Citrix
Business continuity adverts
Monthly newsletter Weekly news roundup Breaking news notification    

Organizational resilience

Get free weekly news by e-mailWhat is resilience and what benefits does it offer? Is it an attempt to re-brand business continuity – to give it a new coat of paint? Or, is it an enabler for business continuity practitioners to provide an enhanced level of service to their stakeholders?

By Robert Oldfield, group risk officer, QBE Insurance (Australia) Ltd.

Statement of purpose

Resilience - a word that we hear on a daily basis. Acknowledging that resilience can be targeted at multiple levels within a society, the word resilience may be preceded by: corporate, business, enterprise, emotional, individual, organizational, sectoral or societal. In each case the objective may be different: however each has common core elements, such as the ability to absorb change gracefully and remaining stable in a turbulent environment.

So what is resilience and what benefits does it offer? Is it an attempt to re-brand business continuity – to give it a new coat of paint? Or, is it an enabler for business continuity practitioners to provide an enhanced level of service to their stakeholders? Firstly, let’s explore the origins of the word, how it’s currently being interpreted by organizations and what opportunities are evident, for those living in the new world.

The word resilience is derived from the Latin words resiliens and resilire – first recorded in 1626 - meaning ‘to rebound’. In 1973, Crawford Holling introduced two further definitions of resilience. The first, and the more traditional, concentrates on stability near an equilibrium steady-state, where resistance to disturbance and speed of return to the equilibrium are used to measure the resilience. Holling defined this as engineering resilience. Business continuity practitioners will recognise that this is very much related to the process of recovery.

The second definition emphasises conditions without an equilibrium steady-state, where instabilities can change a system into another state or behaviour. In this case resilience is measured by the magnitude of disturbance that can be absorbed before the system restructures into something new. This Holling termed as ecological resilience and it’s this term that’s challenging some business continuity practitioners.

The objective of this article is to:

* Highlight the changing environment in which we live and work;
* Stimulate thought regarding the issues associated with the common processes to identify and measure risks;
* Challenge the generally accepted belief that recovery to the point prior to an incident is appropriate; and
* Discuss the elements and the associated benefits of a truly integrated resilience program.

The environment

Every business continuity practitioner must surely acknowledge that the world is changing at a frightening rate. Some believe that the advances in our knowledge and capabilities have made us immune to collapse. This belief is challenged by Debora MacKenzie, of the New Scientist, who wrote “As the networks that connect us become ever more intricate and finely tuned, modern civilisation is becoming increasingly vulnerable”. Mackenzie suggested that “once society develops beyond a certain level of complexity it becomes increasingly fragile, where a minor disturbance may bring everything crashing down”. In his book The Collapse of Complex Societies, Joseph Tainter discusses a possible cause of this being diminishing returns - a situation where an ever-increasing level of effort and complexity is required to support the necessary returns. As returns diminish and complexity increases, society will inevitably reach a point where complexity will outweigh the return, resulting in the balance of societal resilience being unfavourable.

With business continuity being a relatively new discipline, there’s an expectation from business that it reflects the current environment in which we live and work - where there is increasing evidence of turbulence, uncertainty, complexity, connectivity, acceleration, consolidation, globalisation and climate change. The Royal United Services Institute makes reference to the changing environment in a recent report:

“Corporate entities are facing a dazzling array of fast changing conditions from technology to terrorism, social responsibility to social unrest…all these considerations now exist in a quickly evolving and mutating context ... a company that is unable to respond to change will not survive”.

The UK Ministry of Defence’s Development, Concepts and Doctrine Centre agrees. It believes that “during the next 30 years, every aspect of human life will change at an unprecedented rate”.

Awareness of environment

Business continuity practitioners understand that the environment has changed and that they need to adopt practices that reflect this new environment. Recent research conducted by numerous experts in their field has challenged the generally accepted methods to predict future incidents and our ability to make decisions regarding the management of incidents if they were to occur.

It would appear that fear is generated whenever we discuss issues such as ‘flu pandemics or terrorism. It’s generally accepted that we fear most those things which we can’t influence and fear least those things we can influence – regardless of the actual likelihood or potential impact. Hence, history books are filled with shocking examples of occurrences that weren’t expected.

It would appear that we naturally focus on known risks that we believe we can’t influence, that generate fear, would cause outrage and are unacceptable to society. But what about the ontological risks – the unknown unknowns? In his book, The Black Swan, Nassim Taleb discusses his theories on randomness and how it contributes to organizations having a tainted view of their risk environment. Taleb highlights that we need to acknowledge that there is the unexpected. Large unexpected occurrences are generally what drive history. Most wars, pandemics and stock market crashes appear predictable when we have the benefit of hindsight. At the time, however, such occurrences generally came as a total shock. Taleb states “it’s not the forecasting errors that are a surprise, it’s our lack of awareness of it that’s the issue”. Taleb calls these surprises ‘Black Swans’.

As we all know, swans can be black or white. However, before Europeans came to Australia, there was little uncertainty that all swans were white. The ‘discovery’ of black swans in Australia shattered this belief. This highlights the problem of induction – basing a prediction or expectation on something that occurred in the past. Taleb’s analogy surrounds 1001 days in the life of a particular turkey.

“A turkey gets fed every day for 1000 days. Each feeding firms up the bird’s belief that it is the general rule of life to be fed every day by friendly members of the human race. On the afternoon of the Wednesday before Christmas, something unexpected will happen to the turkey. It will incur a revision of belief. To the turkey’s horror the evidence of induction proved to be vastly lacking with unexpected results.”

Another example…

“But in all my experience, I have never been in any accident of any sort worth speaking about. I have seen but one vessel in distress in all my years at sea. I never saw a wreck and never have been wrecked nor was I ever in any predicament that threatened to end in disaster of any sort.”

Yes, of course – the quote above is from E.J. Smith, Captain of the RMS Titanic. This quote emphasises that we may not be in a situation where we can predict the infinite future based on knowledge of the limited past.

Taleb discusses two major contributors to Black Swans: confirmation bias and narrative fallacy. The first is based on our inability to truly open our minds to new possibilities – those beyond what we think is rational based on our knowledge of the past. It’s natural for us to seek out the data that supports our belief – those occurrences which prove us correct. History is littered with tragedies where the obvious was ignored because it didn’t fit the thought pattern of the time or people involved. David Wilkinson, author of The Ambiguity Advantage, calls this the “paradox of perceptual consistency”. To support his theory, he refers to the decision made by the United States military, in 1941, to discount a British intelligence briefing regarding an imminent attack on Pearl Harbour by a Japanese Carrier Taskforce. Even though the British had broken the Japanese naval codes, the intelligence didn’t fit with the accepted belief that the Japanese fleet would be used in an attack on Manila.

Narrative fallacy is the second contributor to Black Swans. This is all about our brain’s ability to store, retrieve and interpret information. To make sense of information, we generally compare it to some pre-existing thought or event. Once we understand what the information is, we shape it so that it may be easily stored and retrieved - using a very effective indexing process. Each time we retrieve and review this information we again compare it with new pieces of data thereby altering it again, based on this new information. Therefore, our memory of a certain event changes over time.

Because we’ve manipulated and shaped the thoughts and linked them with other memories, the past appears more predictable and less complex than it actually was. We make memories into narratives to enable effective and efficient indexing - which impacts our view of the past. Therefore, if our memories of the past aren’t consistent with the unpredictability and complexity that actually existed at the time, how can we use this information to predict the future?

The reaction

In an attempt to manage this turbulent environment, most organizations have mature risk, business continuity, security and emergency management programs. Without these programs, unknown risks and vulnerabilities will go unchecked, resulting in the organization being in a constant state of mismanagement. Unfortunately, many organizations manage these programs in isolation of one another, resulting in gaps or wasted resources through overlaps. Risk managers maintain a risk register, security managers conduct a threat and vulnerability assessment and business continuity managers carry out a business impact analysis.

A resilient organization recognises the synergies between these functions. It recognises that a risk is a risk regardless of whether or not it has been identified and regardless of who identifies it. Many organizations have successfully developed and implemented an enterprise risk management program which encompasses process, business and strategic risks as well as those controls that either eliminate the risk or reduce it to an acceptable level. As we know, the risk manager doesn’t generally own the risk nor are they usually the best person to identify the risk. Risk managers facilitate the risk management process. They rely on managers, such as business continuity, security and emergency services, to identify the threats, risks and vulnerabilities. In return for their input, each manager may refer to the central repository of risk so as to enable them to develop an effective, efficient, coherent and seamless control environment. Such a program will reduce the possibility of duplication or inconsistencies in the implementation of the controls – with business continuity plans and security or emergency systems being such controls.

Business continuity and risk management challenges

Some challenges with risk management are: dealing with ontological risks (unknown unknowns), those low frequency high impact risks and the ability to change culture. As stated by the World Economic Forum in its recent Global Risks 2008 report “There is a fundamental disconnect between risk and mitigation. Risks are rising but the mechanisms in place to manage and mitigate risk at the levels of business, government and global governance are inadequate.”

There may also be a tendency to follow the ‘what if’ anticipatory approach - predicting the future, based on a narrative version of the past. This approach to risk and business continuity management differs from resilience in that it’s still generally finite in its possible course of action. It generally excludes the ‘outliers’ (those huge events) and discounts Black Swans through confirmation bias and narrative fallacy. The limits of the ‘what-if’ approach show up when a possible disaster situation arises that hasn’t been envisaged. Whereas a resilient organization learns and adapts - it evolves as risks evolve.

The traditional risk and BCM approaches often tend to focus on process, documentation, compliance and risks that fit within a bell curve (generally within 1 standard deviation of the mean). Such programs are spread across the organization, frequently operated within silos and generally lacking direction and purpose. Resilient organizations, on the other hand, have an understanding of the need to acknowledge the outliers (the Black Swans and ontological risks), they have a greater awareness of the environment they operate within, they have an ability to adapt to changing situations and they have non-hierarchical communications, as documented in KPMG’s ‘Living on the Front Line’:

“Organizations across the world are facing challenges from the global risks of terrorism, pandemics and climate change. The likely impacts of these risks are far wider and longer-term than business continuity preparations have traditionally been designed for … the ultimate goal for BC professionals is the resilient organization”.

Characteristics and behaviours

Resilience is not a plan, or a checklist. The capacity of resilience is found in an organization’s culture, attitudes and values. As Dr Erica Seville, of the University of Canterbury, said “Resilience is not something you do, it is something you are”. Hence we need to look beyond the tactical elements of resilience. We need to look at those elements which are non tangible, those elements which make a truly resilient organization.

Adaptive capacity

Along with the changing environment, organizations need to also change, so as to retain competitive advantage. Change may include strategy, operations, management systems, governance structure or decision support capabilities.

Engineering resilience, or recovery to the original state of equilibrium, may not be the best option. The situation may dictate that you need to recover to a new equilibrium so as to retain synergy with the environment. This new equilibrium may be totally different from that previous. This is ecological resilience, the magnitude of disturbance that can be absorbed before the organization restructures into something new. This may happen whether you like it or not. It may be positive or negative, therefore you might want to plan for it.

Communications

It appears that lack of communication has been a contributor to many global disasters. It’s generally the case that, at some level or another, the information was impeded. Either:

• Those in authority didn’t possess the information and didn’t take the trouble to make sure they did;
• Those who did possess the information didn’t act upon it or didn’t pass it on; or
• Those who did receive the information didn’t act upon it.

Interdependencies

People and business units within an organization; organizations within a sector; sectors within a community – each are interdependent on one another. As Steven Covey said:

“Independent thinking alone is not suited to interdependent reality. Independent people who do not have the maturity to think and act interdependently may be good individual producers, but they won't be good leaders or team players. They're not coming from the paradigm of interdependence necessary to succeed in marriage, family, or organizational reality”.

Situational awareness

Having good situational awareness contributes to the quick identification and response to a disruption or change in the environment, thereby limiting the potential of any negative impact and increasing the number and magnitude of opportunities. Awareness includes understanding risks (including Black Swans) and vulnerabilities, thereby enabling quick detection of a change and a rapid response. The nightmare situation isn’t the known risk occurring, it’s the undetected or unexpected risk emerging.

Leadership

Responsibility for acts and decisions lies with everyone at all times and is not restricted to any one person, place or committee. Every member of an organization should have the responsibility to act, to ask for information, to pass information on and to rightly receive information. The unwillingness to assume responsibility for taking action or ensuring the existence of free-flowing information is the source of most, if not all, global disasters.

Key elements of leadership are: principle centred leadership, non-hierarchical communications and empowerment to act.

Culture and values

Culture is about how principles are learned and translated in day-to-day behaviour. Values contribute to the culture and may include integrity, customer focus and results. In a resilience context we look at a number of essential characteristics and behaviours. Each of these is dependent upon the organization having the appropriate culture and values.

Enterprise wide

We’ve discussed business continuity, risk, security and emergency services management. For true organizational resilience, we need to acknowledge and embrace the importance of other business units and how they contribute to the resilient characteristics and behaviours required. Other significant contributors that need to be considered in an organizational resilience program include, but are not limited to: facilities, human resources, supply (through) chain, sales and purchasing.

Ownership

Ownership is dependent upon the organization, its structure and its people. Some business continuity managers may be ideal owners of a resilience program - as could risk or security managers. However, it should be emphasised that resilience isn’t an alternative word to describe one of the tactical elements - it’s the balanced integration of all of these. Therefore in most cases it may be more appropriate to consider having an individual or steering group oversee the resilience program.

Next steps

Leading organizations are putting plans in place to manage outcomes, rather than specific scenarios and are creating a capabilities-based approach. An organization may not be able to anticipate every scenario, but it may create response capabilities that will be resilient no matter what the cause of disruption.

To have organizational resilience the National Resilience Workgroup (a group sponsored by the Australian Attorney General’s Department) suggests that organizations need to:

• Anticipate and understand emerging threats;
• Understand the impact of threats on the business, supply chain, the community in which they operate and upon employees lives;
• Develop and maintain supportive partnerships with critical stakeholders in their supply chain, sector and community;
• Respond to and recover from disruptions as a unified whole of organization team;
• Adapt to disruptions and react flexibly to restore routine functions and strengthen the organization;
• Ensure staff are willing and able to support the organization to achieve objectives in times of adversity;
• Lead with clear direction while enabling devolved problem solving.

Statement of summary and conclusion

To finish, I’ll challenge you with a self assessment developed by the National Resilience Workgroup:

• What are our key vulnerabilities?
• What are our critical interdependencies?
• How do we monitor for new threats and incorporate them into our risk practices?
• What strategic changes are occurring in our threat environment?
• Who would be our leadership team in times of crisis?
• How do we ensure all business units work in a united way during a crisis?
• Who decides what our operational priorities are during a serious disruption?
• How would we ensure all our staff members were informed of our immediate priorities during a crisis?
• Do we have a program ready to build and maintain staff morale during response and recovery to a crisis?
• Are mutual aid agreements in place with our sector peers?
• Which key stakeholders would support us in times of adversity, who would attempt to undermine us?

I’ll leave you with a comment from Charles Darwin:

“It is not the strongest of the species that survives, nor the most intelligent that survives. It is the one that is the most adaptable to change.”

This article was first published in edition eleven of Continuity Forum News. www.continuity.net.au

•Date: 24th October 2008• Region:Australia/World •Type: Article •Topic: BC general
Rate this article or make a comment - click here




Copyright 2010 Portal Publishing LtdPrivacy policyContact usSite mapNavigation help