Control-Based Resilience: The Future of Operational Resilience

Scott Baldwin
5 min read · Feb 21, 2024


Introduction: “You’re wasting my time!”

Over the years I’ve had the pleasure and opportunity to speak with colleagues from all over the world. I love talking about what is going well in their programs, but I am especially interested in their challenges — during which, almost without exception, one or more of the following things come up:

  1. “Senior leadership seems indifferent to our efforts.”
  2. “Engaging business partners feels like an uphill battle.”
  3. “We’re severely under-resourced for the scope of our program.”

Though these challenges may seem distinct, I think they are all symptoms of one primary problem: the lack of value that leadership attaches to our BCDR programs.

I came to this stark realization myself a decade ago when a technology VP told me very clearly that he felt BCDR planning was a total waste of his time. He let me know that he would partner with us, because he had to, but he would ensure that he provided the absolute bare minimum investment. I’ve never had another conversation quite as candid as that since, but whenever I have problems getting business engagement, or feel leadership is not invested in our success, I can’t help but attribute that candid VP’s words to their behavior.

I spent the next decade developing a solution to this challenge, which included many discussions with colleagues and experiments in program building. At the end of all of this, I’ve come up with an answer: Control-Based Resilience.

This article describes what a Control-Based Resilience program is and, later, why it’s so powerful (hint: big ROI). Finally, I will follow up with a practical guide on how to implement a strong Control-Based Resilience program for your organization.

Defining Control-Based Resilience

I think most of us in this industry have an idea of what a ‘control-based’ program means, even if only at an abstract level. Those of us who have worked with GRC, auditors, or other risk groups have seen a control-based system first-hand. However, because our traditional frameworks (BCM Lifecycle, BCMS, etc.) do not have the vocabulary or toolset to even speak about control-based resilience, applying it within our current paradigm is almost impossible.

As the name implies, a control is something that enforces (controls) a state or behavior that mitigates risk.

Our current industry training and certification approach does not work this way. What about the measures we do use, like BIAs, recovery plans and validation exercises? As anyone who has been in this business for any amount of time knows, not all recovery plans are created equal (nor are BIAs or exercises). Having a plan does not mean a department is resilient. Even if every plan is excellently crafted and effective, this barely approaches true operational resilience. The best way to illustrate this is to compare operational resilience to healthcare.

Operational Resilience: The Healthcare of Organizations

At one end of the healthcare spectrum are things like EMTs, ambulances, and urgent care. There is no denying that these play an important role in the overall healthcare system. Likewise, our traditional recovery plans and exercises are critical to preparing for and responding to the worst-case scenarios. In fact, having these plans and exercises in place and regularly reviewing them can be compared to having a trauma center nearby and a professional ambulance service available 24/7.

However, there’s a reason good healthcare doesn’t start with an ambulance ride or a late-night trip to the emergency room. Good healthcare starts with healthy habits and regular check-ins with a doctor. It would be odd to see your doctor for a yearly check-up only to be told, “You’re fine! You have a trauma center down the street. They’re great with emergencies there.” Unexpected health emergencies happen, but should knowing that there is a plan to handle urgent healthcare scenarios be a rational excuse to ignore all preventative and proactive health measures?

This is how leadership often feels about our resilience programs. They want to know about the organization’s resilience risk, and when we answer them with the number of documents we’ve created, it can reduce the value they perceive in us.

Obviously, if we want to understand our actual health, we look at and track specific data points, e.g., blood pressure, cholesterol, family history, etc. These data points can reveal potential or existing health risks. ‘Controls’ are how we mitigate (or control) these risks. For example, when it comes to the risk of high blood pressure and heart disease, a control might be our exercise habits, the quality of our diet, or, in a more serious case, whether we are taking the proper medication.

These are not emergency response activities in the way that calling 911 is; they are daily, incorporated standard operating procedures that give a persistent window into our health and risk and can help us get ahead of an emergent scenario. The point of a control-based system is to use these regular risk-assessment data points.

Likewise, in a Control-Based Resilience framework, we look at regular, everyday resilient activities and processes. One example of a control might simply be a team’s remote work practices. This capability is actually a feature of high availability, and it adds to an organization’s Operational Resilience capability score (Redundancy). Another is whether a function is performed solely by a vendor or is shared with an internal team as well; this is another ‘availability control’ (Diversity).

Conclusion

If we look at the full spectrum of healthcare, from urgent care all the way to diet and exercise, it’s clear that the vast majority of our personal care happens day-to-day and not in the emergency room. So the question is, how much can we gain by investing in the day-to-day health monitoring that can better inform our response to emergencies, or even prevent them?

It’s always a better investment to prevent an emergency than to pay for one. This is what a Control-Based Resilience program does. It identifies, quantifies and tracks the existing states and activities that we are often doing anyway. And, just like in healthcare, these proactive and standard activities have a nominal cost when compared to planning for or implementing a recovery program.

When the term ‘Resilience’ first started to become popular in our industry, I wanted to join in. I did research to try to understand the difference between BCMS and Resilience, and I must admit, I found very few concrete, actionable differentiators between the two. However, I did see a shift in the terms that began to surface and describe resilience, like ‘holistic’, ‘integrated’, and ‘cross-functional’. But they floated in the void without any description of how to achieve them. Control-Based Resilience is the framework that bridges the gap, that unifies data from all relevant sources to give an actionable, holistic strategy that truly makes Resilience justifiably different from BCMS.

In my next article I will discuss why this new approach is such a game changer from a perceived and actual value perspective. I will finish the series with some practical ways that you can implement a good control-based resilience program in your organization.
