Organizational resilience according to ISO 22316 – Is this another buzzword?
Both management systems standards on information security (ISO 27001) and business continuity (ISO 22301), while trying to encompass the whole organization, still lack components and dimensions to holistically protect an enterprise. The concept of resilience expands these approaches and enhances the preparedness and development of organizations.
Resilience – What’s this?
Do we really need this new approach? What’s actually new? There are so many standards already – will we ever cope? Another certification? We do this all the time!
These are all good and valid questions and statements. The concept of resilience is not new. If we interpret the definition of resilience as the “ability… to absorb and adapt in a changing environment,” we realize that Mother Nature (evolution) has successfully applied this principle for quite some time. As such, it is quite reasonable to adopt this approach also for organizations (run by humans). For long-term stability and growth there is no other recipe than the ability to adapt.
Yet another standard?
The new standard ISO 22316 provides guidance (recommends an approach) to enhance an organization’s resilience. It does so by proposing principles, attributes, and activities contributing to more resilient organizations. This standard (a guidance document) cannot be used to certify an organization; rather, it serves as an umbrella covering a range of management disciplines, which all need to be sufficiently mature and able to interact with each other in a synergistic fashion.
Two of these management disciplines are information security (ISO 27001) and business continuity (ISO 22301). These system management standards serve to properly implement the respective approach, and organizations may get certified against these two standards.
Organizational resilience expands the concept of preparedness also to threats that might develop slowly, but still would be fatal for the organization if not properly anticipated. While the above-mentioned system management standards deal with classic disruptive, sudden events (such as IT breakdowns or a factory fire), a resilience approach also deals with political, legal, demographic, climate-related, and other threats, which would not impact the organization from one moment to the next, but maybe months and years down the road. How many world-leading organizations have vanished because they were not resilient enough: Swissair, Kodak, Nokia, …?
One of the greatest values of ISO 22316 is based on the fact that it proposes a structured approach to resilience. While organizations may have more or less successfully been on a path to resilience (especially those that have implemented an ISMS or BCMS according to ISO 27001 or ISO 22301), the new guidance document on organizational resilience provides concrete guidance on what to undertake.
The foundation of resilience is based on a couple of principles. Let’s discuss two examples:
- The behaviors of all members of an organization need to contribute to organizational resilience, and any passive or counter-productive behavior should be avoided. This also means that the workforce itself should consist of resilient people, building resilience from the bottom up. Non-engagement within the workforce, a high degree of absenteeism, or a workforce that is effectively fighting against management are behaviors that do not contribute to organizational resilience.
- Diversity of skills is very important, as new threats, challenges, and opportunities may originate from different areas within the organization or from its environment. Only if management and the entire workforce have a 360° view of what may be a threat or an opportunity can an organization increase its level of resilience.
Based on these basic principles, an organization should exhibit a range of attributes, supporting it on its path to enhanced resilience. Again, let us have a look at two of the proposed attributes:
- Understanding the context of the organization. This is very important in contributing to organizational resilience, not only as part of managing risk, but also in identifying opportunities. See also: Explanation of ISO 27001:2013 clause 4.1 (Understanding the organization).
- Continual improvement. Of course, standing still is falling back. This is why ISO 22316, no surprise, did not fail to mention this attribute. This is nothing new for users of systems management standards. Read also: The blessing of continuous improvement in ISO 22301.
The third level of this approach proposes a range of activities, also contributing to the final goal, for example:
- Individual goals are to be aligned with the organization’s goals
- Clarity about the organization’s purpose, which may need to be changed
- Follow up on innovative ideas
- Think beyond current activities
Last, but not least, an organization is suggested to implement and refine a range of management disciplines. We already know two of them: information security and business continuity. ISO 22316 proposes a range of additional management disciplines to be nurtured, e.g.:
- Environmental management
- Facilities management
- Financial control
- Health and safety management
- Quality management
- Risk management
On top of that, business intelligence and the monitoring of customer trends as well as political, environmental, and legal requirements contribute to organizational resilience.
Do we need organizational resilience?
It’s hard to imagine an organization that would not benefit from implementing a structured approach to organizational resilience. In today’s highly competitive environment, nurturing this pillar of strength of an organization might be one of the “secrets” to sustainable success. In short, an organization needs to identify and implement its key management disciplines (such as information security according to ISO 27001 and BCM with ISO 22301). This is the foundation on which to build organizational resilience; ISO 22316 is the proper tool for that purpose.
Download this white paper: Clause-by-clause explanation of ISO 22301 to see how to increase your organization’s resilience using ISO 22301.