You have put in place all the necessary measurements to avert a crisis – your business is protected. Or is it? So many Executives think they have it right, when they really have it wrong.
Think about your organisation, and imagine the following. Crisis plans are in place. Emergency frameworks are implemented with training programs established, and even business continuity and disaster recovery strategies are present. There is principled support from the top, engagement from the middle, and leaders across the business who verbally support the need to have these ‘important frameworks in place’. There was even a consultant engaged to apply international standards to policies and plans.
Now with this progress, the Executives may have a degree of comfort (if not confidence) that capability exists to support the organisation in a crisis situation. A recent audit even came up good (or at least, not red) which is flowing through governance reporting.
Now something went horribly wrong, and capability is being put to the test. With every hour passing, it’s clear the organisation was not nearly as prepared as it thought, didn’t understand the risk exposure from very high impact (but very low probability) risk events, and confused good documentation with capability.
This story has been played many times over, and has a good chance of doing so again.
There are many case studies that provide examples of documentation being portrayed as capability, lack of understanding regarding high-impact low-probability risks, and many frameworks and functions all trying to get the attention of Executives. This leads to more confusion than clarity. Rather than a clear purpose and cohesive vision, often this results in a mash of siloed messages reaching the Executive.
Here are a few thoughts that may help break through the complexity and more importantly, simplify things for Executives and centre the discussion around risk and resilience.
Firstly; the Executives and Board should see a holistic view of your resilience capability. This means having an overarching framework for resilience that is simple, shows the relationship among crisis, emergency, security, continuity, recovery and risk.
The main difference of a resilience framework is it provides an overarching view of the capabilities, provides a foundation as to how they work together. This enables a clear definition of each area’s purpose limits, how they interact, and the relative need for the organisation.
Another benefit is the ability to measure, report, and articulate value in terms of risk. Crisis exercises with the Executive, evacuation drills, security incidents, findings from investigations, loss prevention measures, and IT recovery testing are all examples of ways to measure the capability. READ MORE