The standards for organizational resilience

In March 2017, the new ISO standard ISO 22316:2017 was published with the long title “Security and resilience – Organizational resilience – Principles and attributes”. The standard was developed by the Technical Committee ISO/TC 292 Security and resilience, which is also responsible for the ISO standards around ISO 22301 Business Continuity Management.

In addition to this ISO standard, BS 65000:2014 “Guidance on organizational resilience” has been available from British Standards (BSI) since 2014. We can therefore currently build on two standards on the subject of resilience. What is it about a topic that is apparently so important that two standards are dedicated to it? If you enter the search term “resilience” for german books in Amazon, you will already receive over 1,000 suggestions for filling your electronic shopping cart.

If you approach the topic of “resilience” in a foreign language, you already have over 4,000 books as a purchase option. The majority of these are personal guidebooks on strengthening resistance to stress, crises, burn out and depression. At first glance, this seems to be a true miracle weapon against all of life’s threats.

But what makes professional standardization organizations targeting companies, authorities and organizations raise this topic to a standard? In the numbering, ISO standard 22316 comes directly before the two guidelines 22317 (Business Impact Analysis) and 22318 (Supply Chain Continuity).

At first, this makes Resilience appear to be simply a sub-discipline of Business Continuity Management. However, a look at the TC 292 homepage quickly shows that the reader should not be misled by the numbering of this standard. The Technical Committee divides its standards into the areas of General, Business continuity management, Emergency management, Supply chain security management, Protective security, authenticity, integrity and trust for products and documents, Community resilience and Organizational resilience. Community resilience and organizational resilience are therefore “on a par” with BCM and not a sub-discipline.

The concept of organizational resilience

So what is the actual content of the concept of organizational resilience? What does this mean for “classic BCM” and the other safety & security disciplines? What characterizes resilient organizations and how do they get there?

The English term “resilience” is derived from the Latin term “resilire”, synonymous with “to bounce back”. The Duden dictionary defines resilience as “psychological resistance; ability to survive difficult life situations without lasting impairment.” ISO 22316:2017 defines resilience applied to organizations as “ability of an organization to absorb and adapt in changing environment”. This definition already reveals significant differences to business continuity management. Even though the term resilience is mentioned several times in ISO 22301 Business Continuity Management, BCM, according to the standard’s definition, aims to deal with abrupt disruptions, emergencies and crises: “… to protect against, reduce the likelihood of occurrence, prepare for, respond to, and recover from disruptive incidents when they arise” (ISO 22301:2012 Scope). Resilience, on the other hand, further includes resilience to small day-to-day disruptions through acute shocks to incremental change (BS 65000:2014 Introduction).

Resilient companies are better able to recognize and respond to opportunities and threats from sudden and gradual internal and external changes, according to the standard. Organizational resilience is not a management discipline in its own right, but arises from the integration of established disciplines. It is worth taking a closer look at the annex to the ISO standard, which provides examples of twenty relevant management disciplines that contribute to the achievement of organizational resilience. The disciplines listed include all GRC (Governance, Risk & Compliance) disciplines, but also communications and human resources management as well as strategic planning, quality management and controlling.

The standard emphasizes that the degree of resilience is not measurable and there is no ultimate goal for achieving it. The ISO standard is divided into a description of the principles as well as the characteristics and assessment of the factors for organizational resilience.

Phases for strengthening resilience

At this point, however, I would like to switch to the older competitor product from BSI. Basically, the definition and core statements do not differ from the ISO standard. However, in the section “Building resilience”, BS 65000:2014 maps all the important steps for implementation towards a resilient enterprise with a nice circular model.

Be informed (situational awareness):

This phase involves the continuous early identification of internal as well as external risks and opportunities (“horizon scanning”) for the identified values of the company. This includes awareness of interactions with other companies such as service providers, suppliers, competitors, and evaluation of successes, disruptions, near emergencies, exercises, audits, and experience of other companies.

Set direction:

This phase calls for the company’s top management. They must ensure that the company has a clear vision for the future and described values and priorities that are communicated to employees and interested parties. Leadership also includes an integrated, transparent, and forward-looking governance system, as well as clear roles and responsibilities for the various aspects of achieving organizational resilience.

Bring coherence:

Top leadership must establish priorities for achieving resilience and align operational activities with those priorities. The various organizational silos with operational disciplines must be coordinated and integrated to achieve this. At this point, the standard lists 21 relevant disciplines to be integrated as an example, analogous to ISO 22316:2017.

Develop adaptive capacity:

The company should be enabled to react to changing conditions through pre-planned and situation-dependent measures. This includes necessary adjustments to structures, processes and behavior. The goal is a flexible and agile organization that is able to learn from its own mistakes and the experiences of others and to respond innovatively to these requirements with new methods and structures.

Strengthen the organization:

This phase has very strong references to classic business continuity management. The company should implement specific measures to strengthen resilience in order to cope with emergencies, emerging risks and changes. Emphasis is placed here on the need for adaptability when contingency plans are not in place or do not work. Resilience should be enhanced “by design”, for example, by creating redundancy and adequate resources and capacity.

A second focus for strengthening a company’s resilience lies in its norms, values and behaviors. In particular, this includes dealing with learning from disruptions, mistakes, risks and vulnerabilities, as well as clear assignments of roles and responsibilities.

Validate and review:

Audits, tests and exercises are used to check the existing level of resilience in the company and identify measures for improvement.
How do resilient companies differ from less resilient ones?
According to ISO 22316:2017, resilient companies have the following characteristics:

• Shared goals and vision for the company,
• Understanding of the environment and collaboration with “interested parties”,
• Effective strong leadership especially in times of uncertainty and disruption,
• a corporate culture that fosters resilience,
• Sharing of information and knowledge,
• Availability of resources (human, building, technology, financial, information) to address weaknesses,
• Development and collaboration of management disciplines,
• support for continuous improvement,
• the ability to recognize change and adapt the organization.