by António Relvas on October 27, 2016
What is Resilience in an organization? The widely accepted definition is that “organizational resilience” is the “ability of an organization to anticipate, prepare for, respond and adapt to incremental change and sudden disruptions in order to survive and prosper.”
OK, the above definition is a great one, but how does an organization achieve resilience? This is the tricky part, and there are two ways that can work.
The first one, the most common I have encountered, is what I would call “go by trends & fears”. Organizations follow trends (freely, by market trends, or imposed by regulations) and/or react after an incident that occurred either to themselves or to others, and tend to implement, in a stand-alone way, the most common processes and functions that traditionally address resilience, such as Risk Management, Business Continuity, IT Disaster Recovery, Crisis Management, Information Security, Operational Continuity, Physical Security and so on.
Of course, best practice is to put these processes and functions in place (mandatory in my opinion), but when you try to implement any best practice in isolation you will always end up protecting a subset and not the organization as a whole.
The second one, which I personally support more often, is to build resilience in a supported and structured way that can be properly managed. It can justify prioritisation and be implemented so that processes and functions are but one element of an organization’s resilience web.
This starts with a proper Enterprise Risk Management (ERM) that sets out the basis for implementing and managing three main pillars of resilience:
- Security & Protection: whether applied to physical, financial, personnel, cyber, information or any other asset, aims to put in place the appropriate measures to protect against danger or loss, with emphasis on protection from dangers that originate from outside. It requires taking reasonable protective actions (for example, mitigating damage or turning assets into an unattractive target), including putting in place alternative capabilities as needed or the ability to withstand a disruption.
- Preparedness: preparedness efforts are very specific sets of tactical actions that start with basic plans, such as evacuation and sheltering plans, and go as far as addressing specific emergency management for the business functions in order to assure continuity, since the organization could be impacted in numerous functions across its whole structure. These may include human resources, strategic planning, financial management, information technology and others.
- Crisis Management: when a crisis strikes, whatever its origin (natural, man-made, internal or external), and provided the organization is prepared with a set of actions (plans) and capabilities (means), this pillar gives the organization the ability to respond and contain the situation, managing all the players (stakeholders, both internal and external) and communicating effectively during and after the crisis to manage and minimize all types of impact.
Organisations should consider putting in place an effective ERM, which will set the basis for developing the three pillars mentioned above, with a common understanding and definition of risk appetite, acceptable business impacts, and a common base for risk identification & treatment (one that captures strategic and enterprise levels of risk, which go far beyond operational risk), and then put in place the best practices that will operationalize the pillars by dealing with, or treating, the whole of the organization and not just a part of it (this is the definition of holistic). In this way, when implementing the best practices for each necessary discipline, they will be properly aligned.
Also, and most important, to gain acceptance and support for all the disciplines needed to implement the three pillars, the ERM also needs to be an effective management tool for senior management’s use, and to assist when reporting to relevant shareholders. So there is a need to step above the traditional approach (which has a defensive nature) and move forward to a more proactive, return-on-investment focus.