I must make a point of ordering a copy of the new BS 65000 Resilience Standard over the festive break – not that I see it as the highlight of Christmas, but I will be doing some travelling during which I will have a chance to catch up on my reading.

My interpretation of resilience is that it means things don’t break down, they keep going despite hazards and changes in conditions. In order to achieve such a state the item, service, product or organisation therefore has to consider the risks which, if realised, prevent operation, delivery or performance. That way the design can be optimised to ensure resilience is achieved. Easy. You wouldn’t expect your car to stop operating just because you take it out in the rain!

The whole concept is a shift towards prevention rather than cure.

Bad news – well certainly for Business Continuity practitioners – because if our organisations become resilient we will never have a crisis and never need business continuity solutions because they will be integrated into BAU in the form of alternative working arrangements for when conditions change. As simple as switching your windscreen wipers on!

This isn’t going to happen in the first week we all return to work after the holiday period.

So, who is going to own resilience? Is it Business Continuity? After all we are used to helping the organisation devise, develop and prove appropriate strategies for different circumstances so we definitely have skills and expertise to be applied in this area.

Should it rest with the business lines themselves with maybe the Business Continuity practitioners acting as advisers, consultants if you like, to assist the organisation in developing resilient structures and operating models?

Where should an organisation start with its preparations in becoming resilient? Surely the risk management function can provide the plan because they have identified all the potential threats and prioritised them. Hold on a minute… If the risk function has all this information our organisations should already be resilient, shouldn’t they? The answer is of course that our organisations are not resilient. Why is this?

There are a number of reasons. Risk is all about acceptance – what are we prepared to take a chance on, hedge our bets on maybe? Resilience also costs, so when budgets are tight and the organisation’s experience is that stuff hasn’t broken previously, events have not occurred and threats have not materialised, budget is not going to be made available. A good catastrophe is always helpful if you are preparing a business case!

Another reason is that risk functions don’t always identify everything. I can sympathise with this because executives and board members only want to hear about the big ticket items. Who wants to sort out a water leak when you can get together with the big boys on a financial meltdown – much more fun and way more valuable on the CV.

I’m excited to see what the standard advises (I really need to get out more don’t I?) but clearly resilience is not going to be solely the responsibility of Business Continuity – it’s going to reach right into the organisation and require all areas to reappraise how they will function under different conditions.

December 20, 2014 at 2:54 pm
Category: Governance & Standards