What Is Operational Resilience? And How to Ensure Your Business Thrives
Too often, businesses think they have every potential problem figured out, only to find that a small snafu cripples their operations. Not sure if your organization is vulnerable? You’ve come to the right place.
It’s not a stretch to assume that every aspect of your organization, from your people to your products or services, is vulnerable to injuries, outages, natural disasters, and other hazards that threaten your continued business stability. These risks are too numerous to account for individually. Imagine if you’re a company like Whataburger with over 900 locations spread out over multiple states! At that point, you have no choice but to resign yourself to an eternity of putting out fires (metaphorical and otherwise) while on the back foot…right?
It turns out that’s not the case. During a recent episode of The Employee Safety Podcast, Corporate Senior Emergency Manager at Whataburger, Ron Derrick, told us about the company’s commitment to preempting as many emergencies as possible and building the resources necessary to react with speed and confidence to any crises that do slip through.
Whataburger has built the “Command Center” as its internal headquarters for incident response. It’s not a replacement for first responders like police, EMS, and fire departments, but it does allow anyone at the company to escalate any situation immediately, be it a dangerous emergency or a non-life-threatening business disruption.
Whataburger’s adaptability and dedication enable the organization to withstand a wide array of threats and events. This is known as operational resilience, and it doesn’t take a massive budget or a large company to perfect it.
What Is Operational Resilience?
Operational resilience is the ability to withstand change and disruption and adapt to new scenarios, and it applies to all parts of a business. When an organization has achieved operational resilience, its business functions will continue no matter what obstacles it has to contend with, internal or external.
Operational resilience vs. business continuity
While they are related, “business continuity” and “operational resilience” are two different concepts.
Business continuity planning refers to the practice of preparing for specific, foreseeable disruptions that the business might run into. Operational resilience, on the other hand, refers to an organization’s ability to adapt to unforeseen events on the fly, without plans that are hyper-specific to the scenario at hand.
You can think of it like an actor learning to perform a role in a play. Business continuity is analogous to the actor memorizing lines they’ll recite on cue. Operational resilience is akin to the ability to improvise. If the stage production doesn’t go as planned, an actor capable of improvising will approach the problem creatively and think of their own solution on the spot so the show can go on uninterrupted. Both of these are important to put on a good play, but they are discrete skills and should not be confused.
How to Develop and Maintain Resilient Operations
If you’re going to improve your organization’s resilience management, you have to be ready to look both inward and outward for potential hazards and determine impact tolerances. Disruptions can come from outside your organization, of course, but ones that originate from inside your business can be just as devastating.
Begin with a risk assessment
All the preparation in the world won’t make your business more resilient unless you target that prep toward your specific vulnerabilities. With a proper threat assessment, you will consult both internal and external stakeholders to identify likely and impactful threats that could hamper the business. From a global pandemic to cybersecurity breaches, stakeholders should consider how those events would alter business operations.
No matter what you need to prepare for, internal and external, this assessment is the critical first step of your operational risk management strategy.
Internal resilience strategies
When organizations come to us for help with emergency preparedness, they often have external emergencies in mind—the kind of emergencies that they don’t have any control over. Think of hurricanes, wildfires, terrorist attacks, and the myriad of other events you might have worried about in recent years. However, these organizations quickly find that preparation for internal threats is equally important—maybe even more important depending on the priorities a risk assessment unearths.
IT security
Almost all business services depend on digital processes. Most financial transactions are digital, as are most internal and external business communications. Unless you take action to prevent it, your organization is leaving the cyber doors wide open for malicious actors who are looking to exploit weak passwords and bad cybersecurity practices.
Train your people to spot common phishing attempts, practice good password hygiene, and lock computers with a password when they’re not in use to avoid unauthorized access. Even if cyberattacks usually originate from outside your organization, they almost always rely on mistakes made by workers, like overused passwords.
Facility security
Similar to cybersecurity, physical security is something that many organizations don’t know they need until an emergency arises, but it is a crucial part of operational resilience. If your workplace isn’t secured from intrusion or hazardous accidents, your organization is more likely to face disruptive events stemming from facility vulnerabilities.
For one thing, your physical workspace should be resistant even to rare external events. Be it a wildfire, severe weather, or another natural disaster that could impact your location, proper building maintenance and strong weather- and fire-resistant construction materials could provide more physical resilience to your entire organization.
The other primary consideration for facility safety leaders is physical safety. If employee-only areas aren’t target-hardened against intrusion, it’s possible that a violent actor could just walk in the door. While active shooters are very rare, simple preventative measures, such as keycard entry control, video surveillance, and strong doors and windows, can deter them and other criminals, such as arsonists and stalkers.
Communication
No matter what kind of unexpected event your organization encounters, communication can help avoid further damage and keep everyone on the same page. With tools like emergency mass notification, you can easily alert anyone (or everyone) at your company who might be in danger and take the following actions:
- Warn employees of threats
- Confirm individual safety
- Activate response teams
- Send evacuation orders
Even when there is no imminent emergency, internal communication is hugely important. Business functions rarely happen in a vacuum. Depending on roles and responsibilities, people often need inputs from other teams, and the results of their efforts might be a critical service or have dependencies throughout the company. If real-time communication between departments falters and teams are operating in decision-making silos, a small snag could grow and require full-blown disaster recovery or business continuity management.
No matter the challenge, the ability to communicate quickly, easily, and effectively is perhaps the most important way of mitigating a problem and securing operational resilience.
External resilience strategies
Of course, only some of the bumps in the road are preventable. Even with prevention and response plans in place, rarely does everything go according to plan. Here’s what you can do to make your business more resistant to stumbling blocks.
Threat intelligence
If you are to protect your people and business from external dangers, you need to constantly monitor all avenues of information and weed through them to determine which are relevant. This process of monitoring and identifying hazards results in threat intelligence.
Threat intelligence enables you to identify and assess risks with the potential to impact your people or operations. You can apply this situational intelligence to help mitigate risk and avert disruptions to business processes. It’s often the first part of any emergency response and is therefore an indispensable part of operational resilience.
Speed is critical when it comes to identifying threats, since the faster you can detect a problem, the faster and more safely you can respond. That’s why enlisting an advanced threat intelligence system is so important. In fact, a Forrester study found that organizations using this kind of system are able to respond to incidents 30 minutes faster, on average, than they could without one.
External communications
When an emergency occurs, you may need to communicate with external entities. They may be first responders or concerned members of the public, and you have to be ready and able to respond quickly and confidently so you can maintain control of the situation and support the best possible safety outcomes.
One thing Jeff Hahn—a business communications expert and guest on The Employee Safety Podcast—said about external communications is that “no comment” is never an appropriate answer to a crisis. Instead, you need to have a communications team in place that is ready to activate at any time and put out a statement clarifying exactly what happened and how your business is handling it. If that information is not available, they should draft a holding statement that acknowledges the problem so as not to appear disengaged. Proactive communication should be an inherent part of crisis management.
If you aren’t able to communicate effectively with family members of employees, external service providers, financial institutions, regulators, and other groups, you run the risk of the narrative taking a counterproductive course. But these false narratives rarely grow when you’ve already communicated to clarify the details, so be proactive to inspire confidence and support resilient operations as events unfold.
Travel safety
Traveling workers are likely to face more danger and unpredictable threats than their coworkers who remain in their familiar offices. They face new, possibly unknown places while disconnected from direct support from teams like HR and IT, as well as family and friends.
Travelers rely on safety leaders when abroad, so it’s critical that you plan each business trip carefully, end to end, and keep track of where everyone is supposed to be at any given time. By keeping in touch with employees on the road and even monitoring their location data via mobile apps, you set yourself up to be resilient and respond to any travel emergency.
360° Business Resilience
The ability to stay agile even in the face of unexpected challenges with immense potential consequences is essentially all-hazards preparedness.
The all-hazards approach is a commitment to broadening your perspective as a safety leader in such a way that every possible hazard can be accounted for. This doesn’t mean meticulously planning for every single thing that might go wrong (although planning is, of course, indispensable). No, it’s meant to be a guiding principle that you need to always be aware of the situation at hand and your options for mitigating operational disruption and harm. By adopting the all-hazards approach and improving your readiness over time, your business evolves to become truly resilient.