Why resilience is not the saviour of Business Continuity

Author: Charlie Maclean Bristol, Training Director, FBCI, FEPS

Following his recent bulletin on why he thinks the business continuity profession is in decline, Charlie looks at why he does not think resilience is the solution.

A couple of weeks ago, I wrote a bulletin on why I think the business continuity profession is in decline. This week I will discuss why I don’t think resilience is the saviour the business continuity world is looking for. Many organisations, such as the Business Continuity Institute (BCI), are pushing the resilience agenda. Whilst I believe resilience is the answer to some issues, I do not think it is the sole answer to the future of business continuity.

I believe the promotion of resilience within organisations is an excellent idea, and many companies are embracing it. For example, in the public sector, Scotland Emergency Planning Units have renamed themselves as ‘Resilience’ and I have seen a number of resilience roles within the banking sector. At the moment, there doesn’t seem to be a standard with regard to what roles might exist under the resilience umbrella, but they could include:

1.   Risk
2.   Business Continuity
3.   Health and Safety
4.   IT DR
5.   Information Security
6.   Cyber
7.   Crisis Management
8.   Physical Security
9.   Horizon Scanning/Corporate Intelligence
10. Environmental

The principle of bringing all these different disciplines under one umbrella will add value across an organisation. There are many synergies between all these roles and each one can support the rest. Having identified a risk, other disciplines within resilience can help mitigate the risk and provide ongoing monitoring. This stops risks being managed in silos and mitigation measures in one area potentially increasing risk in another. The crisis management plan can be used to manage a reputation-type crisis, as well as business continuity, health and safety, and cyber incidents. The skills needed for resilience roles are not technical, but managerial, as it would be very rare to find one person who has the technical knowledge of all of these disciplines. Therefore, it is the resilience manager’s responsibility to manage a team of technical experts, who provide in-depth knowledge of each subject. The role of the resilience manager is one of coordination, audit and compliance.

Many business continuity organisations, such as the BCI, are heavily peddling resilience almost as ‘Business Continuity Plus’. Yes, the BC manager could take the role of the resilience manager, but there is absolutely no reason why the IT DR manager would not be equally as well placed. The role of the resilience manager is all about good management of a number of areas, and does not require the technical skills of the BC manager. I don’t believe the BCI really understands what resilience is, as so far, they have made a lot of noise about it, but have not produced any guidance or training on resilience.

The BC manager has two sets of skills: their business continuity technical knowledge, such as how to implement the BC lifecycle, and their understanding of how to manage business continuity within an organisation. The management skills are similar to those needed by the resilience manager, but the technical skills for BC are completely different to those needed to manage health and safety.

In conclusion, resilience is a natural process to bring together organisations which identify and manage risk on an ongoing basis. I would like to see a Chief Resilience Officer (CRO) who takes this role and ensures that the silos between all these disciplines are broken down and brought together. I would also like to see organisations, such as the BCI, separate BC from resilience and concentrate on the discipline of BC, without clouding the picture by talking about resilience all of the time. Perhaps there should be a ‘Resilience Institute’ which provides guidance on how to carry out the role of a good CRO and introduce guidance on how to manage several disciplines together, including how to audit and assess each one’s level of maturity. Finally, I would like business continuity people to concentrate on using their business continuity skills to add value across the organisation, not by trying to become the resilience manager, but by using their existing skills to improve the organisation’s response to an incident.

I think there is a lot of value BC managers can add, without trying to incorporate resilience, and there is lots to be done which will safeguard the profession. Business continuity does have a bright future, but we have to keep evolving, we cannot stand still!
