Is the world of risk, continuity and crisis about to change as new concepts and approaches linked to resilience gain momentum or are we seeking solutions to the same old stories repacked through a different language?
Protecting organisations is big business, or at least it should be, as no one wants to fail and few if any executives can wish to face the negative impact of serious disruption or crises. In general crises are expensive for organisations to handle, derail the best-laid plans and generally threaten the reputation of the top people in the business. Added to which there is a mix of guidance, regulatory requirements, employee concerns and shareholder expectations to address.
Is Resilience the ROI?
There is a positive return from the investment in managing risk and establishing continuity and response in an organisation: in practice it helps to build cross business engagement and, if effectively managed, builds relationships and improves efficiency.
BUT, and there is a but, organisations do not want to spend time and resources building ever more complex processes to handle concepts and ideas that may never cause problems. At a simplistic level this seems obvious but it does appear to result in a situation where this years “must do” risk drives the thinking.
That investment on the other hand, lets the organisation proactively manage the risk portfolio and embed the business continuity, emergency and crisis arrangements to fit the needs of the business through establishing competence and capability. Alternatively, the reality if we go the more piecemeal route, appears to be a desire to have basic compliance arrangements in place then attempt to bolt on specific procedures as and when deemed appropriate.
2014 may be remembered as the year of the cyber risk, with the focus for response, continuity and crisis moving in to the world of hackers. Who knows what next year’s theme will be, but we can be sure there will be a theme and it will result in more corporate anxiety and more procedures.
The result is a patchwork of processes, some of which are good others less so. What is often absent in this scenario is the time and resources to embed the principle, establish the capability and competence and fully test the systems and the people before moving on to the next problem.
But it’s OK, we have standards!
In theory help is at hand in the form of a full suite of standards from risk through continuity to crisis and resilience. All have standards (British or ISO) which guide users on their application. But like members of the same family it feels they are close relatives who are not talking to each other.
This places the emphasis back on the practitioner to determine how best to use limited resources to achieve a complex outcome of change across an organisation. No one wants to fight for a Business Continuity budget only to find the risk management or crisis systems are then exposed for lack of investment or coordinated activity.
Unite & Lead
If the future vision for sustained business success does lie with organisational resilience then all of these specialist subjects need to be
developed and built into the cultural foundations of the organisation. To achieve this requires an integrated approach.
So, who out there in the business community is for risk managers talking about business continuity and governance specialists understanding the deeper fundamentals of crises? Maybe this is what will make the difference.