Economic crises and consumer trends are just a couple of the pitfalls that can dramatically affect the way in which a given organisation does business and survives. As Mike Bluestone duly observes, resilience is the key for any business wanting to thrive in an ever-changing world.
We inhabit a world wherein the rate of change is now accelerating at speeds never seen before. Our climate is in a state of flux. There’s political instability at every turn, it seems. Consumers appear to change their minds on a whim. That’s not even mentioning the all-pervasive technology that surrounds us. That technology is advancing at exponential rates. How, then, can organisations keep pace with the scale and speed of events?
Risks, threats and vulnerabilities are the challenges that security professionals face every day. It’s rarely boring, and be it opportunist and/or organised crime, terrorism, single-issue activism or anti-social behaviour, it seems that those challenges rarely show any signs of abating.
Today’s physical and cyber security professionals are constantly grappling with the mitigation of those risks and threats. Our work is focused on the prevention of incidents and attacks, and also ensuring the ability to respond smartly and mitigate any damage.
Deterring the adversary
The traditional mantra has always been: ‘Deter the adversary, and be prepared with the best security solutions that budgets will allow’. The quality of the specific corporate security strategy (and, importantly, the commitment of the senior leadership team) will normally dictate just how effective the security regime is in the real world, but is that approach really enough? Does the implementation of strong security risk management policies, procedures and programmes adequately address the needs of large-scale public and private corporations and organisations in addition to SMEs?
Let’s pause for a moment and consider how Her Majesty’s Government – and, more specifically, the Cabinet Office – views matters, and also focus on the direction of the standards-setting bodies such as the British Standards Institution.
A few years ago, Her Majesty’s Government published its National Security Strategy and Strategic Defence and Security Review, which included a stated commitment to strengthen the UK’s domestic resilience and law enforcement capabilities against global challenges which increasingly affect our people, communities and businesses. The concept of ‘Organisational Resilience’ subsequently started to take on real resonance, not just in the world of security risk management, but also in the related disciplines of business continuity, crisis and incident management, emergency management and disaster response and recovery.
What, then, is ‘Organisational Resilience’? ‘Organisational Resilience’ is the ability of an organisation to anticipate, prepare for, respond and adapt to incremental change and sudden disruptions in order to survive and prosper.
Of course, as mentioned earlier, addressing risks, threats and vulnerabilities has historically been at the forefront of security risk management strategies, but the essence of having a resilient organisation challenges that paradigm, introducing as it does a more rounded and joined-up approach in sustaining the health and well-being of any organisation.
Risk is generally defined as ‘the likelihood that we or our property will be harmed’ and alludes to the consequences of that harm. Resilience is, however, essential when it comes to facing down risk.
Some two decades ago, attempts were made to introduce a joined-up approach to the separate security and risk-related disciplines through the concept of convergence. Convergence of security risks is a broad term which covers the multiplicity and independence of a variety of security risks facing the business. It requires a response which brings together all those dedicated to the security of the organisation to assess collective corporate risks. Risks which are looked at in isolation can increase the probability of the risk materialising.
Some observers have commented that convergence was perhaps a bit ahead of its time, and it was not embraced as widely in the corporate world as some of us thought it would be. It was, however, a serious and bold attempt at reducing the ‘silo’ mentality which existed – and, indeed, still exists to a degree – across a wide spectrum of risk management disciplines.
Many of the conventional physical and information security risks are still viewed in isolation. These risks may converge or overlap at specific points during the risk lifecycle and, as such, could become a ‘blind spot’ for the organisation or those individuals directly responsible for risk management.
‘Organisational Resilience’ focuses on the ability of an organisation to absorb and adapt in a changing environment to enable it to deliver its objectives as well as survive and prosper. More resilient organisations can anticipate and respond to threats and opportunities arising from sudden or gradual changes in their internal and external context. Enhancing resilience can be a strategic organisational goal and is, in essence, the outcome of good business practice and effectively managing risk.
This new consensus on the concept of resilience has emerged as a practical response to risks and threats and encompasses security, preparedness, risk and survival.
Being resilient requires a proactive and determined attitude to remain a thriving enterprise (or indeed country, region or organisation) despite any challenges that may emerge. Resilience moves beyond a defensive security and protection posture and applies the entity’s inherent strength to withstand crisis and deflect attacks of any nature.
Resilience also means being empowered through awareness of your situation, your risks, your vulnerabilities and your current capabilities to deal with them, and being able to make informed tactical and strategic decisions on that basis.
With this in mind, there are guidance documents and standards available which can help security professionals and practitioners navigate their way through the resilience journey. At the forefront of published standards is ISO 22316:2017 Security and Resilience, Organisational Resilience, Principles and Attributes. Earlier standards include BS 65000 Guidance on Organisational Resilience.
ISO 22316:2017 takes a wide view of the elements that can drive resilience in an organisation. Many of these are behavioural and have historically been overlooked. This is why one of the key principles of the standard is to assist organisations in developing a culture that supports resilience. It also involves building upon existing forms of risk management, having shared values and an awareness of changing contexts underpinned by strong and empowered leadership.
Other useful standards which can assist here include BS 16000:2015 Security Management, Strategic and Operational Guidelines, BS ISO 27031 Information Technology, Security Techniques, Guidelines for Information and Communication Technology Readiness for Business Continuity, BS EN/ISO 27001 Information Security Management, ISO 22301 Business Continuity Management, BS ISO 31000 and BS 31100 Risk Management, PAS 555:2013 Cyber Security Risk Governance and Management Specification and also BS 11200:2014 Crisis Management, Guidance and Good Practice.
‘Organisational Resilience’ is now viewed as a strategic imperative for an organisation to prosper in society, whereby the individual security and risk-related disciplines can no longer exist in isolation from one another. Significantly, achieving an appropriate level of resilience can only be attained over time and built upon a firm and long-term strategy.
Mastering ‘Organisational Resilience’ requires the adoption of Best Practice and a robust business culture whereby any business improvement is delivered across the company. This approach will enable organisational leaders to take measured risks with confidence, as well as maximise any opportunities that happen to present themselves through time.
Implementing security programmes requires being mindful of the principles of resilience. Thinking should go beyond prevention and, indeed, survival and aspire towards prosperity. Moving forward after a major incident or disaster, for example, should include a firm desire to not only learn lessons from the event or events, but for that entity to become more successful, more prosperous and to thrive.
Achieving resilience requires the ability to anticipate, prepare for, respond and adapt to incremental change and sudden disruption in order to navigate successfully through the survival stage and then prosper.
Mike Bluestone MA CSyP FSyI is Director of Corps Consult