Business Resilience is defined as "the positive ability of a company to adapt itself to the consequences of a catastrophic failure caused by power outage, a fire, a bomb or similar” event.  It is used to describe businesses, communities and governments' ability to respond to and quickly recover from catastrophic events such as natural disasters and terrorist attacks.

Asset Recovery, Business Recovery, and Crisis Management strategies can be event specific thus limiting their flexibility and adaptability.  Often, they are focused on specific disruptive events such as earthquakes in California or hurricanes in Florida.  Today, we realize that we must be prepared for any business change, disruption or catastrophe, anywhere and at anytime; from natural events to economic crisis.  We simply cannot predict what might happen and its affect on IT services because anything could happen to disrupt the support of business operations.  A company must now focus on the development of a comprehensive Business Resilience Strategy which is event agnostic and blends Business Recovery with Asset Recovery and Crisis Management; all in support of the organization's Strategic Business Plan. 

The trend in business has been towards greater leanness and efficiency. Companies have stretched their supply chains to the limit, sourcing goods from ever more distant destinations and reducing levels of inventory to a matter of days.  They have stripped layers of management in an attempt to streamline their organizations and reduce costs, and they have outsourced non-core business processes to external providers. Finally, they have come to rely so heavily on their IT systems that, even if they suffer just a few hours of downtime, the survival of the entire organization could be threatened. 

This powerful combination of highly visible threats, reduced redundancy and greater reliance on IT has pushed the need for business resilience to the top of the agenda. Business continuity, disaster recovery, and crisis management which were hitherto seen as dull but necessary adjuncts of doing business, have drawn boardroom attention and intense scrutiny from investors, customers, regulators, insurers and other stakeholders.

Risk has always been part and parcel of doing business, and every company seeks in some way to prepare for damaging incidents and to respond to them as best it can. But in recent years, the need to demonstrate resilience has been given greater urgency as a result of a number of powerful trends.  First, a series of high impact, low probability events has alerted executives to the need for precautions.  Protection of an organization's reputation continues to be an organization's the biggest concern. 

Steps towards resilience
The traditional approach to business continuity involved thinking through the steps that companies should take in response to a major incident; this approach is both outmoded and dangerous. "One of the things that people need to get into their heads is that business continuity is not just about the disaster recovery plan.  "It's also about how you do business, where you do business and where work gets done.”  The successful management of operational risk and business continuity requires companies to conduct a thorough assessment of the risks and vulnerabilities.

The first question companies need to ask themselves is what is it that they do and what is mission critical to their company. Once they have understood this, they can then understand the critical processes and deliverables that they have to guard against from an unexpected event.  Some risks will be common to all businesses—for example, the need to prepare for possible pandemic flu outbreak or power outage—but others will be specific to the company's industry or location. Careful risk and vulnerability assessment, perhaps using tools such as scenario planning, can focus the minds of executives on the level of the threat that they face and help them to decide where resources should be allocated and where priorities should be set.  Having determined what the risks are, companies then need to get to grips with the likelihood of those risks.

The next step is to assess the effect that a range of incidents would have on the company, using a business impact analysis. A business impact analysis requires companies to ask themselves what would happen if, for example, a power outage shut down the email server for six hours, or what would happen if a police cordon shut off access to the head office. Is the company more or less vulnerable than its peers to particular disruptions, perhaps because of its location or a quirk of its organizational structure?

Conclusion
The minds of corporate executives have rarely been as focused on the need for business resilience. The threat from major catastrophes, such as a terrorist attack or pandemic disease, has encouraged companies from all sectors and regions to think through their operations and look for areas in which they may be vulnerable.  In doing so, they also make themselves more resilient in the face of more mundane (and far more likely) interruptions, such as power outages and human error.

Practice Leader
Kathleen McGrorty is the practice leader for Craft Strategies LLC's Business Continuity and Strategic Planning Services. She maintains a Certified Business Continuity Professional (CBCP) designation from Disaster Recovery Institute International (DRII).