Leslie Whittet sets out to define what resilience is; and explains why it should never be enshrined in a standard.
Increasingly we are hearing the term ‘resilience’ being used; organizational, community, et al. It is not new, having been clearly highlighted as an objective in the Business Continuity Institute’s definitions of business continuity management for some time, but it is fair to say that we are now putting a great deal of effort into defining resilience and into understanding how it is achieved. The purpose of this article is to attempt to provide a simple definition and also to demonstrate that it is not something that can be enshrined in a standard.
This last point is important because various interest groups have seized upon the concept of resilience as the next wave in the risk versus BCM versus crisis response, etc, debate. We are in grave danger of putting the ‘ship in a bottle’ and forever limiting its massive potential.
Resilience is not something that you can buy by the pound – it is a concept, a state of being, something to which we may aspire. That sounds rather esoteric and does not advance the understanding of how to become resilient. It is a shame that present efforts have been more directed towards definition than achievement of the goal. Some good work is beginning to emerge with publishing of case studies; this is a practical means to understanding and will advance the cause.
Having said all of that I am going to present a simple definition and also an analogy that I hope will demonstrate that resilience is not rocket science and that we all have the ability to become resilient. The following diagram gives an idea of the scope of resilience and some of the key components necessary to its achievement:
One could add several other components to what is clearly a ‘tool box’ and this is the key to understanding resilience – it is not a thing, it is a concept achieved through the development and implementation of a number of clearly definable components.
Let me digress for a moment. Major works of classical music are comprised of a number of clearly defined elements; the score contains notation (plans) for various instruments. These instructions describe notes to be played – pitch, duration, dynamics, etc. For a work such as Beethoven’s 9th Symphony this involves a large number of instruments, four solo voices and a choir. Managing – leading – all of this is a conductor who will have decided how he/she wishes to interpret all of these ‘plans’. If everyone follows their own plan and executes the work according to the conductor’s leadership then the result will be a beautiful performance. If, on the other hand, the violins go to sleep, or one of the soloists drops dead, then the outcome will be less than perfect. To achieve this everyone must know their plan and must have practised it thoroughly. Note, however, that the more they do this the easier it is to tackle something new (unexpected) that may come their way. Critically, everyone must have the right attitude; collectively they must want to make the music soar.
So it is with resilience. If all of the component pieces are in place and practised then the ability to respond to an unforeseen event in a confident, effective and agile manner should be expected. It is interesting that so much emphasis in business continuity circles is being placed upon people issues; for that is precisely the same with resilience. If an organization undertakes all of the planning suggested by my diagram, but has failed to develop a committed, capable and “can do” culture, then it is unlikely that they will do any more than just scrape across the survival line in the event of a major incident. Resilience is all about the response provided by your people and that begins with effective leadership. By all means develop the plans – risk, emergency, business continuity, etc – but make sure that you have brought your workforce along with you. Then and only then will you be in a position to bow to the audience as the last note is still ringing in their ears!
I did say that I would also demonstrate why resilience cannot be enshrined in a standard. Actually I hope that has already become obvious, but let’s explore it anyway. Going back to the classical music analogy, there is no way that a standard could be developed for a major work – you cannot describe or define a symphony it is only present in the integrated performance of its component parts. Note, too, that the actual delivery – the sound, if you like - may be re-interpreted again and again by various conductors. It is the same with resilience; it can only be achieved AND DEMONSTRATED through the effective performance of all of the business elements during management of an unforeseen event. For the rest of the time it is a dormant concept. Nor will it be implemented the same way in every organization – there is no “one size fits all”.
Hopefully I have successfully demonstrated that it is simply not possible to devise a resilience standard and I would question whether there is even value in trying to really pin down the elements that should be in the ‘tool box’ because there are so many variables – organization size, industry, resources, etc. The one common denominator, though, is people and if we do nothing more that work to achieve a positive, loyal and dynamic team we will have considerably advanced our standing in the resilience stakes.
Make a comment
Leslie T Whittet, FBCI MACS MRMIA
Leslie Whittet & Associates Pty Ltd
Tel: 61 2 6292 7822
Thanks - and nicely communicated. Resilience and risk are both social constructs - concepts. It is all too rarely that we have anyone encourage this higher level appreciation - good things are often not simple add ups. So well done and thank you.
I enjoyed Leslie’s article about Resiliency and your notion that it cannot be defined as a standard. Resiliency is a destination, an objective that you can reach in many different ways; at the end of that journey your organization is either resilient or it is not.
Regarding whether or not there is value “in trying to pin down the elements that should be in the ‘tool box’ ” I disagree with you. I see a corporation as a live entity constantly changing. There are always new ideas, new structures, new channels of distribution, new technologies, etc., continuously altering the landscape and increasing the potential for business disruption. We must continue defining all the components that may be at risk and identifying new tools and techniques to mitigate them.
To me, resiliency hinges on the assumption that an organizational structure’s continuity of operations cannot be executed without relying on people. Without people, a faceless entity such as a corporation cannot function solely on the potential energy of its inanimate parts. The fundamental tenet of a business to achieve its objectives is decision making which does not occur without relying on people to execute. Focused attention on the human elements becomes critical for the success of any endeavor.
Here is a link to a recent article about resiliency, where I also provide a definition: http://disaster-resource.com/newsletter/2010/subpages/v341/meettheexperts.htm
I think that Leslie got it wrong here. Resilience is the ability to bounce back after an event which caused you harm. You can make up a matrix of events and business capabilities and in each cell put whether the capability will survive the event - if not, what percentage of the capability will survive + how long it will take to recover (given the event). This has been done for years and is as quantitative as any risk analysis.
As with many areas related to BCM, we try to define things as a way to communicate them to the stakeholders. By doing this, we are risking putting boundaries around the concept. The risk is even greater when these definitions are left abandoned for long times or when they are being taken as principle facts.
Resilience as with BCM is a feature of the organization; of it being capable and able to adapt to changing internal and external circumstances and incidents affecting its operations and assets. This is a target that all organizations should aim at.
Abdullah Al Hour
There are people who like and need procedures to varying degrees, and at the other end of that spectrum are people who like and need options. The procedures and options people often find it difficult to understand each other. Sometimes with experience the procedures people develop options for themselves, and the options people may develop procedures. In the real world both are important in balance and suitable for purpose. Resilience requires having robust procedures but also recognising the requirement to be able to go beyond procedures and develop options for new situations. Les you are right, we need to be careful of reducing life to a formula and allow for people to adapt and overcome.
Scott Milne ESM
Leslie makes a very valid point in saying that the industry is putting a great deal of effort into defining Resilience. However, I don’t see this as a ‘concept’, more an evolutionary step in business continuity management thinking. The current standards and best practices in BCM focus on planning for various ‘denials’ and rehearsing / validating our response to those incidents. With Resilience we have an opportunity to do something broader, more proactive, more preventative and ultimately more effective in limiting opportunities for disruptions and crises.
For example, to what extent do we properly understand the multiple layers of infrastructure / resources that underpin our most critical business activities? How easily could we develop and maintain a Resilience Dashboard in line with risk appetite? How many organisations have ‘real-time’ oversight models that ensure ‘denials’ planning is 100% effective at all times? And crucially, do we have the mandates within our organisations to act as gatekeeper for organisational / strategic change initiatives?
My view is that this is more than simply a name change or a ‘concept’ and the challenge for us all is to better understand the key steps towards a resilient organisation and if that means a new PAS or standard, then so be it (possibly more relevant to our world than PAS200). Quite simply, the move to Resilience is the right thing to do to ensure the protection of our colleagues, customers and reputation.
Dr. Marc Siegel, the Commissioner heading the ASIS International Global Standards Initiative, responds to the above article.
•Date: 14th July 2010 • Region: Australia/World •Type: Article •Topic: BC general
Rate this article or make a comment - click here
UPDATED 28th JULY