Many companies perceive the importance of business resiliency but don’t quite understand what’s truly at stake when the unexpected hits. For example, network downtime prevents employees from working and vital tasks to be accomplished, but in pure monetary terms, every minute a business’s systems are down costs, on average, a whopping $7,900, according to the Ponemon Institute. Considering this stat only reflects IT incidents and not downtime caused by supply chain disruptions, natural disasters, power outages, geopolitical factors, and a wide range of other possibilities, you can see how crucial planning for business resiliency is—as well as how risky not having a plan can be.
Whether regulators are requiring concrete measures or you simply realize the plans you currently have are lacking or out of date, building an actionable resiliency strategy will yield benefits in the short term and the long run—even if you never need to use it. Here’s a quick guide to understanding business resiliency and to get your plan upgraded (or just up and running) as you patiently put all the pieces of such a plan in place:
Business Resiliency, Defined
Business resiliency is a term that often has many meanings depending on one’s point of view. Even industry professionals casually mix up terms, which can lead to some understandable confusion for novices seeking answers to their questions. Simply put, business resiliency is the ability for a business to protect employees, assets, and reputation before, during, and after an adverse event. This goal requires multiple steps, as described below.
Understand the Overall Approach
With the jumbled collection of terms, laypeople may mistakenly believe a certain element of business resiliency is the entire strategy. Crisis management? Oh, that’s business resiliency, right? Are business continuity and disaster recovery synonymous with resiliency? Or emergency preparedness? The reality is all are crucial components of business resiliency, but on their own, are not:
- Emergency preparedness: The planning a company engages in order to prevent and properly react to negative events
- Crisis management: The steps a company immediately takes after a negative event occurs to protect company assets
- Disaster recovery: The actions undertaken to fix whatever damage (usually technology-related) was caused by the event
- Business continuity: The blueprint to restore a company’s operations to pre-crisis levels
Business resilience combines these disciplines into an overarching strategy that addresses the past, deals with the present, and looks to the future of a company’s ability to handle the unexpected. To us, this means going beyond hundreds of pages of documentation and strict adherence to industry regulations and standards. It means a holistic strategy that actually works. Here’s how it can be done:
1. Involve key stakeholders
Trying to assemble and execute a resiliency program on your own would be overwhelming and likely impossible. Other stakeholders must be involved. If, for example, a major snowstorm hits a key production facility, the supply chain may be affected, a power outage may send IT into crisis mode, and HR may need to figure out how to get workers home. These stakeholders know the key issues they face (and may already have plans in place); bringing it all together forms the basis of a comprehensive plan that guides you from the first snowflake to the quick resumption of normal operations.
2. Test, test, test
Many enterprises have resilience plans but no idea if the plans will actually work when needed. A crisis strikes, and because the plan hasn’t been tested, employees panic and, perhaps, fail to execute the plan properly. This can create a bigger problem than before and lead to scenarios that were never considered because some “obvious” step was overlooked. Once you have a plan in place, test it, work out the lumps, and test it again. The end result will be a strategy that is refined and employees who won’t freak out when they must implement it.
3. Don’t let your plan collect dust
Resiliency isn’t a one-and-done deal. After devising and testing a plan (and possibly executing it), the details must be continually updated to reflect industry changes, technology upgrades, shifting risk tolerances, new employees, and so on. Unfortunately, after much time is spent on a plan, it goes into a binder, placed on a shelf, and not opened for years. Think of resiliency as a process instead of just a plan—improve it as needed, and you won’t be frantically scrambling when the unexpected does hit.
What is the state of your company’s business resiliency plans?