In this series, Continuity Insights introduces you to one of the many business continuity professionals scheduled to speak at the 22nd Annual Continuity Insights Management Conference, which will take place at the Sheraton Charlotte Hotel, May 6-8, 2024.
In these times, when the need for critical information-sharing has never been greater, Continuity Insights offers insight, inspiration, and actionable ideas presented by a faculty of leading business continuity experts and practitioners. This conference provides a timely and important opportunity to share best practices, lessons learned, and effective strategies employed to ensure organizational resilience.
Here, we chat with Scott Baldwin, a BCI Board Member presenting at this year’s show.
Continuity Insights: Tell us about your background. How did you first get involved with business resiliency?
Scott Baldwin: I started out as a software engineer during the dot-com boom. As I progressed to team lead and then engineering manager, I was struck with the number of times my team would lose their code, or our closet-server would crash. Backing up and recovery of data and IT became a crusade for me. It wasn’t until 2005 that I realized there was an industry that focused on just this thing. As the dot-com bubble burst, transitioning to DR seemed like a logical move for me.
CI: What is a control-based resilience program? How does this program differ from other resilience programs?
SB: Control-based resilience programs shift the focus from traditional strategies to a more dynamic and practical approach. Traditional methods often rely on the quantity of Business Impact Analyses (BIAs), Business Continuity Plans (BCPs), and validation exercises as indicators of success. However, control-based programs prioritize operational resilience through measurable and actionable controls.
This approach offers a more nuanced understanding of a company’s ability to sustain continuous operations under varying conditions. By emphasizing tangible, quantifiable controls, these programs provide clear insights for enhancing resilience. Furthermore, they integrate these improvements into daily operational activities, ensuring a more cohesive and robust approach to resilience. This method marks a departure from ‘break glass in case of emergency’ planning, towards a practical, day-to-day application that prepares organizations to be appropriately resilient.
Not only do control-based programs provide a much better view into an organization’s true resilience capabilities, they’re also much less expensive in terms of time and engagement required from our business partners.
CI: Out of the elements that go into a control-based resilience program, why are you focusing on risk integration in this presentation? Why do you think this is important to focus on in 2024?
SB: I was close to not choosing ‘risk’ as the theme for this presentation, given how many see it as a bit dry and unexciting. This is a misconception. Risk isn’t just an intriguing and lively subject; it’s the cornerstone of any successful resilience program.
Here’s what executives really want from their resilience programs: Firstly, a clear understanding of the actual risks involved, and secondly, a solid plan on how we’re tackling these risks. If your response to this is the number of Business Impact Analyses (BIAs) you conducted, don’t be surprised if your program isn’t getting the recognition you feel it deserves. But let’s get something straight: When we talk about Resilience Risk, it’s not your standard ‘impact x likelihood’ formula, nor is it just about being ready for potential disruptions. Resilience Risk is all about the gap – which I refer to as the ‘Golden Triangle’ – between how resilient something is supposed to be and its current state of resilience.
This ‘Golden Triangle’ is the most crucial part of your program. Being able to measure this gap in clear, objective, and data-driven ways, and then outlining the steps to bridge it, is what brings real value. It’s not just about making your program look good; it’s about adding tangible, measurable value. And that’s what I’ll be focusing on – how pinpointing and closing this ‘Golden Triangle’ can significantly elevate both the perceived and actual worth of your resilience programs.
CI: What would you like your audience to take away from your presentation?
SB: In my presentation, the goal is to articulate the importance of Resilience Risk, encapsulated in the concept of the ‘Golden Triangle.’ This understanding alone can significantly enhance the effectiveness of their programs, surpassing many traditional BCM Lifecycle approaches. The primary focus of the session is to demonstrate how to utilize controls not only to identify and quantify resilience risk but also to employ these controls in creating a strategic roadmap. This roadmap will be instrumental in progressively reducing risk over time, thus evolving and strengthening their resilience capabilities.
Scott Baldwin’s Breakout Session
Risk Integration – The Cornerstone Of A Control-Based Resilience Program
Monday, May 6, 2024, 9:45am – 10:45am
In 2020, Netflix implemented a control-based program called the Unified Resilience Framework (URF) and in 2022, it was implemented at the AWS Resilience Assurance program to validate acceptance by regulatory and other auditing bodies. This session will discuss the major components of a control-based resilience program, and then walk through the first element—Risk Integration. Specifically, it will discuss why risk is the cornerstone of resilience, engaging with Enterprise Risk Management, aligning terminology, primary deliverables (scope, appetite, top risks), and integration into the resilience program. From an ROI perspective, no program is as effective as a control-based resilience capability approach.