Guest author Brian Zawada, Chief Strategy Officer for Castellan Solutions, offers tips to get organizations into fighting shape against business disruption.
We live in an increasingly complex and fragile world that’s fully ready to disrupt your organization’s operations.
How prepared are you? When your organization “takes a punch”, will it get right back up or will it be knocked out and down for the count?
The answer to this question depends on how well you’ve strengthened your organizational resilience. For more than 25 years, I’ve worked with companies to assess and build resilience capability and to provide a process and framework for achieving the right level of resilience and preparing for the unexpected.
The last few years have made it hard for businesses to ignore the need increase resilience. When you think about all that’s happened – a global pandemic, supply chain disruption, cyberattacks, the Great Resignation – hardly any business has come through unscathed. What separates those on their feet from those still on the mat is organizational resilience – the ability to address anything that disrupts an organization’s strategy from being successful.
Those best prepared – the ones who don’t languish on the mat – are the ones who’ve focused their readiness efforts on protecting their go-to-market strategy and the end-to-end delivery of products and services to their customers.
It sounds simple, but it can be very difficult to get everyone on board. That’s why it’s important to create a culture of continuity in which everyone operates with resilience in mind. Some leaders may feel there are more immediate short-term concerns than planning for threats that may or may not disrupt strategy execution. Still others may prioritize their own functional area’s response to threats. In fact, 76% of organizations prioritize their resilience management program by department, process or function, according to research by my firm, Castellan, and BC Management.
However, leaders can instill a culture of continuity in their organization by working across teams and considering resilience in day-to-day decision-making. When everyone’s working together, it’s much easier to take a punch and bounce back stronger than ever.
How to Avoid a Knockout Punch
1. Start at the top
The idea of building resilience first got its start in the data center, where people mostly focused on minimizing disruption to IT services. These efforts were all about responding and recovering – not prevention. Even today, whenever a threat emerges, each functional area instinctively focuses on protecting the activities and assets most important to their part of the business.
We’ve found that’s not the most effective way to help organizations prepare and avoid the knockout punch. Instead, to ensure a more resilient state, you need to identify and focus your readiness efforts on the delivery of the most important products and services.
Thus, leaders first need to answer and get on the same page on four foundational questions:
- Why are we investing in resilience?
- What are we trying to protect (in terms of products and services)?
- How much resilience do we need?
- Who should participate from across the organization?
By scoping resilience in a top-down manner, you’ll avoid spending time on areas of the business not critical to the success of the organization’s go-to-market strategy and you’ll drive resilience more efficiently.
2. Make it real
Once you establish a foundation for resilience, define a process and let everyone in the organization know what’s expected if a crisis occurs. The key is to get everyone to recognize there’s a common goal – continue delivering products and services to the customer – and have them rally around that concept.
When executives are closely involved in defining and communicating organizational priorities, they reinforce the culture of continuity. Organizations with more mature risk management programs have higher executive engagement, our research shows.
To gain buy-in and engagement, it’s important to frame the issue in the context of role and experience. There are three ways to help make resilience real for everyone across the organization.
- Speak their language. Every organization has its own vernacular, and people bring their own experiences and biases to the table in any discussion. Framing the problem in the context and language of each department helps make the situation real.
- Identify the right people. A common problem for many organizations is they fail to assign resilience-related roles to the employees who will have the greatest impact in the readiness effort or during a response to a crisis.
- Make it believable. One way to make resilience real for all involved is to ask them to identify the real-world scenarios they worry about the most. For instance, a plausible scenario might be the loss of their only supplier of a particular part. Without this supplier’s parts, the organization’s production lines will come to a halt, creating a real threat to delivery of goods to their customers.
If you can engage leadership and employees in this way, you’ll have a head start to make the problem real and concrete for them.
3. Isolate what's vulnerable
Once you understand what’s most important, you can identify potential problems. For instance, you might not have an alternative source in place for your top supplier, putting your production line at risk. Or there’s only one method for customers to contact your support team. Addressing these problems now will help you avoid being knocked out in a crisis.
Regular reviews are crucial to this step. In the last year, 45% of organizations with mature programs have conducted an end-to-end review of their program, according to our survey findings.
In addition, business continuity professionals often believe the process is what needs to be fixed. Of course, methodology is important and enables you to drive good outcomes. But our research shows this isn’t the biggest problem. Organizations struggle most in two fundamental areas.
An inability to focus on what’s most important. Without a solid framework to understand how to protect products and services in a prioritized manner, many organizations are unable to focus on the most important aspects of developing resilience.
Engaging their people in the right way. Many organizations approach critical event management by inviting staff to informational meetings or attending annual trainings. A better approach is to build a culture of continuity by engaging them in a series of techniques so your people can learn how to integrate resilience into their daily decision-making.
4. Go for the quick wins
Indeed, the disruptions of the past several years have shaken many executives’ confidence in their organization’s ability to take a punch. The most effective way to build confidence is through practice. Just like a boxer spends hours in the gym getting ready for the big fight, you need to put your team through the paces. They need to learn footwork, what punches to anticipate and how to bob and weave.
Establishing quick wins can build confidence faster. Start with mastering the basic response first. During role play or tabletop exercises, ease employees into scenarios. Let’s say one plausible scenario is a cyber attack. Have your team practice sending a single alert to an individual team charged with assessing the situation. Once they’ve mastered this step, throw in some curve balls. Who would get an alert if email was comprised? How would that alert be delivered? If they don’t have all the facts, should they send the alert at all?
It’s not just about a rehearsed script. It’s about getting everyone to think on their feet. Drills are the basis for organizational muscle memory. Just like the boxing experts say: Train, train or remain the same.
In-the-moment response capabilities developed by practice and supported by the right technology is the only way to build confidence. Regular exercises also provide practical lessons and help you work out the kinks in your plan.
By combining these four best practices, organizations can build a lasting foundation that withstands a worst case scenario in any critical event. Execute them with discipline and consistency and you’ll have a stable base of organizational resilience and a culture of continuity. It’s time to get into fighting shape.