Operational Resilience and Business Continuity

Security

25.05.2021
David Mantock, Chief Information Security Officer

Years ago, when business continuity plans were formulated, the risks that needed to be controlled were high in impact but low in frequency or likelihood. We sought out the best way to ensure reliable provision of power and protection against fire, earthquake, and flood. Does the B really stand for Business, or were we only dealing with events of Biblical proportions?

Resilience is typically defined as the capacity to recover from difficult life events. Then as now, however, we have to determine the minimum business continuity objective (MBCO). What? In other words: what must absolutely keep running so that we can continue to do business in a meaningful way. Important “recovery” metrics also need to be established, such as RPO [1] and RTO [2]. But here is the thing: what if we cannot afford a 4-hour break in our operations? What if you are a retailer that makes more than 50% of its revenue during special holidays such as Valentine’s Day? In the context of your business activities, 4 hours could be the equivalent of 6 months of lost revenue when compared to another industry sector. As we leverage the speed of transaction and customer focus made possible by digitalization, we can see that a recovery-only strategy is not appropriate for today’s business requirements.

As any good doctor will tell you, prevention is better than cure. This is where operational resilience takes center stage. Resilience in this regard is more than just the ability to recover from difficult life events; it is also the ability to thrive amid adversity. And make no mistake, the conditions are harsh out there. Our thirst for creating more value from our precious data naturally leads to more and more of it. Given that it is being processed and connected over disparate systems, it is sometimes hard to see the wood for the trees. Then we have the challenge of protecting this “system”, inclusive of the real people who need to interact with it. How do we mitigate the risk that, in a poorly designed system, just one click can rule them all? Bang, where did my data go? Then we have the constant menace of malware attacks, more prevalent than ever and often with crippling effects. These are just some of the adversities that we need to be able to withstand. Thankfully, there are ways to build in the required resilience right now. First and foremost, you need designated people who know how to do the right thing at the right time. Knowledge plus responsibility enables effectiveness.


Finally, the technology in place, whether it be cloud or some mixture thereof, together with its mode of deployment and architectural dependencies, will be a major factor in how robust and thus resilient your business operations are. Over 2000 years ago Vitruvius [3] defined the type of architecture that I fully agree with:

  • Firmitas (Strength) – It should stand up robustly and remain in good condition.
  • Utilitas (Utility) – It should be useful and function well for the people using it.
  • Venustas (Beauty) – It should delight people and raise their spirits.

If digitalization is really people-centric, I believe this is the way to build resilient solutions.

[1] RPO = recovery point objective (how often are your backups taken?)
[2] RTO = recovery time objective (how soon can you restore?)
[3] https://www.idesign.wiki/tag/principles-of-good-architecture/
