Organizations in today’s business world are facing increasingly difficult and changing conditions that threaten their profitability and existence. Many factors have contributed to these challenging conditions including:
- Perpetual threats of natural disasters, human-related disruptions, and technical failures;
- Threats of pandemics such as SARS and avian flu;
- Increasing dependence on technology;
- Rapid regional and global expansion;
- Competitive pressures and increasingly high customer expectations;
- Stricter regulations and increasing requirements for accountability;
- Supply chain concerns such as “just-in-time” delivery; and
- Market penetration opportunities in developing countries.
The financial success of a business depends on its resilience: its ability to take full advantage of a constantly changing business environment, full of anticipated as well as unexpected events and risks, that also brings opportunities to increase shareholder value and gain competitive advantage.
A business resilience program enables a business to protect itself from untoward events and capitalize on opportunities. A business resilience program has three main resilience objectives for dealing with anticipated and unexpected events:
- Protect critical operations, services, and resources to maintain business continuity
- Develop resilient business strategies that exploit opportunities to gain competitive advantage
- Overcome enterprise-wide risks and vulnerabilities to protect shareholder value
As depicted in Figure 1, the business resilience program has an enterprise-wide scope that begins with the adoption of resilience objectives at the corporate mission and objective level and spreads to the rest of the levels within an organization.
Figure 1: Business Levels
An effective business resilience program requires a concerted effort from different areas of expertise within an organization to achieve its resilience objectives. The following three areas are essential for establishing a business resilience program:
- Business continuity planning (BCP),
- Business resilience strategy planning (BRSP), and
- Enterprise risk management (ERM).
These three areas are the key components of a business resilience program, as shown in Figure 2. BCP is considered part of the disaster recovery and business continuity management function, and it is a critical component for achieving the first resilience objective of protecting critical operations, services, and resources. The BRSP component is considered part of the corporate business strategy planning function, and it is focused primarily on achieving the second objective. The ERM component is considered part of the risk management function, and it is aimed at achieving the third objective.
Figure 2: Business Resilience Program
Evolution from Disaster Recovery to Business Continuity to Business Resilience Planning
The fields of business continuity planning and disaster recovery planning have played critical roles in helping businesses achieve parts – but not all – of the business resilience objective. The primary objective of disaster recovery planning has been limited to protecting IT infrastructure and services from unexpected events and disasters. Business continuity planning extended the boundaries of disaster recovery planning to the protection of business operations and processes. However, the objective of a business resilience program is larger than that of either business continuity planning or disaster recovery planning. A business resilience program extends the boundaries of protection beyond unexpected events and disasters to include any changes from normal business activities.
Business Resilience Program Objective
The business resilience program objective is to empower the organization with the ability to rapidly adjust and transform business in response to any change in order to prevent and mitigate hazards, capture opportunities, create competitive position, and improve shareholder value. The program enables organizations to become resilient by proactively adapting and adjusting to any changes resulting from either unexpected events, such as disasters, or normal business demands and activities such as mergers, downsizing, or market changes.
Business Resilience Program Requirements
The requirements are expressed in terms of capabilities and characteristics that allow a business resilience program to achieve its resilience objectives. The business resilience program has five high-level requirements. The program needs to be comprehensive, methodical, adaptable, proactive, and reactive.
- Comprehensive – This characteristic requires that a business resilience program be based on a comprehensive scope that covers the organization’s end-to-end business and operational aspects. The scope includes business resilience strategies, business processes, people, IT assets and resources, non-IT assets and resources, products and services, supply chains, laws and regulations, etc.
- Methodical – This ensures that a business resilience program is built on a structured, systematic and analytical approach for achieving resiliency objectives.
- Adaptable – This characterizes the ability of a business resilience program to adapt quickly to changing threats, circumstances, and business demands.
- Proactive – This is the ability of the business resilience program to anticipate future business changes, impacts, and discontinuities, and to take preemptive actions to protect the resilience goals. A proactive business resilience program also has the ability to take advantage of opportunities to increase shareholder value.
- Reactive – A business resilience program needs to have a strong reactive capability, in addition to the proactive capability, to defend or protect the organization from unexpected situations that can lead to disastrous consequences.
Business Resilience Program Model
BRCCI defines a Business Resilience Program Model (BRPM) aimed at achieving the five business resilience program requirements stated above. This model, shown in Figure 3, consists of four main components:
- Business Resilience Strategy Planning (BRSP)
- Business Continuity Planning (BCP)
- Enterprise Risk Management (ERM)
- Business Resilience Management (BRM)
Figure 3: Business Resilience Program Model