Why care for something like organizational resilience? We’ve got a lot of management and corporate governance tools; we’ve got a dozen or so ISO system management standards; and on top of that, there are a lot of frameworks at our disposal, helping us to better manage an organization.
One might argue about the root causes that a need to “create” something like “organizational resilience” arose from the fact that business continuity management did not provide enough protection for each and every threat to an organization. BCM is certainly the holistic discipline to prepare an organization against the impacts of sudden and large-scale events. ISO technical committee 292 (ISO/TC 292), which has developed ISO 22301:2012, the world’s first standard specifying a business continuity management system (BCMS), came up with the proposal to enhance this approach and to establish an overarching approach: describing what it would take to expand on the idea of BCM and to increase the protection envelope.
Yet, it can be observed that most organizations already try to achieve a certain degree of organizational resilience in their own interest, but it is also clear that this approach can be enhanced and put on a more systematic basis. This is one of the main objectives of ISO 22316. As there was no usable definition of organizational resilience, the subject matter has now been defined as: “ability of an organization to absorb and adapt to a changing environment”.
Similar to business continuity, we are talking about a changing environment, but the changes are no longer just short-term catastrophic effects, such as power outages, floods, or cyber-attacks, but the environment may change rather slowly, maybe even on a non-noticeable scale on a day-to-day basis. But still, these gradual changes may bring down an organization in the long-term. For example, if an organization is failing to adapt to changes in customer requirements or taste, it will have problems in the future. If an organization ignores changes in legislature, currency exchange rates, rising political instability, etc., this organization may not feel any impact next week or next month but might arrive to be in a very uncomfortable position a couple of years down the road. Frankly, this multi-dimensional challenge of managing and adapting to a changing environment appears to be a core ability of organizational resilience.
In ISO 22316, a three-pronged, structured approach involving principles, attributes, and activities is proposed. Principles provide a foundation for enhancing an organization’s resilience; attributes describe the characteristics of an organization that allows the principles to be adopted. Finally, activities guide the utilization, evaluation, and enhancement of attributes.
First of all, as a foundation, organizations need to adhere to certain principles, without which a gradual development of organizational resilience seems to be futile. As a consequence, organizations need to follow a range of principles in order to have a chance to work towards organizational resilience.
Secondly, organizations need to display certain attributes contributing to organizational resilience; they need to adopt these attributes. Finally, observing the principles and displaying the attributes, a range of activities need to take place. The common goal of these activities is to guide to the evaluation and enhancement of attributes. So we are not asking for a kind of passive properties such as possessing principles and displaying attributes, but the approach to organizational resilience consists of performing a range of favorable activities.
Consequently, because of space limitations, let us just have a look at selected examples of principles, attributes, and activities.
Examples of a favorable principle are behaviors of all members of the organization in order to contribute to organizational resilience. Passive or counter-productive behavior should be avoided. This also means that the workforce should consist of resilient people itself, in order to build resilience from the bottom up. If there is non-engagement within the workforce, a high degree of absenteeism, or if the workforce is kind of fighting against management, we see behaviors not contributing to organizational resilience;
An example of what a favorable attribute possesses is an understanding of the context of the organization. This is a very important attribute which again contributes to enhancing the organization, not only as part of managing risk, but also in order to identify opportunities. These opportunities may range from being more immune to changes in the political landscape to innovative product ideas;
Another example for a very important activity to enhance organizational resilience is the establishment of a culture of continual improvement. Of course, this approach is not unique to organizational resilience: striving to improve is part of every ISO systems management standard such as ISO 9001, ISO 27001, ISO 22301, etc.
Finally, ISO 22316 cites examples of management disciplines which need to be implemented at a high maturity level and which need to synergistically enhance each other in order to contribute to organizational resilience. Depending on the industry of the organization, some of these management disciplines might be more important than other ones. However, it can safely be assumed that such management disciplines like business continuity management, environmental management, financial control, information security management, quality management and risk management need to be established and support each other.
So, what are critical success factors contributing to organizational resilience? We certainly need a holistic and interdisciplinary approach, as organizational resilience is not a departmental responsibility, but is the responsibility of the whole organization. This starts with full management commitment (from the top) but needs to spread out to all staff of the organization: if nobody knew where the organization is heading and how to make it more resilient, management would be powerless. Organizational resilience also needs a 360° monitoring in several areas, such as legal, compliance, politics, competition, environment, market and consumer trends, foreign exchange, and others.
As organizational resilience is a young discipline, ISO 22316 is not a specification standard (you cannot as an organization be certified against it), but it provides valuable guidance on what an organization needs to undertake to progress on the path to organizational resilience.
Integrating resilience in your organization does not only bind to supporting the sustainable development of your organization but also initiates a quality culture within the working environment. Therefore, certifying against ISO 22316 through PECB will give your organization the advantage of pursuing a resilient organizational culture while having the ability of fast response to unexpected changes. The advantage of training on Organization Resilience will also be prone to elevate the performance of your employees in terms of both skills and attitudes of supporting fast changes.