Introduction

One of our specialities at GSS is training and awareness for our clients, which includes producing Playbooks on most of the technology and business frameworks. One playbook covers BCP/DRP and Crisis Management. Some organisations introduced the concept of ‘Resiliency’ a few years ago to emphasise the need for organisations to plan for continuity and disaster recovery.

This short paper introduces the framework and critiques what we think is missing, along with the areas where WEF needs to provide more clarity.

WEF Summary of the Framework

2.1 What is Resiliency versus Business Continuity and Disaster Recovery?

  • Business continuity planning (BCP, also called business continuity and resiliency planning BCRP) identifies an organization’s exposure to internal and external threats and combines and integrates hard and soft assets to provide effective prevention and recovery for the organization, while maintaining competitive advantage and value system integrity. (Elliot et al 1999)
  • A business continuity plan is a plan to continue operations if a place of business (e.g., an office, work site or data centre) or information systems are affected by adverse physical conditions, such as a storm, fire or crime, or by loss of electronic systems availability. Such a plan includes a Disaster Recovery Plan, which typically explains how the organisation would recover its operations or move operations to another location.
  • Any event that could negatively impact operations should be included in the plan, such as supply chain interruption or loss of or damage to critical infrastructure (major machinery or computing/network resource). As such, risk management must be incorporated as part of BCP.
  • A DR plan is more focused than a business continuity plan and does not necessarily cover all contingencies for business processes, assets, human resources, and business partners.
  • A successful DR solution typically addresses all types of operation disruption and not just the major natural or man-made disasters that make a location unavailable. Disruptions can include power outages, telephone system outages, temporary loss of access to a facility due to bomb threats, a ‘possible fire’ or a low-impact non-destructive fire, flood, or other event. A DR plan should be organized by type of disaster and location. It must contain scripts (instructions) that can be implemented by anyone.
  • OCEG defines Resiliency as going beyond Business Continuity and Disaster Recovery. OCEG defines Operational Resilience as the ability of an organisation to continue to serve its customers, deliver products and services, and protect its workforce in the face of adverse operational events by anticipating, preventing, recovering from, and adapting to such events. This is an essential element of what they call Principled Performance… the ability to reliably achieve objectives while addressing uncertainty and acting with integrity.
  • WEF defines it as the ability of an organization to overcome external shocks and grasp new opportunities in their wake. For companies, resilience is not the result of a single action or a single attribute but encompasses five pillars:
    • Operational resilience captures a company’s business continuity in the event of a shock
    • Strategic resilience is the ability to respond to changes in the economic, social, and political environment in which the business operates
    • Financial resilience describes the organization’s financial health in relation to its ability to weather a crisis
    • Social resilience recognizes that a company’s resilience is dependent on and interconnected with the social and political resilience of the communities in which it operates
    • Organizational resilience refers to the ability of a company’s workforce, culture, and structure to deal effectively with sudden disruptions.

WEF Process and Practices outlined

This framework is deliberately built around four key principles that will be critical for businesses to become and remain resilient in a volatile future:

  • Resolve is the organization’s will to survive.
  • Communication is necessary to move from principled commitment to developing the planning, goals and procedures that make resilience actionable.
  • Agility facilitates execution so that companies can adapt to sudden change.
  • Empowerment enables individuals to take ownership and collaborate with peers to meet new challenges.

Figure 1 More on Principles

Risk management is defined by WEF as a business function focused on assessing and controlling threats to earnings and capital and is often disconnected from day-to-day operations. Resilience, on the other hand, is woven into the core ethos of a company. Building resilience is about building the resilience mindset and operational philosophy. A company’s resilience is not limited to the risk-management function but lives across the organization and is manifest through deep resolve, effective collaboration and communication, and an agile and empowered workforce. (See our response and comments.)

What is Missing from the Framework & Comments

Figure 2

Some Comments & Observations

  • This is not meant as a criticism of the WEF. We understand that this is an introductory framework to highlight the criticality of resilience and continuity, and that it is not meant as a detailed playbook on how to implement and manage the framework.
  • However, to get buy-in from organisations, there is a need to show how it fits the existing practices, systems, and processes that many organisations have already implemented or are in the process of implementing, and how the integration should be approached.
  • WEF uses the term ‘withstanding external shocks’, but BCP and DRP are about more than withstanding external shocks. They also involve internal critical events that are caused by internal acts.
  • WEF uses the term ‘building a resiliency process to withstand future shocks’. As with risk, you cannot avoid or prevent events such as natural disasters; you manage them by being prepared with good continuity and DR planning, so ‘withstand’ is the wrong term to use.
  • WEF says that Risk management is a business function focused on assessing and controlling threats to earnings and capital and is often disconnected from day-to-day operations, while Resilience, on the other hand, is woven into the core ethos of a company. This is not true: Risk Management is a CORE Governance Process for all aspects of an organisation’s processes and systems, from technology to business process. It is true, however, that many organisations do not integrate risk into the culture and woodwork.
  • There is some redundancy in definitions between Resiliency, BCP and DRP. There is a lot of duplication which can be confusing to stakeholders.
  • In our approach we show how common frameworks and approaches overlap and align, such as the OCEG Resiliency framework, COBIT Governance Controls, ISO 27001/2 etc.
  • Finally, we can learn from the model, especially in areas of social resilience, which is quite often missing in our models and frameworks.
  • The following summarises, in our view, the missing links and how they should be aligned with the WEF framework.

Integration & Key Processes with Alignment with BCP and DRP.

Figure 4 a BCP Model we use graphically to explain BCP

  • We use a 7-step BCP process that works in a business continuity life cycle.
    1. Assessment of business value in terms of revenue, reputation, and regulation… Important input to the Risk assessment
    2. Assessing the value chain, critical business processes and current protection capabilities
    3. Creating Threat scenarios with site-specific threats for different sites, if any exist
    4. Create Recovery profile and Risk Matrix
    5. Deciding on Risk Treatment
    6. Producing BCPs and DRPs that integrate into a Crisis Management centre (to be activated when there is an alert of a critical crisis). This is a group of senior managers and support teams identified in the plans and strategy to activate the BCP and DRP (see paragraph with more explanations)
    7. Final Recovery Profile

Figure 5

Figure 6 Overview DRP Project Implementation

  • Project Initiation
    • Project Planning & Scoping
      • Major IT change
      • New Operational requirements
      • Changes that require additional budget
    • DR Location selection confirmation
  • Understand Business Requirements
    • IT, with Operational Leadership, specifies the DR requirements: Recovery Time Objective (RTO) and Recovery Point Objective (RPO). If it is an IT-generated change, then the existing operational requirements remain but the solution may change.
  • Defining Recovery strategy
    • Review the existing DR strategy, look for Single Points of Failure (SPOFs) (risk analysis), find a solution, review it with Operations, and get the funding to proceed.
  • Develop & implement the solution
    • Implementing the solution
      • Updating / writing DRPs or recovery plans
      • Removing SPOFs
      • Upgrading DR site
      • Performing the acceptance test
      • Giving the handover to IT operations
      • Install, configure, and start up DR Centre

Crisis Management Explained

In almost all assessments and audits we have concluded that this aspect is missing at Government, Regional, Local and Enterprise levels alike. You cannot activate a BCP/DRP plan without it.

What is it and why do we need it?

  • Crisis Management is more than Business Continuity and Disaster recovery Planning. This is an important part of Crisis management planning and preparedness and of course the response of the organisation.
  • It brings the recovery and continuity together. The Crisis Management Program may be activated as a result of any event that impacts or threatens to impact the safety of employees, its image, or the availability of business processes critical to the provision of products and services.
  • The Crisis Response Team (which can be virtual rather than a physical centre; selected teams are called into action when needed) must institute their emergency response rapidly to control the problem; the Crisis Management Team must be able to make informed decisions quickly; and the Corporate Affairs and Communications team members must tell the story accurately, immediately, repeatedly, and consistently.
  • Many organisations do NOT have a CM Function or process. In today’s organisations it is becoming more critical given the increase in Natural Disasters and pandemics, which are on the top 10 Risk list for 2023 from WEF. Together with the Cybersecurity Threat Landscape and Major Geopolitical events, including Terrorism, this makes it an important part of managing a business or organisation.
  • There must be a strategy and plan on how to respond, when to respond, and how to activate BCP and DRP plans.

Figure 7 Example of Threats and Events requiring activation

Figure 8 – Example of Crisis Management Team

Figure 9

Figure 10