Compared to just a few years ago there are now dozens of forward-thinking research environments looking specifically at the broad topic of resilience. Not just operating cultures, risks, threats, crisis management, or business continuity in isolation, but a much wider convergence of issues where, to summarise Aristotle over 2000 years ago, ‘The whole is greater than the sum of the parts’. In short, joining up the dots to create a synergised collection of otherwise discrete activities: to shift from silos to synergy in a world of mutating threats and opportunities, all underpinned by a sense of constant uncertainty, with the knowledge that the future bears little resemblance to the past.
Take just one research environment: the Stockholm Resilience Centre, Stockholm University, which, after a great deal of research, has just published a report that finds risks to humankind are getting stuck in 14 ‘evolutionary dead ends’, ranging from global climate tipping points to misaligned artificial intelligence, chemical pollution, and accelerating infectious diseases. Moreover, 12 ‘traps’ are in an advanced state, meaning that we are on the verge of getting stuck to a degree where it becomes very difficult to ever get out (if you have a minute, look up ‘Anthropocene’).
I only mention such dystopian forecasts as I believe that they authenticate the breadth of work by the Stockholm Resilience Centre and point towards mechanisms to mitigate and cope. On which point, a few weeks ago the same authors published a very readable paper that zoomed in on the topic of infectious diseases (i.e. COVID-19), perhaps being aware that the risk of a pandemic, at least in the UK, has persistently/uniquely occupied the very top of all National Risk Registers since 2008.
Their findings reinforce previous research showing that ‘resilience is often poorly articulated …. and merely used as a general attribute for recovery or as a path to ‘bounce back’ as fast as possible [e.g. business continuity?]. The importance of resilience capacities for living and developing with changing circumstances and uncertain futures is largely absent’. I agree. This leads me nicely to the point in my article: how, nowadays, might we accurately describe what organizational resilience is: and is not?
For this I am going to stick with the Stockholm Resilience Centre’s research for a bit longer, not least as their findings are thorough, up to date, and unbiased. They also chime with my own belief, insofar that resilience is having the capacities to live and develop with change and uncertainty in a world where fixed business continuity management processes certainly have considerable value (that I will always support and encourage wherever applicable), but are most often at an operational level, within prescribed boundaries, and symbolised by adherence to plans aimed at restoring functions to what existed at a yesterday date when they were hopefully last updated.
Now it’s different: today we have to be far more agile and innovative to maintain critical activities in the face of prolonged uncertainty and ever changing threat landscapes: all in a world of ‘permacrisis’. With most socioeconomic dials already into the red zone and alarms sounding on numerous risk assessments, we need to build on yesterday and head for tomorrow, often without any preferred sense of certainty. By any standards that’s a tall order, but it’s the world that we live in.
The new research I refer to highlights adaptive capacities to absorb shocks and learn from them, to navigate uncertainty and surprise, to keep options alive, and to create space for innovation. To which I would add agility, abandoning blame cultures, and taking a broad organizational focus, not just operational.
To quote from BS 65000, the organizational resilience guidance standard, ‘Resilience is a strategic concern …. from the very top of an organization through its governance and risk management.…cutting across silos, organizational structures, and hierarchies, with operational activities aligned with strategic priorities’. Such operational activities include health & safety, information security, physical security, business continuity etc. In other words, organizational resilience spans executive and operational levels, with business continuity being a very important part of the latter (I am also mindful that BS 65000 lists 20 other ‘operational disciplines’ in the same group shared with business continuity).
I am likely to be branded a heretic by some colleagues who I have known and admired for many years as I believe it’s inaccurate to refer to business continuity and organizational resilience. For me, and progressively many others, it all should come under organizational resilience. Therefore, business continuity is not an interchangeable title with organizational resilience as the latter should encompass the other, along with various activities (although the usual situation has these activities only loosely connected at best). Nor in my opinion is business continuity the sole ‘beating heart’ of organizational resilience. If it was, an explanatory diagram of organizational resilience would simply illustrate business continuity dominating a large central position, solely nourishing a cluster of other actions/aspirations with little space for innovation or agility. I believe this would be a misrepresentation of organizational resilience where the whole is indeed greater than the sum of the parts, represented by the following diagram:
- In this illustration I have shown on the left some of the relevant business activities, aspirations and objectives already identified by the BSI (listed by them under Product, Leadership Process and People) to hopefully explain what I mean. For example: business continuity, risk management, governance, corporate social responsibility, adaptive capacity, innovation, horizon scanning, and reputation management as broadly discrete features.
- On the right I have attempted to illustrate how they might better come together to collectively identify (in all directions) strengths, weaknesses, risks, threats, and opportunities to the whole, rather than as separate entities. Ideally sharing the same doctrine, risk appetite, and purpose, where mistakes become learning opportunities and the drivers are leadership, vision, and culture.
I also note that the World Economic Forum has quite rightly pointed out that organizational resilience is not a response to risk, per se, which can often be quantified, but rather to uncertainty, which most often cannot, and therein lies a problem: in a world where terms like ‘black swan’ and ‘one in one hundred year’ events have lost all significance, recent lessons have accelerated the importance of replacing traditional risk and business continuity models with something more collective and dynamic.
The UK Government last year published a ‘Resilience Framework’ document which is a good read and under the Cabinet Office Economic and Domestic Secretariat (EDS) and Emergency Planning College (EPC) we now have a ‘Resilience Directorate’. Whilst these are moves in the right direction, I agree with the analysis of the National Preparedness Commission which reports that ‘the determination to remain focussed on ‘civil contingency risks’ feels somewhat dated and constrained in a world characterised by connected risks with cascading impacts…’.
We therefore need far more collaboration between public and private sectors and to move the topic of uncertainty into the forefront of organizational strategy and implementation across both (another article perhaps?).
In a world where the extraordinary has become commonplace and the unexpected is now regularly anticipated, predictability takes on a different meaning, so the need to anticipate and allow for adaptive capacity has never been greater. Some of the comparative benefits of organizational resilience might be listed as:
- Realising that organizational resilience is not a choice between risk, continuity, and adaptability. Rather, it is a synthesis of all three – and more.
- Demonstrating a capacity to improvise, innovate, and experiment in addressing challenges and exploiting opportunities. It’s about a culture of shared purpose.
- Creating the means, incentives, and imperatives to share information about risks, incidents, near misses, vulnerabilities, and opportunities, across the organization and with partners and other interested entities, including competitors where this could realise mutual benefit. It’s therefore important to dismantle blame cultures, which are a major impediment to learning.
- A 360-degree connected capability to better detect, mitigate, respond, recover, learn, and adapt to any disruptive challenge that might impact either, or every, layer in the organization and its supply routes. It also reduces overheads by having one overall coordinator, albeit with managers at key positions – but all sharing exactly the same objective.
So where does all this leave us?
In the past we could just about get away with reacting to one specific shock or event, but the threat landscape today and tomorrow has mutated to become more complicated than ever before. I therefore believe that more proactive, cross functional, joined-up, and agile strategies are urgently needed to identify, mitigate, and adapt to this new landscape. It’s about replacing traditional silos with synergy where purpose, doctrines, and governance are all shared.
It is imperative to stop pressing the snooze button and at last realise that Aristotle was absolutely right.
Peter Power FBCI FIRM BA JP has considerable hands-on experience of real time events and for many years has supported various governments and organizations in several different countries. He occasionally appears on TV and radio as an expert guest and is a Vice Chairman of the Resilience Association. He is also a past member of the UK Security Review Commission (IPPR) and previous Chairman of the World Conference on Disaster Management. Peter is a co-author of the UK Cabinet Office / BSI standard on Crisis Management (BS11200) and in an earlier life was instrumental in helping to create/promulgate the UK ‘Gold/Silver/Bronze’ Crisis Command System. He is quoted in the UK Government Guide on Integrated Emergency Management and is the author of many guidebooks, including the original UK Govt. (then DTI) issued guidebook on business continuity. Nowadays his focus is very much on promoting organizational resilience.
For me Peter articulates things very well. The end aim and benefits really is the collective capacity and capability and, just as important to the people involved, how to understand it. It’s simply about making the bad days better.
There is a great deal of discussion of BCM dressed as Operational and or Organizational Resilience, but on its own, we should know that BCM doesn’t provide the Resilience with a capital R.
All of the intrinsically linked capabilities and governance and compliance requirements that Peter demonstrates, plus more and leadership and incident management, provide the Resilience if they’re truly genetically linked as part of the organization’s DNA.
But of course it still won’t make the business immune from stresses. However it should make it (through its people) be simply better prepared and enabled because they bought themselves some time before it hit the fan.
To try and sell BCM as the key element to Organizational Resilience would be misleading (in my experience) simply because it’s part of it, rather than being it.
Paul Kudray, Head of Resilience.