Our world is undergoing unprecedented and unpredictable change, very quickly. If you are not aiming for resilience, it can be game over!
Severe shocks and catastrophic events will become more common and less predictable, and will unfold quickly. The sources of risk will be wider and cover climate change, cyber threats, technological revolutions, economic shocks and geopolitical instability.
Strengthening organisational resilience to prepare for a wider range of eventualities has never been more important. Understanding your risks and vulnerabilities is a crucial step in building a resilient organisation so that you can plan to continue in business. Unfortunately, many organisations have remained relentlessly focused on short and medium-term risks.
We believe that improving resilience should be a strategic goal for the board and the leadership team. Improving resilience is also important for good governance, good business practice and effective risk management.
What is resilience?
ISO 22316:2017 Organisational resilience — Principles and attributes, defines organisational resilience as “the ability of an organisation to absorb and adapt in a changing environment to enable it to deliver its objectives and to survive and prosper.”
It is a great definition, but it is missing the word ‘anticipate’ (as in anticipating the changing environment), although ‘anticipate’ is included in the standard.
ITIL 4, on the other hand, defines resilience as “the ability of an organisation to anticipate, prepare for, respond to, and adapt to both incremental changes and sudden disruptions from an external perspective.” Again, a good definition, but what about disruptions from an internal perspective?
Let's not get too hung up on definitions. A broader, hybrid definition or theme of organisational resilience is “the ability to anticipate, plan, withstand, survive and thrive in the face of anticipated and unanticipated shocks that are internal and external to the organisation.” Why?
- ‘anticipate, plan, withstand, survive and thrive’ are actions the organisation can consciously take. By anticipating shocks you are ready to respond whether they are incremental or sudden.
- shocks can be anticipated (like Donald Rumsfeld’s known unknowns), unanticipated or improbable (like Nassim Nicholas Taleb’s black swan events)
- shocks can be internal (like the Enron scandal) or external (like the COVID-19 pandemic) to the organisation.
Shocks are real, not theoretical. Organisations must be prepared.
The 6 pillars of resilience
Remember, anticipating and understanding the wide range of risk events and sources is a critical first step to building a resilient organisation. Implementing a range of preventative and detective controls (including plans, policies, procedures, actions etc.) helps to address the risks. The response plans are often ‘corrective’ controls designed to restore and improve an organisation's position after a disruption or shock.
To achieve resilience, the traditional Business Continuity Plan (BCP) can be helpful, but it may not be enough. In our view, an organisation needs to strengthen these 6 pillars of resilience.
If cash is king, then working capital is a God! Resilient organisations maintain a strong capital position and adequate liquidity to withstand abrupt decreases in revenue, higher costs, or credit difficulties. They undertake financial modelling, what-if analysis and scenario testing exploring a range of financial eventualities. Regular monitoring of the financial position and financial ratios allows the organisation to identify early warning signs of most financial shocks.
Without financial resilience, operational resilience and technological resilience cannot be maintained.
The key response plan to a sudden financial shock is the Financial Recovery Plan which should identify a range of recovery options.
Resilient organisations retain robust production/service delivery capacity that can meet fluctuations in demand and scale up and down, not just react to disruption. They set and meet minimum quality standards and minimise interruptions from failures of individual suppliers or distributors, from natural catastrophes and climate change to geopolitical events. They can run lean using just-in-time principles, but also build redundancies and diversify within their supply chain. They have effective insurance programs…just in case.
The two response plans here include the Business Continuity Plan and the Contingency Plan for third parties, outsourced arrangements and key vendors.
Depending on the organisation, nature of its activities and range of stakeholders, Emergency Management Planning for a range of hazards is also important.
From listed companies to the local pizzeria, information technology (IT) is at the heart of any successful business. Resilient organisations invest in robust, secure, and adaptable information and communication infrastructure. They are security conscious. They have several redundancies. They are cyber resilient and well prepared to handle cyber risks and avoid technological and communication breakdowns. It's also about changing, adapting and aligning technology to customer demand and user service delivery preferences.
The response to a technology failure includes the IT Disaster Recovery Plan and Data Breach Incident Response Plan. The IT Strategy Roadmap on the other hand will ensure alignment of technology to the strategy, business needs and user requirements.
Talented people are an organisation's most valuable asset. Resilient organisations employ the best talent they can afford, develop talent equitably, and upskill or reskill personnel quickly. They have a flexible, empowered and highly engaged workforce and maintain sound succession plans throughout the business. Strategy, vision, mission, culture and desired actions reinforce each other. Delegations, policies and procedures support business processes, but allow for fast and agile decision making when needed.
The key response plans to a sudden shock in workforce safety and capability include the Emergency Evacuation Plan, the Succession Plan and the Pandemic Plan.
More resilient organisations have a robust yet agile business model. They seek innovation, embrace change and promote entrepreneurship. Their business model can respond to substantial changes in consumer demand, the competitive environment, technology advancements, and the regulatory landscape. Organisational resilience is integrated into strategic planning and considered in risk-aware decision-making to take maximum advantage of unexpected upside or adapt to negative changes. They use what-if analysis and rationalise the ‘why’ behind what they do. They consider various options under different assumptions, and reviewing and challenging the strategy is a critical part of the planning.
They use a range of strategic management tools such as the SWOT analysis, Porter's 5 Forces, the PESTEL model etc. to inform their strategic planning. They understand the value of taking risk and the potential consequences if the strategic risks are not managed well.
There is no single response plan here, but the Strategic Plan is the main playbook. However, the plan needs to be nimble and agile, and outline specific activities with regular evaluation of key performance indicators and monitoring of the internal actions and external environment. The Strategic Plan can also be complemented by a range of other plans, management projects and actions, e.g. Business Plan, Marketing Plan.
A failure in other pillars such as financial resilience, operational resilience or technological resilience will require a revision of the Strategic Plan and effective implementation of the appropriate response plan to minimise the shock.
Brand resilient organisations keep their brand promise via their actions and words. They recognise the value of their reputation. They are open and transparent. They understand, listen to and communicate with their stakeholders. They anticipate and address societal expectations such as diversity and inclusion, social responsibility and respond to criticism in a timely and responsible manner that is in line with their brand promise.
The most important response plan to a sudden brand or reputational shock is the Crisis Management Plan. Also important during crisis management and in all the responses to any shock is an effective Communication Plan.
All response plans should also include a ‘lessons learned’ action to allow the organisation to strengthen controls, enhance resilience and improve a future response.
Our 6 pillars should be a guide for most organisations. The elements may change depending on the individual organisation.
What is your organisation missing? Where are the resilience gaps?
Putting resilience into practice
In order to take your resilience framework from theory to practice, a number of activities outlined in ISO 22316:2017 are necessary.
- Articulate a shared vision and clarity of purpose – This provides strategic direction, coherence and clarity in all decision-making.
- Understand the organisation’s internal and external environments – This helps the organisation make more effective strategic decisions about the priorities for resilience, and think beyond current activities, strategy, and organisational boundaries.
- Leadership – Organisational resilience is enhanced by strong leadership that develops and encourages others to lead under a range of conditions and circumstances, including during periods of uncertainty and disruption.
- Supportive culture – Creating a culture that is supportive of organisational resilience demonstrates a commitment to, and existence of, shared beliefs and values, positive attitudes and behaviour.
- Shared information and knowledge – Organisational resilience is enhanced when knowledge is widely shared where appropriate and applied. Learning from experience and learning from each other is encouraged.
- Availability of resources – Develop and allocate resources, such as people, premises, technology, finance and information, to anticipate and address vulnerabilities that support the 6 pillars of resilience (see above).
- Management discipline – All management disciplines are coordinated so that they individually and collectively contribute to the organisation’s purpose and the protection of what it values.
- Continual improvement – Resilience is improved when organisations continually monitor their performance against pre-determined criteria to learn and improve from experience and take advantage of opportunities. Organisations create and encourage a culture of continual improvement across all areas.
- Continually anticipate and manage change – Resilience is enhanced when an organisation has the ability to anticipate, plan, and respond to change.
It’s not too late
If your organisation fell a little short in resilience during the COVID-19 pandemic, it’s not too late. Crises should be catalysts for transformation and can create a unique opportunity to rethink resilience. So, what can you do?
Look for opportunities
As the saying goes – ‘never waste a good crisis’. Strive to gain an edge amid adversity by skilfully responding to new circumstances. Crises may also be the most effective pretext for hastening long-term revolutionary change.
A crisis may look tactical and operational in the near term, but in the long run, new business requirements and opportunities from failed competitors may arise.
Collaboration among employees, consumers, suppliers and other stakeholders is critical. Resilience requires an understanding of these inter-dependencies and how the connections between various components within the organisation and its environment alter under stress.
Promote diversity of thought
Resilience is dependent on the ability to develop alternate responses to events, which is dependent on the ability to perceive things with new eyes. Resilient companies encourage cognitive variety and recognise the importance of different perspectives from different people.
Change is good. Resilience is more about creating organisations and supporting systems that are built on constant change and experimentation than it is about making occasional adjustments in extreme circumstances. This is done partly to avoid rigidity and partly because iterative incremental adjustment is far less risky than a massive one-time adjustment.
How we can help you be more resilient
We are here to help strengthen organisational resilience. Our resilience capabilities include designing and developing a wide range of response plans to enhance your resilience posture and capabilities. These response plans include:
- Business continuity plan
- Contingency plan
- Pandemic plan
- Succession plan
- Crisis management plan
- Financial recovery plan
- IT disaster recovery plan
- Data breach incident response plan
- Emergency management plan
Be more resilient to a wide range of shocks and contact us to discuss any gaps in your resilience framework.