The ability to continue business operations for the foreseeable future is a key metric from a financial standpoint. But from a risk management perspective, all dimensions of an organization’s strategic and operational framework must be analyzed in order to…
- Identify what could possibly go wrong.
- Prevent it from happening.
- In case it happens, identify how to withstand and recover from it.
The last part relates to business resilience — and it’s what we’re going to explore here.
Defining resilience for businesses & enterprises
ISO 22316 defines business resilience as the ability of an organization to absorb the effects of and adapt to a changing environment.
Business resilience isn’t merely about recovery from disasters like fires or cyberattacks. It encompasses dealing with any internal or external event that could threaten the organizational ability to achieve its mission. No entity is immune to such events — COVID-19, climate change, AI — which may individually or collectively threaten an organization’s existence.
Business resilience is a capability that must be addressed from the very top of the organizational leadership. It requires principles and mechanisms that are cascaded across the business operational model, resourced appropriately and monitored for effectiveness.
Let’s examine these three levels to identify the indicators required for any organization that desires resilience not just in name only, but in reality.
Resilience from a strategic viewpoint
As the board and executives chart the path that the organization must take to achieve its objectives, one of the main inputs is understanding the business context. Techniques like SWOT and PESTEL are quite popular in this regard, as the environment plays a great deal in determining whether objectives will be met in the light of changing circumstances.
Strategic resilience starts from the organizational leadership making effective decisions about priorities for resilience by:
- Thinking beyond current boundaries.
- Taking a risk-based approach to the achievement of strategic objectives.
From a governance perspective, policies that entrench resilience in the organizational structure and operating model should be enacted and published. In addition, risks to business resilience must be identified, assessed, controlled and regularly reviewed. The most recent World Economic Forum Global Risks Report detailed the interconnectedness of the highest-ranked risks as shown below:
WEF Global Risks Landscape 2023
Planning for resilience requires executives to be equipped with the right skills, knowledge, and behavior that can influence the rest of the organization to pull together during difficult times. The strategic response to risks that can impact the organization’s resilience should be informed by a leadership culture that is empowered and committed to preparing effectively for whatever change might be on the horizon.
And should these risks materialize, then the business leaders must be at the forefront of tackling these issues. Periods of uncertainty and disruption are opportune moments for executives to demonstrate strategic resilience to employees and stakeholders by:
- Taking charge.
- Executing their mandate with courage and integrity to carry the organization through that season.
- Afterward, honestly reviewing the outcomes including lessons learned and opportunities for improvement.
Resilience from a tactical viewpoint
Business functions must be planned and managed with resilience in mind. A business impact analysis exercise that supports the aforementioned risk assessment can help organizations to:
- Determine the criticality of business activities.
- Quantify resilience requirements by analyzing the likelihood and impact of disruption.
- Then develop the appropriate plans and solutions to ensure the continuity of business.
Adopting a framework like ISO 22301 for business continuity can enhance the resilience of an organization, enabling them to continue delivering products and services at an acceptable predefined capacity during a disruption.
When it comes to business information that powers the processes and functions, two main metrics that are key outputs of the business impact assessment are:
Recovery Time Objective (RTO)
RTO is your goal for how quickly business information and associated systems must be made available again. For example, systems that manage business transactions will need to be made available in minutes. Systems that manage other secondary functions can take longer.
Recovery Point Objective (RPO)
RPO refers to how much business information loss can be tolerated as a function of time.
For example, your organization may not want to lose any data that may result in loss of revenue, or lead to lawsuits or regulatory penalties. Acceptable data loss would be that which can be recreated easily from alternative sources such as data backups or manual records.
Figure: RTO and RPO on a timeline.
Assigning these metrics to business processes and functions provides clarity in planning the resource requirements and associated business costs related to resilience.
Too little resource allocation (e.g., relying only on a cloud service provider’s backup, or having a single person in a critical business role) may prove ineffective should disruption come, as the organization may be hampered in its attempts to respond to an event of significant magnitude.
Conversely, too much resource allocation (e.g., hosting the same business applications across multiple cloud providers) may prove wasteful, especially if it is sized for a worst-case scenario, and creates new headaches in managing it. The right balance must be evaluated and continually reviewed based on evolving environmental conditions.
Resilience from an operational viewpoint
Strategies and plans concerning resilience will not take off unless they are made operational as part of day-to-day activities. Leadership should disseminate resilience strategies to all levels of the organization, and the operational teams should be involved in the review and implementation of the plans to ensure continuity.
Implementation at the operational level should consider all dimensions of the business model including:
- People. Training and awareness of resilience plans conducted for all employees and contractors involved in operational activities.
- Technology. Implementation of technology solutions such as automated failover, self-healing systems and backups to support information resilience plans. Testing of these solutions, especially in production, to ensure that the RTO and RPO metrics are achievable.
- Process. Testing of all scenarios for key business processes in the event of a disruption, measuring responsiveness and identifying opportunities for improvement.
- Partners. Ensuring that vendor contracts include provisions for resilience and flexibility in the event of disruptions.
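The RTO and RPO metrics defined under the tactical viewpoint only mean something once recovery tests show whether they are achievable, which is the "Technology" point above. The following is an added example, not code from Splunk or from the survey the post cites: a small Python script that takes the objectives assigned by a business impact analysis, compares them against the timestamps captured in a recovery drill, and checks whether a periodic backup schedule can satisfy an RPO at all. All service names, objectives and timestamps are constructed for illustration.

```python
"""Check disaster-recovery drill results against RTO/RPO objectives.

Added example (not Splunk's code). Service names, objectives and drill
timestamps below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ServiceObjective:
    """Recovery targets assigned to one business service by the BIA."""
    name: str
    rto: timedelta  # maximum tolerable time until the service is usable again
    rpo: timedelta  # maximum tolerable window of lost data


@dataclass(frozen=True)
class DrillResult:
    """Timestamps captured during a recovery test (or a real incident)."""
    service: str
    incident_at: datetime          # moment the service became unavailable
    last_good_backup_at: datetime  # newest restorable copy taken before the incident
    restored_at: datetime          # moment the service was declared usable again


def evaluate_drill(objective: ServiceObjective, result: DrillResult) -> dict:
    """Compare one drill against its objectives.

    Actual RTO is the outage duration; actual RPO is the data-loss window,
    i.e. how far behind the incident the newest restorable copy was.
    """
    if result.service != objective.name:
        raise ValueError(f"drill for {result.service!r} does not match objective {objective.name!r}")
    actual_rto = result.restored_at - result.incident_at
    actual_rpo = result.incident_at - result.last_good_backup_at
    return {
        "service": objective.name,
        "actual_rto_minutes": actual_rto.total_seconds() / 60,
        "rto_met": actual_rto <= objective.rto,
        "actual_rpo_minutes": actual_rpo.total_seconds() / 60,
        "rpo_met": actual_rpo <= objective.rpo,
    }


def worst_case_data_loss(backup_interval: timedelta, backup_duration: timedelta) -> timedelta:
    """Worst-case loss window for a periodic backup schedule.

    If the incident strikes just before the next backup completes, everything
    since the previous completed backup is lost: one full interval plus the
    time the backup itself needs to finish.
    """
    return backup_interval + backup_duration


def schedule_meets_rpo(objective: ServiceObjective, backup_interval: timedelta,
                       backup_duration: timedelta) -> bool:
    """True if the schedule's worst-case data loss stays within the RPO."""
    return worst_case_data_loss(backup_interval, backup_duration) <= objective.rpo


# Constructed sample: a transaction system with tight targets and a
# secondary reporting system that can tolerate a day of downtime and data loss.
OBJECTIVES = {
    "order-processing": ServiceObjective("order-processing",
                                         rto=timedelta(minutes=15), rpo=timedelta(minutes=5)),
    "hr-reporting": ServiceObjective("hr-reporting",
                                     rto=timedelta(hours=24), rpo=timedelta(hours=24)),
}

# Constructed drill timestamps: the first drill restored the service in 22 minutes.
DRILLS = [
    DrillResult("order-processing", datetime(2023, 9, 14, 10, 0),
                datetime(2023, 9, 14, 9, 56), datetime(2023, 9, 14, 10, 22)),
    DrillResult("hr-reporting", datetime(2023, 9, 14, 10, 0),
                datetime(2023, 9, 14, 0, 0), datetime(2023, 9, 14, 13, 0)),
]


def drill_report(objectives: dict, drills: list) -> list:
    """Evaluate every drill against the objective registered for its service."""
    return [evaluate_drill(objectives[d.service], d) for d in drills]


def services_missing_objectives(report: list) -> list:
    """Names of services whose drill missed either RTO or RPO, sorted."""
    return sorted(r["service"] for r in report if not (r["rto_met"] and r["rpo_met"]))


if __name__ == "__main__":
    report = drill_report(OBJECTIVES, DRILLS)
    for row in report:
        print(row)
    print("needs attention:", services_missing_objectives(report))
```

In the constructed data the order-processing drill meets its RPO (four minutes of data lost against a five-minute target) but misses its RTO (22 minutes against 15), which is exactly the kind of gap the post says production testing is meant to surface before a real disruption does. The schedule check makes the related point that a backup taken every five minutes cannot satisfy a five-minute RPO once the backup's own run time is counted.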
Final thoughts: the reality of disruption
Today’s reality depicted by the risk landscape is that no organization, large or small, is immune from disruption. Our 2023 global survey, Digital Resilience Pays Off, indicates that advanced organizations that get resilience right…
- Save on average $48 million annually in downtime costs.
- Are more effective in dealing with change, executing digital transformation initiatives, and achieving financial performance goals.
These organizations have built critical capabilities such as visibility, detection, investigation, response and collaboration, which holistically address strategic, tactical, and operational level requirements, and result in greater adaptability to the changing environment. Resilient organizations don’t just survive disruptions, they thrive!
This posting does not necessarily represent Splunk's position, strategies or opinion.