p0temkin - Fotolia
Prepare for the unknown with an organizational resilience model
An organizational resilience strategy is far-reaching, involving many facets of IT and the business -- from disaster recovery to supply chain management.
While exact definitions of organizational resilience vary, several key characteristics are fundamental to the concept.
Resilience refers to an organization's ability to absorb the effects of a disruptive event, adapt to the circumstances associated with the event and then recover its people, processes, technologies and operations to a point where it can return to business as usual.
To achieve organizational resilience, a company must deeply understand its business and be familiar with resilience standards. It must also follow a specific set of steps to implement and validate an organizational resilience model.
Organizational resilience standards
There are three formal standards for organizational resilience:
- ASIS International1-2009 Organizational resilience: Security, preparedness, and continuity management systems -- Requirements with guidance for use (2009)
- British Standards Institution BS 65000 Guidance for organizational resilience (2014)
- International Organization for Standardization ISO 22316:2017 Security and resilience -- Organizational resilience -- Principles and attributes (2017)
Each covers the fundamental concepts of organizational resilience and offers guidance on how to establish and maintain an organizational resilience management initiative. The three standards are listed in chronological order, which reflects how the overall approach to organizational resilience has changed gradually over the years. What has evolved, specifically, is how organizations establish organizational resilience, as well as how they measure, monitor, test and improve it.
An organizational resilience model
Various frameworks of organizational resilience have been put forward to help organizations establish their own model. Figure 1 represents one such model and its associated framework.
This model and framework includes the primary domains that are essential for organizational resilience: operations management, risk and threat management, corporate leadership, human behavior, organizational culture and business strategies. Each of these domains must be fully engaged and collaborative throughout the development of organizational resilience, as each has a critical stake in the company.
Figure 1 also includes six essential operational elements that the organization needs to achieve resilience: business continuity and disaster recovery (BCDR); IT; facilities management; physical security management; financial management; and supply chain management. Disruptions to, or failures of, any or all of these attributes can affect the organization's ability to recover and resume business operations.
To establish a resilient organization, you must achieve balance across all areas of the company, especially those that support business operations and manage resources to mitigate risk.
How to achieve organizational resilience
The Plan-Do-Check-Act model -- advocated by the ISO, ASIS International and other standards organizations -- helps illustrate the steps toward organizational resilience.
After senior management forms and approves an organizational resilience team, the organization must gather information on how the business operates from all levels of the firm. This includes examining the company's people, processes, technologies, facilities, culture and leadership. The resilience team should perform a detailed risk analysis to identify all potential risks, threats and vulnerabilities. It must also analyze the actions the organization will take to mitigate disruptive events.
Once the team gathers such data, and any additional data it requires, it should define the criteria for turning the company into a resilient organization. Then, the team can develop a plan to achieve the desired resilience.
In this phase, the plan to achieve resilience is transformed into action steps. Upon completion, these steps will result in a resilient organization, as defined by the project team.
The next important step is to develop a project plan that details the necessary activities to establish and validate resilience. Perform the project steps and review and assess the completion of each step to ensure proper completion. Activities such as awareness and training, leadership briefings, and periodic status checks are all part of implementation.
After completing the resilience initiatives, the team must test and validate them to ensure all responsible parties are familiar with their duties and activities in an emergency. Based on testing activities, the team reviews and updates any policies and procedures that emanate from resilience initiatives.
After validating resilience activities, the team should update plans, policies and procedures as needed. It should also perform periodic reviews, assessments and audits, and regularly brief senior leadership and employees to keep all staff informed.