Some companies are jumping right into getting certified as compliant with ISO standard 22301. That is a necessity for some firms. Many companies in defense contracting, for example, are required to have that certification. Others may not need the certification as a contract condition, but they still need to ensure their resilience.
Whether certification is a requirement or not, the basic process is the same.
Companies need to be prepared to learn new things about how they function, and may have to discard long-held perspectives on priorities and actual readiness. Senior management needs to stress that this effort is a process, not a task. It can be unsettling for many, but many will find it motivating if they are brought into the process and their views are heard.
Operations resilience happens when the entire firm understands its risks and processes. Any attempt to have it done outside the current staff and imposed by fiat will fail.
Beware of consultants who say they can provide you with operational resilience without “distracting your staff”. Such consultants can deliver nice binders of plans, but such binders usually serve only to gather dust.
Here are the five basic steps:
1. Identification of Core Processes and Key People: What your business does, who performs the tasks, and how your clients are served are specific to your industry and company. Many companies have plans to back up their computer systems but are less able to ensure staff is able to work and serve customers when hazards arise. These processes and people need to be documented to understand how your operations will be affected by a hazard. This process of documentation itself will often be more enlightening than burdensome.
The detail into which a company goes with this can vary. It is often best to take a higher level view if a company is new to this process. A simple plan where no plan now exists is better than spending months developing a more detailed view. A higher level view will point to the few processes and functions that would benefit from a detailed view.
2. Hazard Identification and Vulnerability Analysis: This step identifies the types of hazards, their actual impact, and their probability specific to your company. Natural hazards vary by geography and impact. Technological hazards are often specific to a company but also to a geography. Criminal acts can be devastating, and they need to be evaluated dispassionately. The effects of each hazard, both in general and specific to your company, will be documented.
Your company’s current state of readiness for this finite list of hazards and risks is best evaluated here. This can be a politically charged process, as some will fear that an honest evaluation would be an indictment of their work.
3. Mitigation Strategy: Avoiding a problem is more effective than waiting to respond to it. With the hazards understood, your company can develop a pragmatic plan to lessen the chance of each hazard occurring and to lessen its impact if it does.
Mitigation is usually mundane. It is educating staff on the need for cyber-security. It is following the physical security protocols all firms must have. It is ensuring that all agree on what the core processes of the company are, and what the actual procedures are and who is individually responsible.
Mitigation is time and effort, and it should never stop.
4. Response Planning: Response plans, if they exist, will be evaluated for their efficacy and for how well leadership and staff are able to implement them. If they do not exist, they will need to be developed. Care is taken with response planning to stress common responses and avoid planning that is specific to a narrow set of circumstances.
Care should be taken to keep the level of response planning focused on the core processes and people identified at the start. A common fault is to take a multitude of individual risks and make specific responses to each. This can bog a company down.
For instance, separate risks like severe weather, pandemic, and emerging environmental hazards are often planned for separately. A better stance is to identify the hazards but plan responses to the vulnerabilities they have in common. In each of those three examples, the common vulnerability is that staff are unable to come to work.
5. Implementation and Maintenance: Operational resilience is not a document or one department’s responsibility. It is a continuous process involving all. Company leadership will work to educate staff about resilience in the face of hazards, implement plans and mitigation strategies, and exercise responses.
A longer-term process to review, update, and maintain the company’s plan is critical to implement, and responsibility for ensuring it is honored is best kept at the company’s highest levels.
The Value of the Operations Resilience Discipline
The ability to continue operations in the face of emergencies is usually held as the reason for resilience planning. It is the reason such planning is initiated. Companies will also find a value independent of dealing with hazards effectively. The process of detailing processes and educating staff challenges assumptions and perspectives. Operations resilience planning can be the catalyst to implement efficiencies and instill a process of continuous improvement.