Organizational resilience has been around for a decade or more as a specific management discipline, but it has yet to gain traction in many organizations. This article explores what organizational resilience is and why it is worth taking another look at.
Organizational resilience was first systemised by the British Standards Institution (BSI) in 2014 in the standard BS 65000:2014 ‘Guidance on organizational resilience’. This was followed in 2017 by the ISO International Standard ISO 22316, titled ‘Security and resilience - Organizational resilience - Principles and attributes’, and ISO is currently working on an update to this, which will be published as ISO/AWI 22316. The latter is currently in the proposal stage, so it is early in the standards development process.
BS 65000 defines organizational resilience as the ‘ability of an organization to anticipate, prepare for, and respond and adapt to incremental change and sudden disruptions in order to survive and prosper’. This was adapted by ISO 22316 into ‘the ability of an organization to absorb and adapt in a changing environment to enable it to deliver its objectives and to survive and prosper’.
There are at least 23 separate definitions of organizational resilience available via a Google search, and pulling each of these together into a word cloud produces the following result:
The key words that emerge are:
Ability: according to the Cambridge Dictionary, ability is the power or skill needed to do something – it requires proficiency and aptitude. So organizational resilience is something that must be worked on and developed; it isn’t a plan, a process, or a project, but something much more intrinsic.
Anticipate: this is another key word and shows that organizational resilience is a proactive discipline. Anticipate implies activities such as monitoring, implementing early warning systems, horizon scanning, and risk assessment to provide the intelligence required to enable an organization to take actions before something develops into an issue.
Prepare: organizational resilience requires preparation to enable the organization to have plans, processes, strategies, and capabilities in place.
Absorb: absorb implies the ability to ‘bend not break’ – a commonly used phrase in discussions about resilience. It includes introducing things such as failover, high availability, and self-healing systems to enable automatic and instantaneous reaction to issues so that systems absorb them, ensuring that they don’t develop further. It also implies flexibility: resilient organizations are agile.
Respond: it will come as no surprise that organizational resilience involves an element of response, although this word was dropped from the ISO 22316 definition. Response involves being able to react to issues, incidents, crises, disruptions, and shocks in a managed and effective way.
Adapt: the ability to adapt is central to organizational resilience. Adaption is at the heart of survival within nature and is also vital for the long-term resilience of organizations. Organizational resilience is not just about short-term response, it requires a much more long-term view, ensuring that an organization adapts to changing conditions and pressures to not only survive but to prosper, in the words of both BS 65000 and ISO 22316.
When asked to define organizational resilience, ChatGPT, which takes its definition from a broad range of sources across the Internet, comes to a similar conclusion, providing the following: ‘Organizational resilience refers to an organization's ability to withstand and adapt to disruptions, shocks, and challenges while maintaining its core functions, operations, and long-term viability. It involves the capacity of an organization to absorb and recover from disruptive events.’
The ChatGPT definition highlights another key word: ‘withstand’. This is a defensive word and implies ‘hardening’ an organization so that rather than reacting when a process, a system, or a facility breaks, these things are designed or retro-fitted to ensure that they are much less likely to break in the first place.
When organizational resilience is broken down into its constituent parts as above, it becomes clear why it should be seen as the over-arching resilience discipline – all the other disciplines map to an aspect, or aspects, of organizational resilience, but none provide the same holistic approach.
Mapping other resilience disciplines to organizational resilience
Perhaps the two disciplines that come closest to organizational resilience are operational resilience and enterprise risk management (ERM). Indeed, the BCI Operational Resilience Report 2023, which was published during BCAW 2023, found that many organizations use concepts and tools related to operational resilience and organizational resilience interchangeably; and 31 percent of respondents to a survey for the report stated that their organization does not distinguish between the two disciplines at all. See the figure, below, taken from the report:
In reality, even if the scope of an operational resilience programme is broad enough to cover the absorb and adapt aspects of organizational resilience, the remit of ‘operational’ in the former effectively rules it out from taking the much broader holistic approach that the latter requires.
Enterprise risk management is, according to the Institute of Risk Management, an integrated and joined up approach to managing risk across an organisation and its extended networks (1). And COSO (the Committee of Sponsoring Organizations of the Treadway Commission) identifies the five interrelated components of an ERM framework as Governance and Culture; Strategy and Objective-Setting; Performance (risk identification and assessment); Review and Revision; Information, Communication, and Reporting (2).
So, while ERM takes a holistic approach to risk management and overlaps in the majority of areas, it stops short of the incident response and adaption elements contained in organizational resilience. Response as far as ERM traditionally goes is ‘What are we doing about the risks?’ - considering things such as mitigation and risk removal.
The holistic heart of organizational resilience
Holistic is the word that holds the key to an organizational resilience strategy; it is about developing an organizational culture which includes resilience in every element, in every strategic decision, in every process, in every plan, and in the way people are managed and considered. Organizational resilience is an organizational lifestyle!
Organizational resilience is also about breaking down silos – it does not require that business continuity, risk management, operational resilience, emergency planning, crisis management teams (for example) be replaced – instead it requires that these teams emerge from their silos and are managed holistically and strategically. These teams all have a part to play in the bigger picture.
However, other organizational teams also have a key role to play; and this is where the difference between organizational resilience and other resilience disciplines is emphasised.
ISO 22316 states that the design, development and coordination of management disciplines and their alignment with the organization’s strategic objectives are fundamental to enhancing organizational resilience. And the management disciplines listed by the standard are wide-ranging. ISO 22316 says that all the following have a role to play:
- Asset management;
- Business continuity management;
- Crisis management;
- Cyber security management;
- Communications management;
- Emergency management;
- Environmental management;
- Facilities management;
- Financial control;
- Fraud control;
- Health and safety management;
- Human resources management;
- Information security management;
- Information, communications and technology;
- Physical security management;
- Quality management;
- Risk management;
- Supply chain management;
- Strategic planning.
ISO 22316 emphasises that this is a sample list of management disciplines not an exhaustive one; but it serves to make the point that organizational resilience takes resilience thinking, planning, and practice far beyond its remit in other disciplines.
Another key point made by ISO 22316 is that the above management disciplines are coordinated so that they individually and collectively contribute to the organization’s purpose and the protection of what it values. And it is this coordination, with resilience as the goal, that is both the great vision and the great barrier to organizational resilience implementation.
Many resilience professionals can see the value in organizational resilience; but the reality is that very few, if any, organizations have actually implemented a true organizational resilience programme. And the reason seems blatantly obvious: it’s a very difficult thing to do!
To start to bring together all the required management disciplines, to break down all those silos, and to change the whole organization’s culture and approach requires a huge and visionary commitment by the board and the c-suite!
So that’s the challenge: to really take on board the breadth, depth, and possibilities of organizational resilience as the resilience discipline of the radically successful organization of the future; the organization that prospers rather than simply survives; the organization with resilience designed into every facet of its ecosystem. And once you have taken on board the vision, the next challenge is to sell it to your board and your c-suite…
(1) What is Enterprise Risk Management? The Institute of Risk Management: https://www.theirm.org/what-we-do/what-is-enterprise-risk-management/ (accessed 11 May 2023)
(2) Enterprise Risk Management—Integrating with Strategy and Performance, The Committee of Sponsoring Organizations of the Treadway Commission, 2017