The Road to Resilience 2: What Real Planning Looks Like

  • 24 Apr 2026
  • David

In part one of this series, I suggested that resilience requires an understanding of the organisation and its operation, needing a map of some kind so it functions efficiently and cost-effectively. In this part I will look at the planning.

When risks become a reality, the control environment provides resilience, resisting the disruption if possible. This requires the ability to detect the problem in the first instance and directives to assist in dealing with disruption.

Continuing the city analogy from part one, let us consider Manhattan and its grid system. The system was designed for efficiency and ease of use, derived from detailed surveys undertaken by John Randel Jnr from 1812 to 1817.

The plan was not embarked upon all at once. It took time, planning and implementation. This diligent surveying is comparable to what we call today business impact analyses and risk assessments. In doing the analysis, we are mapping the organisation and understanding that map with its intersections, dependencies, interdependencies, no-go areas, speed limits and resource requirements and capacities.

From plans to planning

The phrase “plans are worthless, planning is everything” is attributed to Dwight D. Eisenhower, 34th U.S. president. Professional Practice 4 (‘Solutions Design’ from the BCI Good Practice Guidelines version 7 [1]) is the planning stage, planning based on the surveys that suggest (and can be challenged and amended) tolerances, time objectives, and minimum capacity ambitions together with proposed resources to achieve an effective response.

If we as professionals “tick box” the understanding of the organisation, without real understanding and analysis of the consolidated position and map, then any form of planning becomes disjointed and siloed, rendering subsequent plans ineffective.

Let’s assume Professional Practice 4 is called “Planning” to create a resilient organisation and resilient operations. The road to resilience is defined in this stage: the map, derived from the surveys (analysis), proposes the requirements of the organisation (the system, the city) in terms of its activities and resources, exposes the potential no-go areas, offers priorities and maps interdependencies.

It offers analysis on the functionality of the grid, the map, the performance specification, specifically understanding the organisation as a system and network.

The control environment

In this planning stage, the enterprise explores how it can create the control environment that provides directives and the ability to detect issues and possibly self-heal with immediate corrective actions.

These controls provide risk mitigations, but it is actually better to focus on the control environment rather than the threats that may crystallise.

At the latter end of the control environment, we have the “responsive” controls in the form of strategies and solutions, which in effect create the performance criteria and specification for a response to a disruption to the operational activities which would deteriorate the organisation’s operating systems and activities.

The proposed responsive controls are considered against the proposed requirements of the system when it suffers a disruption.

The requirements are analysed against the costs and benefits of the responsive controls being considered. Planning the response is measured against the desired requirements, and this would lead to the approval of the planned response, or the decision not to invest in a potential planned solution.

Approved solutions would be turned into a solution specification, adding resilience to the organisation.

I have intentionally not used the acronyms used in the Good Practice Guidelines until now, but to link the dialogue to them: proposed requirements are created following analysis, these being the proposed objectives, set against tolerances.

We know them as:

  • MTPD (Maximum Tolerable Period of Disruption) - the no-go area.
  • MBCO (Minimum Business Continuity Objective) - what level of operation is required to achieve a recovered state that is sustainable and stable.
  • RPO (Recovery Point Objective) - a time-bound dependency to the time objective to provide data or information.
  • RTO (Recovery Time Objective) - a time-bound objective: when the system will recover.

Creating the proposed responsive controls is the planning stage, without which any future plans are unlikely to be effective.

The output from Professional Practice 4 is the planned, costed and agreed responsive controls that add to overall levels of resilience, together with planned, preventative controls.

The organisational surveys (analysis) have become planned additional levels of resilience. These performance specifications need to be made operational.

At this stage it is worth mentioning that supply chain resilience fits well here, and some performance specifications are provided by external providers and others require procurement activity to deliver security of supply through tender processes.

Some resilience professionals advocate working specifically with the control environment when planning, in the form of preventative and responsive controls. I concur and support this stance.

Building in resilience is not a state to achieve once. The external and internal operating context constantly changes, requirements change, and the control environment has to keep pace with changing requirements.

The end game is that we understand the organisation via the creation of a proposed mapping of it (Analysis PP3) and we design the organisation (Planning PP4) to be capable of directing and detecting when an issue arises and taking corrective and responsive actions to adapt the organisation to the issue. In this way we absorb the issue and the organisation maintains operations to an acceptable, adapted, planned-for solution, before bouncing back to the primary method of operating the systems.

About the author

David Window

Director

