A Single Source of Truth: The Key to Organizational Resiliency and Efficiency

Siloes: they are the bane of organizational resiliency and efficiency, and they are notoriously hard to tear down. Departments that focus on business continuity, IT, disaster recovery, third-party management, and incident management all tend to function independently of one another, even though the intersection of their responsibilities is where organizational resiliency and efficiency live.

But, what if you could have a single source of truth about business data and business processes that could be shared and accessed across departments and disciplines to improve not only recovery and continuity, but overall organizational resiliency and efficiency?

That would go far toward tearing down siloes, wouldn’t it? You would be able to avoid duplicative work, address gaps that create risk, and optimize processes across the enterprise. It’s a beautiful thought … and the good news is, it is possible to achieve.

The fact is, business continuity is uniquely positioned to destroy departmental siloes and improve the alignment of various functional areas. The reason is simple: business continuity’s responsibilities involve a tremendous amount of data collection and analysis. This includes information from business impact assessments, configuration management databases, application impact analyses, technical impact analyses, and other sources. By gathering all this data into one location, business continuity can create an information foundation that can act as a single source of truth for the entire organization. By sharing the data in the information foundation across siloes, business continuity can help diverse business functions work together to optimize organizational resiliency and efficiency.

For real-world examples of the information foundation in action, read our whitepaper Creating the Foundation for Increased Business Resiliency and Efficiency.

The Uncertainty with Brexit

As 29 March 2019 nears, the uncertainty with Brexit continues to grow. Many organisations have not fully grasped what this means for their business, but it is clear that it will likely be the largest operational business resilience undertaking most UK organisations will face.

A majority of organisations are focusing on the high-level financial impacts, while ignoring business continuity and risk impacts that are no less important. Preparing financially for a completely new economic structure is imperative, but planning for other aspects such as changes to privacy and security laws, employment regulations, trading legislation, and more is still key to successfully navigating Brexit through its full lifecycle. Each upcoming change comes with its own set of potential risks, many of which organisations will have little control over.

However, many things can be accounted for by educating organisations on their operational risks along with their financial risks. Now there is no way to be fully prepared for this magnitude of change, especially right now when so much is still to be decided, but organisations must stay up-to-date to make informed decisions on new legislation, cross-border agreements, resources, residency, etc. This not only means up-to-date on the state of Brexit, but also up-to-date on organisational data necessary for business resilience.

Next, organisations must run exercises and simulations with all of the factors in line to help prepare programs for the upcoming changes. Unfortunately for many, the time given to business operational and resilience teams will probably be far smaller than that given to financial impact managers to prepare for Brexit. According to a CBI survey, 48 percent of participants said the cost required to make contingency plans is prohibitive, while 47 percent find the complexity of the information challenging.* This could lead to some organisations not running test simulation exercises as a part of their strategy, and ultimately not being prepared for the impacts of Brexit.

The heart of these issues is storing the correct information in an easily accessible vessel like an information foundation. Having clear and up-to-date access and visibility to who owns what process, site, and object transposed over the associated impacts of failure will be key to managing the threat of Brexit.

Learn more about how Organizational Knowledge Empowers Enterprises with our whitepaper!

*http://www.cbi.org.uk/cbi-prod/assets/File/FINAL-Brexit-preparedness-survey-write-up.pdf

Why IT Managers Need an Information Foundation

Business continuity’s responsibilities involve a tremendous amount of data collection and analysis. This includes information from business impact assessments, configuration management databases, application impact analyses, technical impact analyses, and other sources. Everything centers around business processes.

That brings us to the crucial point: every department has business processes, and many of these processes, along with the support they require, cross departmental siloes. For example, if IT updates an application, it can have a direct impact on finance. If vendor management chooses not to renew a contract, it can have ramifications from production to pricing to sales.

Frequently, the existence of siloes means that such connections and interdependencies are not recognized – to the detriment of the business. But, by creating an information foundation and sharing its data across siloes, business continuity can help diverse business functions work together to optimize organizational resiliency and efficiency.

The information foundation can be defined as a single source of truth about business data and business processes that can be shared and accessed across departments and disciplines to improve not only recovery and continuity, but overall organizational resiliency and efficiency. With this as the definition, it is readily apparent that the right software is key to creating, maintaining, and leveraging the information foundation. In a typical organization, IT is tasked with:

  • Providing a redundant, hardened processing environment
  • Protecting systems and data from unauthorized access
  • Ensuring that data and applications are available to meet business process requirements in production
  • Managing current capacity
  • Planning for future capacity
  • Providing for the recovery of systems and applications that support critical business processes in response to a major incident

These priorities may be applied to on-premise environments owned by the business, or toward managing a relationship with an external IT provider or cloud service. The question then becomes, what data does business continuity already have in the information foundation that could support IT with these priorities?

One place where the information foundation can be of assistance is when there is an IT storage upgrade. Take the case where an older storage frame needs to be replaced. Using the shared information foundation, the IT storage team may discover the storage frame is connected to a Linux server and the server supports a critical revenue-generating business process. Therefore, the IT storage team will need to work with the Linux team to ensure error-free operation after the upgrade and work with the process-owning business unit to investigate how an upgrade could potentially impact the revenue process should problems be encountered. Representatives from the business unit could also be engaged to validate successful process operation following the upgrade. By collaborating with these other business units, IT can make plans to upgrade the storage in a way that will not generate a negative impact on enterprise operations.

This example shows how, through the information foundation, data concerning process criticality, impacted audiences, teams and contact information, applications used, affected locations, and more are all available to IT to increase production process efficiency and reduce potential undesired ramifications, thereby increasing organizational resiliency.

Learn how to establish your information foundation.

It Takes a Community to Manage Risk Effectively

Risk managers are seeking ways to engage a broader range of the organization to keep risk management as a top priority for all. Without engagement across the organization, today’s risk manager can put the organization at greater risk by missing out on key insights that cannot be gained by relying on personal experience and training. The community has the answers (or at least the right questions) in today’s complex organizations.

Many risk management programs tend to look at external and internal risks in traditional ways, which results in programs stuck in risk initiatives that have good intentions but lack the most current operational insights. Organizations have simply become too complex to understand potential risks without engaging more constituents deeper into the extended enterprise. The challenge is how to reach those who may not be fully aware of their role in controlling risk but who are very much aware of where risk exists.

Today’s leaders seek to obtain and leverage more direct input by engaging communities of people that are not typically thought of as core to managing risk. Ideally, these communities would become occasional users of the central risk management system and contribute their unique insights to build a more complete information foundation that tells a complete picture of the organization.

A community is built around a specific purpose that can benefit both the risk manager and the users. Members of each community may not always be aware of the larger impact they are having, but when a system is effective, the community users both receive and share information in ways that expand what is possible in any risk management program, including operating efficiently and uncovering issues faster to help the organization meet its obligations to customers, shareholders and employees.

Users who make up a community that a risk manager needs to engage may not even know the other members of their community. However, the risk manager can group them together when they have similar information needs to share and gain new insights in both directions.

The positive impact of engaging broader communities in managing risk directly through their personalized view of the central risk system includes:

  • Identifying risks earlier so they can be treated or mitigated
  • Recovering faster through better planning based on community insights
  • Communicating accurately at critical times of need because the community is organized in the system
  • Reducing effort to onboard and approve new vendors, reducing risk by engaging the vendor community directly in formal risk processes
  • Engaging an executive community to drive more efficient workflows and approval processes
  • Engaging trusted vendors as part of your extended team securely
  • Providing tools for safety and security to the broad community, preventing harm and optimizing outcomes

Managing risk can no longer be done only by the few who have the words “risk manager” in their title. Organizations are too complex to rely on traditional methods to uncover internal risks, which can be akin to guessing or chance when broader communities of contributors are not engaged. Fusion can help those communities with our products and services. Find out more about how to better engage your community of users.

5 Factors for Building an Information Foundation

Companies should consider five major factors when compiling and organizing all of their components into one repository and dashboard that integrates information from multiple sources into a unified display, an approach we view as a “single pane of glass.”

1. Knowledge Must Be Consolidated

We have all seen enterprise companies where no one had an understanding of what others in the business did. IT has no clue what sales is doing, and sales doesn’t know much of what is happening in product development, and so on. People’s knowledge is limited strictly to the work they do on a daily basis. And that can lead to a myriad of problems.

If there is little to no interdepartmental communication, what will happen when a disaster – manmade or natural – strikes? It will be every department for itself; recovery and continuity efforts will almost certainly elongate or possibly fail due to a complete lack of coordination. Knowledge is power, as the old adage goes. When it comes to maintaining a streamlined and secure company, it is imperative all stakeholders have full knowledge of operations so that they can respond to any need across the organization with confidence.

The processes undertaken by an enterprise on a daily basis can number in the hundreds. It is nearly impossible to maintain organizational knowledge without a single repository where all of these processes can be viewed.

2. Command and Control

Executives never want to feel they have lost control of a potentially damaging situation. Nothing can be accomplished in the face of a disaster if leadership doesn’t have command over the events that are unfolding. Proactive planning and a firm grasp on every piece of information needed makes for the best chance at a full recovery in the least amount of time possible.

It is important to possess a software solution that pulls all of the necessary processes into that all-important single pane of glass, so everyone involved in the response has access to the most up-to-date information to efficiently execute a plan.

3. Visualization and Decision Support

There are many cases in which there are no clear and actionable steps for addressing a disaster. Businesses can choose to prepare for a potential recovery using either data (knowledge) or documents (plans). It is inefficient, ineffective, expensive, and risky to rely on documents when success versus failure can lie in the balance. Visualization and decision support can serve as a force multiplier for your teams while documents can slow you down and cause you to make costly mistakes and possibly even outright fail.

A living, virtual system can digest this information and update data in real time so that processes are always current and easily accessible. The ability to use that information to provide visual insights and deep analysis can materially change not only the effectiveness and efficiency of your teams but also the outcomes you achieve. In the face of a threat, an enterprise needs to be able to immediately contact key decision makers, review all assets, and determine which locations have been affected. People need to be able to trust this information and make decisions in real time. In other words, they can generate a reliable plan on the fly or be confident that existing plans are utilizing current information while filtering out information that is not relevant to the situation at hand.

4. Enable Wisdom

Steve Jobs once said, “Great things in business are never done by one person. They’re done by a team of people.” That is the essence of organizational knowledge. If all processes are known and accessible by every executive and employee within a company, the likelihood of recovering when a disaster strikes is much greater.

Everyone involved in a business should be able to easily view best practices and know how to implement them in the face of a threat. When stakeholders can find all of the most up-to-date information via one pane of glass, they are much more likely to educate themselves on policies across all departments and gain that all-important wisdom – not just knowledge.

Some people might see wisdom and knowledge as interchangeable. However, that isn’t the case. Knowledge by itself simply refers to information that has been acquired – it is awareness. Wisdom, meanwhile, is experience and the ability to convert acquired information into action. When we talk about “organizational knowledge,” it is really a combination of both concepts.

5. Vulnerabilities are Endless. Resources are Not.

Try as we might, it is impossible to identify, let alone plan for, every disaster that might befall an organization. You cannot solve them all, so you must prioritize.

Say you come up with 20 different scenarios in which your company is at risk. Some will inevitably be more likely to occur than others. It is important to determine which have the highest probability of occurring and which will have the most impact on your organization should they occur and use that information as your guide.

Every enterprise, no matter the size, has limited resources to dedicate to its business continuity efforts. The threats that have the highest probability of occurring, along with the highest potential impact, are obviously the ones that will require the most attention and planning. It can be viewed as a simple line graph that helps you determine how to delegate time, money, and staff.

Read more of John’s thoughts on organizational knowledge in Corporate Risk and Insurance.

4 Disruptions That Impact European Business Resilience

Our European business climate is rife with potential risks these days. Countries where the political landscape has remained relatively stable now face polarization, borders are being hardened, corporate domiciles are in flux, and the regulatory environment is becoming more complex. As the General Data Protection Regulation (GDPR), addressing individuals’ personal data, recently became enforceable, many businesses are scrambling to determine whether they are compliant or, if not, what they need to do to get there.

And with the looming economic fallout of Brexit yet to be determined, talks continue on how to undo decades of treaties and agreements with the European Union. All these serve to magnify and exacerbate what’s become the standard list of growing risks and threats affecting organizations across the globe – terror threats, data breaches, supply chain risk, and extreme weather events to name just a few. The types of disruptions that can readily impact any organization include:

  1. IT services disruption – any disruption affecting access to IT services (often referred to as “IT disaster recovery”) or the protection of critical data (often referred to as “cyber security”).
  2. Workplace disruption – any disruption of a business entity (offices, call centers, retail locations, trading rooms, manufacturing plants, labs, warehouses, etc.) as well as its critical assets such as machinery or other specialized equipment.
  3. Workforce disruption – any disruption involving personnel such that sufficient, trained and skilled employees are not available. Possible causes may include labour actions; regional disasters during which the community or public infrastructure is severely impacted; or pandemics, any of which can cause severe absenteeism.
  4. Supplier disruption – any disruption to critical suppliers, service providers, utilities and related infrastructure, or logistics that stops or slows the movement of critical products and/or services into or out of your business.

The potential for any of these to critically impact an organization based on its complex dependencies is what drives the need to operationalize risk management.

While the concepts of risk, compliance, crisis response, and disaster recovery are becoming more familiar throughout European businesses, the evolving threat landscape and growing uncertainty call into question legacy approaches to business resilience. Today, more than ever, an organization failing to prepare both strategically and tactically for any type of disruption can experience a much greater impact than it can readily absorb.

How Organizational Knowledge Empowers Enterprises

Organizational knowledge – it’s not a term commonly associated with business continuity, resilience, or disaster recovery, but it is a critical component.

First, let’s briefly explore the concept of knowledge. Merriam-Webster offers several definitions of knowledge, including “the sum of what is known: the body of truth, information, and principles acquired by humankind.” Take a London Black Cab driver as an example – they spend several years studying the streets and buildings so they can get anywhere by the fastest route by address or building name, all without GPS assistance. They each know what few others know – every nook and cranny of London. This indispensable body of knowledge gives them a strategic and tactical advantage in conducting their business.

Before I co-founded Fusion Risk Management, I was the general manager of a Fortune 500 enterprise that sold one of its subsidiaries. Of course, whenever a large acquisition occurs, due diligence is of utmost importance. The potential purchasing companies needed their teams to review all elements of the business to ensure everything was in order.

To do this, we created a “data room.” We took over a large conference room and filled it with filing cabinets, stacks of paper, and thick binders. This was the only way we could demonstrate a complete view of the business. In came hordes of people from a myriad of potential acquirers, and they spent several days to weeks painstakingly digging through these physical documents and putting all of the information they needed into spreadsheets. It’s hard to believe, but that was just in 2001. Things have certainly changed.

The “data room” we put together now seems like a relic of the distant past. Today, a business can gather all of its data virtually and store it in one place, creating a level of efficiency that was completely unimaginable less than 20 years ago. Moreover, information can be stored in its raw form rather than embedded in documents, enabling leadership to gain valuable insights and make more informed decisions.

Any business that evolves beyond a few people in a single location runs the risk of developing information silos that different departments or people are responsible for. There is not a person or group that knows every process, asset, vendor, and dependency that allows the organization to operate successfully. It is inefficient and can cost a company time and money, while also creating unnecessary risk. This leads to a fundamental need to avoid the many pitfalls of a fragmented company through the use of organizational knowledge.

An organization improves over time as it gains experience, and experience enables an organization to equip itself with a broad base of knowledge to make the best decisions for continued success. When a company commits to ensuring all leadership and employees understand the process of creating, retaining, and transferring knowledge, it is much better positioned for that success. The concept is simple – the more we understand how an organization works, the better we can understand how it might break or fail. With that knowledge, we can best implement processes to protect and recover it.

Redefining Success

Business continuity is important! What organization can succeed if it can’t ensure the flow of its products and services? Could it be that leadership still doesn’t know what business continuity is?

Before we place blame on business leaders who dismiss the relentless efforts of business continuity managers to garner support and funding, perhaps it is time to define business continuity in terms that resonate.

The challenge is to define business continuity in a way that places it in the critical path of an organization’s efforts to obtain and retain clients, not just an insurance policy that only pays off in a crisis.

The first step is to embrace the notion of “management” versus “planning.” Vulnerabilities and threats are endless, but the funds to address them are not. Every risk must be managed, but not every risk needs a plan. In fact, a successful response is more about making great decisions than it is about following a script.

The key is to position business continuity management as a critical element of the organization’s mission and success. Every organization has a responsibility to serve its customers. An organization’s ability to deliver its products and services is the core of its purpose.

A critical success factor, therefore, must be to consider the full spectrum of continuity risks that can impact the flow of products and services. It must organize, measure, and inform. It must make the leadership, and the organization as a whole, more effective and efficient in preparing for and responding to an adverse event. It must serve as a pillar in the relationship of trust that organizations have with their customers, suppliers, shareholders, stakeholders, and employees.

Success in business continuity risk management depends on building a program that enables executives to understand risks and impacts, and empowers the organization to be resilient at time of crisis. It has to be aligned with the business and connected strategically to the organization’s brand and the foundation of trust it has with customers, stakeholders and employees.

Successful programs and successful program managers are knowledgeable, organized, resourceful, and decisive. They leverage emotional intelligence and communicate and collaborate effectively. Legacy views and a focus on planning are destined to fail. Plans, as needed, must come from the strength of an informed core and a focus on compelling business priorities.

Business continuity management is fundamental to the strategic success of every organization. It lies at the core of the organization’s values and mission. Business continuity management is important. It is incumbent upon everyone involved to ensure that every effort is made to understand business continuity risks and address those that cannot be accepted.