How to Build a Resilient Organisation

18th May 2017

Rogelio Aguilar, senior consultant, Sungard Availability Services, considers what it takes to make YOUR company resilient…

Organisations today are expected to be both agile and resilient. We all have an idea what we mean by personal resilience. The individual who prospers despite the odds being stacked against them, who rises from a sink estate through hard work to reach the top in public life. But what does it mean for a company?

The most important point about resilience and the idea of rising above, or not allowing yourself to be dragged down by, adversity or a disruptive event is the aspect of emerging stronger than before. The ability to learn from the experience and improve is implicit. In the Oxford English Dictionary’s definition of resilience, the key word is ‘adaptability’, the second most important word is ‘successful’ again.

Today’s consumers have an ever-increasing expectation of 24/7 service, 365 days a year. Gone are the days when they were happy to accept downtime while a heroic recovery was executed. They would much rather trust an organisation that successfully anticipates and manages risk in a calm and measured manner.

So, what are the traits of a resilient organisation? In our view, a resilient organisation has three core elements:

  1. Strong leadership and the right culture
  2. Preparedness to meet challenges, and
  3. Good internal and external networks.

You will note that these are all inherently “people things” that also involve some processes like planning, training, sharing and learning. Essential qualities during a crisis include the ability to quickly understand what’s going on and generate shared situational awareness, being capable of making good decisions under pressure, and the skills to communicate clearly and effectively to all stakeholders.

“Gone are the days when customers were happy to accept downtime while a heroic recovery was executed.”

— Rogelio Aguilar, senior consultant, Sungard AS

Unfortunately, this being real life, there are several barriers to achieving organisational resilience. These include poor planning, complex business and IT processes, an inadequate approach to risk management and inherent structural issues. It can be difficult to get the issue of resilience onto the Board’s agenda, ensure cyber risks are included in enterprise risk management, and incorporate crisis preparedness activities into the demanding schedules of decision-makers.

If this sounds familiar, here are our tips to make your organisation more resilient:

  1. Take a risk-based approach

More and more organisations are bringing risk management into the core of their strategy and creating a C-suite role for risk and resilience on the Board. Enterprise risk management should look at all risks, not just strategic risks, and this naturally has to incorporate IT and cyber risks. Risks, as we all know very well, reflect threat and opportunity, and this requires organisations to identify and assess their risks before planning and implementing suitable risk management responses.

  2. Prioritise planning and preparation

While it is often said that ‘no plan survives contact with the enemy’, planning and preparation are vital.  Thinking ahead before you experience a crisis avoids you having to make it up ‘on the hoof’ when you are hit by a disruption.  Establishing your most likely assessed risks – in fact, taking steps to assess your risks in the first instance! – and providing guidance on responses is hugely helpful to the incident response and crisis management teams. Simple flow charts and action-oriented guidelines provide guidance and reassurance to people who will be reacting well outside of their comfort zone, possibly nervous, scared, stunned, in denial and in desperate need of leadership.

  3. Map out your ecosystem

You are likely to have mapped out your information architecture and organisational structures as part of your business continuity planning process.  But how accurate is it?  Have you really captured all your shadow IT, for example?  What about the way people actually work, rather than the way you think they work?  Then, have you considered your third parties –  and their third parties too? Given how hyperconnected the cyber world is, are you sure that your vendors’ third parties comply with necessary regulations and have watertight information security?  Under the General Data Protection Regulation (GDPR) you are likely to have joint liability with your third parties for any data breach so you need to understand what the risks are to your organisation from your ecosystem.

  4. Collaborate and share

Particularly with threat intelligence, collaboration is essential.  Ten years ago, such a suggestion would have been unthinkable, but collaboration over cyber threats goes beyond competitive advantage.  We appreciate it may be difficult for organisations to collaborate with the competition but this is just a new feature of the business landscape.  Companies need to collaborate and share internally too, with the aim of overcoming corporate silos and turf issues.  Learning from each other – within organisations, across sectors, and with third parties – takes effort and a great deal of trust, but will significantly improve your resilience.

  5. Make cybersecurity a standing agenda item for the Board

Cybersecurity is one of the biggest issues facing organisations today and needs to be front and centre of the Board agenda. But the critical point is that cybersecurity is not just an IT issue, or even an operational issue: it is one of the most pressing strategic corporate issues.

  6. Get your head around data privacy and the GDPR

With every cyberattack comes a data breach, or so it seems – Yahoo[1], Talk Talk[2], Tesco[3] and now Wonga[4].  Some are more significant than others but the simple fact is that data privacy and protection is at the heart of the GDPR which is enforceable from 25 May 2018.

  7. Develop the right skills and behaviours in leaders and managers across the organisation

And finally, it would be unreasonable for organisations to expect their people to respond effectively without some form of awareness and training in resilience. The odd individual may be a natural leader in a crisis but for the majority, some training and development will be needed. Incident response training, crisis communications, decision-making, leadership or information management – these are all skills that can be developed in people, and they sit alongside planning and preparation as a core component of preparing an organisation to be resilient.

If all this sounds too daunting to tackle alone, help is on hand from one of Sungard AS’ many knowledgeable consultants. Find out how the Resilience Consulting team can help you by calling 0800 143 413 or emailing contactme@sungardas.com.

[1] https://www.theguardian.com/technology/2016/dec/14/yahoo-hack-security-of-one-billion-accounts-breached

[2] https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2016/10/talktalk-gets-record-400-000-fine-for-failing-to-prevent-october-2015-attack/

[3] http://www.bbc.co.uk/news/business-37891742

[4] https://www.theguardian.com/business/2017/apr/09/wonga-data-breach-could-affect-250000-uk-customers