselves victorious without knowing themselves nor the new enemies, and eventually succumb in these battlefields? Are they still suffering the consequences?

How can we increase the awareness of our organizations? Which approach can modern and innovative organizations introduce? Which enemies must we consider in order to be prepared and ‘not fear’ the result of a hundred battles?

We can consider an organization ‘known’ when we have identified its values, what is needed to achieve/produce/generate these values, and when we have evaluated the impacts that the worst case scenario can have on them. In other words, by analysing what and how enemies cause impacts to our organization.

What about self-knowledge?

In this article, we will be looking at the self-knowledge requirement in the above Sun Tzu quote and how that relates to BC.

Nowadays, organizations must be extremely dynamic and flexible to rise above the waves of the restless ocean which represents the current worldwide scenario of threats and risks. Fast and continuous improvement are the main shields for the short-medium market and business battles, but these produce new definitions or a remoulding of the organization’s structure. This can lead to grey areas if the projects or their implementation are not properly and adequately managed from planning to evaluation. Therefore, when can we consider that we have achieved ‘self-knowledge’ of our own organizations?

Self-knowledge can be summarised as self-understanding and assessment of critical activities and resources, including the potential impact of unexpected events.

Starting from the ISO22301 definition of ‘organization’ (a person or group of people that has its own functions with responsibilities, authorities, and relationships to achieve its objectives), we can detail the process, as it relates to BC, through the below steps:

Understand your organization and its context: Considering the above definition of an organization, this process requires the determination of the internal and external factors that are relevant to achieve or maintain the achievement of its fixed objectives, including the needs and expectations of interested parties to achieve its scope (ISO 22301:2019). The products/services, activities and resources should then be analysed to prioritise the necessary efforts required for the organization to not be defeated in battle.

Determining the scope of the BCMS: This involves considering the organization’s context, the identification of external and internal issues, and the requirements referred to in the organization’s mission, goals, and internal and external obligations. It also involves establishing the parts of the organization considered essential, as identifying products and services to be included in the BCMS can determine its backbone.

Identify and control the processes needed to meet requirements and objectives: This involves the knowledge of every element that can be achieved through Product/Service, Value Stream, and Process Resources mapping. This includes establishing and identifying criteria and requirements that should be under control and always considered.

Examples of this can be binding laws and legal regulations, but also the internal and organizational compliance requirements or the acceptance criteria defined by risk assessments or by the business.

Analysis of impacts: As in the introspective analysis, self-awareness includes the consciousness of impacts that can be caused in its critical and essential parts, which can be articulated as the:

• definition of the impact types and criteria relevant to the organization’s context (what can harm)
• identification of the activities that support the provision of products and services (what can be harmed).

Both can be combined for assessing the impacts over time resulting from their disruption, including the identification of the time frame within which the impacts would become unacceptable (MTPD).

From this self-awareness, BC can prepare the actions required to not be defeated:

• set prioritised time frames within the ‘MTPD’ for a reaction at the minimum disrupted acceptable capacity (MBCO);
• identify prioritised activities based on the above analysis;
• determine which resources are needed to support prioritised activities;
• determine the dependencies, including partners and suppliers, and interdependencies of prioritised activities.

What else is needed to subsist and carry on, so the organization can improve instead of succumb?

BC defines this section as monitoring, performance evaluation, review and continual improvement, in terms of suitability, adequacy and effectiveness, based on qualitative and quantitative measures. It should always consider the changing universe in which it exists.