Earlier in November 2021, I published a quick primer on the fundamentals of business resiliency…
Extending on this topic, I am delighted to present the following interview with renowned risk and resilience consultant Gareth Byatt. Besides his firm, Risk Insight Consulting, where he helps companies across a variety of industries and locations, Gareth is also a Global Ambassador with the Institute for Risk Management (IRM) and consummate researcher and writer on a broad range of risk and resilience topics.
Below you will find a written interview with Gareth where he provides additional insights into the difference between business continuity and resiliency, some high-level points on how an organization can develop its resilience strategy, and much more.
Also included below is a video portion where Gareth expands upon his answer about how organizations establish and implement their resiliency strategies.
Gareth, can you give us a brief summary of your background and what you currently do? (experience, types of companies you have worked with, industries, services provided)
My background is in engineering, project and program management in various sectors / disciplines (particularly in construction, oil & gas and IT) – disciplines for which risk management and resilience was always “my friend”. Since 2012 risk and resilience has been, and continues to be, a specific focus for me, in roles for my former employer up to 2016 and as a consultant since early 2017.
Nowadays I enjoy working for clients around the world (in a virtual manner at the moment), in various industries and sectors including aviation, construction, engineering, IT, mining, retail, and professional services.
I’m involved with various institutes, particularly the Institute for Risk Management (the IRM) for whom I am a Global Ambassador, and Engineers Australia, for whom I serve on a Risk Committee.
I carry out research and write quite a bit about various aspects of risk management and resilience. One thing I enjoy about research is that, the more I learn, the more I realise that there is more to explore and find out about (including different viewpoints and diverse ways of thinking and approaching problems and challenges). I have maintained connections with various academic institutes for several years, including the University of New South Wales, Nanyang Technological University in Singapore and the University of New Mexico.
Let’s talk about risk and resilience. So many organizations focus on business continuity. Can you please explain the difference between business continuity and resiliency?
To help explain the difference between business continuity and resilience, I’ll start by referencing some international standards definitions for resilience and business continuity (I tend to find it useful to use definitions that are agreed by ISO committees).
The ISO standard on Security and Resilience, ISO 22300:2018, defines resilience as “the ability to absorb and adapt in a changing environment”. Note that this definition does not specifically focus on a negative changing environment – though this is clearly a major focus area. This same ISO standard defines business continuity as “the capability of an organization to continue the delivery of products or services at acceptable predefined levels following a disruption.”
Taking these definitions into account, I generalise my description of business continuity as it being about “keeping the lights on when a problem occurs”, which covers all aspects of how you operate your business and fits into the broader context of resilience. Resilience is broader. It includes, but is not solely about, important elements that link with business continuity, namely emergency response (which includes the always first priority of health & safety) and crisis management. Resilience can be societal, organisational, team-related and individual-specific and it is intrinsically linked to our management of risk.
When we look at organisational resilience, any organisation that has been around for a good period of time, no matter how large or small, will have demonstrated resilience and adaptability to change as its internal and external environments have changed. Most recently, all businesses have had to demonstrate resilience, and good business continuity, during the COVID-19 pandemic. For some COVID-19 related examples, business continuity may have involved being innovative to keep people in jobs and business turnover “at least ticking over”, such as restaurants selling food to order, and manufacturers retooling their production lines to make health products. Their overall resilience will likely have involved absorbing unanticipated costs and fluctuations to orders, as well as focusing on the mental wellbeing of their people – including their eco-system of suppliers and partners. On this last point, business resilience includes a crucial aspect of the personal resilience and wellbeing of your people (including your eco-system partners and suppliers).
At a high-level, how should an organization develop a resilience strategy? And how does that strategy differ from their strategic plan?
It’s good that you raise the point about a business’ strategic plan. Achieving a good state of resilience requires you to have a risk-informed and resilient strategic plan. The actions you undertake to ensure a good state of organisational resilience need to be tied into your strategic plan and your objectives. Indeed, resilience measures can be used to stress-test your strategic plan.
Tools and techniques that we use for risk management and general business strategy and management can help us understand our state of resilience and to work out how to ensure it is purposeful and appropriate to our context.
It may be worth setting up a framework for purposeful resilience, as long as it is scaled to suit the size of your organisation and its context, and kept practical, sharp and focused. ISO 22301 (Security and resilience – Business continuity management systems – Requirements) and the accompanying standards offer guidance for resilience and business continuity, and they link to other standards such as ISO/IEC 27001 (information security management) and ISO 31000 (risk management).
I often use the following points to help work through a resilience strategy and implementation:
- Start with Why – understand your context now and for the future, define your resilience vision, your purpose, goals and linkage to your strategic plan. Ask some questions on a societal level: can you determine truly purposeful resilience that benefits your organisation and other stakeholders?
- Agree a practical approach – practical activities to embed resilience into how your organisation works, perhaps using a Plan Do Check Act (PDCA) approach to stitch it into your operational management system / framework of working. How we stitch elements together and focus on achieving key drivers of success. Don’t make it a massive program, focus in detail on communications and engagement with all stakeholders.
- Develop people – skills development and ensuring people are equipped with tools, techniques, training, including experiential learning as a team. This includes having a clear RACI matrix style of accountability and responsibility.
- Agile implementation – agree a practical approach (inc. phasing options) to creating and using tools and techniques (analysis, plans, templates, tools, technology, testing, simulations, training) and ensure effective organisational change management.
- Good governance – stitched into how your organisation operates (including your eco-system).
- Continuous improvement – learn, improve, adapt. Have targets to measure against. Share improvements with your eco-system.
In order to help people develop their approach and consider aspects of developing people, implementation, governance and continuous improvement, I sometimes hold hackathon-style events, using real-life scenarios that people can relate to, to work out what they really need for resilience.
I also have a “Resilience Effectiveness Profile” that I use (if relevant to the context) to help organisations work through what they think they need now, and in future.
What are the biggest mistakes that you have seen organizations make when it comes to resiliency?
One factor that is sometimes underestimated is the amount of focus we need to have on our overall eco-system of partners, suppliers, customers and society, which means working with them and understanding their needs and their ideas. We can’t just focus on our own activities; we exist in a network, and we need to understand how to ensure a good state of resilience with our partners and key stakeholder groups.
Second, a linked factor to my first point is the risk of not paying enough attention to interdependencies. Resilience activities cannot be performed in a siloed type of manner. Things need to be joined up: we need to see how interrelationships exist. Sometimes, we can uncover surprising things when we delve in “a few degrees of detail.” Of course, this is good general business practice, it’s not purely a resilience benefit.
Third, I mentioned the “Plan Do Check Act” model earlier. I’d say that we need to ensure that enough time goes into the “Check and Act” parts. For this, we shouldn’t rely on holding big exercises to test resilience (though they do of course have value) – small, regular checks and tests (desktop and in practice) add just as much, if not more, value.
Can you describe an example of good resilience?
I have been fortunate to work with clients that have successfully stitched resilience practices into their operations, and to see tangible benefits from these activities.
There are some excellent examples of sector-wide resilience. For example, the telecoms and Internet infrastructure around the world has proven very resilient globally during the COVID-19 pandemic, when people all around the world have depended on these networks even more than usual.
To give you an example of a specific international case that demonstrates good resilience in response to an incident, consider the incident that occurred on Qantas flight QF32 on November 4, 2010. To cut a long story short, Qantas has an excellent safety record, and when one of the engines on the A380 Airbus for flight QF32 exploded shortly after take-off from Singapore (heading to Australia), the crew immediately sprang into action, as did the Qantas business on the ground. The plane landed safely back in Singapore and Qantas handled the whole situation extremely well (with an excellent focus on safety and the passengers).
You can read about my interview with the Captain of flight QF32, Richard de Crespigny, here.
In today’s world, we are navigating through increasing uncertainty. What are three pieces of advice you would give organizations to ensure that they are resilient?
First, I would always bear in mind that to have a good state of resilience requires us to be on alert for and to anticipate changes, and to be ready to respond. Frameworks such as the Cynefin Framework may help you to think about the context and environment that you are working in – is it simple, complicated, complex or chaotic?
Second, remember that “it’s not just about us”. Good resilience means working purposefully with our eco-system partners and considering societal and community activities that we can help and support.
Third, look after your people and their resilience. Invest in and support them in their wellbeing (mental and physical health).
In case it may be of interest, here’s a piece that I wrote for the IRM in 2021 about “achieving cooperative resilience”.
I want to thank Gareth for offering his time and insights to help us learn more about how we can improve resiliency and ensure our organizations’ survival well into the future.
Does your organization prioritize resources to improve resiliency beyond the short- and medium-term?