During a session at DRJ Spring World 2016 where John
Jackson and I discussed the 2016 Horizon Scan report, I was
struck by the diversity of these threats, as well as how a diverse
set of management disciplines need to participate in effectively
mitigating these risks and preparing appropriate responses.
This DRJ Spring World 2016 session also led me to reconsider
a recent position paper authored by the BCI that clarifies the term
“resilience” and its relationship to business continuity.
I’d like to note five specific conclusions from this paper that
I agree with:
1. Business continuity is not the same as organizational resilience
(which ISO 22316 defines as the “adaptive capacity of an organization
in a complex and changing environment”).
2. The effective enhancement of organizational resilience requires a
collaborative effort between many management disciplines.
3. No single management discipline can credibly claim “ownership” of
organizational resilience, and organizational resilience cannot be
described as a subset of another management discipline or standard.
4. Business continuity principles and practices are an essential
contribution for an organization seeking to develop and enhance
effective resilience capabilities.
5. The wide range of activities required to develop and enhance
organizational resilience capabilities provides an opportunity
for business continuity practitioners to broaden their skills and
knowledge, building on the foundation of their business continuity
experience and credentials.
So I’d like to end this background section with a problem:
Given the multitude of threats and their
corresponding risks that could lead to bad
outcomes for organizations, who should take
ownership of mitigating the risk associated with
the 10 threats noted above or, more broadly, the
risks that make an organization less resilient?
Three Different Roles
The business continuity professional clearly owns the responsibility to address availability-related risks – risk mitigation,
response, and recovery – that may disrupt the continued delivery
of critical products/services and lead to missed expectations. But
what about other risks and threats? Take, for example, the first
issue from the Horizon Scan report, “Cyber Attack.” What’s the
business continuity professional’s role? In my opinion, there are
1. OWNER: own and execute risk mitigation and the development of an
2. FACILITATOR: facilitate and organize the risk mitigation and
response development effort; or
3. PARTICIPANT: participate as a team member charged with mitigating
In this case, especially when the organization employs an
information security team, and when the business continuity professional doesn’t double as an information security expert, perhaps it’s the third option above. As a participant, the business
continuity professional can assist with identifying the following:
1. key users and the customers impacted by the loss of the application
and its data
2. the business impact associated with the loss of specific applications
3. a process to manage the response to a disruptive and make effective
4. an understanding of manual workarounds and alternate procedures
associated with the absence of the application and its data
What the business continuity professional is unlikely to offer:
1. techniques to ensure the malware is unable to encrypt application
2. methods to restore data to a point in time where the data was
2016 Summer 1-33.indd 10
6/30/2016 2:01:55 PM