Organizational Resilience (OR) refers to a united approach in the face of growing risks, threats and opportunities, rather than applying separate functions (e.g. security, disaster recovery, risk management, business continuity etc.), each trying to cope at different levels. OR moves beyond defensive security and what might be called a ‘protection posture’, by applying a more cohesive yet flexible approach that far from downgrading key functions such as security, both elevates and integrates such tasks by uniting polices, objectives and a shared purpose. In short, synergy replaces silos.
The objective is to enable any organization, including structures that supply it and otherwise depend on it, to absorb shocks, learn from them and be better equipped for future events. Functions such as business continuity, information security, IT disaster recovery, crisis management, physical security, environment management and operational risk management, become part of a broad corporate framework in a world that is becoming turbulent faster than organizations are becoming resilient.
An organization’s resilience, properly understood, has critical implications for its stability, competitiveness, profitability and shareholder value. One reason why Governments such as the UK[1] , Australia[2] and the US [10] are already committed to promoting OR.
Organizational Resilience Defined
The UK Government standard on OR[1] (as one example) states that it is the “capability of an organization to anticipate and respond and adapt to, incremental change and sudden disruptions in order to survive and prosper”. A succinct explanation and not that dissimilar, for example, from the definition stated by the Australian Government [2]: “a business’s ability to adapt and evolve as the global market is evolving, to respond to short-term shocks, be they natural disasters or significant changes in market dynamics and to shape itself to respond to long-term challenges”.
Perhaps the most relevant definition of OR in Canada is one put forward by IBM[3] Canada: “Resiliency is your company’s ability to protect people, assets, data and technology through proactive measures that help mitigate risk”.
For the purpose of this article I have assumed that OR is broadly the same as Business Resilience as well as Corporate Resilience. It does not equate with fusion centres where the purpose is simply to share and better manage the flow of data and intelligence across different levels and sectors. OR has a significantly broader remit to unite policies, objectives and a shared purpose with a function to absorb shocks, learn from them and be better equipped for future events.
Comments from the UK OR standard (which draws on other standards, such as Crisis Management [4] include:
- Resilience is not a choice between continuity and adaptability. Rather, it is a synthesis of both: continuity in the face of disruptive challenges, and long-term viability against a backdrop of strategic change.
- A more resilient organization cultivates a culture of shared purpose.
- Organizations should create the means, incentives and imperatives to share information about risks, incidents, near misses, vulnerabilities and opportunities, across the organization and with partners and other interested parties, including competitors where this could realize mutual benefit.
OR therefore moves from a more usual/traditional collection of silos, towards the integration of key disciplines, as shown in this diagram. This enables a 360-degree connected capability to better detect, mitigate, respond, recover, learn and adapt to any disruptive challenge that might impact either, or every layer in the organization. It can also reduce overheads by having one overall coordinator, albeit with managers at key positions, all sharing the some purpose:
It does this by integrating all those aspects of each discipline that have a common shared theme (or connection) of anticipating, responding and adapting to slow or sudden disruptions or shocks wherever, or however they might occur.
Why Organizational Resilience
In today’s increasingly interconnected world where communication is both global and instant, disasters can have a wave effect that resonates throughout the supply chain, already made fragile by cut backs and ‘Just in Time’ work practice. For example, when a disaster destroys a manufacturing plant on another continent, a supplier 1000’s of miles away is unable to meet production goals. Therefore, a crisis in one part of the world can bring economic activity to a grinding halt in another country or region. No surprise then that several governments are already signed up to the principles of OR.
On which point, the approach of any government to OR has to rely on more than just politics. It is possible that the long-term vision required to plan and create true OR could be in conflict with relatively short 4/5 year political terms of office. Such a situation offers little incentive for politicians to take a long-term rather than a short- term view as acute or short-term risks are more likely to gain attention over longer term chronic risks. Consequently, organizations and governments alike can often be focused on specific risks which may not in fact, be the greatest threat to them.
Whether it is the public or private sector, all this prompts the need for real change in crisis mitigation, security, preparedness and response from both sectors as many countries’ vital parts of critical national infrastructure (e.g. power, transport, communication etc.) are in the hands of commercial organizations, sometimes with a head office in a country distant from where the service is actually provided. All this matters in a world that is constantly changing, where crises don’t fit into precise boxes with a neat beginning and end.
Organizations (and professions) make distinctions of expertise but so far, rarely promote OR as a feature to share common doctrine and procedures, each others’ infrastructure and bases, and to be able to easily communicate with each other. This is sometimes referred to as ‘interoperability’ that has the following benefits:
- Understanding interfaces
- Collaborative work practice
- Present and future focus
- Share everything – no restrictions
- Pooling resources
- Synergy
In 2013 PricewaterhouseCoopers (PwC), a global business support organization with 13 offices across Canada, published a report on ‘Rebuilding for Resilience'[5]. This contained a series of observations, including some of the challenges that organizations might have to consider when reforming their in-house disciplines towards OR. For example, taking higher risks for the same rewards and recognizing that failures and disruptions still happen, despite heavy investments in risk management.
Case Studies
- JP Morgan Chase & Co, a successful global bank, has long applied a ‘Global Resiliency’ program designed to provide integrated firm-wide resiliency aligned to its business strategy and principles. It does this by engaging senior management on all aspects of the program, including determining the resiliency risk appetite, strategy, leadership and program oversight. Also, helping employees understand their roles and undertake validation tests and exercises for all critical functions and locations.
- In 2014 Cranfield School of Management (www.som.cranfield.ac.uk) looked at the following specimen/successful organizations who already apply OR in their report ‘Roads to Resilience’ [6]: InterContinental Hotels Group, Jaguar Land Rover, UK Olympic Delivery Authority, Virgin Atlantic and Zurich Insurance. They found that resilient companies do not just happen. They have cultural and behavioural traits that encourage all employees to be flexible, customer focused and alert to danger. In particular (a) the ability to anticipate problems before they develop, (b) flexibility to respond, (c) risk information flowed freely, (d) people and processes were in place to restore things to normal as quickly as possible and (e) the ability to learn from experience and make the necessary changes so that every event is analyzed. At Virgin Atlantic, for example, senior executives work in one corner of an open-plan office on the second floor. Colleagues can come to them with their thoughts and, of vital importance, there is a no-blame culture. To quote the head of internal audit (coincidentally on secondment from another firm): “There is an executive team who do not really have egos. They are happy for you to go and have an honest conversation with them.” As a result, vital risk and security information travels around the company and the board make well-informed decisions. This contrasts with the risk blindness evident in virtually every corporate failure identified in an earlier report by Cranfield.
- In 2010 the Australian government set out to measure and compare OR in that country. The Australian Journal of Emergency Management Volume 25 2010[7] states that ‘effective resilience management for any one organization must look beyond that single organization and consider the resilience of other organizations that it depends on…..threats can exceed the scale foreseen and planned for by an organization. The ability to survive and take advantage of these events depends on the resilience capacity of the organization. An organization wishing to survive and prosper from adversity could optimize its opportunity by enhancing its resilience attributes in preparation for such events’.
- In 2011, President Obama issued Presidential Policy Directive Eight [8] ‘to develop (ongoing) a national preparedness system with the objective of strengthening resilience in the face of terrorism, cyber attacks, pandemics, and catastrophic natural disasters’. The directive defined resilience as ‘the ability to adapt to changing conditions and withstand and rapidly recover from disruption due to emergencies.’
- In 2012 Aon Global Risk Management services published a ‘Reputation Review'[9] which found that ‘there is an 80% chance of a company losing at least 20% of its value (over and above the market) in any single month, in a given five-year period’. They conclude that ‘in an age of instant and global communications, it is more important than ever to identify emerging threats’.
Conclusions
OR offers two practical concepts of responsiveness: the first might be considered a buffer. That is a collective process to hopefully anticipate any form of shock and prepare a reaction to allow some breathing space before the organization learns and adapts.
The second might be described as adaptive capacity that combines organizational agility to adapt, along with strategic flexibility. Buffers might be important for survival, but adaptive capacity is an indicator of longer-term resilience.
In a world where the extraordinary has become commonplace and the unexpected is now regularly anticipated, predictability takes on a different meaning, so the need to anticipate and allow for adaptive capacity has never been greater.
Present attitudes on trying to carry on operating through any disruption, damage or any other challenge tend to be rooted to the world of business continuity (which seldom has enough links to physical security), being dependent on historical data, and therefore might be described as “Bouncebackability” (a word invented by football coach Iain Dowie).
However, successful organizations in the future might benefit from taking a slightly different approach if they consider the comment attributed to Charles Darwin in his 1859 book ‘The Origin of Species’ that changed forever global thinking on evolution: “It is not the strongest of the species that survives, but rather, that which is most adaptable to change”. Successful organizations might therefore adapt to change, rather than follow the Latin origin of Resilience (resalire – to spring or jump back) by going forward instead. In other words, OR with collaborative work practice, forward looking, synergy and adaptive capacity – “Bounceforward”
In 2017 the International Standards Organization (ISO) is due to publish an international standard on OR – ISO 22316[10]. This global standard will set out [1] a series of principles that govern resilience as an outcome, a state of being achieved by an organization, rather than a discipline, function or process and [2], a series of attributes of a more resilient organization, e.g. purpose, leadership, behaviours, innovation and potential strategies to enhance resilience.
There is no ‘one size fits all’ approach to OR. Sometimes there are no right answers to the questions raised. However, an organization that considers different views and opinions as an asset, is willing to learn from near misses and failures (without rushing to blame people) and enables a high level of synergy rather than silos, is likely to be well placed to demonstrate effective OR.
With today’s pervasive change and uncertainty it is no longer adequate to simply rely on security, risk and business continuity that often applies historical data to try and predict future shocks, catastrophes and crises along with their consequences. Big or small, an organization needs to anticipate, respond and adapt to incremental change and sudden disruptions, in every direction and at all levels, in order to learn, survive and prosper.
“Change will not come if we wait for some other person, or if we wait for some other time. We are the ones we’ve been waiting for. We are the change that we seek”.[11]
U.S. President Barack Obama.