08 November 2025

Strategic Organizational Resilience & Survivability...

According to the best practices from several sources, the Board of Directors is responsible for the "Strategic Resilience and Survivability" of an organization.


Let’s take a look at what the highly influential Basel Committee says about one principle as it pertains to Business Crisis and Continuity Management (BCCM):


Review and Testing of Business Continuity Plans – Basel Principle 13

“It is the responsibility of the organization's Internal Audit and Business Continuity functions to ensure that all of the organization's business continuity plans are tested and reviewed on a periodic basis to spot incorrect assumptions, oversights or changes to equipment, and employees and to identify any changes in business requirements not reflected in specific plans. Any undocumented requirements must immediately be documented. In addition, appropriate information owners and users must be informed of updates to plans.”

The Basel Accord for large global money center institutions says you have to test all of your suppliers and their plans so that you don’t have any service interruptions. The question is, how often is enough? When is the last time you knocked on the door of your Power Company, Phone Company, and Water Company and said, “I’m here to audit your BCCM plans”? And did so in every country where you operate critical information processing and personnel centers?


Having survived several large quakes in Southern California in years past, you can be sure that all of the testing in the world can't prepare people for human behaviors that come from within.


People literally lose all sense of common sense when they are on the 42nd floor of a 50+ story skyscraper and, without any warning, it physically sways a couple of feet to the left and a few more feet to the right.


Believe it: the issue is not the testing itself; it’s how to create a real enough scenario that you get similar behaviors out of unsuspecting people.

Certainly the largest organizations realize that the threats are taking on different forms than the standard fire, flood, earthquake and twister scenarios.

These large catastrophic external loss events have been insured against and the premiums are substantial.


What is less easy to analyze from a threat perspective are the constantly changing landscapes and continuity postures of the many facets of the organization having to do with people, processes and systems.


The many sources of significant loss events are changing as we speak. Here are a few that should not be overlooked:


· Public perception

· Unethical dealings

· Regulatory or civil action

· Failure to respond to market changes

· Failure to control industrial espionage

· Failure to take account of widespread disease or illness among the workforce

· Fraud

· Exploitation of the 3rd party suppliers

· Failure to establish a positive culture

· Failure in the post-employment process to quarantine information assets upon termination of employees


In summation, the following six factors are the critical aspects of effective and strategic organizational resilience and survivability:


1. Business continuity planning will be conducted on an enterprise-wide basis 24/7.

2. A thorough and continuous business impact analysis and risk assessment is the foundation of an effective BCCM.

3. Business continuity planning is more than the recovery of the technology; it is the recovery of the business.

4. The effectiveness of a BCCM can only be validated through continuous and thorough testing.

5. The BCCM and test results will be subjected to continuous independent audit.

6. A BCCM will be continuously updated to reflect and respond to changes in the organization.

Frankly, corporate directors have their hands full managing risk and continuity on behalf of the shareholders.

The risk management process will someday have as big an impact on the enterprise as other key functions because shareholders will be asking more questions about the changing landscape of managing risk for corporate governance…


01 November 2025

Be Brave: Courage to Experience Fear...

“We’re all afraid of something.  Some have more fears than others for reasons too various to quantify and examine.  The one we must all guard against is the fear of ourselves.  Don’t let the sensation of fear convince you that you’re too weak to have courage.  Fear is the opportunity for courage, not proof of cowardice.  No one is born a coward.  We were meant to love.  And we were meant to have the courage for it.  So be brave.  The rest is easy.”  —p. 206. Why Courage Matters by John McCain

What are you waiting for in your life?


Making decisions to do or act on a daily or weekly basis takes courage.  When was the last time you did something that was foreign or even fearful to you?


Before you had courage, did you ever think about how it would hurt if you fell off your bike?  And when you did, yes, it did hurt.  Did you get back on and ride home with tears in your eyes?


Before you had courage, did you ever think about asking for permission to leave home for a night out with a friend without your parent beside you?  Did you ever have a curfew of 10:00PM and arrive back home at 9:55PM with your mother sitting in the kitchen with the light on?


Before you had courage, did you ever worry that someone would reject you if you called them on the phone to ask them for a business appointment to introduce your company or product?


Before you had courage, did you ever fear investing in your future by saving 10% of every paycheck to put in a savings/investment account?


Before you had courage, did you ever fear learning how to debate on stage or give a presentation to an audience about a topic that you had become an expert in?


Afterward, did you realize that with every attempt to engage with your fears, you learned and adapted for the next attempt and gained a little more courage each time?


Of course you did.


So what are you waiting for, and why are you hesitant to get out there?  To try it.  To make your call or send your message.  Or save for your future.


After you learn to be more brave and love to practice to alleviate your fears, your life will change for the better.


Your courage to live and to love experiencing fear will make all the difference in your life.  Get out there!

25 October 2025

Life Journey: Mission Accomplished...

Remember that particular time and place when you were sitting with family having a coffee or “Hugo Spritz” enjoying the new mission view?

Then it comes over you, and that feeling of peace and joy is joined by a few small teardrops…as you lift your sunglasses to wipe them away, and you say a short silent prayer.

Your current happiness and thankfulness are what this life is all about.  After so many years of hard work and challenges at home and in your career, it all seems unreal.

You are now on a new mission with your long-loved spouse to live your life dreams and explore new experiential learning.

Whether it is in the cities along the rivers in foreign countries or in the mountains in your own USA state does not matter.  Get out there!

"If you are exploring new places, new cultures and establishing new Relationships on your journeys, you are well on your way to continued Results and new Rewards (R3)."

Think back on all the hours you worked and were clocking out after the sun went down in another city.

What about all the quiet hours on airplanes or in hotel rooms on weekly travel, all alone?

It is now time to focus on what and who you truly love.  To enjoy your newfound life experiences and to be so grateful each day.

Think about how you got here and who was by your side each time you were challenged or celebrated.

The older you get in life the more you realize that someone is watching over you.

Experiential learning begins to develop new disciplines and skills that will forever assist you in your life.

What will you learn and who will you learn with?

Surround yourself with all the right people that already have the skills you are pursuing and you will soon achieve the results you are after.

REPEAT.

After enough exercises, evolutions, classes, hops, billets, missions or sessions the rewards will start to appear.

LEARN.

Utilize these rewards in such ways that you are continuously investing them for the future.

REPEAT.

Now look out at your view today and take another sip on that drink.  Raise your cup and look up…

04 October 2025

Digital RubiCON: The Fifth Domain...

Operational Risk Management is a continuous process in the context of our rapidly expanding corporate environments. What is one example?

People traveling to emerging markets to explore new business opportunities or new suppliers that will be connected by high speed Internet connections to the supply chain management system. These boundaries of managing operational risk have not only expanded, they have become invisible.


Ru·bi·con

1. a river in N Italy flowing E into the Adriatic


—Idiom

2. Rubicon, to take a decisive, irrevocable step


This "Digital Rubicon" before us, the decision to take on a more "Active Defense" in navigating the risk across international waters of e-commerce, privacy and legal jurisdictions, will forever shape our future.


The decisions made on what constitutes an adversarial attack in the cyber domain will not be as easy as they were at the dawn of the nuclear age. Policy makers today have to weave the potential implications into a sophisticated decision tree that crosses the complex areas of intelligence, diplomacy, defense, law, commerce, economics and technology.


The new digital "Rule Sets" are currently being defined by not only nation states but the "Non-State" actors who dominate a segment of the global digital domains.


The same kinds of schemes, ploys, communication tactics and strategies are playing out online, and what has worked in the physical world may work even better in the cyber-centric environment.


Corporations are increasingly underestimating the magnitude of the risk or the speed at which it is approaching their front or back doorsteps.


The private sector is under tremendous oversight by various regulators, government agencies and corporate risk management. Yet the "public-private" "tug-of-war" over information sharing, leaks to the public press and WikiLeaks incidents has everyone on full alert.


As the government has outsourced the jobs that will take too long to execute or in which the private sector is already an expert, operational risks have begun to soar.


As the private sector tasks morph with the requirements of government, you perpetuate the gap for effective risk mitigation and spectacular incidents of failure.


Whether it is the failure of people, processes, systems or some other clandestine event doesn't matter. The public-private paradox will continue as long as the two seek some form of symbiosis.


The symbiotic relationship between a government entity and a private sector supplier must be managed no differently than any other mission critical resource within an unpredictable environment.


Once an organization has determined the vital combination of assets it requires to operate on a daily basis, then it can begin its quest for enabling enterprise resiliency.


The problem is, most companies still do not understand these complex relationships within the matrix of their business and therefore remain vulnerable.


The only path to gaining that resilient outcome is to finally cross that "Digital Rubicon" and realize that you can no longer control it.


The first step in any remediation program is to admit the problem and to accept the fact that it exists.


Corporate enterprises and governments across the globe are coming to the realization that the only way forward is to cooperate, coordinate and contemplate a new level of trust...

27 September 2025

C²: Continuous Continuity in the Enterprise...

Many enterprises today understand the myriad of potential threats to their people, processes, systems and structures. They stand to be better equipped for sustained continuity.


Business Crisis and Continuity Management (BCCM) is a dynamic change management initiative that requires dedicated resources, funding and auditing.


Certainly the largest organizations realize that the risks are taking on different forms than the standard fire, flood, earthquake and hurricane/twister scenarios. These large catastrophic external loss events have been insured against and the premiums are substantial.


What is less easy to analyze from a threat perspective are the constantly changing landscapes and continuity postures of the many facets of the organization having to do with people, processes and systems.


The many sources of significant loss events are changing as we speak. Here are a few that should not be overlooked:


  • Public perception
  • Unethical dealings
  • Regulatory or civil action
  • Failure to respond to market changes
  • Failure to control industrial espionage
  • Failure to take account of widespread disease or illness among the workforce
  • Fraud
  • Exploitation of the 3rd party suppliers
  • Failure to establish a positive culture
  • Failure in the post-employment process to quarantine information assets upon termination of employees


Frankly, corporate directors have their hands full helping executives manage risk and continuity on behalf of the shareholders.


The risk management process will continue to have as big an impact on the enterprise as other key functions because shareholders will be asking more questions about the changing landscape of managing risk for corporate governance.


Since effective BCCM analysis is a 24/7 operation, it takes a combination of factors across the organization to provide what one might call C², or “Continuous Continuity”.


A one-time threat or risk assessment, or even an annual look at what has changed across the enterprise, is opening the door for a Board of Directors’ worst nightmare.


These nightmares are “Loss Events” that could have been prevented or mitigated altogether.


Most of the best practices talk about a BCCM plan that will be periodically updated. Periodic is not continuous. Change is the key factor here.


What changes take place in your organization between these periodic updates? How could any organization accurately account for all the changes to the organization in between BCCM updates? The fact is that they can’t.


This will change over time as organizations figure out that this is now as vital a business component as Accounts Receivable. The BCCM will become a core process of the organization if it is not already, dynamically evolving by the minute as new change-based factors take place in the enterprise.


As new or terminated employees, suppliers and partners come and go into the BCCM process, the threat profile is updated in real-time. This takes the operational management that much closer to C², or “Continuous Continuity”.


So what?


Boards of Directors have the responsibility to ensure the resiliency of the organization. The people, processes, systems and external events that are constantly changing the operational risk landscape become the greatest threat to an enterprise.


It’s the shareholders’ duty to scrutinize which organizations are most adept at “Continuous Continuity” before they invest in their future.

20 September 2025

Business Resilience: Beyond Readiness…

The continuity of your telecom operations is an operational risk that in many cases is underestimated until a significant business disruption occurs. When telecom is down, this means a combination of voice and data services that serve your business enterprise may not be available. The resilience of both the voice and data communications is the holy grail of continuity of operations and disaster recovery professionals on a global basis.

Business Resilience, and the ability to effectively anticipate or absorb the impact of an incident, whether man-made or the result of a natural phenomenon, differentiates your suppliers. When is the last time you tested your Tier I service supplier for a mission critical business process to determine their ability to keep voice and data services running during a time of crisis?


And maybe more important, is your own enterprise Incident Command system survivable so that you can provide voice leadership to your "Incident Commanders" wherever they may be located?


As we approach the middle of the Hurricane season here in the U.S., you can understand why having energy to power systems is an important aspect of most COOP discussions. This simple yet valid argument for back-up power has been going on for a decade or more.


When it comes to planning for the next Hurricane Katrina or the "Tip of the Spear" overseas operations readiness, resilient business organizations need to implement robust planning, exercises and systems to be able to overcome the operational risks that are before them.


Power blackouts are the catalyst for many risks to the critical infrastructure including Transportation, Internet, Voice communications and even those services that you take for granted like pumping gas at the local petrol station or emergency services at the local hospital. 


September is DHS Preparedness Month in the US and the focus is once again on the physical readiness of our nation.


Cyberspace as we know it is so embedded into most of the mission essential aspects of business today that our readiness factor needs to go well beyond redundant power supplies and battery backups for power.


Cyber-Readiness is a key component of any organization's plan to stay resilient in the face of a Distributed Denial of Service (DDoS) attack and other cyberspace exploits that disrupt our operations.


Do you think you're spending too much time with your team planning and training? You aren’t.


Success in your organization doesn't happen because everything goes according to the plan. It happens because you were prepared when things go wrong.


"The organizations whose team has planned for every possible scenario and trained together in live simulations will become the most successful in their strategy execution. Their missions will be accomplished on time and within budget."


Incidents of different severity and frequency are happening around you and your organization every day. Would your employees know what an incident looks like, let alone know what to do next to mitigate the risk to them and the organization?