Part of Having and promoting business resilience


Deciding on a business resilience strategy

Having used business impact analysis and risk assessment processes to identify those areas where the organisation is most at risk of disruption, senior staff must decide what approach will be taken to address the situation: what must be done to protect its operations and to allow its aims and objectives to continue to be achieved. This will be the organisation’s Business Resilience Strategy.

Several factors will affect this decision, but the most important are likely to be:

  • The risk treatment options and the organisation’s risk appetite
  • The cost of the available options to mitigate risks
  • The practical constraints that arise from the operational requirements of the organisation and the nature of the risk

Types of risk and risk treatment

Organisations will be faced with a range of potential risks and consequences. The risk that any potential event poses can be considered as a combination of its impact (how bad the consequences would be if the event occurred) and its likelihood (the probability of the event happening). For simplicity, events can be thought of in four groups which will require different risk treatments (although there will usually be a continuous spectrum of impacts and probabilities, and these will vary over time):

  • Risks that have a low likelihood and low impact – these may require no specific action and may be dealt with through generic arrangements
  • Risks that have high likelihood and low impact – these may be regarded as a normal operational overhead, similar to “wear and tear.” To some extent they should be expected, but they may still be monitored and managed to reduce likelihood, impact, and costs. They should not constitute emergencies
  • Risks that have high likelihood and high impact – these will require close attention. Organisations should normally have arrangements to mitigate these risks and to respond to their consequences. Under the Civil Contingencies Act, Category 1 responders have a duty to do so
  • Risks that have low likelihood and high impact – these are often the most difficult risks for senior staff to determine a strategy for. Expending effort on risk reduction and response arrangements may seem a poor investment if the event does not occur, but the costs could be very high if it does. Because of the rarity of these events, detailed analysis may not be possible and the willingness of senior staff to “live with the risk” – their risk appetite – will be a significant factor

Risk treatment options

There are a number of strategies that can be adopted to manage risks. These include:

  • Do nothing – in some instances senior managers may consider the risk to be acceptable
  • Mitigate – take steps in advance to reduce the likelihood of the disruptive event, or to lessen its impact should it occur
  • Change, transfer, or end the process where the risk has been identified – such decisions must be taken with regard to the organisation’s key objectives and statutory responsibilities
  • Insurance – this may provide some financial compensation or support but will not aid the organisation’s response and will not meet all losses, which may include its reputation, other non-financial impacts, and human consequences
  • Plan for Business Resilience – combine risk reduction options, a clear understanding of organisational priorities, and the ability to respond effectively to disruptions so that the loss of critical functions is minimised

The organisation may decide to combine several of these strategies and apply different approaches to different areas. Some activities might be given a high level of protection while others are left to “take their chance.” The approach may vary according to the characteristics of the asset or process that is being protected. Stock, continuous processes, organisational reputation and personnel will each need a different approach.

Support of senior staff and resourcing

Business Resilience arrangements are unlikely to be effective without the clear support of senior staff. One of the most important strategic actions will be to demonstrate executive level commitment to developing and maintaining Business Resilience. Part of this will be a decision to resource this work at an appropriate level, so that staff working on resilience are sufficiently senior and their budgets are appropriate to achieve the desired outcomes.

Organisations should determine and provide the resources needed to establish, implement, operate, and maintain their resilience arrangements to agreed standards. This should include identifying a person with executive level authority to be accountable for Business Resilience policy and implementation within the organisation.

This should be combined with formal arrangements to sign off plans and other arrangements, and with steps to ensure that resilience priorities feature in:

  • Job descriptions of senior staff
  • Departmental aims and objectives
  • Reviews of work
  • Standing agendas of senior staff and departmental meetings
  • Policy statements

Visible leadership, such as support at events and through formal and informal communications with other staff, can provide further evidence of a real commitment to resilience and contribute to developing a culture where it is taken seriously at all levels.
