In this blog, inspired by the Business Continuity Institute World Conference, Scott Hughes, Senior Manager Operational Resilience at Nationwide Building Society, reflects on some of the key challenges discussed in delivering effective resilience and business continuity for firms. His session took place on Wednesday 3rd November 2021 and included fellow resilience and continuity professionals.
A lot has been written and said on resilience over the past years. In particular, there has been guidance from within the UK’s Economic Regulated sectors which has focussed on key aspects of resilience, including from the Cabinet Office, Keeping the Country Running (2011), followed by Ofwat’s outcomes focused regulation on resilience (2012), and more recently the tripartite Discussion Paper (2018) and regulatory policy (March 2021) on Operational Resilience from the UK Financial Sector. There are also the standards for resilience which have been developed, including BS65000 – Organizational resilience guidance and latterly ISO 22316 Security and resilience – Organizational resilience, as well as those standards specifically written for the protective disciplines like business continuity management, cyber security, IT resilience and service continuity, third party risk and resilience, and physical security.
The standards, guidance and regulation which have been produced around resilience are an excellent source of information for any organisation looking to develop or improve its approach to, and levels of, resilience. However, resilience practitioners raised and discussed several key practical challenges to implementation and embedment which are being faced across sectors, including:
The challenge of embedding accountabilities for the ownership of Important Business Services within an organisation below the level of Board and Executive team. It was felt by the group that the typical approach to how firms organise themselves, for example with corporate governance and functional divisions, did not lend itself well to identification of a single appropriate owner for a firm’s important services. This is especially so as many teams and departments, with different leaders within an organisation, will own or deliver key separate activities which all underpin important services. It was heartening to understand that firms are working toward this single owner position for end-to-end important services to provide a helicopter view for improvements and investment needed to meet resilience outcomes, and that some organisations have named individuals already.
The pandemic response has highlighted the innovation that can be achieved by individuals, organisations and governments across the globe when facing adversity, and has also weakened the position that firms should carry on practices just because operating in a certain way has been the norm before. We discussed how response to the ongoing pandemic and key learnings will also lead to fundamental changes to the way we deliver business continuity. As a group we discussed the importance of further breaking down silos and aligning policy, frameworks and processes between different protective disciplines (capabilities) which support the delivery of resilience outcomes, such as business continuity, cyber security, enterprise risk management and technology resilience. In order to deliver on resilience outcomes, these disciplines have to operate with a shared understanding of how the whole organisation operates and what services, and so underpinning resources, are critical as approved by the senior leadership team and Board. Much effort is going into breaking down political or organisational barriers which prevent this.
This led on to a further discussion on the use of an Enterprise Process Model as a single source of organisational process and resource data for operations and all protective disciplines, including business continuity. It was felt that there was a direct correlation between firms who had a managed central Enterprise Process Model and the ability to align protective disciplines and draw upon a shared understanding of resources including technology, suppliers, teams, data and facilities.
We finally discussed the future of the profession for resilience and business continuity practitioners. It was felt that the profession was in a great position to evolve into a “conductor” role to enable firms to deliver resilience outcomes. However, the group acknowledged that the only way to be successful in delivering and embedding resilience is for a whole organisation to foster a resilience culture rather than rely on a single person or team with the title of ‘resilience and continuity’ on its own.
It was fantastic to see the willingness and enthusiasm of practitioners around the virtual room to adapt and learn to deliver improvements in the resilience and continuity of their organisations. We finished the session by thinking about what we would be reflecting on in 5 years’ time as a profession…
Please do let me know your thoughts.
This article was originally published by Scott Hughes on November 4 2021; he is the original and only author of this piece. You can find the original article here.