Business Continuity and Operational Resilience
Daman Dev Sood 'Resilient People - Resilient Planet'
Professor of Practice | Mentor-Coach-Guide | 100% NPS | 10 books | 18 Copyrights | Top Trg. & Dev. Voice | Resilience Trainer-Consultant
I was attending this BCI webinar “Navigating the relationship between operational resilience and traditional business continuity concepts” a couple of days ago. While all discussions were good, I picked up a few points to ponder.
I liked the last two bullets, very easy to understand the ‘Upstream’ and ‘Downstream’ dependencies.
Is another way to define these that internal dependencies are downstream and external dependencies are upstream? Are the customers also not vendors (they supply business to us!)?
Look at the last bullet. Does this mean we are ‘adjusting’ to ‘what is available’ rather than ‘asking’ for ‘what is needed’?
Or, as I understand, we first need to know what our needed timeframes are internally and then need to fix (more stringent) timeframes with external parties. This deliberation is correct for third (fourth and fifth) parties. What about with customers? We would like to have more relaxed commitments with customers – isn’t it? E.g. if we know we want to recover in 4 hours, we would like to give a target of 4 hours to the vendor, but we may like to commit 5 hours to the customers.
I could not seek clarification on the last bullet during the session. Did they mean we must fix the effect, not the cause? Then I have a disagreement: I teach focus on Causes (as these may be fewer) rather than the effects (as these may be too many). E.g. Flood (the cause) may have many effects – people or building or IT, or a combination of these, or all, may be down. So, during Risk Management, I would focus more on Causes (to control), while in BCM I would have arrangements for unavailability of people, building, IT – one or all in combination.
While defining the relationship between Business Continuity and Operational Resilience, I opined (and the speakers agreed) that BCM-to-Operational Resilience was a natural progression.
I actually add Organisational Resilience beyond that.
Operational Resilience is not a replacement for BCM. Both are required. BCM is a main pillar in Operational Resilience. Or, if the need is Operational Resilience, the means is Business Continuity Management.
I draw the full maturity path as
I also maintain that the way BCM got implemented in organisations had some deficiencies. These deficiencies have been addressed through Operational Resilience (hence its natural progression), e.g. Operational Resilience has more focus on third (fourth, fifth and sixth) parties; it has more focus on Cybersecurity, and it stresses Testing more.
I do have a question in mind though – can any organisation ever be bold enough to have a real end-to-end scenario test?
A question I raised, but which could not be picked up, was – shall we add one more step, that the boards/management should be willing and ready to penalise if people do not fall in line? I recently ran a poll with a simple question: ‘Does Enforcement Work Better Than Awareness?’
Interestingly, one participant wrote “Enforced compliance is not sustainable. Awareness, internalization and change of practices may take longer but is certainly more sustainable, sometimes covering the coming generations. Behavioural change communication, though, should be carefully planned and sustained over longer periods of time”.
To which my response was “Agreed. Think from the other angle also, when the compliance is time bound (due to a regulation) or the loss may be immediate and huge (e.g. bike drivers not wearing helmets or car drivers not wearing seat belts). One doesn't have generations in such cases to fall into line and wait for behavioural changes through time-taking communication and awareness programs.
I look forward to your views.”
Here I share the results of my poll:
The responses were running neck to neck for Yes and No, but interestingly, by the time the poll ended the result tilted towards “Yes”.
And I look forward to your views on the last point as well as the full paper.
Enthusiastic and Experienced Resilience Practitioner who loves what she does
2 years ago
Daman, I always enjoy seeing discussions regarding Business Continuity and Operational Resilience. I like your bull/bear graphic! Our profession is indeed very hungry for clarity between the two. I agree with your statement that 'Operational Resilience is not a replacement for BCM. Both are required'. Likewise, from all the discussions and research I am involved in, it seems that your statement 'BCM is one pillar in Operational Resilience' is also accurate. I like where you are going with your maturity path, and understand that your focus was on BC and Op Res only for this post. I do agree that Operational Resilience is the forerunner to Organizational Resilience. However, in order to achieve full Organizational Resilience, there would have to be many more pillars represented. (Technology, Financial, Brand, etc.)
#ResilienceThinkTank - Shaping the Future of Resilience | Board Advisor | Awards Judge | Conference Speaker | Governance, Data, AI, Cyber, Risk, Resilience, InfoSec, Crisis Management, Data, Security, Oil Futures
2 years ago
Thanks for sharing your views Daman. I don't know if I agree to the map of progression, but I certainly like the end goal "Organisational Resilience" which has always been a mission for BC. Operational Resilience without BCM could be detrimental, but that is certainly not the only pillar. I am keen to see more organisations do full end-to-end live testing, including critical/key suppliers. I am also keen to see how many organisations, especially in financial services, have become more resilient following the implementation of the Operational Resilience Policy requirements by FCA/PRA/Bank of England. Is this just another compliance tick-box exercise or can organisations embed resilience at the core of what they do?
Student at Podar International School
2 years ago
RE: can any organisation ever be bold enough to have a real end-to-end scenario test? I think the larger the set-up, the more difficult it becomes to test the redundancy end to end. My dad and I have a small cyber lab at home and testing itself is a headache (not accounting for the log management here, Daman uncle).