Interview Newsletter CIRERO
Timothé Graziani – Associate Director of Cap Resiliencia – facilitator of the LATAM network.
https://www.linkedin.com/in/timothegraziani/
Portrait
Originally from the Paris region, I began my career in the Internet in 1995. It was still new and I had the chance to enter the University of Marne-la-Vallée which was particularly advanced on the subject at the time and even equipped with fiber! This key moment in my career gave me a direction: Internet and IT services for businesses, etc. I evolved within several companies in France including Orange which, among other things, sent me to the Dominican Republic for one of its subsidiaries, as part of a business continuity program. This 2-year project launched me locally and in the region on a professional and entrepreneurial level since I created my first consulting company during this period. I continued to work on the theme of business continuity, crisis management and risk management in the Latin America region but also with a few clients in France.
How did these issues lead you to question resilience?
For me, Latin America was the region where I projected myself the least at the start of my career, but after having progressed well in France, the opportunity for development abroad arose in the Dominican Republic. What particularly marked me when I settled in this country was the people who, in the face of hardships, difficult situations (economics, politics, hurricanes, earthquakes, etc.), always have a smile. Even the one who has next to nothing smiles and it was a revelation for me. On the other hand, this factor, this capacity for detachment, can also complicate the managerial relationship with American cultures. For example, IBM, with whom I worked a lot, created GBM to enable Latin American managers to manage local human resources more efficiently. I also worked in a large bank in the Dominican Republic and it was while working on the next business continuity activities that I saw the term resilience appear more and more as I read. So I created another company in 2017 – Cap Resiliencia – to dedicate myself to consulting, event creation, etc. on continuity, resilience and governance, in a context of digital transition and cyber threat.
How do you define the terms business continuity, crisis management or even resilience?
As a little boy, I wanted to be a firefighter and I see myself today as a business firefighter. There is a dimension of protection which is quite strong in these disciplines, of security, but also of change. These changes are often abrupt and massively affect certain company assets. The questions are: how to protect? how to manage these changes? and what's next? In English, the concept of preparedness links all these disciplines. The notion of preparation is the most important because we cannot predict the future exactly, in detail. There are major events, out of control, which are crises. There are more moderate events which are incidents. And business continuity consists of designing how I will recover such an asset and how to continue to deliver my products and services to my customers.
I don't use the term forecast too much. This is not very common in Latin America either, but I had this thought a few years ago. David Lindstedt and Marc Armor created a professional business continuity movement called Adaptive Business Continuity. They particularly use the term capacity. They're getting away from the notion of a plan – you know, all plans cancel each other out on contact with the enemy. We spend a lot of time writing plans that won't work because (1) we didn't foresee exactly the situation we're facing, and (2) everything is so interconnected that what affects you is more and more wide. When we plan, we make the effort to consolidate strengths, to improve, to prepare the teams... which gives the company a capacity, skills. Perhaps certain fields, including technology, engineering and computer science, which through mathematics give meaning to forecasting. But even in the field of computing, 4 years ago, we experienced a black swan of computing so it is not antithetical.
According to you, is resilience conditioned by circumstances?
When human beings are faced with circumstances much stronger than themselves, one notices that many seem to overcome the situation despite everything. We are not all made of one mind, one thought, one heart, etc. This is very relative depending on the human being, the infrastructure, the type of business, etc. We cannot rely on the single circumstance to know if the company is resilient. An organization remains complex so it takes work beforehand. Working on this capacity makes it possible to ensure a little more the probability of being resilient in a situation.
All the work I do on organizational resilience is connecting areas like security, cybersecurity, communication, etc. to work together. Synergy is key to dealing with major events and gaining this ability, although it's not 100% guaranteed. Different disciplines feed into this work, but a methodology is also needed to avoid silos. The methodical application and association of all these disciplines opens a path towards this capacity for resilience.
What is organizational resilience for you?
Organizational resilience brings together 2 terms. What is certain is that resilience, I see it as a state that appears long after the event. A major crisis, an extreme event that causes a person to lose both legs does not make them immediately resilient. If after years and years of effort, this same person becomes a Paralympic champion, then we can consider that he has shown resilience to his accident.
People and organizations must overcome events, extreme situations, to develop resilience capacities. For me, on an individual level, it must also make it possible to become better in terms of values. For the organization, it is different and perhaps even easier because it is a group of people, a group of assets who use the infrastructures and within this framework, the organization becomes better because of the preparation. At the business level too, there are also traumas that hurt people. So the idea is also to not only consider the only physical risks but also major negative changes in the environment, such as a market disruption unfavorable to the said company. And for that, we must all work together.
For example, the Basel Committee on Banking Supervision (BCBS) released its Guidance on Operational Risk and Resilience in March 2021. At the same time, the Office of the Superintendent of Financial Institutions (OSFI) released a summary of upcoming actions in areas related to non-financial risk more generally two months later. In these standards, reference is not made to the market but to what can affect you operationally. This distinction between the organizational and the operational, I do not really see it. The operational is perhaps more about the physical elements and the operational about the strategy and the image.
In itself, this is not a concern, but the first to apply these standards will be the English. However, 3 years ago, the British Standard Institute had already released the ISO 22316: 2017 Security and resilience — Organizational resilience — Principles and attributes standard, which is already on the subject. Afterwards, operational resilience risks being confused with well-done business continuity, because the term resilience is overused! I know that all these standards will arrive in Latin America within 3 years and create panic, especially since the certification bodies do not take into account the applications of resilience by geographical business ecosystems. It's a big global issue and we didn't start very well. The ISO 22316 standard also seems to me to be better positioned than the operational resilience of Basel.
Do you have articles or readings that you would like to share with the CIRERO community?
I highly recommend the book by the philosopher David Lindstedt :
I also recommend the book by Judith Rodin, who was director of an NGO on the 100 resilient cities. Paris is cited but also Santiago de los Caballeros in the Dominican Republic. Her refreshing vision made it possible to talk again about the principles of resilience.
https://www.amazon.com/Resilience-Dividend-Being-Strong-Things/dp/1610394704
In the field of business continuity, David Lindstedt and Marc Armor offer interesting reflections on this notion of capacity in their ABC program. The human being is the last asset that can save the company. This dimension is to be associated with resilience, because it is above all a human process.
And of course, the work of Nassim Nicholas Taleb, particularly on the black swan.
https://www.goodreads.com/book/show/242472.The_Black_Swan
Concluding remarks
Finally, the geographical areas do not all have the same levels of maturity on the subjects of business continuity and resilience, the same relationship to the plan, etc. The why is very important so that companies are inclined to listen to you. A reflection by region could be very interesting to measure the degree of resilience, because it is this small figure that an executive committee will want to see at the end, to take into account the risks by zone, the levels of maturity, etc. International regulations translated without adaptation in territories with distinct problems do not necessarily give good results.