Twenty-Twenty. What could go wrong in such a perfectly numbered year? Sadly, we all know the answer to that: Everything.
2020 has been dominated by the COVID-19 pandemic threatening our way of life, challenging our resourcefulness and resilience, on a global scale not experienced since the World War ended 75 years ago.
In 2020, some businesses with a strong digital presence have shown resilience by shifting all their operations online and moving to full-on remote working, adapting to a period of indefinite social distancing. Broadband connectivity was a key factor in keeping the lights on for those businesses. When the stay-at-home order came into full force in the UK, most feared the impact this would have on broadband performance all around. They anticipated a struggle along with their neighbours, stuck at home looking for ways to keep connected with their loved ones and colleagues, and to keep themselves entertained online. No doubt these were all valid concerns for us, domiciled warriors, called to take up arms to save lives by, ahem, manning the recliner, among other things. Yet, lo and behold, most of the ISPs in the UK had no major trouble adapting, and stood their ground as their resilient systems faced this sudden, indefinite surge in demand as the pandemic unfolded.
Our clients often require us to look at business continuity and resilience planning for the critical information systems supporting their services. Resilience describes the ability to adapt and recover from disruptive trends or adverse events, like those caused by COVID-19 or a cyber attack. These occurrences have the potential to dramatically impact service delivery and operations, which sometimes can translate to an existential crisis for an organisation, in turn impacting their customers. For instance, there is heavy disruption in the transit sector, as airlines and public transport continue to incur losses due to the presence of the virus and imposed defensive measures. This has severely limited their actions and recovery strategies.
But what constitutes good resilience planning?
In the words of Lord Baden-Powell, founder of the scouts movement: be prepared…for any old thing. He probably did not have a pandemic in mind, when he uttered that scout motto the first time, but nonetheless being prepared is what gives us that fighting chance. In practice, to be prepared translates into having a strong, proactive understanding and control of the different factors affecting the outcome of any survival situation, as outlined in Figure 1. Moreover, as much as we would like to prepare for any eventuality, resilience planning involves choices. And you can only make the best choices if you have a proper understanding of risk and cost.
There is more to resilience planning than just infrastructure
All this brings us to an important point. There is more to resilience planning than just infrastructure. In fact, resilience planning should be embedded in the culture of an organisation, and its people, particularly if they are providing a critical service to the nation, such as healthcare, telecommunications, financial, postal, or ensuring essential supplies are available.
Resilience planning gives an organisation a strong foundation to face disruption and adversity. This increases their chances of survival, ensuring they can react appropriately, readily accept and adapt to the situation, and eventually recover their operations in a cost-effective manner. Here is what it entails:
Organisational culture and communication arguably constitute the backbone of resilience
You must ensure that the people in your organisation can readily get their act together when faced with the unexpected. Everyone must be aware of their responsibilities. This includes the leadership and external stakeholders who must clearly understand what is expected of them. Their role is critical in determining the priorities and strategy. All this requires buy-in from all stakeholders to ensure the team remains cohesive and productive through adversity. This can be challenging in a continually evolving situation, demanding alternative strategies. If not careful, it is easy to lose buy-in along the way, create division and make key decisions using outdated information, all of which could break you. As such, it is crucial that communication is succinct and unambiguous, which helps maintain the necessary team dynamics and continuous situational awareness for informed decision-making.
A positive attitude can help you readily accept a difficult situation, so that you can focus your effort on recovering from adversity
You should promote a positive attitude, thereby fuelling the will and drive to achieve the objectives and implement the strategy. When facing adversity, it is necessary to refrain from dwelling on negative thoughts that undermine productivity, teamwork, and your capability to overcome the crisis.
Creativity and an open mind allow you to increase the solution space to your problems
You need to be creative, but grounded. You must be ready to waive or compromise on unfounded beliefs and preconceptions, which would usually prevent you from trying out alternative options. You should be open to trying new things. You should seek to fail fast, where possible, and pivot to other options, when the chosen course is not conducive to the intended results.
The shift of the whole workforce to working remotely during the pandemic is a great example. Many employers would not have considered such a move previously, citing security and lack of productivity as potential hurdles. However, this change was forced on companies overnight, and many are now acknowledging that there are significant advantages, suggesting that remote working is here to stay.
Your timely and effective response to adversity is dependent on your capabilities, expertise, and the honed skills of the organisation
You should develop and optimise capabilities in support of your strategy and operations, contributing to a quicker and more effective response. For example, this could be by leveraging technology that enables alternative ways to automate operations or deliver services and engage with consumers, for instance, through eCommerce, mobile, IoT or Machine Learning-enabled solutions.
Furthermore, the skills, knowledge, and experience of the workforce are a key part of your operational capabilities. Therefore, you should continuously develop and expand the workforce expertise, with the goal of boosting their confidence, maximising their strengths, whilst circumventing weaknesses. To maximise resilience, it is fundamental to train a cohesive workforce that can operate as a team, rapidly reacting in an efficient and effective manner, exhibiting high expertise capable of overcoming adversity.
Moreover, you must gauge these capabilities for an early indication of what is working and what is not. These key indicators should measure and track performance in line with your objectives. This is true for normal operations, but even more important in a time of crisis. Key performance indicators provide bearings, feeding into building the situational awareness to make informed decisions.
Protect your people and other key resources at the heart of the operations – without them you are dead in the water
Your people and material assets, such as hardware, software, and data, together with procedures, make up the various information systems at the heart of your organisation. These systems enable you to keep functioning as a business. An adversity can impact the confidentiality, integrity, or availability of these resources. Therefore, it is crucial that operational resources are protected and sufficiently resilient. To maximise the resilience of your information systems:
- the right resources must be acquired and deployed,
- the resources must satisfy the necessary non-functional qualities (as applicable),
- appropriate contingency measures must be implemented, depending on the requirements, risk appetite, and available budget of an organisation.
Resilient information systems will be secure, modular, highly available, scalable, interoperable, maintainable, sustainable, and probably a few more qualities as required. Over the past years, cloud-based services have become popular as they provide and manage resilient resources on behalf of an organisation. Having said that, their increased use has also become a systemic risk, prompting calls for regulating these providers to ensure high standards of operational resilience.
And, do not forget to protect your financial resources as well
Your resilience is also crucially dependent on the financial resources at your disposal, especially, during a crisis. Therefore, you must plan contingency measures around these financial resources, including taking out insurance, establishing emergency reserve funds and seeking alternative sources of financing that can be easily tapped into during a crisis.
Learn to leverage your operational environment to seek opportunities and boost your resilience potential, whilst addressing potential threats
You must profoundly understand your operational environment, including the consumer demographics and behaviour, competition, technology and market disruptive trends, and other aspects of the environment in which your organisation operates, especially during a survival situation. Acquiring the right information in a timely manner can determine the reaction and recovery speed from a disruption or an adversity. An organisation must have mechanisms in place to continuously gather intelligence on their operational environment, feed it into its risk management process and assess its impact. This process relies on the culture and communication, capabilities, and resources of the organisation to efficiently, and effectively, build that foresight into how opportunities can be leveraged, and the risk of threats mitigated.
United we stand, divided we fall – look out for collaboration opportunities and alliances that will help you withstand adversities
You should seek to build alliances with external support systems that could be leveraged, especially, during an adversity. This is particularly important in overwhelming adversities, which would need the intervention of these support systems to increase the chances of survival. This could manifest in various forms, including a collaboration agreement with other players, support from the government, open data platforms, outsourcing opportunities, reliance on other ecosystems (e.g. identity management systems), standards and associations that provide stability in the environment. For instance, locked-down restaurants were able to scale up their food take-away service through sharing economy-based logistics services, like Deliveroo and Uber Eats, highlighting the importance of online-to-offline logistics services. In another example, several governments have stepped in to help businesses cover wages for their employees, who were at risk of losing their jobs due to the imposed lockdown measures. Perhaps the increased risk of pandemics, over the years, should warrant that joint emergency fund schemes, between the government and private industries, should be formally established to cushion the economic blow, when the world is next placed on lockdown.
Master your limitations, policies, and relevant rules and regulations, as they will constrain the type of response to adversity
Organisations operate according to certain rules and within certain constraints. The rules and constraints could be due to resource limitations, policies within an organisation or regulations imposed by third parties, e.g. government, central bank, or other regulators. These rules and constraints define the boundaries of possibilities of an organisation to react and recover from an adversity. Therefore, you should gain a strong understanding and be aware of them.
Your information system resources have their own limitations, which constrain the capabilities and operations of your organisation. These limitations are exacerbated in times of crisis. For instance, COVID-19 quarantine measures have further reduced, already limited, personnel to carry out business functions. In another example, system architectural designs have known limitations that are accepted under normal circumstances, but what is the impact of those during a disruption or adversity. You need to understand those limitations, and the associated risk. You can either accept them as is, try to mitigate them or seek to remove them. Resource limitations have a habit of coming back to bite, especially during an ongoing crisis.
With regards to rules and third-party regulations, they aim to provide many benefits, including order and stability, setting standards, ensuring fair game for all players, reducing or preventing the perpetration of crime, supporting innovation, protecting the consumers and their privacy. However, some regulations have the unintended consequence of stifling innovation and creativity. Therefore, you must look towards ways of continuously monitoring these rules and regulations, so that you can assess their implications and ensure that their intended effect is being realised.
You must build trust and promote an open dialogue with policy makers and regulatory authorities to make sure rules and regulations are there to serve and protect, rather than being detrimental. That trust and dialogue will become even more important during a crisis, where timely relaxation of rules and regulations, with the right mitigation in place, could give breathing space to struggling organisations, and enable lifesaving opportunities. A recurring topic in COVID-19 is the potential trade-off between data privacy and enabling technologies that could aggressively flatten the disease spread, hopefully, eradicating it completely, which has been extensively discussed in our webinar series. Another example featured during the pandemic is the increase in contactless limits on card payments to minimise contact that could spread the disease.
Resilience planning is a probability affair, so make sure you assess and manage your risks and costs carefully
Your choices and actions during resilience planning are driven by a solid understanding of the risks to the organisation, and the resulting impact of not being prepared for an adversity. Those risks are then weighed against the probable cost of implementing proactive measures. As such, risk management is crucial to any organisation, especially during a survival situation. The risks should be communicated clearly to relevant stakeholders, ensuring they all know what is at stake, especially the hard decisions and difficult scenarios, which would need to be considered because of those risks. Furthermore, risk management is also key to informed decision-making whilst reacting to an adversity, ensuring resources and effort are directed in a cost-effective manner to increase the chances of survival and recovery.
Lastly, be prepared by contacting us, of course, to learn more on how you can maximise your potential for resilience
If you would like to know more on how your organisation can maximise its potential for resilience, feel free to contact us. We look forward to discussing your needs and helping you understand your risks, using our tried and tested Structured Risk Analysis (SRA) method. Furthermore, we are planning a webinar that further explores the concept of resilience, with real-world examples from guest speakers. So make sure you are registered, if you don’t want to miss out.
Thank you for this very good analysis