May 2017
Part One of this article defined business resilience planning and stated the five things you need to know about business resilience planning.
Careful business resilience planning can mitigate the impacts of a disruption and allow your business to continue to function or return to normal more quickly. In addition, effective business continuity planning has the potential to improve overall performance and minimize corporate risk. Business resilience planning can minimize potential productivity losses and decrease the financial impact that a disruptive event can have on the bottom line. If you consider the impact of a damaged reputation, the return on investment in business resilience planning is almost immediate. For more information on business resilience planning, refer to Part 1: The Five Things You Need to Know About Business Resilience Planning.
Hope is not a strategy. Organizational Resilience is [1]
In this article, we will highlight how to operationalize your resilience planning efforts and put them into practice. A structured vision is a critical element of resilience efforts. The process of building organizational resilience can be broken down into the following five key areas: Business Impact Analysis, Risk Assessment, Resilience Procedures, Training & Exercises, and Measurement & Monitoring.
Following this process when incorporating resiliency principles into your operations is an efficient and effective way to create a culture of organizational resilience.
Business Impact Analysis (Prioritized Essential Functions)
The vision to survive
We, as humans, are quite resilient despite our major vulnerabilities. Instinctively, our top priority is to survive. Luckily, as a species, we have a pretty decent track record of survival. Why is that? Our brain understands its internal processes and their relationships and is programmed to prioritize its most essential functions—all because it has the instinct to survive. In times of inherent danger, we are willing to trade comfort and well-being for safety and survival. The business application is a whole different animal. In business, essential functions are not instinctive and must be regularly assessed to know how to respond efficiently in times of disruption. If you think of your business as a body, which are your vital organs? What business processes will it take to keep your business functioning? The Business Impact Analysis (BIA) process is the tool to determine what it takes, operationally, to keep your business alive. The BIA process identifies essential functions by department to determine the minimum level of operation needed for business to continue. The outcomes of the BIA include a prioritized list of functions for each department, recovery time objectives for those functions, and a desired minimum level of operations to return to following a disruption. Because your business may not be able to do everything in a disruptive state, identifying those functions critical to continuity of operations will help in prioritizing your response efforts.
Everyone in your business has something to lose if your business is not able to survive and that can be the driving force in all your resilience efforts. Assigning an organizational criticality to each essential business function will help prioritize which functions to focus on first during times of disruption. When identifying and prioritizing essential business functions becomes a living, ongoing effort, a resilience mindset will become second nature.
Risk Assessment (Prioritization of Threats)
Pressure points
Disruptions can hit your business where it hurts. Assessing and prioritizing threats at the essential function level will help to focus your efforts on the most severe and most likely threats to your most essential business assets and processes. How many single points of failure do you have in your organization? Have they been identified and addressed? Focusing on what can threaten your essential functions will help prioritize your risk aversion and disruption response efforts.
The Risk Assessment (RA) process is the identification and analysis of business risks and associated threats that may affect an organization’s ability to continue its essential business functions. The objective is to understand the effectiveness of existing risk controls and identify additional risk treatments to decrease the likelihood or severity of threats that could disrupt your essential business functions. The outcomes of the RA are documented strategies to mitigate the prioritized risks and threats. The results of the BIA and RA help to align mitigation measures with the most critical business functions to ensure minimal impact to business outputs—especially during disruptive events.
It is important to prioritize your efforts by evaluating threats using a risk rating. The risk rating (likelihood x severity) focuses on the threats whose impact on your essential functions and their associated critical resources is severe and that have the greatest likelihood of occurring. Threats can affect the bottom line in a variety of ways, but should be categorized by what they immediately affect: loss of facilities, loss of IT/data, loss of critical personnel, loss of supply chain, loss of reputation, etc.
Risk treatments
The reason for identifying risks is to plan how to respond to them. Each identified risk is like an open wound, and should be treated by limiting (or eliminating) the likelihood and/or severity of identified threats to your essential business functions. Risk treatments are often categorized into avoidance, mitigation, transfer, and acceptance. Avoidance is a total elimination of a product, service, or process linked to a specific risk and is appropriate, when possible, for the risks with the highest risk rating. Mitigation is a way to reduce a known risk and can be achieved by changing internal processes to include redundancy of efforts, changing suppliers, communication, or training. Transferring risk can be accomplished through outsourcing or by contracting processes or assets outside your organization and supply chain. Financial reserves and insurance policies could be considered a partial transfer of risk. Acceptance is simple acknowledgement that the efforts of any other risk treatment would outweigh the benefits because the likelihood and/or severity is so low. When assessing risk, it is important to note that some risk is worth accepting.
Prioritize implementation efforts for resumption
You can establish resumption priorities by prioritizing essential functions, departments, and resources that need to be up and running to support the continuation of products and services delivered to your customers. An additional level of prioritization is to, for each essential function, compare the organizational criticality to its risk rating (likelihood x severity). Those with the largest numerical value should be treated first.
Regardless of your risk treatment strategy, it is important to be aware of the risks to your essential functions for business survival. Ultimately, a more resilient business will have identified and protected its most vulnerable essential functions.
The following elements should become part of a comprehensive Business Continuity Plan:
Resilience Procedures (Readiness Handbook)
Business Continuity Plan
Remember, the goal of resilience efforts is to re-establish business-as-usual as quickly and safely as possible. Business continuity planning should align with that vision and answer the “Now what?” asked during disruptive events. The vision will articulate itself in resilience procedures, and its parent—the Business Continuity Plan. The Business Continuity Plan should be well-thought-out, made readily available, and simple enough to be understood by all. There is no one-size-fits-all continuity plan because every organization has unique missions, customers, functions, threats, and people.
Readiness Handbook
As a tangible representation of business resilience efforts, you can create a user-friendly version of the corporate plan as a quick reference for business continuity procedures as well as emergency procedures in your place of business. This document should be a visually appealing synopsis of key items that all employees need to remember and should be readily accessible by all.
Training & Exercises (Ready Workforce)
“Practice doesn’t make perfect, practice makes permanent”—Larry Gelwix.
It takes frequent and effective training to build muscle memory. We want to build the right kind of muscle memory for our emergency response. A business resilience plan is not just a written document—it is practical. Regular training and exercises will help operationalize resilience and build the long-term culture change you need to be successful with your business resilience program. It is important to know from personal experience that you can respond and resume critical business efforts when disruptive events occur. The goal for emergency response training and exercises is to prevent unwanted knee-jerk reactions when it counts. Not only does training prepare us to better respond in an emergency, but it is also required by law. OSHA requires all US employers to create and train on their emergency action plans (OSHA 29 CFR 1910.38).
You need a Ready Workforce
During disruptive events, initial responses may be laden with emotions and opinions, and decision making becomes increasingly difficult. It is best to analyze and prioritize business functions before the disruptive event to eliminate in-the-moment decision making and help the business get back on its feet at a quicker pace. Training also engages your team and the entire workforce. At FEA, training and exercises conducted as part of our ISO 22301 Business Continuity Management System certification were an integral part of our success. Performing exercises proved to be an invaluable activity, reinforcing and putting into action the procedures each employee had been instructed to perform during a disruptive event. Through our certification process and our engagement and education activities, we invigorated a core team of business continuity professionals, engaged with our employees companywide, and created a culture of organizational resilience.
Measurement & Monitoring (Continual Improvement)
It is imperative that a consistent process for ongoing evaluation and continual improvement become a part of your Business Resilience program to create a reliable, sustainable program. One way to measure your success is to utilize a Balanced Scorecard (BSC) approach. The BSC approach dissects an organization or public entity and its influencing factors, or perspectives. The four main perspectives of the BSC are customer, employee, process and financial. The BSC is a good framework for evaluating program performance: it measures performance against specific objectives and also addresses the strategic goals of the organization to better plan for and measure improved performance. The framework set by the BSC approach provides an excellent methodology to make sure the resilience objectives align with the organization’s strategic goals. The benefit of aligning the resilience goals with the organization’s strategic goals is that the program stays focused on what is important to the organization, which may improve the chances that resource and budget requests are approved.
FEA utilized a balanced scorecard as part of our ISO Business Continuity Management System certification process to track progress and evaluate our performance against objectives. Since we met many of our targets, and we want to continually improve, we have increased our targets for 2017. The simplicity of the BSC and its alignment with the organization’s strategic goals allow for easy visualization, tracking and review.
Summary
Business resilience is the ability to rapidly adapt and respond to business disruptions, and safeguard people and assets, while maintaining continuous business operations. Business resilience planning includes both emergency planning and business continuity planning. An effective business continuity plan is the cornerstone of effective planning efforts and will frame your ability to respond, resume, and recover. However, business continuity planning is what is most often overlooked. Don’t underestimate its importance. Do you need to tell your body to breathe? No, our bodies are programmed to prioritize their most essential functions on their own, but the nature of business requires conscious resilience planning. You need to know what the essential functions and business processes are that will keep your business alive during a disruptive event. With a structured vision and an organized process incorporating a Business Impact Analysis, Risk Assessment, Resilience Procedures, Training & Exercises, and Measurement & Monitoring, you can build an effective business resilience program.
[1] ICOR BCM 2022 RA Student Guide 2013
Maureen K. Roskoski, CFM, SFP, LEED AP O+M is the Business Continuity Lead and Corporate Sustainability Officer at Facility Engineering Associates, P.C (FEA). With extensive experience in all things sustainability, Maureen leads FEA’s business resilience practice area. She is our internal Business Continuity Lead and helped FEA adopt business resilience as part of the company culture as we achieved ISO 22301 certification at FEA’s corporate office. As an experienced presenter and instructor, she teaches numerous IFMA and BOC courses and presents on all things FM, sustainability and business resilience.
Stephen Clawson is a Staff Professional at Facility Engineering Associates, P.C (FEA). He is a graduate of Brigham Young University where he majored in Construction and Facilities Management. Stephen has always had a curiosity and respect for the built environment. His experience at FEA has exposed him to high-performance FM principles, and has broadened his perspective of the FM industry to include business resilience which has reinforced his appreciation for the built environment.