Minimizing chaos amid crisis through organizational resilience
The COVID-19 pandemic continues to test the resilience of organizations worldwide. At its height, the pandemic led to the closure of 20% of the small and medium-sized enterprises (SMEs) in Europe, and those numbers are still recovering. An Experian analysis found that in mid-2020, bankruptcies in Finland and Sweden grew by 36% and 30% year on year, respectively. Supply chain disruptions are now prevalent across the globe. In the chaos of recovery, gaps and root causes are easily overlooked. This is where organizational resilience can make a significant contribution.
The COVID-19 pandemic has been one of the most impactful crises in recent history. The effect it had on organizations was unprecedented across the following key areas:
- Staff health and safety
- Supply chain
Though the impact on companies was severe, the pandemic showed unmistakably how much organizational resilience matters. As a result, organizations have started to make resilience a priority, allocating appropriate budgets, resources and time toward ensuring continued service to customers wherever that is possible.
Before the pandemic, resilience planning was treated as a chore, and the work done in that space was brief and lacked the necessary depth. It was just enough to tick the boxes.
Why should I spend my time on organizational resilience?
Organizational resilience, much like personal resilience, refers to the ability to recover after an adverse event has occurred. Such events that warrant adequate resilience planning include, but are not limited to:
- Cyberattacks: Ransomware, malware, phishing, Denial of Service/Distributed Denial of Service (DoS/DDoS), Structured Query Language (SQL) injection, man-in-the-middle and brute-force attacks, to name a few, can severely compromise the confidentiality, integrity and availability of critical applications. With "work-from-home" guidance continuing, remote workers have become prime targets for cybercriminals. For example, effective controls over Virtual Private Network (VPN) services, such as timely patching and multi-factor authentication, can reduce your organization's reputational and financial loss.
- Natural disasters: Floods, fires and earthquakes, and the power outages they cause, may be infrequent in your region. However, it only takes one instance to bring operations to a prolonged halt, especially if your data centers are nearby. Keep in mind that an organization's critical third-party suppliers may be exposed to the same natural disaster.
- Political risk and extremism: The Business Continuity Institute (BCI) 2021 Horizon Scan reflects the rise of political risk as a threat to the continued operations of organizations. The political protests of last year resulted in tremendous global losses, mainly across France (US$90m), Hong Kong (US$77m), Chile (US$2b) and Ecuador (US$821m).
- Pandemics: As we've seen over the past 18 months, businesses are very susceptible to staff shortages and to the loss of "normal" foot traffic.
Identifying an organization's critical processes through a business impact analysis (BIA), together with their recovery time objectives (RTOs), recovery point objectives (RPOs) and maximum allowable outages (MAOs), immediately gives decision-makers a good idea of where the weak points lie. The RTO states how quickly a process must be restored, the RPO how much data loss (measured in time) is tolerable, and the MAO how long the process can be down before the damage becomes unacceptable; an RTO that is longer than its MAO, or a supporting system whose recovery takes longer than the process that relies on it, is an immediate red flag. The same figures show which areas need the closest (and fastest) attention during an organization-wide recovery.
Proper documentation of these critical processes, their agreed-upon recovery strategies and manual workarounds in business continuity plans (BCPs) provides invaluable insight. The documents also act as reference points for recovery teams (including rescue and salvage teams) when they are tasked with prioritizing efforts during a crisis.
In conjunction with the BIA and BCPs, it is paramount that key systems and infrastructure (including cloud-hosted storage and services) have disaster recovery plans (DRPs) reinforced by periodic disaster recovery tests (DRTs). Tests fall into two families, simulated and physical:
- Simulated tests include tabletop, structured walk-through and full simulation tests.
- Physical tests include parallel processing, partial interruption and full interruption tests.
The tests chosen depend on the systems, the type of data held, budgets and resources. The confidence recovery teams gain from exercising their strategies and next steps before a real business-hindering event may eventually save the organization.
Performing BIAs, designing comprehensive BCPs and then implementing DRPs and tests, with adequate attention to governance, testing and overall staff awareness, can significantly increase the organization's ability to return to business as usual.
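As a worked illustration of the BIA consistency checks described above (this is an added example, not code from the article or from any of the standards it cites), the following script takes a small, constructed set of business processes with their RTO, RPO and MAO values, plus the recovery figures the DR plans for their supporting systems have actually demonstrated in testing, and flags the gaps a reviewer would want to see: an RTO longer than its MAO, a dependency whose tested restore time or backup cadence cannot meet the process's RTO or RPO, and a dependency with no DR plan on record. It also orders processes for recovery, most time-critical first. All process and system names, hours and thresholds are hypothetical sample data.

```python
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Process:
    """A business process as recorded in the BIA (all durations in hours)."""
    name: str
    rto_h: float                 # recovery time objective: must be running again within this
    rpo_h: float                 # recovery point objective: tolerable window of lost data
    mao_h: float                 # maximum allowable outage before damage becomes unacceptable
    depends_on: List[str] = field(default_factory=list)  # supporting systems it cannot run without


@dataclass
class System:
    """What the DR plan for a supporting system has actually demonstrated in a DRT."""
    name: str
    dr_rto_h: float              # tested time to restore the system
    backup_interval_h: float     # backup cadence, i.e. the RPO the system can actually deliver


Finding = Tuple[str, str, str]   # (process name, finding code, human-readable detail)


def check_bia(processes: List[Process], systems: List[System]) -> List[Finding]:
    """Return the inconsistencies between BIA targets and the DR capability behind them."""
    by_name = {s.name: s for s in systems}
    findings: List[Finding] = []
    for p in processes:
        # A process cannot have a recovery target looser than the outage it can survive.
        if p.rto_h > p.mao_h:
            findings.append((p.name, "RTO_EXCEEDS_MAO",
                             f"RTO {p.rto_h}h is longer than MAO {p.mao_h}h"))
        for dep in p.depends_on:
            s = by_name.get(dep)
            if s is None:
                # A dependency nobody has written a DR plan for is itself a finding.
                findings.append((p.name, "UNDOCUMENTED_DEPENDENCY",
                                 f"no DR plan recorded for {dep}"))
                continue
            # The process can only be as fast to recover as its slowest dependency.
            if s.dr_rto_h > p.rto_h:
                findings.append((p.name, "DEPENDENCY_RTO_TOO_LONG",
                                 f"{dep} restores in {s.dr_rto_h}h but the process needs {p.rto_h}h"))
            # Data loss on a dependency is data loss for the process.
            if s.backup_interval_h > p.rpo_h:
                findings.append((p.name, "DEPENDENCY_RPO_TOO_LONG",
                                 f"{dep} is backed up every {s.backup_interval_h}h "
                                 f"but the process tolerates {p.rpo_h}h of loss"))
    return findings


def recovery_order(processes: List[Process]) -> List[str]:
    """Order processes for recovery teams: shortest MAO first, then shortest RTO."""
    return [p.name for p in sorted(processes, key=lambda p: (p.mao_h, p.rto_h))]


# Constructed sample BIA data (hypothetical organization).
SAMPLE_PROCESSES = [
    Process("Order intake", rto_h=4, rpo_h=1, mao_h=8, depends_on=["ERP", "VPN"]),
    Process("Payroll", rto_h=48, rpo_h=24, mao_h=72, depends_on=["ERP"]),
    Process("Customer support", rto_h=2, rpo_h=4, mao_h=1, depends_on=["Ticketing"]),
]
SAMPLE_SYSTEMS = [
    System("ERP", dr_rto_h=8, backup_interval_h=0.5),
    System("VPN", dr_rto_h=1, backup_interval_h=1),
    # "Ticketing" deliberately has no DR plan on record.
]

if __name__ == "__main__":
    for proc, code, detail in check_bia(SAMPLE_PROCESSES, SAMPLE_SYSTEMS):
        print(f"{proc:18} {code:26} {detail}")
    print("Recovery order:", " -> ".join(recovery_order(SAMPLE_PROCESSES)))
```

With the sample data, the ERP's tested 8-hour restore silently breaks the 4-hour RTO that order intake promised, customer support has an RTO twice its MAO, and its ticketing dependency has no plan at all; payroll is consistent. Running the check again after each DRT, with the measured rather than the assumed restore times, is what keeps the BIA honest.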
Benchmarking organizational resilience
Several standards help organizations align with international guidance and prepare for a business-hindering event.
The fundamental building blocks of an effective organizational resilience program are comprehensive risk management processes applied across the organization. The International Organization for Standardization (ISO) 31000:2018 – Risk Management is a globally recognized standard used across industries. Planning for organizational resilience, however, requires additional approaches to be embedded within the organization.
The BS 65000 Organizational Resilience standard is rapidly becoming one of the most widely cited standards in organizations worldwide.
Some widely used resilience standards are listed below:
- BS 65000 – Organizational Resilience
- ISO 9001 – Quality Management Systems
- ISO 27001 – Information Security Management
- ISO 45001 – Occupational Health and Safety
Alternatively, guidance can be obtained from National Institute of Standards and Technology (NIST) Special Publication 800-34, which provides instructions, recommendations and considerations for federal information system contingency planning. Further sources include:
- ISO/IEC 27031 – ICT readiness for business continuity
- ISO 22301 – Societal Security – Business Continuity Management Systems
- BCI's six-step process in its Good Practice Guidelines (GPG), the independent body of knowledge for business continuity