Having a strategy in place that can help to deal with an unplanned event while it’s actually happening is vital in order to protect both people and property. Peter Webster looks to demystify the concept of organisational resilience and explains why this hugely important topic should be on the radars of public and private sector enterprises.
Over the last few years, the ways in which today’s organisations address the key issues of security, preparedness, risk and survivability in the event of an unplanned or unexpected event have increasingly fallen under the spotlight at all levels, including that of central Government. Organisational resilience is used to determine how adaptable, competitive, agile and robust an enterprise is found to be, and serves to encourage a proactive and determined attitude towards dealing with incidents.
Back in late 2014, the British Standards Institution (BSI) published BS 65000 Guidance for Organisational Resilience. This landmark document provides an overview of resilience, describing the foundations required and explaining how to build capabilities in this area. It deals with an organisation’s capacity to anticipate, respond and adapt, all of which could be crucial to its ongoing survival.
This British Standard can help to enhance these practices through the integration of those disciplines essential for resilience.
BS 65000 also references other activities including risk management, horizon scanning and change management as part of what might be termed ‘the bigger picture’.
On the launch of BS 65000, Anne Hayes (head of market development for governance and risk at the BSI) summed up the concept by stating: “Organisations that are resilient behave in a very specific way and have long understood what this means to their long-term success. They adopt a proactive approach towards governing themselves and have pinpointed the importance of being forewarned. Organisational resilience works alongside existing risk, crisis and business continuity management strategies to provide a solid defence against a tough business climate.”
Given both the anticipated and unanticipated challenges that could emerge and threaten the operational effectiveness of a thriving enterprise, it’s therefore important to define and treat organisational resilience differently to either disaster recovery or business continuity. While these two processes deal with the immediate after-effects of an event, organisational resilience is concerned with what happens during an event, and particularly during its initial stages where mismanagement can so easily occur.
‘It will never happen to us…’
‘It will never happen to us’ is an attitude that, unfortunately, continues to prevail within some organisations that fail to acknowledge the dangers to which they could be exposed either directly or indirectly.
Even though the world has become a more dangerous place since 2001, the need for organisational resilience shouldn’t be thought of only in terms of countering terrorism. There are also potential problems associated with more natural disasters. Fire, wind, flooding and even sinkholes can have a devastating impact.
Such occurrences are not uncommon, either. The period spanning December 2013 to January 2014 witnessed devastation across large parts of the UK after torrential rain triggered flooding and affected many businesses.
Major cities are not immune. As recently as February this year, flood alerts were put in place for London and the Thames Barrier closed after the river burst its banks due to tides and heavy rain. A total of 16 warnings were issued for areas near the banks of the River Thames as water levels reached almost as high as the pavements in some parts of central London.
There are three key elements to organisational resilience: anticipation, preparation and response. Preparing in advance for something untoward happening that could prevent an enterprise from functioning cannot be left to chance. It involves being aware of a situation, the risks, any vulnerabilities and the capabilities required to deal with them, as well as the need to be able to make informed tactical and strategic decisions.
One way to maximise the effectiveness of such a strategy is by integrating and co-ordinating the various operational disciplines within an organisation.
This type of holistic response is an extension of the concept of convergence and involves lots of different departments using a comprehensive strategy rather than working in silos. Such an approach highlights vulnerabilities within the three areas of physical, people and process risks that are possible across infrastructure, operations and specific events.
The biggest barrier to adopting a collaborative and inclusive approach towards dealing with risk has little to do with external influences and everything to do with internal cross-departmental cultures.
However, once this issue is addressed, a system that combines technology, processes, safeguards, management and systems within a single integrated risk framework can be developed. This requires a meticulous approach towards mapping an organisation’s assets and processes through completely unbiased vulnerability and impact assessments. Only once these assessments have been completed and analysed can the right response be configured.
While all of the above is vital, so too is stakeholder buy-in. Processes and training are required to ensure that all employees are ‘security aware’. This should be considered as a priority when it comes to building effective prevention, detection and response. Processes are dependent upon the implementation of policy. Therefore, strict adherence is needed in the event of something happening.
Certain individuals must also be given decision-making responsibilities for major calls, such as whether to evacuate, invacuate or even lock down a given premises. It’s important to note that this should extend all the way up the corporate hierarchy, as management needs to lead at the highest level to ensure effective integration, oversight and budget allocation.
Security clearly forms an important part of organisational resilience, regardless of whether it applies to physical, financial, personnel, cyber or any other assets. Put simply, a security breach could compromise an organisation’s ability to function, and is therefore a key consideration when it comes to resilience.
Effective resilience requires more than a defensive security and protection approach. It also necessitates the use of an organisation’s inherent strength to withstand a crisis.
Specialist service providers
Using a specialist security services provider that can deal with the wider issues surrounding organisational resilience makes sense. The ability to complete strategic security reviews, develop corporate security policy and strategy documents, carry out risk and threat assessments and security audits, as well as train personnel, can prove invaluable and should never be underestimated by practising risk and security management professionals.
A security specialist offering a detailed disaster management service will also be able to assist by implementing technology that can help when it comes to making crucial decisions at the time.
Take, for instance, a scenario where a Control Room has been compromised. Usually, if there’s an all-out evacuation, nobody will be able to view CCTV camera images, so they effectively become useless. However, if linked to a remote monitoring facility, it would be possible to take control of the cameras and see what’s going on.
In the event that the main cameras should be disabled, the installation of covert HD micro-cameras in light switches and smoke detectors, for example, could monitor a potentially hostile situation, helping to bring the episode towards a speedier conclusion by passing reconnaissance information directly to the police and the Emergency Services.
Similarly, online crime reporting and intelligence sharing tools are transforming how businesses and law enforcement authorities are using CCTV. Following an incident, CCTV footage and images of suspects can be automatically uploaded directly to the police, along with a full paperless witness statement. The victim is given a crime reference number at the same time and, once the incident has been reported, it’s dealt with by the police service (which also provides feedback through the system).
Regular status reports are then forwarded to the business and victim by the system. In order to prevent crime, offender images and intelligence may be shared within an organisation, as well as chosen business networks and communities, thereby helping them to become more resilient.
Organisations that take organisational resilience seriously undoubtedly increase their chances of remaining successful and thriving enterprises, able to deal positively with unplanned events on an immediate basis rather than relying upon a disaster recovery or business continuity strategy to activate.
Peter Webster is CEO of Corps Security