A new survey conducted on behalf of Sungard Availability Services asserts that resilience is no longer solely an IT issue (if, indeed, it ever was) but demands buy-in from every part of the business.
The IDG Connect online survey of IT management in companies with 500 or more employees shows resilience now has visibility among the C-suite, with almost three-quarters (72%) of those surveyed claiming to have a formal corporate resilience policy. Almost half (45%) go as far as including it in their company vision or mission statement and having a Board-level champion (44%).
With risk a perpetual force in every business, although the form it takes constantly evolves, the report states that the way organisations handle risk – the extent to which they are able to foresee the future, adapt positively to change and quickly bounce back from a crisis – will define their long-term success or failure.
The survey found reacting to incidents as and when they occur remains the most common approach to establishing organisational resilience. Just over half (53%) describe their position on unanticipated change as ‘proactive’, with 44% of firms saying they are ‘reactive’. Worryingly, a small proportion of respondents (13%) felt their company’s attitude was ‘defeatist’ when it faced unanticipated change.
While this trend is similar for organisations of all sizes, a higher percentage of smaller (500-999 employees) organisations described their approach as preventive (32%) rather than reactive (29%) or proactive (23%).
The report suggests that it may in fact be better to accept daily disruption of one kind or another as a normal state of affairs, and to build resilience into each and every business process from the ground up, to the point that adaptability and recovery become second nature. Instead of merely having a Plan B, organisations should also have plans C, D and E! However, it acknowledges that such a step change would require bold new thinking by the organisation’s leadership that transcends departmental barriers and self-interest.
Routes to resilience
Physical security was considered the most important factor (67%) in achieving resilience with IT Disaster Recovery and Information Security rated second highest (both 63%). Risk management came in third place (57%), closely followed by business continuity (54%) and crisis management (53%).
The survey quantified various resilience indicators, all of which encouragingly received high maturity ratings (over 80%) although the report’s authors note ‘there remains room for improvement in most cases’. Leadership and Unity of Purpose were the most mature resilience indicators ahead of situational awareness, innovation and creativity, a proactive posture and internal resources.
Strategic planning was felt to be the most effective way to build organisational resilience. However, all approaches to establishing effective resilience were rated ‘important’ or ‘very important’ by respondents, and the relative differences between the top-rated approaches were marginal.
Considering the role played by IT in organisations, understanding and managing risk (53%) followed by flexible working (49%) were cited as the top functions driven by advances in technology. IT teams were not thought to be heavily involved in relationship management, while over a third (37%) felt IT involvement is also absent or limited when it comes to horizon scanning.
When it comes to overcoming obstacles to resilience, effective leadership was overwhelmingly considered the most important factor with 39% of respondents citing it as ‘extremely significant’. IT infrastructure (36%) and compliance (30%) were accorded the same degree of importance. More than a third felt staff education, motivation and preparedness (27%) were significant factors but support from external business partners less so at just 16%.
Here, there were marked differences between organisations of differing sizes. The largest companies felt that IT infrastructure is their biggest challenge, indicating that current technology platforms may be holding them back in some cases. Firms in this category inevitably attribute greater importance to compliance, which is perhaps unsurprising given that the scale of their operations and revenue makes them most likely to be governed by national regulation and to have internal guidelines for resilience to which they are expected to adhere.
The standout finding of the research is what looks like a consistent mismatch between the IT department and other executives when it comes to judging current standards of corporate resilience within their organisations.
Equally, even where measures to address physical security, IT disaster recovery, information security, crisis and risk management, and business continuity have been widely adopted, they often operate in isolation and are not well integrated within the business.
Other areas with room for improvement include establishing an effective leadership team, meeting compliance requirements and training and motivating staff to be better prepared to meet challenges. The report concludes that the key to success may depend on uniting physical security, risk/crisis management and business continuity under a single framework.
Ultimately, resilience hinges on making sure everybody involved – regardless of the job they do – understands what the business is trying to achieve and is happy to work together in implementing a uniform approach.