With ISO 22316:2017 Security and Resilience – Organisational Resilience – Principles and Attributes now upon us, John Robinson decided to apply his own test – focused on Brexit – in a bid to ascertain what’s of value in this document for security, risk and resilience professionals. Following on from last month’s initial discourse, the focus now turns towards areas including shared information and knowledge and support for continual improvement.
Every day we’re faced with a barrage of Brexit-related news items of varying substance and credibility, many with the potential to influence or directly affect us and our relationship partners. Somehow we must process this media flow, deciding what’s real and what isn’t, but also second-guess how interested parties such as customers, suppliers, regulators and competitors may respond. The influence of fake news is an illustration of this.
ISO suggests an organisation’s resilience will be enhanced when all available related knowledge is appropriately shared, analysed and applied. Maximising this for Brexit means that we might:
* harness a wide, varied and credible range of relevant data and knowledge sources
* define criteria to identify, validate and value what we collect
* assign specialists to manage, analyse, add value and distribute it as information
* use the information to update the context model for Brexit
* use the model to trigger and fuel decisions and improve the Brexit strategy
* share results across the business (and externally if/where applicable)
Where Brexit’s concerned, and perhaps generally speaking, intelligence drives resilience. Clearly, we need to respond acceptably quickly to all kinds of change such that we’re not disadvantaged. This in turn relies on high-grade information, analysis, judgement and executive decision-making. It makes shared information an important attribute.
ISO 22316 implies that resilience will be enhanced if the resources required to align with the organisation’s own resilience objectives are made available, including an allowance for adaptation. Aspects relating to people, premises, technology, finance and information will inevitably be part of the overall mix.
For those who perceive little or no Brexit-related threat, no specific action will be planned or dedicated resources required. However, for others, and particularly so in the UK and the EU, Brexit may be a headline item: a threat demanding a planned response.
Where this is the case, it becomes a matter of ensuring the strategy is sufficiently resourced to be implemented as intended. Some checks you might wish to make are as follows:
* does the strategy clearly define acceptable levels of business during Brexit?
* do we know how Brexit changes will affect resourcing and how we’ll deal with it?
* do we face Brexit-induced failures of supply and/or demand?
* do we need to increase or reduce our capacity and can we do this acceptably?
* do we need to diversify or replicate resources or build-in redundancy?
* do we have the skills and abilities we need to respond acceptably?
* do we have the inherent flexibility to redeploy and adjust in time?
* do we look ahead, take account of change and anticipate what might happen?
It’s tempting to put off resilience resourcing decisions for the obvious reason that they consume investment, but will yield no return if the planned-for situation fails to materialise. As a discipline, business continuity faces this dilemma on a frequent basis.
Attribute 7 is all about the development and co-ordination of management disciplines. At first glance, this seems to be a classic catch-all statement of the obvious that says your resilience will be enhanced if you’re good at every management discipline. However, this is reasonable if you accept that any deviation from Best Practice or omission does indeed potentially leave a hole in your defences, implying a reduction in resilience. It’s clearly a valid and relevant indicator.
Moreover, if you did this just as part of your response to Brexit, the benefits would be felt in (potentially) many other ways, improving resilience generally and making management more effective, efficient and communicative.
With this in mind, and specifically for Brexit, you might consider:
* engaging the 20 disciplines with a common purpose of enabling the Brexit strategy
* adapting existing processes, roles and responsibilities so they interact efficiently
* searching for and plugging any material gaps between disciplines (thus removing duplication)
* keeping the web of disciplines elastic (such that it can flex and adapt as Brexit demands change)
* establishing communications and reporting such that all parties are kept informed and co-ordinated
Note that the 20 include disciplines such as asset management, crisis management, governance, fraud control and so on. Not all organisations will implement or recognise all of these disciplines. However, they will generally be present in some shape or form.
The clause seems to sum up what BS 65000 called ‘coherence’: the joining-up of related key disciplines into a collaborative resilient whole with no gaps or overlaps, rather than in relatively closed silos, creating an environment for Brexit and other major programmes.
No organisation has faced Brexit before and it’s fair to assume that, while some larger firms’ management systems architecture will accommodate it as just another major change, the experience will be very new for others. Most who decide to act in a structured way will establish a project whose remit and execution will evolve sporadically, improving only when driven to do so or when an idea emerges.
Continual improvement is a mindset that accepts we can always do things better and this applies particularly to resilience. It means we systematically and intentionally keep improving the context model, quality of information and each of the other attributes listed.
A simplified framework applying this for Brexit might include:
* making innovation and improvement part of the strategy and habitual
* regularly scanning for changes and accommodating them by adapting the strategy
* planning improvements, assigning resources and making them happen
* carrying out regular reviews while also monitoring what has been achieved against goals set
Change drives risk and resilience. If things didn’t change, equipment would never wear out, rainfall would be standard and Brexit wouldn’t happen. Some changes we can anticipate and plan for, others come out of the blue or must be imagined because they’re outside of our experience. In any case, anticipation and readiness are preferable. The degree to which we develop and systematise this will influence our adaptive resilience.
As we’ve seen, Brexit is far from a straightforward change. It means we need a mechanism that ensures we’re not surprised or shocked by what it brings, leaving us well-placed to respond and continue with business.
Steps that we can take to build this adaptive capability might include:
* regularly updating the context model and using it to look ahead while scanning for change
* modelling change scenarios and developing response tactics for those that seem likely
* exploring alternatives as well as ways to deliver on commitments, dual suppliers and diversifying
* planning to respond and absorb the shock of unexpected announcements
* influencing changes before and after they materialise
* being ready to adapt without impacting delivery or compromising vision or core values
At the headline level, Brexit now seems a certainty. At almost every other level, though, the potential remains for surprise. No-one can be certain how it will unravel, either globally, nationally or at the organisation level. Our choices are to either move with the herd and hope to arrive intact or seize the initiative by becoming proactive, adaptive and influential.
The nine attributes focused upon in Part One and in this month’s article tell us what we should expect of a resilient organisation. Part 6 of ISO 22316 explains how we can evaluate these capabilities for ourselves and offers a governance framework with which to do this. Again, there’s little if any practical guidance here to help you decide on acceptable levels of attainment for each attribute, or a detailed explanation of how to bring about improvements in each as this must be determined by the host organisation.
Apply this framework for Brexit and you derive a management system that converges on targets set by top management for each of the resilience attributes. It – ie the system – needs to be delivered by a programme or an existing compatible process that’s kept running for the duration of Brexit. Delivered as described, it should continually evolve to track Brexit’s changing shape and improve such that it aligns with the organisation’s Brexit-specific and general resilience objectives or success criteria.
To make it work, you need to set your own attribute targets and thresholds and monitor and measure your performance against them.
John Robinson MSc CEng FBCI is Managing Director of INONI
John Robinson is a business continuity and resilience professional with over 20 years’ related consultancy and software experience. He has provided expertise to organisations worldwide, delivering technology and business-related solutions for the public, private and voluntary sectors.