Disaster Recovery Journal Spring 2023

to address the widest range of events and risks.

When you take a look at Figure-1, I’m sure you will notice that business continuity, disaster recovery, and crisis management are represented as domains here. This shows us that operational resilience deals with the issue of continuity in a broader framework, and that it is necessary to take action and communicate methodologically in very different areas.

What to do when such a wide scope comes to the fore? There is no need to panic; the important thing is to create the methodology to make the structures here operate properly. The data content and attributes may be different in the sub-details, but since the content will be very similar even in different organizations, the same structure can be adapted to many organizations with the necessary arrangements.

The most important decision here is to what extent you want to apply this structure, given the risks you have and what you aim to achieve. If you are aiming for full implementation, then you can prepare a competent, comprehensive team and get started. Otherwise, it is possible to carry out more limited, target-oriented work with a team of just a few people.

Let’s touch on these domains and the issues which may need to be addressed in detail:

1. Capacity management: determining the resources and capacity which will bring the organization back to life and ensure the smooth running of the operation.
2. Change management: by embedding change management into operational resilience, you can control IT changes to absorb, adapt, and effectively respond.
3. Communications: a communication plan should be prepared, which may include best-case and worst-case scenarios for optimal operational resilience. This plan can be used for post-crisis communication planning and identifying vulnerabilities. On the other hand, this plan can be used as a preparedness plan at the same time, so it should contain identifying and simulating teams.
4. Continuity management: performing a business impact analysis, removing critical services, and making recovery plans for a disaster situation.
5. Crisis management: creating a 360 degree perspective which will identify the current crisis and share it with all stakeholders.
6. Cybersecurity: making the necessary preparations to be vigilant and responsive to cyberattacks.
7. Dependencies: identifying critical assets and alternatives with dependencies.
8. Governance, audit, compliance: follow-up of standards and continuous monitoring of compliance with them.
9. Human resources: identifying the people who will take action and carry out the basic operation in a crisis.
10. Incident management: taking proactive action to ensure resilience and planning the necessary actions to reduce risks, especially health and safety.
11. Risk management: planning of actions to identify, monitor, and minimize risks.
12. Service management: assuring operational excellence and efficiency.
13. Supply-chain management: identifying and managing critical service providers and ensuring they will provide ongoing support in an emergency.
14. Organizational behavior: extending the operational resilience vision to the organization and testing it with practice.

It is not necessary to include all these domains in the methodology to establish organizational resilience and ensure it functions fully. As I mentioned above, it would be more appropriate to focus on the highest risk of the organization. For a large financial institution with a “high” earthquake risk level, you don’t have a chance to focus on a specific domain. In such a case, you will have no solution other than detailing all these domains to the highest possible level and operating them flawlessly.

Considering the size of your organization, the risks it has, and the economic, physical, and other conditions it is in, you can remove some domains or group them differently. The domains that need to be handled by an organization with a good infrastructure (one that has taken all precautions against risks, whose business continuity management system works flawlessly, and whose risks are very low) cannot be the same as those of an organization with the opposite processes. At this point, the most appropriate solution is to calculate the benefit/loss of operations and make these decisions accordingly.

A small example may help in understanding the methodology. If your main concern is unplanned interruptions, then you should consider continuity and related subjects like supply-chain management, communications, crisis management, and incident management. On the other hand, if your priority is cybersecurity, then the focus should be on crisis management, governance, audit, compliance, risk management, and dependencies.

Although the initial adaptation, implementation, and operation process will be more difficult and time consuming, it is our main goal to increase the resilience of the organization against all kinds of risks. You can accept the application of all these domains at the same time as a general rule.

In this article, I tried to briefly touch on the domains through which you can extend a very effective and powerful business continuity system to operational resilience by taking additional actions. What is critical here is to determine the main domains. How deep the operations carried out here go depends on the risks you have and their potential impact.

Now it’s your turn. You can immediately discuss the current risks, determine which domains to deal with, and embark on the operational resilience journey.

Hakan Kantas is an IT director who has IT experience of more than 30 years in several subjects from IT GRC to operational resilience. Currently he is working in operational resilience, IT continuity management, and disaster recovery technologies and methodologies.
