The BSI have recently released the results of their organisational resilience survey, the first since COVID. This provides an early snapshot of the relative gap between impact and performance of key elements that make up “Resilience”. It makes interesting reading.
At the most positive end of the spectrum, it is clear that well-established business continuity programmes are performing and adding value. That is great news and highlights the value in getting this right. At the bottom end of the spectrum, adaptive capacity, alignment and horizon scanning emerge as large and significant gaps.
These are fundamental strategic capabilities in this fast-changing world. Business operating models have changed during the pandemic, with a substantial shift from the physical estate (offices, classrooms) to the virtual estate (remote working, online delivery). Many of these ways of working, and the new customer behaviours and expectations that came with them, will endure. Organisations are understandably reviewing their business models. Quite rightly, they are asking three questions:
1. What are the risks now?
2. Where are our gaps?
3. How do we build forward with greater resilience?
Current resilience standards (ISO22301, 27001, 31000, etc.) provide helpful frameworks but do not, on their own, offer a view across vastly complex inputs and dependencies or a route to resilience improvement. Too often audit is a cursory review of document currency. It is not a robust challenge or stress test of arrangements. Near misses and critical gaps exist in many organisations.
This includes Critical National Infrastructure and highly regulated sectors, and examples can have fatal consequences. A recent cyber-attack on a water treatment plant in Florida, USA, where dosing levels were changed by an attacker via a tool installed to aid remote working, is one recent example of new risks introduced while adapting to COVID. The failure of the energy supply providers in Texas to plan ahead and be adequately resilient for cold temperatures is an example of a failure to horizon scan and adapt.
2021 is a golden opportunity to build organisational resilience, and to emerge stronger from the shadow of COVID. Common reasons driving the need to improve organisational resilience include:
• Inadequate implementation. Processes have been found wanting during COVID
• Competition to evolve, especially against competitors that are born digital
• Regulatory pressure – new frameworks
• Supply chain pressure to “be resilient”
• Inadequate stress testing and assurance
The questions that Incident Ready Consulting Ltd are commonly asked highlight that organisations are actively looking to address the organisational resilience gaps during this financial year.
• Are we vulnerable to the outages that our competitors have been impacted by?
• Can we meet resilience assurance thresholds from our regulator?
• How do we know if we are resilient enough across our processes for IT, Premises, Supply chain and People?
• Despite investment in risk and resilience functions (IT, Safety, business continuity, supply chain), these operate in silos. What risks and opportunities are we missing that could get lost in the gaps?
• How do we break down silos in our risk management, and how do we improve our data / oversight and anticipation?
• What does the target operating model for resilience look like?
If any of the questions above resonate and you would like to find out more about our organisational resilience gap analysis approach, please get in touch.