The eagerly-awaited first edition of ISO/IEC 22316:2017 (ISO 22316) was published at the end of March 2017. While the document is relatively short, it is packed full of thought-provoking ideas on one of the hottest topics: that of organisational resilience.
The Standard offers an introductory definition which immediately establishes clear blue water from other standards in the Societal Security stable, specifically ISO 22301:2012, which focused on dealing with business disruptions:
"Organisational resilience is the ability of an organisation to absorb and adapt in a changing environment."
While URM will be publishing more detailed guidance in the autumn, here is our initial assessment on the top 5 take-aways from this new Standard:
- Organisations can only be more or less resilient. There is no absolute measure or definitive goal according to the Standard. In this context, an enhanced level of resilience can contribute to an improved ability to anticipate and address risks and vulnerabilities. However, you would not expect a leadership team to declare its organisation as “resilient” under this definition.
- The Standard is about holistic organisational resilience. It does not limit itself to specific operational resources or activities such as IT or supply chain resilience. It recommends, for example, a broadening of thinking to consider the effect of culture on resilience. It also recommends not just building an understanding of external context but establishing the capability to influence it.
- It is multi-discipline. 20 management disciplines are offered for consideration including the ones you might expect such as business continuity management and information security management, but it also cites others such as financial control, strategic planning and human resource management.
- Enhanced organisational resilience is an outcome of effectively managing risk. Where there is a strategic organisational goal of enhancing resilience, this needs to be supported by the implementation of an effective risk management framework and process. As such, we would see ISO 31000:2009 as a natural baseline from which to build out a robust risk management framework and process to enhance organisational resilience.
- It is not a certification standard. The focus of this Standard is on principles, attributes, and activities that support an organisation in enhancing its resilience. This is a pragmatic position to take while the concepts around resilience are still evolving and the underlying mix of contributing disciplines is subject to its own varying standards and regulations.
While ISO 22316 is unlikely to be the final word on the subject, it does raise the bar when organisations look to enhance organisational resilience. The ISO Committee’s decision to extend the scope of resilience to consider change as well as disruption along with emphasising the multi-discipline nature of resilience building is to be applauded.
In summary, the Standard presents the following 3 key benefits of improved organisational resilience:
- Improved ability to anticipate and address risks and vulnerabilities
- Increased co-ordination and integration of management disciplines to improve coherence and performance
- Greater understanding of interested parties and dependencies that support strategic goals and objectives
Note: a copy of ISO 22316 can be procured online from BSI or from ISO directly.