Cyber risk has been a dominant topic in boardrooms for some years, leading to significant investments in expertise, technology and management systems. However, there is now a new challenger for executive time in the form of ‘resilience’, which has been recently codified under a new international standard, ISO/IEC 22316:2017. With this new Standard, organisational resilience is defined as the ability of an organisation to absorb and adapt in a changing environment.
As with cyber, digital transformation by organisations is a key driver for the increasing profile of resilience. Customer expectations for service availability have changed significantly in recent years, with ‘always on’ becoming the service mantra in many areas. Boards are, therefore, demanding assurances on resilience. This makes sense, given that for many organisations protecting the availability of services for customers is just as important as protecting their data.
We can trace the rise of resilience back to high profile incidents such as:
- RBS Group’s week-long service outage for key retail banking services in June 2012, which affected 6.5 million customers and led to fines and compensation payments totalling some £112 million. This event led to a sector-wide examination of practices around service availability. One key conclusion by the regulator from this incident was that firms need to re-orientate towards withstanding disruptive events and minimising risk, not just recovering from incidents.
- The Great East Japan Earthquake in March 2011 affected many manufacturing companies and highlighted the fragility of lean, just-in-time global supply chains to external events. A number of companies consequently re-engineered their supply chains for resilience by bringing production closer to end-customer markets and by revisiting inventory policies and provisions for alternative suppliers.
Resilience thinking introduces a requirement to understand value chains and their internal and external dependencies. This is typically achieved by linking key products and services through to activities and underlying resources. This mapping provides top management with a clear line of sight from strategy through to execution, allowing them to make risk-based decisions on where investment in resilience will bring the greatest reward.
Enhancing resilience is not limited to managing disruptive events more effectively. It also places a new emphasis on an organisation understanding its external environment and developing both an anticipative and an adaptive capacity to prepare for and respond to events. Enhancing resilience also requires organisations to develop or better integrate a number of capabilities, including horizon scanning.
BSI’s model for organisational resilience helpfully sets out three essential elements and three domains where it is critically important to achieve organisational resilience. The three elements are product excellence, product reliability and people behaviour, while the three domains are operational resilience, supply chain resilience and information resilience. The model serves as a valuable reference point for those embarking on the resilience journey.
If some of the discussion around resilience sounds like business continuity in ‘old money’, then this would be correct to a degree. The Business Continuity Institute noted in their positioning statement on resilience published in February 2016 that business continuity management was a contributing discipline rather than the sole discipline involved in enhancing resilience. Nonetheless, business continuity professionals are well placed to take a lead on resilience given their insight into value chains.
In conclusion, enhancing resilience, with its direct link to customer experience, loyalty and brand reputation, is a powerful indicator of business intent. Executives will be looking to their organisations for champions to help shape and adapt the concepts outlined in the ISO 22316 Standard to the business priorities of the organisation. It would be no surprise, therefore, if the resilience wave were to reach a new level of co-existence with cyber risk in board discussions over the coming 12 months, and if, as organisations become more cyber-prepared, resilience became the dominant theme thereafter.