The ability to continue business operations for the foreseeable future is a key metric from a financial standpoint. But from a risk management perspective, all dimensions of an organization’s strategic and operational framework must be analyzed in order to…
The last part relates to business resilience — and it’s what we’re going to explore here.
ISO 22316 defines business resilience as the ability of an organization to absorb the effects of and adapt to a changing environment.
Business resilience isn’t merely about recovery from disasters like fires or cyberattacks. It encompasses dealing with any internal or external event that could threaten the organization’s ability to achieve its mission. No entity is immune to such events — COVID-19, climate change, AI — which may individually or collectively threaten an organization’s existence.
Business resilience is a capability that must be addressed from the very top of the organizational leadership. It requires principles and mechanisms that are cascaded across the business operational model, resourced appropriately and monitored for effectiveness.
Let’s examine these three levels to identify the indicators required for any organization that desires resilience not just in name, but in reality.
As the board and executives chart the path that the organization must take to achieve its objectives, one of the main inputs is understanding the business context. Techniques like SWOT and PESTEL are quite popular in this regard, as the environment plays a large part in determining whether objectives will be met in the light of changing circumstances.
Strategic resilience starts from the organizational leadership making effective decisions about priorities for resilience by:
From a governance perspective, policies that entrench resilience in the organizational structure and operating model should be enacted and published. In addition, risks to business resilience must be identified, assessed, controlled and regularly reviewed. The most recent World Economic Forum Global Risks Report detailed the interconnectedness of the highest-ranked risks as shown below:
WEF Global Risks Landscape 2023
Planning for resilience requires executives to be equipped with the right skills, knowledge, and behavior that can influence the rest of the organization to pull together during difficult times. The strategic response to risks that can impact the organization’s resilience should be informed by a leadership culture that is empowered and committed to preparing effectively for whatever change might be on the horizon.
And should these risks materialize, then the business leaders must be at the forefront of tackling these issues. Periods of uncertainty and disruption are opportune moments for executives to demonstrate strategic resilience to employees and stakeholders by:
Business functions must be planned and managed with resilience in mind. A business impact analysis exercise that supports the aforementioned risk assessment can help organizations to:
Adopting a framework like ISO 22301 for business continuity can enhance the resilience of an organization, enabling it to continue delivering products and services at an acceptable predefined capacity during a disruption.
When it comes to the business information that powers processes and functions, two key outputs of the business impact assessment are the recovery time objective (RTO) and the recovery point objective (RPO):
RTO is your goal for how quickly business information and associated systems must be made available again. For example, systems that manage business transactions will need to be made available in minutes. Systems that manage other secondary functions can take longer.
RPO refers to how much business information loss can be tolerated as a function of time.
For example, your organization may not want to lose any data that may result in loss of revenue, or lead to lawsuits or regulatory penalties. Acceptable data loss would be that which can be recreated easily from alternative sources such as data backups or manual records.
RTO and RPO
Assigning these metrics to business processes and functions provides clarity in planning the resource requirements and associated business costs related to resilience.
Too little resource allocation (e.g., only relying on a cloud service provider’s backup or having only one human resource in a critical business role) may prove ineffective should disruption come, as the organization may be hampered in its attempts to respond to an event of significant magnitude.
Conversely, too much resource allocation (e.g., hosting the same business applications across multiple cloud providers) may prove wasteful, especially if allocated for a worst-case scenario, and may create new headaches in managing them. The right balance must be evaluated and continually reviewed based on evolving environmental conditions.
Strategies and plans concerning resilience will not take off unless they are made operational as part of day-to-day activities. Leadership should disseminate resilience strategies to all levels of the organization, and the operational teams should be involved in the review and implementation of the plans to ensure continuity.
Implementation at the operational level should consider all dimensions of the business model including:
Today’s reality depicted by the risk landscape is that no organization, large or small, is immune from disruption. Our 2023 global survey, Digital Resilience Pays Off, indicates that advanced organizations that get resilience right…
These organizations have built critical capabilities such as visibility, detection, investigation, response and collaboration, which holistically address strategic, tactical, and operational level requirements, and result in greater adaptability to the changing environment. Resilient organizations don’t just survive disruptions, they thrive!