Organizational resilience is defined as "the ability of a system to withstand changes in its environment and still function".[1] It is a capability that involves an organization either enduring the environmental changes without having to adapt permanently, or being forced to adopt a new way of working that better suits the new environmental conditions.[1]
In recent years, a new consensus on the concept of resilience has emerged as a practical response to the decreasing lifespan of organisations[2] and from key stakeholders, including boards, governments, regulators, shareholders, staff, suppliers and customers, seeking to effectively address the issues of security, preparedness, risk, and survivability.
An organization that realizes the benefits of the above definitions of resilience will have a high likelihood of maintaining a successful and thriving enterprise.
Previously, it was considered that 'organisational resilience' could only be generated from processes and functions such as Risk Management, Business Continuity, IT Disaster Recovery, Crisis Management, Information Security, Operational continuity, Physical Security and so on. These are recognised as key contributors to operational resilience, and to “the positive ability of a system or company to adapt itself to the consequences of a catastrophic failure caused by power outage, a fire, a bomb or similar” event, or "the ability of a [system] to cope with change".[3] However, research from many academics, including Hamel & Valikangas in the Harvard Business Review,[4] Boin, Comfort & Demchak[5] and research facility ResOrgs,[6] has influenced understanding and led to new viewpoints on resilience, including that from the BSI Group,[7] being developed by ISO,[8] the Australian government,[9] ResOrgs,[6] ICSA,[10] and professional services firms such as PwC,[11] all of which recognise that processes and functions are but one element of an organisation's resilience web.
Global turbulence is expected. Competition, instability and uncertainty are constants in a changing world. Organizations face an unprecedented and growing number of potential disruptions to the status quo and the best laid strategic plans. As history repeats itself, prominent organizations will fail unless modern risk management and governance models incorporate scalable resilience metrics.
To survive and prosper in this new environment of heightened uncertainty and change, organizations must move past traditional risk and governance models and focus instead on resilience. Resilience applies at all levels: national, regional, organizational and corporate. At the national level, major infrastructure concerns and societal institutions must be robust enough, and unencumbered by legal and regulatory constraints, to serve the national good in normal operations, in crisis, and in recovery. At the regional level, specific infrastructure assets come together in highly interdependent ways to serve local constituents and be a part of a national infrastructure. At the organizational and corporate level (which owns or operates the vast majority of our critical infrastructure assets), individual companies and operating units must ensure their business operations and service delivery capacities remain able to perform their primary business functions.[12]
Yossi Sheffi extended the resilience concept to business continuity initiatives in his 2005 book The Resilient Enterprise.[13] Sheffi analyzed how disruptions can adversely affect the operations of corporations and how investments in resilience can give a business a competitive advantage over entities not prepared for various contingencies. Business organizations such as the Council on Competitiveness have embraced resilience and have tied economic competitiveness to security.[14] The Reform Institute has highlighted the need to enhance the resilience of the supply chain and electrical grid against disruptions that could cripple the U.S. economy.[15][16] Many corporations are adopting resilience and business continuity initiatives and sharing best practices.[17][18]
Many experts and leaders see resilience as a vital component of a homeland security strategy.[19][20] Hurricane Katrina demonstrated that not all catastrophic events can be prevented and a focus on response and recovery is needed.[21][22]
Prominent members of the United States Congress are embracing resilience. The Chairman of the Homeland Security Committee of the U.S. House of Representatives, Bennie Thompson (D-MS), declared May 2008 “Resilience Month” as the committee and its subcommittees held a series of hearings to examine the issue.[23][24] President Obama[25] and the Department of Homeland Security[26][27] have also made resilience an integral component of homeland security policy.
The Quadrennial Homeland Security Review, released by the Department of Homeland Security in February 2010, made resilience a prominent theme and one of the core missions of the U.S. homeland security enterprise.[28]
Business and government enterprises that are able to quickly adapt to or seize competitive advantage from sudden and/or significant changes in their environments, with minimal interruption to their enterprise missions and manageable impact to their market value, as well as adapt to change in an apparently slower, more evolutionary manner - sometimes over many years or decades - can be described as being more resilient.[29] Leading management consultancies and national governments including Australia, the U.S. Department of Homeland Security and the UK Cabinet Office believe that an organization’s resilience, properly understood, has critical implications for its competitive posture, profitability and shareholder value.
Over the past years, business, academic and government leaders have become aware that certain organizations respond better to disruptions than other, often similarly situated, organizations. For example, a September 2003 Harvard Business Review article[30] stated that “momentum is not the force it once was” in ensuring an organization’s success. Its authors noted the emergence of several disruptive trends — including technological discontinuities, regulatory upheavals, geopolitical shocks, industry deverticalization and disintermediation, abrupt shifts in consumer tastes, and hordes of nontraditional competitors — that require companies to become resilient to remain successful. The authors concluded that “strategic resilience is not about responding to a one-time crisis. It’s not about rebounding from a setback. It’s about continuously anticipating and adjusting to deep, secular trends that can permanently impair the earning power of a core business. It’s about having the capacity to change before the case for change becomes desperately obvious.”
Resilience also has important implications for governance processes and systems. In a 2004 white paper[31] the authors wrote that “enterprise resilience marries risk assessment, information reporting, and governance processes with strategic and business planning to create an enterprise-wide early warning capability that is embedded in the business of the company.” They explained that “Enterprise Resilience is predicated on an expanded view of risk—one that focuses on value, and therefore encompasses not only traditional risks (e.g., financial, natural hazards, physical security, legal, compliance) but also risks relating to earnings drivers (e.g., innovation, channel relationships, intellectual property) and company culture.”
Over the past decade, governments worldwide have also become increasingly focused on protecting their facilities, technologies, networks, personnel and other mission-critical assets from attack or misappropriation. The risks of cyber-terrorism and other threats to critical infrastructure are of particular concern. On March 31, 2011, the President issued Presidential Policy Directive Eight (PPD-8),[32] which directed the Secretary of the Department of Homeland Security to develop a national preparedness system with the objective of strengthening the security and resilience of the United States through systematic preparation for the threats that pose the greatest risk to the security of the Nation, including acts of terrorism, cyber attacks, pandemics, and catastrophic natural disasters. The directive defined resilience as “the ability to adapt to changing conditions and withstand and rapidly recover from disruption due to emergencies.”
Security, whether applied to physical, financial, personnel, cyber information or any other asset, entails the measures to protect against danger or loss with emphasis on being protected from dangers that originate from outside. A significant breach in security could certainly impair an organization’s ability to exist, and thus is a critical concept underlying the organization’s capacity to be resilient. Resilience is proactive in positioning the company to survive and thrive given known and unknown challenges. Security, as generally practiced, provides specific protection against identified or projected circumstances.
Protection is often associated with the set of actions to harden assets to withstand identified contingencies, mitigate the damage, or make them an unattractive target. The focus is to maintain the assets’ core function and ward off harm. Typically, protection performance objectives are stated as an absolute capability against varying levels of threat (category II or greater hurricane, defined types of breaches, specific acts). Organizations plan for protection against specific threats or categories of threats. Resilience approaches the issue from a standpoint of taking reasonable protective actions, but having alternative capabilities as needed or the ability to withstand the disruption.
Crisis management generally refers to the set of actions and capabilities in place to effectively respond to and contain a situation. The situation can vary from natural, man-made, or environmental challenges, whether internally or externally generated. Most consider crisis management to largely consist of actions that go into play when the crisis occurs and subside after it is considered “over”. There are plans and preparations, but the actions are not often dealt with as part of normal operations. Resilience depends on effective crisis management, but would encourage more prominent treatment of crisis management capabilities throughout the company’s operation than is often the case.
Preparedness consists of the plans of actions for when the disaster or crisis strikes. Preparedness efforts are very specific sets of tactical actions (evacuation plans, sheltering plans, rehearsals, stockpiles, etc.) that the company and individuals will take to mitigate the effects of predicted disasters/crises. Resilience requires prudent and serious attention to preparations for known likely disasters, particularly those that are highly likely (e.g., hurricanes in Florida). Resiliency would address preparedness as a specific emergency management business function; but more importantly, as being impacted by numerous functions across the organization. These may include human resources, strategic planning, financial management, information technology, and risk management.
Risk management consists of formal processes to identify threats and vulnerabilities to the company, and the mitigation approaches it will employ. Risk management is highly sophisticated and the results have application in managing the business, insurance coverage, and in attracting investors. The risk management profession is moving toward a more proactive and return-on-investment focus, but the traditional focus has been defensive in nature. Identifying and managing risks, particularly operational risks, is arguably the most important factor in achieving resilience; however, it is one of many factors. Resiliency has a healthy consideration of posturing for future opportunities. That is not a traditional consideration in risk management.
Some scholars have identified the four facets of resilience as preparedness, protection, response and recovery.[33] Other countries, such as the United Kingdom and Australia, are adopting the resilience concept.[34][35] In the United Kingdom, resilience is implemented locally by the Local Resilience Forum.
As part of the Canterbury University Resilient Organisations programme, ResOrgs have developed a tool for benchmarking the Resilience of Organisations.[36]
The Resilience Diagnostic is an assessment made up of 11 categories, each evaluated by a set of 5 to 7 questions. These categories are defined as either asset or liability. A person’s resilience is determined by the sum of all asset scores divided by the sum of all liability scores, producing a Resilience Ratio. The Resilience Ratio can be reflected both on an organizational and individual level and the assessment provides self-coaching options for participants. Developed in 2011 by The Resilience Institute, the Resilience Diagnostic has been used by corporations worldwide, with key insights reflected in the Global Resilience Report 2016.[37]
In Organizational Studies, resilience is often referred to as the maintenance of positive adjustment under challenging conditions. Here, resilience emerges as the response to specific interruptions of the normal. Sutcliffe and Vogus[38] argue that resilience should rather be viewed from a developmental perspective, as an ability that develops over time from continually handling risks. Resilience, then, is "the continuing ability to use internal and external resources successfully to resolve new issues". Thus, "resilience is the capacity to rebound from adversity strengthened and more resourceful".
ASIS International have developed and published the definitive Organizational Resilience Management Standard SPC.1-2009. Approved by ANSI and adopted by the Department of Homeland Security under the PS-Prep program, this American Standard provides a practical basis for implementation of preparedness objectives supported by ASIS ORMS (Organizational Resilience Management System) software.