Recently, The BCI, one of the leading institutes working in the field of organizational resilience and business continuity, issued its regular report BCI Operational Resilience Report 2023 in collaboration with Riskonnect, who work with risk management solutions.
One of the questions they asked the respondents was if there was a difference between organizational resilience and operational resilience. As the answers demonstrated, for most respondents (and in most companies) these terms were used as synonyms. Having studied the report, the colleagues brought up another matter – The BCI introduced the new term of "organizational resilience" in addition to "business continuity" and "operational resilience".
If we search Habr for "Business Continuity", "DRP", "BCP", or "BIA", we’ll find quite enough posts by my colleagues (I’ve met some of them face to face and worked with the others) about data system recovery, data system testing, fault-tolerant infrastructure, and some other things. Yet, hardly any of them explain where all of it has come from, how it is changing, where it is heading – and why.
I thought the time has come to change the situation for the better and answer some of the questions like where business continuity provisions and operational resilience has come from, how they are changing, and where this trend is heading and why. To share my thoughts about development of the industry and its current de-facto state in case of a mature (or not too mature) introduction level – some things I’ve stated for my own use.
You might wonder who I am. Let me introduce myself. I am Sergei Rogachev, an expert in development and introduction of procedures for business continuity, operational resilience, and non-financial risks (NFR). I worked for Jet Infosystems, PwC, Accenture, Raiffeisen Bank as an expert (SME) and leader of the business continuity departments. I’ve been in IT for 13+ years and in BCM&OpRes for 7+ years. During the last several years of my practical work in this field, after several dozen projects associated with BCM and IT, and quite a few successful implementations of continuity procedures in corporate landscapes, I’ve come up with a certain vision as regards to this sector. I do my best to get this concept to business representatives, but I’d also like to share it with you.
First of all, sorry for the longread. Naturally, face-to-face meetings offer much more opportunities for expressing ideas and holding a discussion. I’d appreciate it if my colleagues shared their opinions and joined an informal discussion in specialized channel NFR, Business continuity & Resilience. Let’s go.
As I see it, BCM&OpRes has long ago become an umbrella covering lots of functions within the company. This isn’t a piece of news for any of the continuity experts. BCM working as some kind of an umbrella has many times been declared during public speeches and in presentations. BCM&OpRes has become a mediator and a facilitator for all kinds of functions, a united knowledge base of the company – along with the positive change driver.
I have no doubt that many of my readers have encountered some business continuity management (BCM) elements in their companies, no matter if they are employed with the IT department (I believe, the infrastructural unit ran into them earlier and more often whereas product and scrum masters have come to deal with those quite recently, and most likely only during audit inspections), with the risk management department or audit, or even the business units. Really, some of you must have encountered the continuity management procedures or their elements.
Still, I often see people surprised, confused and even censorious of it when I mention the umbrella role of business continuity and operational resilience management within a company. Rather amazing considering the fact that we’ve been watching it all for several years in a row. Now, let me use some facts to show you how the sector is developing and transforming. I’d like to demonstrate how various corporate functions overlap with the business continuity and operational resilience function.
Things are taking their course and developing. Business Continuity (which is currently referred to as Business Resilience or Operational Resilience) isn’t an exception, but where did it start and how has it become an umbrella?
In general, I can see why business owners of different functions fail to understand this issue and why they are censorious about it. Any leader, manager, or specialist believes that his/her function matters, that they are experts in their field, and that they’re working perfectly no matter what for the benefit of the company. This is where the lack of understanding comes from. People grow positive that as nobody beyond their function knows the details of their jobs (and there’s no arguing here, hardly anyone else knows all the details) then an outer independent function (like Business Continuity) can’t umbrella them as long as they have no issues in communicating with related units (btw, practical experience shows that issues are rather common here, although they hardly rush to acknowledge that within any company). Moreover, the political issues, the powers, and the ‘third weird’ should also be considered, even if it is uncommon to announce it in public ;-)
Let’s look into the history of the industry and its development milestones, remember how it all started many years ago and hit different business functions in place at today’s major companies.
IT function
If you ask me, the continuity management thing took its start in the IT function. Let me as an IT person take this liberty. There was the IT Disaster Recovery. Do you remember DRP – the disaster recovery plan?
Any earnest network engineer voluntarily worked on some backup means, server reset scripts, means of switch to a reserve node, and so on. Then there were independent DC (data centers), DB management systems, and all kinds of things. Many years ago, when informatization and digitalization were far less than today, IT issues bothered only IT people, whereas for most of the business function representatives IT was something behind the scenes, so they hardly recognized a distinctive correlation between operation of the IT landscape and business performance factors of their functions.
All the business units were busy with their own procedures, whereas digitalization and automation were far from the up-to-date levels. Everything within those business units was solved manually.
Yet, as the procedures got more complex, the business continuity specialization emerged, which included risk assessment and mitigation at the business unit level. I don’t mean to say this was the only function, so we have to move on.
Function: risks
The risk function has been in place for really long and is an essential thing, especially as far as financial risks are regarded. However, in recent years the risks (which are often referred to as the non-financial risks, NFR) have started to overlap. There appeared operational, strategical, and technological risks (the latter often including IT and Information Security risks – but IS risks being segregated to a niche of their own lately), as well as project, methodology and other sorts. The risks function has been rapidly developing and extending, this ensuring the overlapping and interconnection (or even synergy) of conventional risks and business continuity. Shall we proceed?
Function: audit
Who else can say if some procedures exist within the company, or guarantee their efficiency and maturity? Only the audit unit – the function that is independent from all others, which (if possible) should report directly to the CEO, or the board of directors (BoD), or the shareholders. As for the business continuity, it also offers an independent take on many functions, as by its nature it interacts with all the functions and has a hand in all the business procedures of the company, its every operational unit, IT teams, and data systems, too.
Have you recognized the similarity? As there is one. That’s why the tight integration of BC, as well as control over this procedure and the inner audit procedures are highly effective and useful for a company in general – especially for the key stakeholders within the business. Next, then.
Function: complience
Compliance is found in many functions – in IT, in Information security, in Finance, in HSE, and so on. All the units have to comply with the corporate standards, and in some sectors like Finance or Oil&Gas (at least, as far as HSE is regarded) with regulatory requirements, too, which get tougher year after year. What happens in case of non-compliance? The time comes for fines and penalties, which can even result in operation suspension and recall of a license. These definitely can be categorized as business continuity risks, right?
So, the compliance and BC functions are tightly connected, too.
Function: physical security, facility management, HSE
Today, hardly any mid- or big-sized business company can be thought of without these functions. And in some of such companies HSE is the most essential element of production processes. These are the functions that are usually in charge of security engineering means, building (office) activities management, as well as safety of employees and customers.
All means of fire safety, site access control management, video surveillance, diesel generator plants, training evacuations, and things like that can only be implemented in direct collaboration with those functions. Classical business interruption scenarios like offices that got inaccessible for different reasons, power failures, using of reserve fuel, and operation of diesel generator plants and automatic transfer switches, as well as training evacuation sessions for employees are the points where the BC function and the functions listed in the subheading meet.
Crisis management
This is another thing that no mid- or big-sized company can proceed without. There are multiple outer factors that can take place lightning-fast and should be reacted to as swiftly. Very few managers are eager to take responsibility and make some real steps unless approved and given a go-ahead by the top management. Sad but true. And this is yet another growth point for Business Continuity and Operational Resilience. And there are more to mention!
Information Security
Of course, IT security and IS hasn’t emerged yesterday but it was quite recently that ISO 27000 was updated with the Business Continuity domain. In general, this field didn’t see such rapid development as it has in the last several years.
Close integration with global digitalization and products switching to online, product development, the notorious Agile with its subsets of frameworks a la SAFe/LeSS and so on, and so forth – all of it resulted in the DevSecOps practice development.
Dramatically increasing damage caused to companies in case of cyber risk events and the amount of intruders willing to hit the jackpot remotely and remain unseen growing at an exponential rate – these are the drivers for strong overlap of Business Continuity and Information security, a point where CyberResilience germinates.
What’s the difference between Cyber Security and Cyber Resilience?
It is in compensatory and remedial actions – something that has been the basis of Business Continuity for many years.
Moreover, there are some functions that also have to be dealt with closely in case anyone wants BCM&OpRes to be as efficient as possible. Those are HR and the Legal Functions, and in some cases – the Commercial Unit as regards to procurement, but I won’t fill you in. I might go into some detail about the interrelation of the BC and OpRes function with other corporate functions in my next posts, though.
Where does this take us?
This rather simple review with a list demonstrates that in due course business continuity elements have found their way into all the corporate functions, or if we put it otherwise, the objectives, tasks, and methods of the business continuity function are present in all the company’s functions nowadays.
BCM&OpRes has become the golden thread running through the company – or its umbrella.
This doesn’t imply that all the other functions should lose their self-sufficiency or independence, of course not, and even the other way round. It only means that the BCM&OpRes function is currently working as a framework as regards to methods, approaches, and control means for all other functions.
If introduced and taken up properly, the BCM&OpRes function can enable refinement and efficiency enhancement of many other functions, contributing to blind spot elimination in the corporate business and IT landscapes. It can provide a visual dashboard for managers at all levels that would give insights about the function statuses, communications, and interaction with the related functions, too.
It would bring up a function that will help the other functions interact with their ‘colleagues’ and bring to the spotlights the bottlenecks and challenges the latter encounter, as well as the hindrances and risks associated with communication challenges.
There will be a texture for accurate and formalized initiatives, and in case enough powers are granted or C-level executives of the company are involved directly (plus some other conditions, too), there will also be a roadmap for implementation of such initiatives, for crosschecking of the functions, an aid and a database for risk and audit functions.
What comes next?
Well, I believe there are several development patterns possible depending on how mature the company and its corporate culture are. All of those patterns have their pros and cons, so I’ll leave it for the readers to decide which of them are more advantageous, efficient, and convenient. As for me, I made my conclusions and put them to practice a long time ago.
Let me finish my post with a few words about the options possible.
1. The BCM&OpRes function will be part of some function that is most relevant at first sight like internal audit – but there will be certain challenges, too.
The point is that the audit function should be intrinsically independent and shouldn’t be part of any other functions. This is where the approaches are going to diverge, as the BCM&OpRes function becomes part of other functions in effect to aid them with looking for possible solutions and interaction with related functions, to work as an assistant and a facilitator, and to let them use its expertise.
However, the audit function has to be independent not to have a conflict of interests with other functions. As far as I am concerned, this approach looks wrong from the academic point of view and isn’t going to be viable in general. Well, exceptions are possible, I guess. At least, I won’t be really surprised if it works.
2. It could be integrated with the Information security (IS) function.
This case is quite common today – especially in view of Information security reinforcing its positions within companies and the regulating bodies and the state continuously working to adjust this sphere.
Think of how Order 250 "About extra cyber security arrangements" appeared, or 787П about operational reliability, or 716П about operational risks, or GOST 57580 "About safety of financial operations", as well as some other russina regulatory documents.
There might be some other drivers in other regions, including local regulatory acts or corporate standards.
The problem is that up-to-date culture and integration of the Information security function into corporate business services and functions is kind of pioneering, at least in terms of getting on well. Many IT teams still see IT security as a hindrance.
Another important aspect is maturity of Information security risks. Alas, few Information security units know how to evaluate potential risks and damages properly. The lack of well-trained employees results from the world’s focusing on technical aspects of security instead of the business or IT related ones.
The BCM&OpRes function is more mature as far as risk evaluation and understanding of corporate business functions, services, and products are concerned. That’s why in case BCM&OpRes is integrated into the Information security function, the latter should consider using this aspect to enhance its competences and use the former’s expertise. This way, they are likely to get on well.
3. BCM&OpRes could also be integrated into the risk function or be developed within it.
This option is quite common and today, it’s most effective as the risk culture of functions is similar enough, methodologies are all alike, and the overall objectives are also in common. Both functions are intended to reveal risks, evaluate their consequences, develop means for risk mitigation and overall enhancement of the internal corporate risk culture, as well as some of its functions.
4. The BCM&OpRes function is within IT.
Such an approach was really common a few years ago, as DR procedures germinated within IT (its infrastructure, in particular) – as I’ve already mentioned in the intro to this post. Today, this is not as popular, and BCM&OpRes is often split into two parts, or units:
a) BCM, which is a business part including Business Impact Analysis (BIA), BCP development, and crisis training sessions for top managers and business function executives;
b) IT, which includes development of Disaster Recovery Plans (DRP) and testing of engineering services switching to standby circuits.
In my opinion, this is rather archaic and can only be used in case both units are closely connected. However, that will result in duplication of the functions, as well as some other challenges, which in the end make such a segregation meaningless even in the short run. The IT unit usually doesn’t possess information about business procedures and functions within the company, and neither has it data on the loss financial indicators, or sufficient risk registers. Consolidating these two parts in a single function seems much more effective.
5. And last but not least development pattern is the BCM&OpRes function being independent within the company and having some precise objectives of being involved to aid and find bottlenecks in the corporate procedures and functions, to accompany changes and transformations within the company, to act as a united database and a competence center for purposes of the OpRes methodology, as well as to provide a single dashboard for all the functions that would keep the executives at all the levels updated on the current statuses.
There’s no doubt that new cooperation and integration points between the BCM&OpRes function and the corporate functions will appear as long as the latter develop and the new functions emerge. For instance, one shouldn’t leave out ESG guidelines and risks for sure.
This is where I stop with describing the tasks and objectives the BCM&OpRes function possesses. I’ve explained my take on this field of concern, and I hope you’ve found it interesting and useful. With pleasure, I’ll take part in a discussion on the matter, answer any questions you might come up with and provide the necessary explanations. If you are interested in such topics and other relevant information join in specialized channel NFR, Business continuity & Resilience.
P.S. I’m considering some other posts – more specific and applicable. Stay tuned.
