The long-awaited ISO 22316:2017 Security and Resilience – Organisational Resilience – Principles and Attributes has arrived. At first read it doesn’t seem to offer much – a long title, but just ten pages of what might be construed as rather dry and heavily-engineered clauses. Surely, there must be value in there if only it can be unlocked? John Robinson decided to apply his own test that’s perhaps a little ‘off-piste’ as far as conventional reviews go, but relevant for many: Brexit.
Brexit isn’t just there to be ‘enjoyed’ by us British. Rather, it’s an international phenomenon. Set aside your personal views and think about it neutrally from the perspective of your organisation. Whether you’re based in Manchester, Milan or Melbourne, whether you represent a charity, a public body or a plc, there’s a good chance Brexit may affect what it is you do as a practising professional and, if ISO 22316 can help you deal with this, so much the better.
Brexit represents a systemic, multi-faceted, enduring, changing and complex risk. It carries the possibility of both losses and opportunities that may be linked and, circumstantially, felt differently by each of us at different times. It’s a moving feast or famine and business resilience seems to be a necessary stabilising quality if we’re to complete the ‘exit’ journey acceptably.
The approach adopted here is to work through the International Standard, interpreting the guidance it offers with Brexit as the subject. What follows is modestly informed opinion and will undoubtedly not apply for all, but reflects a personal search for value in the widest sense.
By their very nature standards are generic and require interpretation for the context in which they’re applied. You simply cannot pick one up and expect to extract an instant list of tasks that must be performed in order for compliance. Instead, you must work at it (or maybe ask a specialist to do it for you).
ISO 22316 begins by explaining what it means to be resilient. In short, this amounts to preserving the delivery of strategic objectives by anticipating and responding, absorbing shock and adapting to change. It states that there’s no absolute measure of resilience or a definitive goal, but that it’s possible to become more (or less) resilient. We cannot sensibly expect to compare between organisations as we all have different resilience appetites, but this truism doesn’t prevent us from creating internal Key Performance Indicators as a basis for improvement or convergence.
Further, ISO 22316 states that resilience is brought about by the interaction of certain organisational attributes and activities and the application of specific expertise. It points out that these interactions are then shaped by how we handle uncertainty, decision-making and behaviour. This suggests that, once we know what drives our individual resilience condition, we should then be able to measure, manage and improve upon it.
Most of the ISO document’s substance lies in three main sections. Section 4: Principles is a distillation, possibly acting as an aide-memoire, whereas the Attributes section defines more granular resilience indicators. Evaluation then provides a form of closed-loop control that keeps your resilience strategy aligned with organisational needs. The remainder of this discourse focuses on applying the Attributes.
Clarity of purpose
In this first of nine Attributes, ISO outlines that organisations clearly setting out their position and communicating it effectively are more likely to be resilient. This reflects the form of guidance used throughout and that resilience drivers will vary between organisations.
Attribute structure is also broadly consistent, wherein each Attribute has a headline directive statement followed by a list of capabilities that should be enhanced and demonstrated and a list of activities that facilitate the capabilities, requiring prioritisation and resourcing.
In this case, the ‘Clarity of purpose’ Attribute implies that we need all our resilience-related goals to be aligned, promoting synergy and reducing conflict and making the initiative roll smoothly. It implies that we should design a strategy that takes us safely through Brexit without compromising the business, make sure the strategy is adopted by the Board, communicate it internally and externally where appropriate, deliver the strategy while maximising resilience value for the organisation and repeat, monitor, adapt and improve.
Note that the final continuous improvement point applies for all attributes and isn’t repeated hereafter. It ensures the system is optimised against organisational goals, in this case for Brexit. One would expect it to be applied fairly frequently to deal with the rapid rate of change.
This Attribute provides overall stability and directional control. However, it begs the practical question: “How do we select the right strategy and what are its constituent parts?”
As previously explained, this is unique for you. However, there are clues elsewhere and we’ll come to them in due course.
ISO 22316 suggests that organisations who understand their context are more likely to be resilient. Context is a term that doesn’t appear in the terminology listings, but in simplifying the term it can be taken to mean ‘everything relevant to us’. It includes all direct and indirect external parties and internal organisational components, in addition to all of the ways in which they interrelate.
Understanding context provides a basis for us to explain and anticipate the effects of change, and this is clearly valuable for Brexit as we want to know what might happen. It’s our very own crystal ball.
Influencing context implies shaping our environment internally, but also persuading third parties to align with our strategy, modifying agreements and lobbying decision-makers. It represents a powerful destiny-shaping force and is something to which we might aspire.
Steps we may take include developing a detailed context model for the organisation, thinking big and looking beyond the immediate (up and downstream and including a focus on competitors), factoring-in all relevant ‘climates’ such as operational, commercial, socio-political and economic, mapping all the potential Brexit-related sources of vulnerability, concentration and change and both identifying and strengthening relationships and entities that support the strategy. For me, the idea of a contextual map is the beating heart of resilience management.
This Attribute implies that resilience will be enhanced by delegation and empowerment during periods of uncertainty and disruption. I would interpret this as instruction to carefully select and appoint a Brexit programme owner with a targeted brief and delegated authority.
It implies that the nominated individual should be prepared to embrace and leverage the change, address problems and seize opportunities, be ready to identify and promote Brexit-compatible practices, be technically adept, adaptable, innovative and empowered to make tactical and strategic decisions.
ISO 22316 seems to be saying: ‘Build a team with an executive leader with the experience to understand our unique position and resulting Brexit challenge, and whom the Board trusts enough to wield delegated authority when unplanned-for changes demand a fast response.’ Again, this will not apply for all businesses, but seems appropriate for those who perceive a major threat.
Creating a resilient culture
A strong culture implies a close-knit organisation whose members share consistent and ingrained values and beliefs. A weak or dilute culture suggests variance, fragmentation, uncertainty, fragility and diluted resilience. It follows that those with a strong culture are more likely to be resilient.
This applies for Brexit due to its multi-faceted profile and its strong political, economic, social and emotional implications for individuals both within and outside of the workplace. It implies that we might enhance our cultural resilience by finding out what drives employees’ attitudes to Brexit and whether views are shared, determining if people will broadly resist or support the strategy, deciding how to position, promote and deliver the strategy while building support, encouraging people to innovate, improve and back the strategy and empowering them to identify and communicate Brexit-related threats and opportunities.
Culture is a slow-moving beast. It has inertia and naturally resists any wholesale change of mindset, implying that a resilient culture will not be created overnight, either in the general sense or, indeed, for Brexit. It also means that, in the short term, we may need to work with what we have and search for supportive influences that might already be present, adding only culturally-compatible new ideas.
In the UK, Brexit has already caused divisions along unexpected lines between friends, businesses and even within families, with many still holding opposing views. With so great a divide, there seems little chance of imposing a Brexit position on a workforce. Indeed, it would be ill-advised to even consider doing so.
John Robinson MSc CEng FBCI is Managing Director of INONI
John Robinson is a business continuity and resilience professional with over 20 years’ related consultancy and software experience. He has provided expertise to organisations worldwide, delivering technology and business-related solutions for the public, private and voluntary sectors
*Part Two: Attribute 5 (Shared information and knowledge), Attribute 6 (Availability of resources), Attribute 7 (Development and co-ordination of management disciplines), Attribute 8 (Supporting continual improvement) and Attribute 9 (Ability to anticipate and manage change) in focus