Resilience is a word of the moment, it crops up in the UN, WEF and government. The introduction of the British Standard, BS65000:2014 and the ISO 22316:2017 has prompted debate around the concepts in these documents. This post, therefore, provides some thoughts on organisational resilience.
Firstly, what is ‘organisational resilience’? The first step is to turn to the standards definitions, while in BS65000 and ISO22316 it varies, they have the same theme:
BS65000: Organisational Resilience: “capacity of an organisation to anticipate, and respond and adapt to, incremental change or sudden shocks in order to survive and prosper”.
ISO22316: Organisational Resilience: “the ability of an organisation to absorb and adapt in a changing environment to enable it to deliver its objectives to survive and prosper”.
Both documents are for guidance and define the ‘concept’ rather than a specification. I prefer the BS definition as I feel it is clearer and enables the key components to be identified. The key words being capacity, anticipate, respond, adapt to incremental change or sudden shocks. Both have the ‘survive and prosper’. Both use the words ‘ability’ and ‘capability’ and since we are always looking for capability building in programmes, maybe the word capacity and capability require exploration? Having been involved in organisational resilience for over 30 years the measurement of capability has always been a challenge.
The definition of ‘capacity’ is multifaceted and I have fallen back on the work of United Nations and the book ‘measuring vulnerability to natural hazards’ published in 2006. This provides numerous definitions and the definitions for ‘capacity’, ‘adaptive capacity’ and ‘coping capacity’ all of which provide food for thought. The term that resonates most is as follows: “a combination of strengths and resources available within a community or organisations that can reduce the level of risk, or effects of a disaster” . ‘Capability’ seems to be easier to define – “capability is the ability to do something”.
Taking concept to practical application, the questions are: what the capacities, abilities or capabilities we need and how do we measure them. The BS and ISO provide some discussion on attributes, but these are only a guide. Recently I conducted a BS65000 review for a Chief Executive. The organisation was supplying services to critical national infrastructure and the customer wanted the supplier to be ‘resilient’. The themes chosen for the review were:
- Area 1 – Leadership and culture
- Area 2 – Strategy, governance and integration
- Area 3 – Anticipation and assessment of the risks of business disruption, incidents and crises
- Area 4 – Continuity planning and continuity incident management capability
- Area 5 – Crisis and incident management capability
- Area 6 – Linkage between operational risk controls
The product of the review was deemed to be ‘very useful’ and highlighted the lack of link between strategy, risk management, risk controls and assurance mechanisms. It was uncomfortable reading but the CEO has used it to focus the management team on driving strategy for competition and significantly building resilience measures as an essential thread in the roadmap.
There are some organisations which seem to have high coping capacity and in the main I have found these to be organisations where they have experienced events to proven the need for preparation. In trying to understand Nicolas Nassim Taleb’s book ‘Antifragile’ he says that ‘Antifragility’ is beyond resilience or robustness. He says that the resilient resists shocks and stays the same : the antifragile gets better. I admit that I find the whole book challenging to read and that I find his thought pattern hard to follow – but the pearl for me is the concept of antifragile. If ‘antifragile’ is a quality an organisation can seek, then that may be a useful concept. I think where we are going in the next decade and century means that being used to working in conditions of massive disruptive influences and uncertainty. Organisations that think about these challenge are likely to be better placed. Talib also provides the conditions that ‘fragile’ does not like, he calls this an extended disorder family (or cluster). These are worth listing as the sum of the whole provides an interesting picture: (i) uncertainty (ii) variability (iii) imperfect, incomplete knowledge (iv) chance (v) chaos (vi) volatility (vii) disorder (viii) entropy (ix) time (x) the unknown (xi) randomness (xii) turmoil (xiii) stressor (xiv) error (xv) dispersion of outcomes (xvi) unknowledge. The markets and crises in 2016/2017 so far tick a lot of these conditions! However, if you take the ‘anticipate’ or ‘adapt’ parts of the BS65000/ISO22316 definitions this is linked to strategy and innovation. A review demands how good the future/horizon scanning is and how sophisticated is the future thinking. As we are in disruptive age any business that has not thought about issues, such as AI, robotics, major advances in all manner of markets and sciences etc. will find it tough to exist in 10 years. Product lifecycles are shorter and major disruptors challenge established business models (e.g. Blackberry, the liquid fuelled car – petrol and diesel etc.).
I like the concept of anti-fragile and can see an example today. BP after Deepwater Horizon developed even deeper drilling capability and is arguably better placed to survive the current oil price slump having been through the forced (get efficient, sell off basedon value over quantity) strategy drive after the Macondo Well crisis. These are assumptions, but any organisation that has a near extinction event does have to revise and develop a new strategy. Perhaps this is the advantage of having a major but not organisation extinction event – providing you can overcome the weakness period when vulnerable (to takeover, infection etc.). Not that this is a recommendation to become resilient. A more enlightened strategy would be to commit to more developed scenario planning/analysis, crisis leadership coaching and realistic exercises. This is a cheaper way of breaking assumptions and showing the executive management the awful reality of a crisis. While ‘antifragile’ as a term may gain ground, most executives recognise the term organisational resilience, even if the next question is what do you mean by that?
- Are the BS65000 or ISO 22316 Organisational Resilience definitions useful for you? Do the OR concepts open new opportunities to further the resilience issue and engagement of head of strategy or the CEO/COO?
- Will discussions with executives be more effective using ISO22316 or BCM/ISO 22301?
- Have you thought about what the adaptive and coping capacity of the management and leadership of the organisation is and how it is quantified?
- What is the differential between the coping capacity of the organisation and the community/authorities or the infrastructure you rely on? Is this gradient fully understood and what impact will it have over a range of scenarios? Have you done any scenario planning to test your assumptions in this area?
- Can you answer the question what is the difference between organisational resilience and business continuity?
- What are the benefits of adopting OR over the current op risk controls?
- Do you really understand where you need high ‘fidelity, availability or integrity’ resilience?
- Has the BCM process defined and delivered the resilience for the organisation where arrangements are fundamental to delivery of critical processes (see BCI GPG Strategic BIA)?
- What needs to be done to develop a resilient organisation?