A couple of days ago Ken Simpson posted an interesting question in respect to resilience. As I promised yesterday I wanted to explore a definition in more detail. I have blogged about this previously, so my apologies for going over old ground, but as Ken has identified, a common understanding is key if we are to push Business Continuity practices beyond a simple resilience rebrand.
The definition which Ken presented was originally defined by the Centre For Resilience at Ohio State University.
capacity of a system to survive, adapt and grow in the face of unforeseen changes, even catastrophic incidents.
I can’t argue with this statement and have no intention of doing so. The question that remains is how do we move away from this abstract definition and into a more substantive one. For resilience to mean anything we need to allow an organisation to understand its own capacity for resilience. This of course is where we run into problems as this is not measured by how many plans they have or how rigourous a Business Continuity Management process they have in place. Resilience should be materially changed by the actions that we take, but as I hinted at yesterday, you really are going to have to prove it.
It is interesting that the definition above uses the term system. An organisation is indeed a system that you can think of as a black box that consumes resources (inputs) in order to transform them into products (outputs). What is interesting to me is that any system will exhibit a number of properties. I have covered these before but here they are again:
- Productivity: measures the level of output
- Quality: measures compliance to requirements
- Profitability: measures the ability to create value
- Timeliness: measures the rate of output
- Efficiency: measures the yield
- Utilisation: measures the resource leverage
- Cost: measures the cost of production
You may have a different list, but I suspect not that different. To this mix we can now add:
- Resilience: measures the capacity to survive unforeseen events
You will note two things. Clearly I have changed the definition but this is purely to fit into the style of the list. I have however changed resilience into being a measure. We talk about improved resilience or a more resilient organisation and I would argue that the notion of resilience is clearly some form of measure. The original definition uses the term capacity which, I would also argue, points to a measurable output.
As you look down the list you should note two more aspects of these properties. Firstly in almost each case we have management practices that seek to maintain and manage them. Business Continuity Management is no different, as it seeks to manage and maintain this notion of resilience. The other thing you should notice is that some of these properties are in direct conflict with one another. From a continuity perspective it should be very clear that if I improve my efficiency then I will almost certainly reduce my resilience. The challenge for senior management is to balance these properties within the context of their own business model. Risk appetite is a common term which is seldom defined beyond the abstract. I would suggest that risk appetite is in fact the risk that an organisation chooses to carry as a result of balancing these different competing constraints on the business.
To summarise, I believe that resilience is a measure of the capacity to survive unforeseen events that impact the organisation. This capacity is managed by Business Continuity Management and any actions we take should show a material improvement in this capacity measure. However, this capacity needs to be maintained in context with the other key properties that the Executive needs to balance.
What remains of course is how do we measure this capacity. I blogged about this in the recent past, but I can feel another post tomorrow is in order.
Related posts:
Recent Comments