Organizational Resilience: What it could, or should, mean in the standards landscape

Brian Zawada, FBCI | Apr 04, 2012

As Posted in the Digital Edition of Continuity Insights Magazine

Admittedly, I wrote this article to better get my mind around the swirling debate regarding the concept of organizational resilience and what it means – or better yet, what it should mean – to business continuity, risk management and security professionals.  I am a member of the US Technical Advisory Group to ISO Technical Committee (TC) 223, which is charged with developing the ISO 22323 standard (Societal Security — Management system for resilience in organizations — requirements and guidance for use).  During the November 2011 meeting in Beijing, participants engaged in some great discussion regarding this standard (which is currently under development) and how it compares or fits with other risk management disciplines.  This article contains my opinions on the subject of organizational resilience, which will shape my future participation in the international standards development effort.  I welcome your comments and perspectives that I may share during future TC 223 meetings and discussions that may result in the development of ISO 22323.

Background – What’s Risk?
The ISO 31000 (Risk management – principles and guidelines) standard offers what I think is a simple, yet excellent, definition of the term risk.

  • Risk: Effect of uncertainty on objectives

This definition offers a succinct way to capture the upside of risk when exploited appropriately, and the possible downside of risk when managed poorly.  But risk isn’t limited to the type that causes disruption to resources and activities (the purpose of the business continuity discipline).  Many other types of risk exist that an organization faces each day.  The following table offers a brief summary of such risks, which is not meant to be all-inclusive.

The list above demonstrates that many disciplines must be involved to appropriately manage risk, given the diverse subject matter expertise required and the complexity involved.  It’s not just about business continuity!  Can one person, department or even discipline appropriately manage this diverse risk universe?  I would argue no.  Extending that further, can one standard offer detailed requirements or guidance for each?  Certainly not.  But could a standard – or standards – offer a way to flexibly manage risks in a manner beneficial to the unique needs of an organization?  I think the answer in this case is yes, assuming one standard acts as an umbrella to make risk management both efficient and effective.  This is where the concept of organizational resilience fits (or perhaps better said, this is where it SHOULD fit).

The Concept of Organizational Resilience
I must admit, when I first read ASIS International’s SPC.1.2009 standard on organizational resilience, I didn’t get it.  To me, it seemed like a standard that primarily addressed the same issues as business continuity, with a more detailed focus on risk assessment.  Here are two definitions from SPC.1, both of which are also found in early drafts of ISO 22323.

  • Resilience: Adaptive capacity of an organization in a complex and changing environment
  • Organization resilience management: Systematic and coordinated activities and practices through which an organization manages its risks of disruptive events by reducing likelihood and consequences

Based on many discussions with those involved in writing SPC.1 (by the way, this is the standard that served as the starting point for ISO 22323), as well as those who currently use it in some capacity, I was generally correct in my thinking.  Those individuals didn’t necessarily see risk assessment and mitigation as parts of business continuity.  However, most business continuity practitioners know that’s incorrect based on accepted, formalized professional practices (BCI and DRII), as well as the numerous standards that exist and highlight the need to perform such “proactive” risk assessment activities (e.g., BS 25999 and NFPA 1600).

I spoke with others who gave me some additional guidance on how SPC.1 benefited them and why it’s being used to shape an ISO standard with a similar name.  Simply put, organizational resilience represents a broader application of risk management than a singular focus on business continuity.  In other words, it’s similar to ISO 31000.  Further, they mentioned that organizational resilience addresses a diverse risk landscape, such as some of the risks noted in the table above (not just availability risk).

What’s Next for This Concept and Associated Standards?
TC 223, which is chartered by the International Organization for Standardization to develop and maintain a family of “societal security” related standards, defines societal security as follows:

  • Societal security: Protection of society from, and response to, incidents, emergencies and disasters caused by intentional and unintentional human acts, natural hazards, and technical failures

In a recent TC 223 plenary meeting, considerable work was done to help shape, among other topics, ISO 22323.  ISO 22323 focuses on operating a management system that “integrates risk assessment, anticipation, prevention, protection, deterrence, readiness, prevention, mitigation, response and recovery when managing the uncertainty of achieving objectives (risk) related to disruption (intentional, unintentional and natural)”.

There is considerable debate – inside and outside of TC 223 – regarding this standard and the concept of organizational resilience in general.  Some of the questions are:

  1. Is it appropriately different from business continuity (in theory, or as written)?
  2. Is it the right name?
  3. Does the term even translate outside of the English language?
  4. Is it even a discipline?
  5. Is it mature enough to have a “requirements” standard?
  6. Is it the same as Enterprise Risk Management (ERM)?
  7. How does ISO 22323 relate to ISO 31000?

Let’s explore each of these questions:

Q:  Is it appropriately different from business continuity (in theory, or as written)?
As written today (in SPC.1 or the working draft of ISO 22323) I would say no.  Based on the work done in Beijing, there is certainly the possibility that differentiation will take place over the next twelve months.  The current writing is insufficient in describing the differences.  I suspect that the evolution of the standard will demonstrate differentiation as an umbrella risk management standard that addresses risks that include, but are not limited to, availability risk.

Q:  Does the term even translate outside of the English language?
Based on discussions with non-English speaking country representatives, it does not translate very well at all.

Q:  Is it the right name?
I don’t think so.  Beyond translation issues and even the confusion regarding the similarities between organizational resilience and business continuity, the term does not intuitively describe the intent of this specific subject matter.  I would like to see something as simple and straightforward as “risk management” or “enterprise risk management”.  Unfortunately, this may create some problems given there are other ISO technical committees focused on broader risk management beyond societal security.  Perhaps the solution is cooperation across technical committees.  We’ll have to wait and see how this effort evolves.

Q:  Is it even a discipline?
The answer to this question is a topic for debate.  Some consider organizational resilience an outcome of the risk management discipline as a whole (the organization is resilient).  Some see it as an umbrella process to coordinate risk management.  I see a little bit of both and, as a result, it may not be a discipline but a method to add value by increasing knowledge-sharing and coordination among those charged with managing risk.

Q:  Is it mature enough to have a “requirements” standard?
The answer to this question is another topic for debate.  A guidance document already exists that’s currently an ISO best seller.  Why not contribute to maturation by developing an auditable set of requirements?  After all, standards are not static documents, but instead subject to review and revision – so the approach doesn’t have to be perfect immediately.  I don’t see any harm in making the attempt to develop a requirements document that appeals to organizations that perform risk management in a broad, strategic and coordinated manner.

Q:  Is it the same as ERM?
I think it can or should be, and perhaps it should even be called ERM. Based on an excerpt from Wikipedia, “ERM in business includes the methods and processes used by organizations to manage risks and seize opportunities related to the achievement of their objectives. ERM provides a framework for risk management, which typically involves identifying particular events or circumstances relevant to the organization’s objectives (risks and opportunities), assessing them in terms of likelihood and magnitude of impact, determining a response strategy, and monitoring progress. By identifying and proactively addressing risks and opportunities, business enterprises protect and create value for their stakeholders, including owners, employees, customers, regulators, and society overall.”

There is value in coordinating and strategically managing risk.  Certainly not every organization is mature enough or capable enough to do this right away, but I suspect many will grow into ERM concepts.  It’s those organizations that will benefit from such a standard.

Q:  How does ISO 22323 relate to ISO 31000?
The original developers of SPC.1 say the organizational resilience concept is a security implementation of ISO 31000, and recent comments made by TC 223 leaders indicate a desire to make ISO 22323 a requirements version of ISO 31000 focused on societal security issues.  This is an intriguing direction, but it comes with a challenge.  TC 223 can only write standards based on its “societal security” charter.  In my opinion, to be most valuable, ISO 22323 needs to address a broader set of “enterprise” risks such as those introduced in the table at the beginning of this article.

For years, well before the introduction of the term “organizational resilience” and ASIS International’s SPC.1, considerable dialogue took place regarding the need for risk management convergence.  The debate regarding ISO 22323 is an extension of this debate.  I see this effort adding value if it can evolve and offer a framework to efficiently address broader, enterprise risk management.  I think all risk management professionals – including but not limited to business continuity professionals – need to stand by, be patient and prepare themselves to offer feedback on future drafts as they are released for comment.  The key is to recognize the market need for standards that help solve two major risk management challenges:

  1. Coordinate to be efficient and make risk management feasible
  2. Remove unnecessary complexity in order to improve adoption

Brian Zawada
Avalution Consulting: Business Continuity Consulting

Brian Zawada (MBCI, MBCP) is the Director of Consulting for Avalution Consulting, LLC, a US-based firm specializing in business continuity and IT disaster recovery planning.  Brian serves on the US Technical Advisory Group to ISO TC 223, and he participates in Workgroup 4, which is currently charged with developing ISO 22301, ISO 22313 and ISO 22323.  Brian can be reached via email at [email protected].