Organisational Resilience by Steelhenge Constulting

Organisational Resilience

MARCH 2012

This paper responds to a need expressed by members of the BCI Partnership for clarity on what Organisational Resilience is, what is required to achieve resilience in organisations and what disciplines contribute, and how they contribute to a coherent and optimised approach to dealing with issues of Organisational Resilience. It aims were to: •

Provide a working definition of organisational resilience

•

Identify the existing independent disciplines that contribute to achieving organisational resilience

•

Discuss the potential utility of mapping the relationships between these disciplines to resilience – why map resilience?

•

Present various possible methods to map resilience – how to map resilience?

•

Propose future steps for the development and utility of an organisational resilience model

The paper is the output of a BCI membership subgroup co‐ordinated by the BCI Partnership. It does not set out to provide a comprehensive “one size fits all” approach or model of organisational resilience, nor does it represent the views of the BCI or any other organisation. It is intended to be used as a platform for stimulating debate among BCI practitioners about organisational resilience to progress understanding and development at a practical level. Authors and Editors: Dominic Cockram, Dr Claudia Van Den Heuvel Contributors: Steve Wicks, Ken Simpson, Charley Newnham, Ray Ferrara, Lynda McMullen, Roger Kember, Mike Lees, David Lloyd, Robert Hall, Ken Wratten, Jackie Woodland, John Matthews, Eugene Taylor, Phil Irwin, Dr Robert Macfarlane, Jeff Lewis To comment directly on this paper, please contact Dominic Cockram, Chair of the BCI Partnership Subgroup: dc@steelhenge.co.uk

APPROACH

The approach taken has been to build the paper in clear stages: 1) Establish an understanding of the resilience landscape and a definition of resilience 2) Use the landscape and definition to set out the key requirements of a resilient organisation 3) Provide an assessment of the capabilities needed to deliver the “resilient requirements” 4) Establish what disciplines will provide or support those key capabilities 5) Develop a series of diagrams or models that help to show the inter‐actions of the disciplines and promote discussion This approach was derived after several initial stages and was established as the most logical way in which to develop the paper. WHAT IS ORGANISATIONAL RESILIENCE?

Resilience is an abstract term that is used substantially across a range of disciplines, such as psychology, sociology, economics, ecology, engineering and network theory, to name but a few. What constitutes resilience is a topic of considerable debate, and meanings differ depending on the nature of the discipline or context in which they are being used. In its most general human context, resilience is defined as “the ability to recover from or adjust easily to misfortune or change”.1 Definitions stemming from a systems thinking approach expand on this and include the ability to anticipate, respond and adapt to, and/or rapidly recover from a disruptive event.2 Tensions remain across the various disciplines that define resilience, where some focus entirely on an entity’s ability to absorb and adapt to impact, and others include the ability to anticipate and mitigate damage. However, in its most generally accepted form, the term resilience refers to the way in which any entity or system achieves an end state of ‘keeping going’. While definitions from these sectors are useful for aiding an understanding of what is meant by resilience in general, this paper is concerned with the meaning of the term in the context of an organisation. The term organisation here is proposed to include an entity within either the private or public sector, for profit and non‐profit, and of any given size. This paper focuses on what an organisation requires to demonstrate resilience, and does not discuss 1 Webster’s dictionary 2 Tierney, K. J. (2005). “Response, Recovery, and Resilience.” Panel Presentation at the United Nations World Conference on Disaster Reduction, Kobe, Japan, January 21.

the concepts of societal or community resilience which have been comprehensively covered in other recent BCI papers3. Perhaps most informative to constructing a definition of organisational resilience are the definitions stemming from the field of “Resilience Engineering”. This field takes on a proactive approach that is aimed primarily at understanding an organisation’s ability to cope with complexity under pressure in order to obtain success. Additionally, it adopts both a process‐focused and systems thinking approach to define how people learn and adapt to create safety amidst adversity and strain, or within a faulty environment. Resilience in this field is defined as “the intrinsic ability of an organisation (or system) to maintain or regain a dynamically stable state, which allows it to continue operation after a major mishap and/or the presence of a continuous stress”.4 More specifically, the field coins the term Operational Resilience to describe what resilience means for an entire organisation after a crisis or non‐ strategic disruption; this is defined as “the processes and related practices by which an organisation designs, develops, implements, and controls strategies for protecting and sustaining high value services, related business processes, and associated assets”.5 While every organisation is unique in the pathway it takes to achieve the desired end‐state of “being resilient”, this paper posits that organisational resilience requires both a preventative capacity as well as an adaptive capacity in response to the occurrence of disruptions. This paper therefore defines organisational resilience as “the capacity of an organisation to plan for and adapt to change or disruption, through anticipation, protection, responsive capacity and recoverability”. KEY REQUIREMENTS OF RESILIENT ORGANISATIONS

Previous studies have identified many organisational mechanisms and characteristics embedded in everyday practices that contribute to an organisation’s resilience. These include organisational cultures that are flexible, just and promote learning, and the corresponding behavioural manifestations of these cultures displayed by staff members at all operational levels during business as usual. Specifically, behaviours that have been identified as being displayed by resilient organisations include monitoring, detecting and reacting to issues that could have an impact on the organisation’s performance (thereby building awareness), and the promotion of 3

Benn, P. (2011). “Managing for Resilience” Hollnagel, E., Woods, D.D., Leveson, N. (2004). Resilience Engineering, concepts and precepts. ISBN 0‐7546‐4641‐6. Hampshire: Ashgate Publishing Limited, pp. 229‐233. 5 Caralli, R. et al. (2010). Improving Operational Resilience Processes: The CERT Resilience Management Model. IEEE International Conference on Privacy, Security, Risk and Trust. 4

continuous improvement through sensitivity to failures and tolerance of errors. The existence of these cultures and their accompanying behavioural manifestations therefore directly enhance organisational resilience by creating the following characteristics to a greater or lesser degree: Redundancy Reliability Anticipation Preparedness Adaptive capacity Learning capacity Culture and behaviour play a large role in successfully resilient organisations and they have been placed to one side here to some extent in our review of the disciplines and their mapping. They support the characteristics in many different ways and should be the subject of further work following this paper. THE CAPABILITIES THAT PROVIDE RESILIENCE

Resilience is a concept rather than a discipline, function or process, and organisations strive to achieve it as a goal. Thus it has key dimensions or capabilities that form the parts that make it a whole, where organisations require all capabilities in order to be fully resilient. These include: i)

the capability to assess risks and threats, to anticipate a disruption and mitigate, avoid it or prevent it from occurring

ii)

the capability to plan and prepare for disruption, thereby protecting the organisation

iii)

the capability to adapt or respond to and manage a disruption successfully, thereby preventing a disruption from spreading its impacts

iv)

the capability to recover to a new “normal” state after a disruption.

If an organisation builds these capabilities it will have built a resilient capacity for itself which will ensure it ‘keeps going’ after disruptions and is able to return to business as usual 5

in a timely manner. Competence in one area of resilience does not necessarily predict competence in a latter stage in a linear deterministic way; however, it does increase the probability of competence across the other stages. Disruptive events here are seen as “conditions or events that interrupt or impede normal operations by creating discontinuity, confusion, disorder, or displacement”.6 Disruptions can be of varying size and origin, where, for example, major external disruptions include natural disasters or terrorism, and small internal disruptions include errors in the form of interferences with routines or internal stresses on business processes or systems. Failure of resilience represents an inability to respond and adapt to such disruptions or changes in the system and a loss of performance in achieving objectives or goals in some way. This is often referred to as “system brittleness”7’ which describes the system of an organisation that is unable to adapt to unanticipated disruptions, and whereby (some section of) that system collapses or breaks down when it is affected by the interference of internal or external factors. In order to expand an understanding of organisational resilience, those disciplines that contribute to the development of these capabilities above must be identified, and the relationships between those disciplines and resilience established. To maintain successful but separate disciplines is not enough to create resilience and they must be integrated and coherent to generate a closely knitted and therefore strong blanket of resilience. “MAPPING” ORGANISATIONAL RESILIENCE

If organisations wish to become more resilient in an increasingly threatening world, a crucial first step involves creating an understanding of how organisational resilience actually is developed, and how it may be fostered by assessing the contributions of its constituent parts. Two pertinent questions that emerge are therefore: why should organisational resilience be mapped, and if it is to be mapped, how should that be done in order to create an informative and clear understanding of the concept? Organisational resilience is an evolving concept and as yet there are a limited number of research studies that address the concept, with a growing group providing an approach to modelling, creating, and measuring organisational resilience.

A. M. Madni, S. Jackson. (2009). Towards a Conceptual Framework for Resilience Engineering. IEEE Systems Journal 3(2): 181‐191 7 Costa, W.,Voshell, M.,Branlat, M.,Woods, D.,Gomes, J., Buarque, L. Resilience and brittleness in a nuclear emergency response simulation: focusing on team coordination activity. In: Proceedings of the third symposium on resilience engineering, Juan‐les‐Pins, France, October 28–30,2008.

The current status is that many organisations retain silos of excellence, with very little cross over in key areas and often not much central control within an overarching resilience approach. There are those who maintain that Risk should become the overarching discipline, and some that BCM is the only truly holistic solution which crosses all boundaries. There are many views and several institutes and associations all of whom espouse their own approach as being the “best”. This paper should not and does not set out to seek a solution to this situation but rather to demonstrate where the key contributions lie in terms of the disciplines and how they could be mapped usefully. From an initial perspective, by mapping the disciplines we can establish those areas of overlap or inter‐connectivity. This should then allow us to:

assess and measure the areas of overlap for integration benefits and possible economies

develop metrics for the assessment and measurement of resilience based against a single disciplinary audit and an overlap/inter‐connection assessment

develop a clear resilience concept based upon a landscape of required connections and behaviours within an organisation

build Key Performance Indicators based against a more detailed set of requirements

develop plans based upon better integration and inter‐connection expectations

Mapping resilience may provide a basis or platform for designing a resilience measurement or benchmarking tool. This type of benchmarking tool may be tailored to any organisation’s individual needs and business processes in order to measure their level of resilience, which will foster increased understanding of what resilience is for them and how they can improve their resilience capability. Specifically, a tailored resilience measurement tool can be used by an organisation to measure their strengths or points of resilience within their systems, as well as identify crucial gaps or vulnerabilities that require addressing to prevent future disruption. Identifying and measuring commonalities across an organisation’s (as of yet) independent disciplines will reduce duplicate efforts and expenditures, thereby enhancing both efficacy and efficiency in their approach to both creating and enhancing organisational resilience. Different approaches to mapping organisational resilience may fulfil the above aims to a greater or lesser extent; for example, some may be better at identifying the commonalities between fields while others may more clearly illustrate the main unique contributions of every discipline. The method chosen to mapping organisational resilience is therefore one that warrants careful consideration and may differ per organisation or entity doing the mapping.

THE DISCIPLINES THAT SUPPORT ORGANISATIONAL RESILIENCE

This paper is concerned with how independent yet related disciplines that exist within organisations may serve to both create and enhance organisational resilience. Those that contribute to the key dimensions should include: Risk management ‐ ANTICIPATION Business Continuity management – ANTICIPATION, ADAPTATION, RECOVERY Crisis and Communication Management – RESPONSE and RECOVERY Security management (including building & facilities management) ‐ PROTECTION Information Assurance and Security – PROTECTION and RESPONSE Health, safety and environmental management ‐ ANTICIPATION The contribution of these and other disciplines is subjective and will differ by organisation. There are arguments for the inclusion of Human Resources, Financial Management and Strategic Planning as well as other key areas that can be contributory to resilience but for the purposes of this paper, it is felt that these disciplines outlined above are the most relevant and provide a good starting point. POTENTIAL MAPPING APPROACHES

Multiple methods exist which may be utilised in the mapping process, which are generic and subject to whichever disciplines are identified and included by those doing the “mapping”. Potential mapping methods identified by the subgroup during the production of this paper include: i) tables or matrices illustrating the disciplines required during both business as usual and during incident response and recovery, and in which of these phases each discipline contributes most to ii) diagrams depicting the relationships or processes by which the individual disciplines create or foster resilience iii) mind‐maps and Venn diagrams depicting the commonalities, and overlapping functions of each of the contributing disciplines in their contributions to resilience

MAPPING ORGANISATIONAL RESILIENCE IN A TABLE OR MATRIX

The table below presents an attempt to tabulate the disciplines according to the four phases of resilience identified above. Table 1: The disciplines existing within each phase of development

Anticipation

Protection & Planning

Response

Recovery

Threats

Security

Crisis Management

Business Continuity

Insurance awareness

Information Assurance

Communications

Insurance

Strategic risk

Health, Safety and Environment

IT Disaster Recovery

Leadership

Operational risk

Insurance

Business Continuity

Financial risk

Governance, Compliance and Audit

IT and Work area DR

Business Continuity

This method was useful to identify where, or at which phase of the resilience process in a chronological timeline each discipline potentially provides the greatest contribution, and therefore may help focus an organisation’s efforts and attention at any given time in the resilience process. Tables serve a good initial starting point to organise one’s thinking and structure the organisational resilience debate. At the same time, this approach did not fully inform our understanding of organisational resilience, as the constrictions imposed by the nature of the table and its boundaries created a highly static “map”. This prevented the ability to identify or depict commonalities or overlaps among the disciplines and phases of resilience, and resulted in a repetitive or redundant presentation of information across any of the table’s cells with regards to the disciplines required for resilience.

MAPPING ORGANISATIONAL RESILIENCE USING DIAGRAMS

Several diagrams are presented below which were developed to map the disciplines and the specific behaviours or goals within each of those disciplines required for resilience. Figure 1 incorporates a chronological feature and takes a process approach to defining what phase of resilience each discipline contributes greatest to; indicating that one phase of resilience cannot fully be met if the earlier phase has not been addressed. At its centre is presented core set or list of generic behaviours or skills that are believed to be required across all disciplines, and therefore across all phases, to foster resilience.

Figure 1: The chronological process by which disciplines contribute to the development of a resilience capability and the core behaviours required

Figure 2 is based around the core aspects of any organisation and sets out the disciplines and behaviours required within each of those to create a resilient organisation. It is more complex but it does allow greater flexibility in showing all aspects of “resilience” and has scope to grow into a more comprehensive concept.

Figure 2: The key facets of resilience and their associated disciplines, functions or areas

These sorts of diagrams may be more beneficial to understanding the unique contributions of each discipline to overall resilience, the potential outputs created by those disciplines. Additionally, they better serve to illustrate a chronological or sequential path to the process of creating resilience. However, the potential overlaps between the disciplines in terms of the required behaviours for optimal creation of resilience were once again difficult to display using this format. As with the table, this method was found to be too static in nature to truly capture the links or relationships between the individual disciplines and overall resilience. Specifically, the disciplines could not easily be assigned to one chronological “phase” of the resilience process, and the varying degrees or levels of influence of the disciplines across multiple phases, and, importantly overlaps between the disciplines’ contributions were not illustrated.

MAPPING ORGANISATIONAL RESILIENCE USING A MINDMAP

Two different types of mind‐maps were created in an attempt to address this shortcoming and illustrate the overlaps between the individual disciplines in terms of contributions to organisational resilience. Figure 3 is a mind‐map in which the main activities of each discipline and the links between the disciplines are set out. This is quite informative and could have scope to be built up into a broader view, detailing more specifically the key discipline activities. Ultimately all it would show, however, is where there are touch points in other disciplines.

Figure 3: Mind map of the disciplines and their potential relationship links or interfaces

Figure 4 extrapolates the information gained from the links depicted in the mind map above into a Venn diagram, which more clearly depicts the existing overlaps between the disciplines. This is much more limited in showing only broad areas but could develop if those overlaps contained the areas that caused them.

Figure 4: A Venn diagram depicting the overlapping relationships between the disciplines that contribute to resilience

Figure 5 illustrates the disciplines as the building blocks of resilience as set out earlier and attempts to demonstrate their relationships through their contribution to each aspect required to deliver a resilient organisation. Although somewhat simplistic at this stage, the hierarchical approach seems to work well in terms of demonstrating the various disciplines and how they directly inter‐act through systems, processes and behaviours which are all key to a resilient organisation. Following this stage of development, the next would be to identify the cross over point and inter‐ actions in each key area at Level 2 as those areas whereby resilience can be improved beyond silos and where integration should be occurring.

Figure 5: Resilience as a hierarchical model

A CONTINUING JOURNEY: FUTURE STEPS

Mind‐maps were found to be most useful for depicting the interlinking relationships between the individual disciplines, and, with more work, this may serve to allow an organisation to focus efforts on reducing duplicated or redundant efforts when creating or fostering resilience. The levels of detail beyond the scope of this paper must be investigated next, where the groups of disciplines meet, to identify the synergies, supporting activities, redundancy, duplication and integration‐or not‐ in order to derive a better understanding of how the resilience can be improved.

CONCLUSION

The endeavour to map the contributions of individual resilience disciplines to organisational resilience is a fruitful yet challenging one. This paper has presented multiple methods tried and tested by contributors in an initial attempt to pave the road towards creating a structured resilience map. It illustrates the existing debate in response to the question “what is organisational resilience and how can we map its contributing disciplines?” Pursuing this work will begin to provide a structured and systematic approach that organisations may tailor to their own needs to ensure resilience is being fostered across their systems and processes. Such an approach or tool or benchmark can only serve to improve and help organisations become stronger and more resilient in today’s world of closely integrated threats and risks. It is interesting also to note that work is currently underway – and has been for sometime – to establish an ISO 22323 Standard for Organisational Resilience, and that there is also an ASIS Operational Resilience Standard SPC.1.2009 in place in the USA. The subject has been, and is being, approached from a variety of directions and aspects and further development here should aim to support and add clarity by delivering clear views from the key communities such as the membership of the BCI. Attached to this paper is the opportunity for comment in the BCI survey (https://www.surveymonkey.com/s/OrganisationalResilience2012 ) in order to develop a further view of how the user community sees these matters being taken forward and where they perceive the best use of effort to be applied. In this way, further work can be focused on those areas which add best value to those who need it.