Business resilience is a term that seems to have many meanings for many people, but at its heart, it is about maintaining the ability to deliver on your objectives through volatility in the environment you operate within, whether that volatility is driven by the unintended consequences of planned activities or unexpected and unplanned activities.
Planned work, increased risks and associated treatment expense:
Sometimes newer industries (for example recreational domestic drones, third-party food delivery services, bicycle hire, etc.) are still discovering unexpected outcomes as a result of their product or service becoming widespread in society.
- Recreational drones are considered by aviation authorities to be a serious hazard when used near airports, and experts are hired to bring the drones down (not usually in a controlled way)
- Third-party food delivery services face new OH&S hazards, with riders travelling further than before on a hybrid bicycle/light motorbike in heavy traffic or poor weather conditions and, most of the time, late at night
- The bicycle hire organisations have a lot of damaged bicycles and must pay for bicycle retrieval from rivers, large drain ways and private property
Unplanned work, increased risks and associated treatment expense:
Large-scale events driven by external factors (usually originating outside of the business) can prove challenging.
- Pandemic (COVID-19) and associated lockdowns
- Public opinion shift (e.g. eco/environment, political, modern slavery, privacy, quality, etc) with a secondary impact of ‘swift change in demand’
- Environmental disasters (drought, floods, earthquakes, nuclear incidents, oil spills, etc.)
This all boils down to the need to:
- Understand what is most important to you in achieving your objectives, and how you might be impacted by unintended consequences of planned activity and unplanned activity – Understand your vulnerabilities
- Actively monitor and, if possible, prevent unplanned consequences on your activity – Actively monitor and prevent
- Prepare for when, not if, your business is interrupted, whether through people, process or technology, and have plans to maintain your operations during these interruptions – Actively plan and test business continuity
- Have robust plans to recover if you are interrupted – Actively plan and test disaster recovery
Industry approach – The 4 steps to better business resilience
1. Understand your vulnerabilities
Risk identification and assessment
Acknowledge the potential effort and cost.
2. Actively monitor and prevent
Risk treatment and reduction
Ensure that what is preventable is identified as a risk and has appropriate treatment and ownership. In some instances, mitigation (proactive control of risk triggers) may be an option; in other instances transfer may be an option (third party monitoring or maintenance); and in some instances, total avoidance may be an option (removal of the risk by altering strategy significantly).
Knowing what you can control and influence, and what the costs and benefits of this may be, could help you prevent unnecessary business interruptions and maintain operations when others in your industry or area do not – although not all serious business interruptions can be avoided.
3. Active business continuity planning/testing
Risk mitigation and response to realisation
Business continuity planning is focused on knowing how to continue core business services in the absence of some or all of the supporting people, processes, technology and infrastructure which you may ordinarily expect to have access to.
It is important to know when, why and how to respond to an emerging threat (a risk with the potential to become an incident). A Business Continuity Plan (BCP) provides the ability to respond to early warnings/near misses and incident occurrence. Business must continue to operate to remain viable in the long term.
The aim of Business Continuity Planning is to design a plan, develop and test processes to follow, establish decision-making criteria and know what needs to be done, in what order and by whom, to minimise the impact of an incident on all aspects of the business.
a) Detect (Identify early warning signs)
b) Respond (Determine approach based on pre-determined scenarios within the BCP)
c) Recover (Execute the BCP to recover lost services)
d) Restore (Restore to original state prior to the incident)
4. Active disaster recovery planning/testing
Risk mitigation and response to realisation
Disaster recovery planning is focused on knowing how to recover the technology/infrastructure required for the business to operate efficiently. A disaster is generally an unplanned event that may cause disruption for any period and may not be controllable (e.g. a tsunami cannot be stopped no matter what we do).
It is important to know when, why and how to respond to an emerging threat (a risk with the potential to become an incident). A Disaster Recovery Plan (DRP) provides the ability to respond to early warnings/near misses and incident occurrence. Business must continue to operate (even if this means service quality changes slightly for a period during recovery activity).
The aim of Disaster Recovery Planning is to design a plan, develop and test processes to follow, establish decision-making criteria and know what needs to be done, in what order and by whom, to restore impacted technology and infrastructure and return the business to peak efficiency as soon as practical.
a) Design (What, When, Who, How and Priority Order)
b) Develop (BCP driving key infrastructure recovery priority)
c) Test (Physical and desktop-based testing of possible incident scenarios)
d) Improve (Seek ways to reduce the incident rate or outage time through infrastructure)
The above is by no means comprehensive, but instead gives us an insight into the thinking around business resilience.
So, you may wish to ask:
- Have I identified key risk scenarios that would hurt my business?
- Are we preventing and monitoring these potential scenario triggers?
- Do I have a Business Continuity Plan?
- Do I have a Disaster Recovery Plan?
- Who is assigned to proactively own and drive the business resilience activities?
If I don’t know the answers to the 5 questions above, then I would benefit from an assessment of my current status.
Insync offers a high-level assessment, in-depth assessments, and assistance in developing roadmaps for business resilience programs so that you can do ‘the doing’ yourself and augment your skillset along the way.
Senior Manager - Risk and Compliance
John is an accomplished risk and recovery professional with over 25 years’ experience in developing and delivering medium to large scale complex enterprise wide initiatives, risk frameworks and complex business investment justifications.
John has developed a strong reputation for ‘thinking outside of the box’ to execute effective strategies, risk/governance processes and business transformation, cultural change management, business readiness/disaster recovery planning, procurement/supply chain strategy, complex business-case development and ICT governance.