Operational resilience frameworks hinge on breaking down silos
Resilience is more than just business continuity and disaster recovery. Operational resilience depends on communication among many different business functions at an organization.
Collaboration and knowledge sharing are key elements of an operational resilience framework. All production and delivery units of a company's products and services must be in communication to yield resilience.
Each business unit has a stake in ensuring the company can recover and return to business following a disruptive event. This differs from the traditional siloed business continuity and disaster recovery (BCDR) processes.
BCDR teams often operate in a vacuum, particularly when they focus on IT aspects of recovery. Those working in BCDR might miss out on other important aspects of what the organization needs to return to business as usual.
All players in the organization are engaged in the process of complete business recovery, as depicted in Figure 1.
The recovery may be from a natural disaster, ransomware attack, power outage or fire, among other possible risks. Regardless of the crisis, an operational resilience framework includes all necessary departments.
In Figure 1, the business functions closely associated with operational disruption response are all interlinked. Each has a stake in an organization's ability to recover from a disruptive incident. These business activities are the work of the following teams:
- Business continuity. Gathers data from all business units and understands the criticality of each unit, the technology requirements and the timeliness of recovery activities.
- IT disaster recovery. Coordinates the recovery and resumption of all IT systems and related technologies following an event.
- Incident management. Performs the initial analysis of a potentially disruptive event, makes decisions regarding employee safety, and communicates with emergency teams, senior management and business unit leaders on the initial status of the event.
- Crisis management. Coordinates the long-term activities of business units and senior management, health management for injured employees, and communications with external organizations and families, and engages other teams.
- IT/telecoms technology. Collaborates with the DR team to ensure all hardware, software and networking resources are effectively managed and repaired.
- Facilities management. Protects the physical facilities for the company, such as buildings, HVAC systems, and power and water supplies.
- Physical security management. Ensures physical access into company locations is guarded.
- Cybersecurity management. Protects the company from external or internal access breaches to critical systems, networks and data. Attacks can come from hackers, phishing schemes, viruses and ransomware.
Risks to one team affect the entire resilience effort
Each of these activities has a risk component, so the risk management team must analyze processes and coordination during an incident as part of the overall operational resilience initiative. They also coordinate with other business units, as seen in Figure 1. As part of their research and data gathering, risk management teams must understand the risk each business unit faces and identify potential threats and vulnerabilities to address and mitigate in advance of an incident.
The operational resilience framework requires significant collaboration among business units and risk and emergency response teams. This is the most important component of the framework; it's not just risk management and emergency teams that must share information. All of the departments must communicate to identify additional risks and mitigation opportunities.
A multidisciplinary approach
Communications among the various emergency disciplines, risk teams and business units are essential to develop a comprehensive plan for incident response and recovery. The teams listed in the risk management box in Figure 1 typically operate autonomously and only engage when an event occurs that requires the efforts of multiple teams.
For many organizations, this degree of intergroup communication may be uncomfortable in light of a silo-oriented culture, but businesses that see the value of operational resilience should actively work to break down the silos.
Another important aspect of an operational resilience framework is greater engagement from senior management, because the entire organization will be involved in operational resilience activities.
Because multiple teams engage in an operational resilience initiative, organizations must understand their information dependencies. Organizations that invest more time and effort to identify and simulate an array of possible scenarios can organize technology to respond to incidents, identify where plans might fail and implement corrective measures in advance of a disruptive event.