During National Preparedness Month in September, Code42’s corporate resiliency team will conduct a roadshow to talk about the correlation between preparedness and corporate resiliency. The common reaction to continuity planning from the ground up is apathy and resistance; after all, it often adds responsibility to very long task lists. Don’t worry, our plan is in place. Our ability to carry on—come what may—is a critical capability in the minds of the customers’ whose data we protect.
For the record, business continuity has become an antiquated term, historically referring to disaster recovery planning to replace tools and systems when an “incident” takes them down. Corporate resiliency looks at these but also includes processes and people as the pillars of business elasticity and recuperation. Unfortunately, resiliency is often an afterthought for smaller companies which is why, according to the Institute for Business and Home Safety, an estimated 25 percent of businesses do not reopen following a major disaster. Large companies, like UHG have entire divisions dedicated to corporate resiliency.
I’ve been at this a while, so I’ve got some stories to tell. But first, here are the six capabilities a resilient organization must proactively demonstrate. It must:
- Assess risk and map interdependencies of operations, systems and tools, infrastructure, data centers and third party vendors; in particular, how do these components work together and what are the impacts to the others when one system is affected?
- Test continuity and recovery plans to assure response is adequate using directed discussions, table top exercises and functional exercises. Discussion-based exercises familiarize participants with current plans, policies, agreements and procedures, or are used during development. Tabletop exercises involve key personnel in the discussion of simulated scenarios. And functional exercises examine and validate the coordination, command and control between multi-agency coordination centers without “boots on the ground.”
- Train for a range of scenarios throughout the year and incorporate training into staff training.
- Exercise continuity and recovery plans to ensure that people are prepared to respond if the scenario becomes “real.” Exercising is about enhancing capabilities, your people and the resources they need to respond effectively and confidently in situations they have never fully experienced before. They need to know that the ‘testing’ has proven that what they are being asked to do will technically work but they have to make sure that it does whatever the prevailing context—however frightening and dramatic that might be.
- Leverage existing programs and events to reinforce message in brown bag sessions, company intranet publications, during National Preparedness Month, etc.
- Champion a culture of resiliency through education.
In a former life, when I was part of a large federal government agency, we experienced an unexpected earthquake in Washington, D.C. My immediate and big bosses were gone so it was up to me to lead the response. I emptied the building to allow for inspection of its infrastructure and moved critical 24/7 staff to two separate alternate facilities. Without plans in place, we may not have evacuated safely, or set up critical communications. We would have been an impediment to first responders, botched conversion to fail-over plans and devolved functions to someplace else. But because we had planned for an incident, we were ready in a span of ten minutes.
Organizations committed to competing, surviving, and thriving in today’s environment must adopt a culture of resiliency in order to predict and prepare for any requirement, threat, or demand from customers. In addition to a proactive posture, a resilient organization is much like an Olympic athlete. It has a reactive posture gained by countless hours of training that enable the organization to:
- Respond with confidence
- Effectively navigate multiple or concurrent scenarios
- Mitigate second and third-order effects
- Prevent further escalation of a scenario
An organization’s preparedness directly correlates to its capacity to predict the things that can and will go wrong. Unfortunately, there is no magical algorithm to determine preparedness. Today’s reality is that bad things happen and your organization will have to respond when they do. Gone are the days when hoping away bad things was the norm. Hope is not a strategy. Preparation is.