In a recent blog post, I talked about how operational resiliency is changing the way we approach business continuity, highlighting, in the simplest terms, how operational resiliency and business continuity work hand-in-hand to make organizations stronger.

But what does operational resiliency mean for your organization? What does it actually look like in business applications?

I’ve developed this fictionalized case study to demonstrate what operational resiliency is, illustrate how it makes organization stronger, and will share tips about how you can implement operational resiliency concepts within your organization and understand its benefits—all in a convenient storytelling format.

In this case study, you’ll explore how our fictionalized company transformed its business continuity program using operational resilience principles. Here are a few highlights of the many benefits the organization experienced right away:

  • Developed the right level of resilience driven by a balance between internal requirements and our customers’ needs, expectations, and behaviors
  • Developed a digitized version of our organization’s business model and value chains, which is readily available to help everyone make informed decisions – before and during a disruption
  • Successfully navigated a prioritized, business case-driven resilience journey, informed by business data, vulnerabilities and known capabilities

Now, let’s get started on this resiliency journey with some background on our fictionalized company and their business continuity initiatives:

Why We Began Rethinking Business Continuity

With 120,000 employees and operations in 35 countries, we are a provider of premium consumer products, serving customers through a network of retailers globally, our own flagship big city stores, and an online direct-to-consumer marketplace.

We had what we thought was a great and mature business continuity program, delivering a capability that has served us well when things go wrong.

Here are some of the things we did well:

  • We established business continuity requirements at the process level through business impact analysis.
  • We highlighted disruption related risks through risk assessments.
  • We documented and regularly updated plans.
  • We employed an exercise program that demanded frequent testing and a response mechanism that was part of business as usual. (The latter gave us confidence that we had continuity covered.)
  • We used our response and recovery capabilities frequently to combat many disruptions a large enterprise like us experiences, and we always succeed.
  • With corporate resilience standards for the protection of people, property, technology, and suppliers, we ticked all the right compliance boxes and felt confident we were ready for anything.
  • Our continuity capability protected what we knew was important.

But then, like many organizations, COVID-19 shattered our confidence and made us rethink our approach.

What Forced Us to Change?

To be completely open, our executive engagement outside of a disruption was not all that great. We say that up front because we ultimately concluded that was a core issue, brought on by poor scoping and executive-level requirements setting.

That was an ongoing issue for us; then COVID-19 hit. During the pandemic, our immediate customer demand remained, but many of our core customer delivery channels evaporated as retailers locked down. Consumer behavior changed almost overnight, stressing our online presence and end-to-end supply chain. Stock levels rapidly depleted with slow replenishment.

Our customer-facing business transformed in response, while many of our staff transitioned to working-from-home for the long haul.

To make matters worse, we had always looked at business continuity through a 30-day lens, meaning we planned for disruptions at a more tactical level – around disruptions we assumed would be resolved within a month.

Did we really believe a pandemic would play out on a global stage for more than a year? Few, if not anyone, would answer yes.

Even with the challenges, we got by, but it stretched our staff, required us to think outside the box, rapidly accelerated digitalization projects and dented our continuity confidence. Our executives questioned the value of our work and our preparedness efforts to date.

We had followed business continuity best practice and had a list of accomplishments to note, so why did those continuity capabilities, which served us well, offer so little during the pandemic?

Our Blind Spots

With pandemic challenges highlighting program short-comings, we asked ourselves, ow do we re-build confidence for our executive team and all stakeholders so we’re ready for the next severe, but plausible disruptive event?

At the same time, we saw people step up, forming operational teams to plan ahead. The most effective plan-ahead teams explained to us what information they needed to be most effective.

Rather than wait until the end of COVID-19, we got to work right away. We found ourselves asking more questions and most of them started with “What if…”.

The Path Forward

We looked for answers to our core questions and found them in emerging operational resilience principles and thinking, supported by Riskonnect and its unique Business Continuity Operating System (BCOS).

Riskonnect’s thinking was different. It did not replace everything we were doing, but instead it re-positioned some key aspects of continuity and brought focus to missing parts of our program.

BCOS, specifically, introduced a new way of strategically focusing our program on products/services, customers, and markets, as well as channels that connected our suppliers through us and onward to our customer.

Equally powerful, BCOS led with a narrative and language that made it simple, practical, and easily accessible to everyone.

To us, whether you call it continuity or operational resilience really doesn’t matter. It’s all about starting with strategy and then getting into the weeds to work out the details.

Disruption is Inevitable

We also adopted a change in philosophy, starting at the top with our products/services and continuing with an underlying assumption that disruption is inevitable, a key tenet of operational resilience.

Changing this mindset, to accept certainty of disruption from any source, also brought a new way of re-focusing our priorities. It was a key departure from our risk-based thinking.

Riskonnect supported us with the BCOS Frame process to re-visit four key questions:

  • Why are we doing business continuity?
  • What are we trying to protect?
  • How much business continuity do we need?
  • Who should be involved in the program?

It was around questions two and three that a light bulb moment happened for us.

Looking Outward for Inward Guidance

Riskonnect helped us re-imagine what we are trying to protect from an external viewpoint, looking at the products and services from a consumer and market perspective.

We simplified a list of product/services to describe outcomes our end consumer wanted to obtain value from. These outcomes represented the value creation parts of our business model and the areas that contributed most to our brand.

The Frame Process

The Frame process led our program management team to prepare a scoping recommendation using simple, customer-centric service statements such as “I want to place an order online,” “I need support with a product I have purchased,” and/or “I want to be the first to buy your new product.”

What was important was how we could easily work out the value created through these services, for the first time, quantifying the value at risk.

Coupling this with simple metrics such as volume of transactions, which alternate channels are available, and how quickly customers could find alternates from a competitor, this new thinking allowed us to easily decide which customer-centric services were most important and how we needed to prioritize each for resilience.

Next, we looked at answering “how much business continuity do we need?” For each service, we looked at impact built over time, over much longer periods than one month out (which was our existing planning horizon.) That’s because we learned from the COVID experience that we needed to look much further out.

We looked at impact in three main impact categories:

  • To the customer by not being able to obtain service outcomes
  • To the market in which we operate (we are a significant market-shaper and carry huge brand equity)
  • To the organization’s viability and soundness (internal pain)

Our focus before embarking on our new operational resilience journey had been almost exclusively on internal pain (although we tried to model customer expectations to a certain degree). Instead, a focus on an external view gave us different results and challenged our old assumptions on priorities.

We worked through making a recommendation on impact tolerance for each service that included a time (the maximum tolerable period of disruption), but also on how much capacity could we afford to lose in the context of customer, market, and internal pain.

Coupled with impact tolerance, we also identified some plausible scenarios, in a different way than we had before.

Taking probability out of the equation, we leveraged our COVID learnings to focus on big “loss of” scenarios that impacted important business service delivery. We looked for large-scale disruptions that impacted others in our sector, ones that previously we didn’t think could happen to us.

Riskonnect’s software pulled together all of this information – the identification of proposed, important business services, impact tolerances and plausible scenarios – to form a steer report, created as a pre-read with our senior executives, to get their feedback and endorsement of our conclusions.

Program Transformation

Being able to clearly articulate when impact became intolerable (for ourselves, our customers, and the market)—and doing this directly against the value creation aspects of our business model—created links to revenue streams, which subsequently made it easy to decide “what are we trying to protect” and brought “how much business continuity do we need.”

From then on, the rest of our journey was relatively simple.

  • Leveraging the value of the work we had already done we mapped our departments, activities, and resources end-to-end in support of the services we agreed upon in the Frame process with senior executives.
  • By digitizing our organization end-to-end, we easily identified gaps and saw where our previous priorities did not align with this new viewpoint.
  • We learned where our internal assumptions on importance were off.
  • We could start to see failure points, where we were single-threaded, not only internally, but in our supply chain and also in our channels to our customers—all in the context of customer and market outcomes in addition to internal pain.
  • We revisited our internal resilience standards against these new priorities, updated our control assessments and discovered hidden cracks, areas where we needed to invest more in resilience.
  • We even identified some areas where we could invest less.

Today, our program is protecting our business model, as well as the value-creating activities and resources, all based on value-at-risk prioritization.

For the first time, we are proactively effecting change to drive the right level of resilience. If only we had done this last year.

Next Steps

If you’re not sure how to address COVID-19 lessons learned or how to achieve strategic program transformation using operational resilience philosophy, it’s worth it to invest some time here. Skimming this blog and filing it away “for future use” won’t get you where you want to be.

With the help of our solutions, this can be your reality:

  • The ability to map readiness to what matters to your senior leadership team, customers, and regulators.
  • Illuminating hidden cracks in your organization with the goal to decrease the frequency of disruption.
  • Developing a digitized model of your organization you can mine, with the goal of speeding up disruption response.

Make the time to map your journey to a more strategic operational resilience mindset.

If you’re ready for help to quickly get results, book a strategy session with a member of the Riskonnect team today so we can identify the best way to help you accomplish your goals!