Business resilience is an organization's ability to respond to and survive a disruptive event, while adapting its procedures and methods based on lessons learned from an incident to better respond to future events. The goals are not only to respond to and recover from future events, but also to improve procedures and resources to recover business processes more efficiently in the future than with previous methods.
Existing methods for responding to disruptive IT events, such as power outages, severe weather and cyber attacks, are well-defined. Established disaster recovery (DR) plans increase the likelihood that damaged or disabled systems and networks can be recovered and returned to normal.
Cybersecurity plans increase the likelihood that damage from security breaches, phishing attacks, DDoS attacks and viruses can be minimized and effectively mitigated.
Acknowledging the preventive and response mechanisms above, what can you do to support business resilience? Below are six ways that individuals, departments and senior management can help promote resilience at an organization.
1. Gain senior management support
The idea of a resilient culture may not be top of mind for many senior managers, or even a company's board of directors. Without such support, resilience programs are far less likely to launch. The key challenge is to educate and inform leadership on the business value of a resilient organization from perspectives such as IT operations and business processes supported by IT.
Educating senior management about resilience requires a clear understanding of the company's critical business activities and how IT resources enable them. Demonstrate how a disruption to the business might affect its financial and competitive positions -- and, especially, its reputation. Senior management must decide what constitutes resilience for the organization and whether a culture of resilience already exists.
2. Build and promote resilience within IT
IT departments can achieve resilience by first understanding the system and network assets that are most critical to the company's continued operations. After that, they must deploy controls for the following:
- Business procedures.
- Company policies.
- Specialized applications.
- System backup.
- Redundancy and high availability activities.
- Network perimeter protection.
These actions help ensure that mission-critical processes can continue in the aftermath of a disruptive event. For example, increasing remote access to IT resources is one way IT can place an additional emphasis on resilience. Help desks are an effective way to reinforce the importance of IT and the view that IT exhibits a culture of resilience.
IT leadership must decide what constitutes resilience and, if it is not present, how to achieve it. An IT general controls audit can identify areas where resilience can be achieved. Regardless of how it is achieved, a culture of resilience in IT is essential to maintain a high level of reliability, availability and performance.
3. Create a companywide culture of resilience
A culture of resilience is not limited to IT. Partnering with HR is an important first step in establishing a corporate culture of resilience. Assuming senior management is supportive, HR is the ideal partner for such an activity. They can provide an interface with other departments and also help provide guidance on how to communicate the "culture of resilience" message within the company.
To avoid potential confusion, share examples of how employees can increase their resilience. Examples of simple tasks employees can do to support business resilience include the following:
- Back up their work on secure storage resources.
- Lock their desks to prevent unauthorized access.
- Use available cybersecurity resources to prevent attacks.
- Ensure their laptops and desktop systems are up to date with all current software releases.
4. Work with HR on training and awareness
HR can also provide guidance and resources to disseminate relevant information about resilience and its importance. Among the options are internal training programs to educate employees on resilient practices. This is an important opportunity for IT to provide its expertise and leadership. By providing employees with briefings on new cybersecurity practices and systems, updates on accessing systems and data, and tips on how to better protect critical data and files, IT can reinforce the culture of resilience.
Awareness programs using an internal platform, such as SharePoint or something similar, can help deliver regular messages reinforcing the importance of resilience and how employees can support it. They can provide an opportunity for employees to ask questions and solicit comments from senior management on the value of a resilient culture.
5. Review recovery plans to increase focus on resilience
Business continuity plans (BCPs) and technology disaster recovery plans typically focus on recovering the business and technology, respectively. They might not have any components that address how to adapt and improve business operations based on insight gleaned from a disaster, but existing plans may be enough to address real-time issues.
Plans can be improved, however, by including sections that provide procedures for increasing resilience and survivability from future events. These might include conducting a post-event assessment and report on what worked, what didn't work and recommendations for improvement. One of the key attributes of resilience is the ability to adapt BC and DR plans to perform better based on lessons learned from prior events.
Be sure to periodically test these plans to validate their capabilities. The presence of technologies with increased resilience capabilities may look good on paper, but nothing substitutes for testing. Tests should demonstrate that the organization has the necessary procedures and resources -- especially within IT -- to weather future disruptive events better than in the past.
6. Eliminate silos to encourage cooperation
Since building a culture of resilience involves all parts of an organization, it may be necessary to break down the silos that historically keep activities separate from each other. This often occurs within IT, and when it comes to resilience, an organization's IT, DR and cybersecurity departments must collaborate regularly.
Achieving a state of resilience from an IT perspective means that all units within IT, such as operations, security, storage management, programming, engineering and help desk, need to understand their roles in achieving resilience. Next, they must find ways to exchange information on how they are achieving resilience with their colleagues. It is this cooperation -- and reduction or elimination of silos -- that supports business resilience. For example, weekly status meetings can add an agenda item discussing how resilience is being achieved.