Following my previous blog post on Business Continuity, I would like to continue today on the same theme, but this time moving to the concept of resilience. 

Resilience in the context of Business Continuity can be defined as a combination of the following:

Not being vulnerable
Is your infrastructure, processes and plans capable of responding to threats that you have not even thought about, the so called “Black Swan” events.

Robustness
Is your organisation able to withstand stresses, pressures, or changes in procedure or circumstance without failing?

Redundancy
Do you have fall back plans / systems / processes to keep the business running?  These redundant options may require the business to chop and change in the event of the disaster …

Adaptability and Agility
Is the organisation agile enough to adjust to the changes imposed by the above?

Resilience is a property of not an activity.  That is to say it is what your organisation is that makes it resilient, not what it does.  Therefore resilience is a function of the People, Processes, Technology and Partners.  Moreover, resilience is determined by what your organisation is capable of doing, rather than the number of plans and documents you have.  Practice and rehearsals are much valuable to developing resilience than the plan artefacts, which reinforces the points made about BCP above. Resilience can be developed in an organisation, but it is difficult to measure.  However the level of resilience in an organisation can be observed during and after an incident. 

As with BCP, building resilience is a journey, not a destination.  As your organisation continues to evolve, so must the business continue to think about ways to ensure it remains resilient.

For further information on resilience, business continuity and disaster recovery, I would recommend reading Ken Simpson’s blog here.

The topic of the last PicNet User Group meeting was on Business Continuity and Resilience.  The discussion in this meeting revolved around the importance of business involvement and eventual business ownership in a successful BCP project and how to develop resilience in an organisation.  It is from these discussions I would like to share some of the thoughts on this subject.

All too often the terms Disaster Recovery and Business Continuity are (incorrectly) considered to describe the same thing, that is, the recovery of IT system after a disastrous event.  This has lead to a trend for the responsibility of creating and maintaining a Business Continuity Plan to be left to IT.  However, Disaster Recovery (DR) should not be confused with Business Continuity, for which DR is only a subset dealing primary with IT.  Business Continuity Planning (BCP) must include areas of business, not just the IT functions.

The experience of producing DR Plans puts an organisation’s IT department in good a position to enable and facilitate the BCP process.  However for BCP to have any chance of success, it is imperative that all functional parts of the business take an active part in the development of the Business Continuity plan.  Furthermore, long term success is dependent on the business taking ownership of the plan once it has been produced and dedicate the required resources in plan maintenance to keep it up to date.  One our customer has had direct experience of this.  Several years ago, this customer’s IT department undertook a project to produce a Business Continuity Plan for the for the wider business.  However, the BCP process had not been sufficiently explained to the business, which resulted in a lack of resources from the various functional departments.  Without sufficient business involvement, the project inevitably failed.  In 2009, the IT department once again took the lead in producing a Business Continuity plan.  However this time around, the process and the requirements were first explained to the Managing Director and the various departmental directors.  It was made clear that for BCP to succeed, the business as a whole must be involved and resources made available.  Once the plan had been produced, the business must take ownership of the plan and ensure it is maintained and kept up to date.  With the boarder business onboard, this second BCP project was successful.

When it comes to BCP, often it is the process rather than the end artefact that is of the most value to an organisation.  The process of planning for business continuity stimulates thinking on processes, organisation, suppliers, customers etc and ways to keep the business operating if the proverbial “sh*t” was to “hit the fan”.  The process of testing the BC plan either reinforces these ideas or (if it is found that the processes detailed in the plan are no viable) forces new solutions to these problems to be found.  This is also true for the maintenance of the plan.  The maintenance process allows the business to increase their awareness of the BC plan and to re-examine their business to verify that the details of the plan reflect the needs of the current business.

For further reading, I would recommend reading Ken Simpson’s blog here. 

More to follow in my next blog entry on Resilience.