4 Key Steps on the Roadmap to Resilience

Richard Long

Most people can sort out what tangibles they need for a solid BCM program, but the following critical steps can make or break an enterprise in times of crisis. Without functional crisis management and effective preparations, your organizational resilience will be impacted, resulting in more than just higher costs or lost sales (see Strategic Issues Surrounding Your Organization’s Resiliency).

1.  Clarify Roles and Responsibilities.

Numerous teams are organized and active during crisis events: Crisis Management, IT Emergency Management, Individual Recovery, Business Recovery, Communications, and more. Often individuals participate on several teams. Due to multiple tasks and efforts, individuals must clearly understand their roles and responsibilities – these are not necessarily based on job title. Individuals should be trained in roles and responsibilities at least annually.

2.  Develop Crisis Leadership Characteristics.

Exercises of all kinds (tabletops, walk-throughs, or full-scale recovery or relocation drills) provide opportunities to practice leadership. Remember, day-to-day leadership characteristics do not necessarily transfer to emergency events. Quick, decisive decisions based on the best information available is often more important during an event than a controlled slow decision. A calm and encouraging approach may be more important than hard-driving high energy. “This recovery was needed 2 hours ago, let’s move people” is often not the most helpful – try “what do you need so you can focus on the task at hand?”

Include time during training for those who may not be experienced leaders or individual contributors, but will have leadership roles in an event. Don’t forget to train alternate personnel who may also need to participate.

3.  Leverage Expertise.

This area can be considered a follow-on to clarifying roles and responsibilities. Identify individuals for team participation based on their skill set and expertise, not by job title or organizational role. During an event, skills and knowledge will outpace ego in ensuring resilience.

Keep a listing of outside resources that you can leverage. Examples include governmental agencies such as city, county, and state emergency management or regulatory agencies, third party security providers (both physical and data security), first responders (Fire and Police), and critical vendors. You may leverage your vendors’ expertise in addition to what they customarily provide for you.

Consider other organizations that may have experienced a similar emergency, or your contacts from professional organizations. Keep your contact list current, and be proactive with ongoing communication with your peers to see how they may be able to help you achieve resilience.

Include third parties as part of your exercises; they can provide increased scope, additional insights, and ideas for preparations.

4.  Create a culture of integrated risk management and multi-stakeholder partnerships.

This is not something that can be done during an event, but is an ongoing part of your program. In all tasks and training, stress the reasons why business continuity and risk management are important. All areas of the organization should be included in decision making and strategy development. IT cannot make appropriate technology decisions without input from business functions regarding impacts, and business functions need to understand the technical impact of their desired recovery times. As a business continuity professional, one of our roles is to facilitate partnerships across the organization.

A culture of risk management allows you to implement processes or technologies that address risk mitigation and organizational resilience. Along with technical implementation, appropriate training and the development of the “soft skills” discussed above are crucial to achieving and maintaining resilience. When these 4 key areas are strong, you can minimize the gaps that occur in an actual crisis through the strength of your people managing the event.

data breachThreat environment