How to Approach Resiliency Planning

Is your organization resilient? How would you know? Can you actually measure resiliency?

The ability to measure resiliency varies depending on anticipated situations. In today's IT environment, deciding how to react to a disruptive system or network event or shock comes with great uncertainty. In addition, knowing how to resolve the disruptive situation can be challenging. The goals are agility, adaptability, robustness, and continuity. You do not know what you do not know so how do you resolve the disruption? You need a resiliency plan.

Risk Analysis
Disasters and crises happen. The causes can be extreme natural events and technology-related incidents. Resiliency can be a supplement and an alternative to traditional risk management. Organizations strive to produce resilience-based strategies to help cope with unexpected and sudden shocks. They need resiliency strategies when facing uncertainty about risk impacts and catastrophic consequences.

Risk analysis encompasses risk assessment, risk characterization, risk communication, risk management, and risk policies. The exploration of risk in this blog applies to public agencies and private-sector organizations at local, regional, national, and global levels.

Risk analysis comprises two parts:

Defining Resiliency
You can find many different business definitions of "resiliency." Some define strategic resiliency as "the ability to dynamically reinvent business models and strategies as circumstances change" -- in response to new competition, for example. Resiliency might also be defined as part of business continuity, as in "the ability to recover from unanticipated disruptions" such as storms, floods, chemical spills, and cyber or terrorism attacks.

Measuring Resilience
The resilience profile, as illustrated in the graphic below (demonstrating strengths and weaknesses) consists of four dimensions:

The Resilience Profile is divided into 14 specific features of four dimensions: O=operations, S=structure, P=perception, and R=resources. This figure illustrates and compares the profile of two cities; source: "Organizational Resilience – How Do You Know If Your Organization Is Resilient or Not?"

Resiliency Over Time
The first stage in producing resiliency is becoming aware that there are vulnerabilities and disruptions that could affect the organization. Unfortunately, this may take quite a bit of time because of the many opinions about what is or is not important to the organization. You will need to come to some consensus. This will affect the resiliency budget.

Following the awareness stage, an organization's resiliency performance may reduce and the plans for adapting to and producing the resiliency impact the organization. Resiliency performance will improve once the adaption is finished, thereby improving the organization's agility.

The final stage of improved resiliency comes from active learning. This is where the organization uses exercises, plans, and reviews to improve the performance of the resiliency plans. In other words, the risk will be lowered, the duration of outages can be shortened, and the return to normal operations will produce equal or better business performance in the organization.

Resilience measured by performance over time; source: "Organizational Resilience – How Do You Know If Your Organization Is Resilient or Not?"

Beyond IT
IT is not the only department that should be involved in resiliency planning. A disruption can cause financial loss, loss of reputation, and may require remarketing to customers, which means departments such as Finance, Marketing, and Sales need to be involved in resiliency planning. That way, should a disruption occur, the organization will know what steps to take to salvage its image, support its customers, and return to business rapidly.

Several years ago a major bank produced a disaster recovery and business continuity plan. Much to the bank's surprise, six months later a major fire broke out at the headquarters building. The bank instituted its resiliency plan. It provided backup facilities in hotels, Kinko's (now Fedex) shops, and other business locations. The plan worked as designed.

However, the bank had forgotten one function. No one had postulated that it would need to create a new directory of employee locations and phone numbers. That left employees needing to call their friends, associates, contractors, and service providers to let them know where they were and how to reach them. It took about two weeks before everyone knew how to reach each other. The bank eventually created a new directory for use during the outage.

Conclusion
You have to remember that something will be forgotten. Don't depend on the technology staff alone to come up with vulnerabilities. In the bank's case, had non-technical people been involved in the business resiliency planning, they may have recognized the need to create a directory problem before disaster struck.

For more information on resiliency planning, check out the following resources: