The business of resilience – it’s no mistake! A new competitive advantage? by Christopher Burman-Day MCMI.
People tend to dismiss incidents or events of which they have no recent experience: the “it hasn’t happened in the ten years I’ve been here” mentality, which is perhaps understandable. Uncertainty reigns, but experience is still King. We, however, as security professionals, are in the business of managing such uncertainty.

We live not only in an increasingly unpredictable world but also in a world in which technology has developed to create a 24/7 on-demand business culture, where “right here, right now” and the ability to deliver mark the line between success and failure. The increasing range and frequency of potential disaster incidents has created an environment where those best able to manage their operational security win.

In the UK alone the past ten years have witnessed incidents as wide-ranging as foot and mouth disease (2001 / 2007), the Buncefield disaster (2005), London bombings (2005), Tewkesbury floods (2007), avian influenza (2009) and the most severe winter in thirty years (2009/10). These events serve to highlight the broad spectrum of real external risks posed to organisations, ranging from terrorist incidents to extreme weather, industrial disaster to disease and pandemic. Such incidents demonstrate that no industry is exempt from suffering loss events. These events clearly impact on the provision of the security function, whether through an inability to meet Service Level Agreements due to treacherous weather conditions, additional duties requiring specialist training (such as monitoring disease control), failures of security technology, or wider incident management.
It is also clear that the role of the security department or function is pivotal in managing and maintaining operations in such times.

Other specialist functions exist surrounding the issues of operational effectiveness before, during and after such disaster incidents. Many overlap, but these are routinely broken down as Business Continuity Management (BCM) and Emergency or Disaster Management (EM), often allied with Disaster Recovery (DR). The history of these functions, in particular BCM and DR, is often heavily weighted towards IT infrastructure, although BCM in particular has developed beyond IT to encompass the holistic business function.

While these functions are clearly allied to that of security (and risk) management, the security function alone cannot as yet solely manage these disciplines across the broad spectrum of operational risk. Management disciplines outside that of security management, namely human resource management and financial planning, have a clear input on business continuity and emergency planning. However, as the nature of acknowledging and managing risk changes within industry, the security department becomes that which is best placed to manage and coordinate those functions which surround operational risk.

Alongside BCM and related functions, and the fast-paced changes within security over the past ten to 20 years, the importance of security, and the relevance with which it is placed within the business model, has increased. This has led to an environment in which there are clear areas of transferable skills in planning for operational resilience. This relationship is clearly visible when considering the example of a BCM practitioner identifying risks to the business operation and developing a Business Impact Analysis.
The methodology used and information required will mirror that which the security department will use in conducting the risk management cycle, with BCM aligning under one of the four risk response methods considered by the security department in their approach to the management of risk.

Although the resiliency of business operations is not a legislative requirement, addressing the issues of risks posed to a business and identifying and planning contingency strategy can be aligned with an organisation's corporate and social responsibility. Often compliance with international standards or local requirements assists an organisation in attaining a moral standpoint within their industry while protecting them from exposure to liability. In addressing exposure to risk and recognising operational threats to its assets while developing plans for contingency, the organisation is, so far as is reasonably practicable, ensuring the well-being of its critical functions.

Oftentimes the perception within the wider business community of any function that does not directly support the immediate operational goal is that of burdensome red tape and unnecessary bureaucracy. Disciplines involving compliance and conformity are often perceived to offer little if any tangible benefit, creating what some perceive as a restrictive pathway that does not contribute to profitability. While this belief may on the surface be true, or at the very least understandable, it does not stand up to scrutiny. There are a number of examples that can be used to counter this argument. Two, taken from the incidents outlined above, are the number of farms and agri-businesses that failed to recover post foot & mouth, and the example of Northgate IS, who implemented their disaster recovery plans in order to maintain their operational obligations as a result of the Buncefield disaster, resulting in all stored data being recovered and records reinstated.

Addressing risk and planning for contingency events better enables organisations to respond in the event of a crisis situation, whatever form that incident may take; this planned and co-ordinated response can be led and directed at a strategic level by the security function. Addressing these issues and managing risk across the entire spectrum of business operation better satisfies the stakeholders and ultimately leads to a new competitive advantage.

For the organisation that combines its resiliency functions at a strategic level into one holistic discipline there is much to be gained. Many of the aims and objectives of the disciplines surrounding resiliency are complementary; combining them will likely result in a saving of resources and efficiency throughout the organisation. In an increasingly financially unstable economy the amalgamation of aligned disciplines becomes not only a prudent structural investment but one which will enhance resiliency and credibility.

The challenge is for heads of security to develop and drive this alignment with industry bodies to create a business resilience management framework that stands up to the test.

About the writer

Christopher Burman-Day is a consultant with Insight-SRR specialising in integrating elements of security and risk management with business continuity, disaster recovery and corporate and social responsibility. He has a background encompassing senior management at national level and most recently has been working on behalf of national and multi-national food production businesses supplying the multiples. Christopher holds a number of relevant qualifications in business management, risk management and security consultancy, in addition to currently researching for postgraduate studies in Business Continuity, Security and Disaster Management. Email [email protected]




