Preparing for the Unexpected: Resiliency

Good day everyone!!

Our show for Thursday, August 10, 2017 will focus on Resiliency – a hot topic among BCM and DR professionals.

Join us with guest Ken Simpson (The Resilience Ninja) and hear some very good insights on what Resilience/Resiliency really is….and what it’s not.  We’ll touch base on things such as Black Swan events and Lessons Learned vs Lessons Observed

https://www.voiceamerica.com/episode/100661/bcm-and-dr-what-is-resiliency

Enjoy!

The StoneRoad Team

 

 

BCM & DR: Can Organizations be Resilient?

There’s allot of talk of organization’s becoming resilient and how they need to be resilient if they are to compete successfully and respond accordingly to the ever increasing disasters of the world – both man-made and natural in causation. But that begs the question: Can organizations be resilient? In this practitioner’s opinion, yes, they can though it takes more than a single aspect to become resilient.

Many would have you believe that you can buy resiliency off a shelf; a service or product purchased from a firm touting that they can make your organization resilient, as though the procurement of a ‘product’ will make an organization resilient. Well, unless they are a pseudo-psychologist or have a background in leadership psychology, they can’t; at least not completely. Sure, it’s fine to say that Business Continuity Plans (BCP) and Technology Recovery Plans (TRP) et al will make an organization resilient but that’s just not the complete picture. It’s only part of the overall picture.

It’s just not a simple concept – though it would be great it if was. What will make an organization resilient? Is there some sort of magic ingredient that will suddenly ensure that an organization will bounce back from any adverse situation? Well, yes and no. It’s not one single ingredient, it’s multiple ingredients that when combined just so, will help any organization get through difficult situations.

The following sections outline some areas that must be considered as part of the overall resiliency plan if an organization is to become resilient. See which one’s fit within your organization and which items you might want to focus on to improve or instil a sense of resiliency.

1 – Previous Adverse Experiences
Resilient by definition means ‘bouncing back from adversity’ so no one can be resilient if there hasn’t been previous adverse situations that the person / organization hasn’t bounced back from. How is an organization resilient if it’s never had an adverse experience? How can you measure resiliency? What are you measuring against? What has it bounced back from to prove it became resilient? It can’t be because it’s wouldn’t have anything to bounce back from, so how could it ever know it was resilient? It can’t. Of course, some would say that because the organization didn’t suffer badly during a disaster, it was resilient. Well, maybe it really wasn’t a disaster or major crisis, just a well-timed and coordinated response; that doesn’t automatically equate to being resilient.

2 – Plans/Process
It would be ridiculous to suggest that BCPs and TRPs etc don’t help make an organization resilient; of course they do. These are what get opened up and followed (or used as a guide) when the ‘real’ situation occurs. Through consistent validation and testing, amendments are made and they become more and more robust over time; able to deal with a myriad of situations. If the plans are living, validated and leveraged, then the plans will help the organization become resilient. Not just from providing point by point activities but because the validation and the testing that goes on behind them helps instil a sense of accomplishment and progression to those who use them.

3 – Technology
You can set technology functions up in a way that keeps it going even when the power goes out; even when a primary server (or other component) goes down and data/communications are redirected. You can keep the ‘green lights’ on in many ways (too many for this small article). The technology component is the single most discussed area of resiliency, to the point where many organizations believe they are resilient simply if they have a strong technology recovery or IT disaster plan in place. Well, we know that IT is only part of the overall picture.

4 – Leadership
Leaders are usually leaders because they are resilient as a person, not because they have a high profile title behind their name. They have fought there way through the ranks, overcoming obstacles and thought their way through many complex challenges, all so they can be the leader – or a leader – of an organization; a reward for hard work and perseverance. A good leader will give back to the organization and help train others within the organization how to better focus energies and deal with adverse situations.

5 – Culture
Who creates the culture? Leaders, create it. If the aspects noted in #4 are true, then the corporate culture will eventually sway in that direction, even when those that oppose the leader find they have to deal with the new way of doing things or decide to leave for other pastures. We all know what flows downhill when theirs a problem, but if a good leader really is a good leader, then the good also flows downhill. This positive aspect will help

6 – People
People. People are the most important component of resiliency. Without resilient minded people, no organization will ever truly be resilient. Its people that bounce back from adversity and as the old English adage states, ‘Carry On.’ From the org’s leadership right down to the newest person walking through the door. They all must work together to support each other; from the top down to the bottom up. Everyone has something offer in an organization and everyone has a role to play when a disaster occurs.

When all these aspects are combined, then and only then, will an organization have the chance to become resilient. Then, an organization must encounter a situation that tests all these components and that’s when an organization can determine if it’s resilient or not. Once an organization has bounced back and can stand in front of its clients, customers, partners and the general public stating that it has weathered the storm with its reputation intact, that’s when it becomes resilient; not when it buys a product or service off a shelf.

© StoneRoad 2014 (A.Alex Fullick)

What is a Disaster? (Part III – Final)

My apologies for the delay in posting; after illness and busy work commitments, this took longer than anticipated.

Based on some feedback and comments received from the initial 2 part “What is a Disaster?” articles, I decided to put some additional closing thoughts together in a third – and final – instalment.

Thanks to everyone who sent comments and emails about the first 2 parts; you inspired this final piece.

*****************************************************

So let’s start from the beginning; What is a Disaster?  It’s still difficult to define a disaster in some respects because it’s different for every person, corporation and community.  They must have something in common if we call the situation a disaster, yet we all have varying perspectives as to what a disaster means to us – ourselves.  What may hinder one may not hinder another and if it does, it hinders them in different ways.  For individuals, the same situation impacting a corporation may not have any impact upon the individual.  Is it still a disaster?  From the corporations perspective, yup – it is.

Is a disaster something we feel?  See?  Experience or have knowledge of?  It can be any and all of these; either collectively or as separate entities.  From a corporate and/or community perspective, it’s how the situation plays out and impacts their operations, facilities and people – and it’s in direct relation to how well they prepared for an unplanned situation and their ability to mobilize resources in response to the situation.

A disaster is something you know will happen and can perceive happening but do nothing in response to the threats/risks/vulnerabilities.  One knowingly accepts the consequences of what occurs and yet, when it happens show complete surprise and shock.

Most ‘disasters’ have short-term durations.  They’re sudden and unplanned after all however, what makes them even more ‘disastrous’ is the long-term impact they can have.  Let me explain.

An earthquake lasts for only a few moments but the rebuilding processes and the care for those injured can go on for weeks, months and even years (thinkNew   Orleansafter Katrina).  This author visited the Sichuan Earthquake Zone in China, where devastation was so great that instead of repairing the city, China is building an entirely new city a few miles away; it was easier, quicker and less costly to do this.

The scars a flood can leave on landscape and future building and farming capabilities can last for years even when the flood was only rife for a short period of time.

Technologies and facilities can be rebuilt – sometimes better and stronger than they were before the disaster.  However, the effects on employees and residents who may have been badly impacted by the loss of technology (i.e. loan payments, lost pay cheques etc) or the loss of their home(s) can have very damaging long term impacts; in some cases they are emotionally scared until their dying days.

Of course, many sudden disasters – man-made and/or natural – can harm and impact many.  If you can get past it and move on – manage it well – it might not be such a disaster to you or your corporation; it could just be an inconvenience.  And let’s face it, people are resilient; it’s corporations that need to capture this human resiliency and incorporate it into their organizational culture.  They need to create mechanisms that are pro-active and help mitigate the potential of dangers, threats, risks, crises and disasters.  In everything it does, it thinks about risk and puts measures in place to mitigate and manage the risk.  It becomes second nature and we’re not just talking about financial risks but the full gamut of risks that can be attributed to any operation.   This doesn’t mean that everyone in the company is a worry-wart or paranoid…

If we can get through things on a basic human level – which is what got us here today – then corporations should be able to do that as well.  What’s missing that stops corporations from becoming resilient?  Is it too many standards and audit requirements – which sometimes can be interpreted as showing a lack of trust on some level – or is it the willingness to play the odds; cross the fingers and hope for the best with very little planning done to address the worst case situation.  If a corporation is resilient in its daily operations, will/can it still experience a disaster?  Sure it will; the trick is that it knows how to respond appropriately because it prepared appropriately and having become resilient, was able to stave off the worst of the disaster through its day-to-day operations.

It needs the internal workings – the internal workings of people – to drive its resiliency.  If a corporation – of any size – can harness the human resiliency, then it might find that when encountered with a crisis or disaster, it functions like a well-oiled machine instead of tripping and falling over itself trying to set things to right.

For many, disasters and crises are seen as learning opportunities to strengthen their resolve; to move towards their goals, regardless of what gets in the way.  A fire at an older building means the newer building is built with better detection and sprinkler systems; there is always the opportunity to improve on something.  There is a story that Thomas Edison failed at inventing the light bulb 99 times (I’m guessing at the number).  However, because he was resilient and didn’t give up or get bogged down by failure, he didn’t say he failed 99 times, he said he found 99 ways how ‘not’ to invent the light bulb (I’m paraphrasing of course).  Were 99 incidents of failure a disaster in this case?  No, they were opportunities to grow and learn.  He saw the silver lining within adversity and kept going after it; that’s resiliency; that’s what determines if a disaster is really a disaster.

The greater a persons (or corporations) resiliency level, the less impact the disaster has on them to continue; to move beyond the troubles and keep going.  (Note: By the way, I’m in no way stating that a hurricane, tsunami or major fire isn’t a disaster; that would be ridiculous.  I’m just illustrating a point.)

So how can a corporation (and its employees) become resilient and prepared for disasters?  Here’s just a few considerations.

  1. Involvement – Involve employees in what you’re doing; ERM, DR, BCM etc and know that it’s not just there for the corporation, it’s there for them.  When there isn’t a disaster the most critical thing corporations say is that their employees are important and yet often when there is a disaster corporations seem to focus on getting systems up and running first because competitors swoop in on their clients if they aren’t up and running.  Doesn’t this go against the “employee’s first” thinking?  I think it does.
  2. Empowerment – Empower your employees to do the right things the right way.  Sure, there are standards that have to be met but each situation encountered – let’s say a client issue – might require a different resolution to make the client happy once more.  Let an employee do that to a certain degree (you don’t want to give away the farm here…).
  3. Communicate – Communicate.  Communicate…and when you’ve done that communicate some more.  I really can’t say it enough.  Remember, communication isn’t just monologue – ‘telling’ others what to do and how to do it when a disaster strikes – it’s proactively listening to others and developing a dialogue – with employees, partners, vendors, suppliers etc – and then defining and solidifying your preparedness, appropriate strategies.  You get their expectations and you get their buy in because they believe in what you’re doing; heck, they helped you build the right plans and processes.
  4. Embed – In everything you do, consider the risks of not being able to do it; decide on a mitigation strategy (to ensure something doesn’t happen) and a contingency strategy (for when something does happen) so that business continuance slowly become engrained within the corporate culture.  It doesn’t mean everyone has to be paranoid or risk averse but rather everyone is focused on ensuring that the corporation – and its people – becomes resilient and considers risk in its operations.
  5. Practice – Practice may not make perfect but it does make you stronger to deal with adversity.  When plans and processes are developed, practice them or exercise/test them.  If you don’t practice you can’t become better at what you do or have a full understand of how to do it right.  And remember, your practicing what is in the plan, not practicing on how to manage the ‘planned and coordinated exercise.’  There’s no value in that; proving you can coordinate an exercise but possibly proving you (the corporation) would be lost in a real situation.
  6. Understand Impermanence – Understand that not everything lasts forever, in fact nothing does.  If you’re not experiencing any difficulties and things seem to be all ‘bunnies and rainbows’ know that at some point those rainbows disappear and those bunnies…well, they move on too.  Even when you nurture and take care of something to keep it functional for a long time – like a car – it will still eventually run down, turn to rust and fall apart.  Corporations must understand that they will experience a crisis or disaster soon enough.  So instead of ignoring it or crossing fingers behind their back, prepare and embed (like I said above) business continuity into the organization; takes the steps to become resilient cause the smooth sailing won’t last forever.

 

Disasters will happen and will continue to occur, we just don’t know when.  It’s this aspect that causes people and corporations to panic.  Since we don’t know when a disaster occurs, we play the odds and hope for the best, which can often come back to bite us.

What is a Disaster?  Who can say…‘cause what’s bad for me might not be bad for you; it depends on how resilient you and I are and how big our umbrella is when ‘it’ hits the fan.

 

 **NOW AVAILABLE**

 “Heads in the Sand: What Stops Corporations from Seeing Business Continuity as a Social Responsibility

“Made Again Volume 1 – Practical Advice for Business Continuity Programs”

“Made Again Volume 2 – Practical Advice for Business Continuity Programs”

All great books by StoneRoad founder, A.Alex Fullick, MBCI, CBCP, CBRA, ITILv3

Available at www.stone-road.com, www.amazon.com & www.volumesdirect.com