As fields such as business continuity, risk management and security management, to name but a few, mature, they often split into different branches and specialities. With the multiplication of concepts and methods, the original discipline isn’t big enough to hold them all, or so it seems. Yet resilience management bucks that trend. It draws together a number of areas of expertise, including the business continuity, risk and security management already mentioned, and others such as disaster recovery and crisis, emergency and privacy management. With this unification in mind, what is the defining model?
The model often cited is the CERT Resilience Management Model (CERT-RMM). A brainchild of the Software Engineering Institute (SEI) of Carnegie Mellon University in the US, the model accepts that organisations cannot plan for every possible disruption. Instead, it proposes that hitherto separate fields should converge into a single, unified model, and that organisations should move towards this model using a process improvement approach.
Does CERT-RMM cover all the bases? Its remit is broad, including four key areas of operational assets: facilities, information, people and technology. As a description, this does not indicate the degree to which the model takes into account intangibles such as reputation and customer loyalty, which are also a part of keeping an organisation operating. However, as an SEI website page on the CERT Resilience Management Model states, the goal of the model is to improve the use of practices already in existence in organisations, rather than to replace them.
A coincidence perhaps, but the model is apparently organised by fours. Besides the four areas of operational assets, the model also splits process areas into four main categories (enterprise management, engineering, operations management and process management), and defines four capability levels for each process area: incomplete, performed, managed and defined.