Setting a Coherent Organizational Resilience Policy

A critical first step in establishing an effective organizational resilience management system is to put in place a coherent organizational resilience (OR) management policy. This OR management policy should reflect a clear commitment to the protection of human, environmental, technological and other physical assets, anticipate and prepare for potentially adverse events, and provide for business and operational continuity.

This policy should act as the driver for implementing and improving the OR management system, so that organizations can maintain and enhance their sustainability and resilience. This policy should therefore reflect top management's commitment to comply with applicable legal and regulatory requirements; cover prevention, preparedness, and mitigation of disruptive incidents; and ensure continual improvement.

"Why should I define a policy when I already have some response plans?" you may ask. The simple answer is that response plans should be developed within a framework that clearly establishes the broader context for the OR management system. This broader context should be structured to ensure that the OR management policy:

  • is appropriate to the nature and scale of potential threats, hazards, risks, and impacts to the organization's activities, functions, products, and services;
  • includes a commitment to employee and community life safety as the first priority;
  • includes a commitment to continual improvement;
  • includes a commitment to enhanced organizational sustainability and resilience;
  • includes a commitment to risk prevention, reduction, and mitigation;
  • includes a commitment to comply with applicable legal requirements and with other requirements to which the organization subscribes;
  • provides a framework for setting and reviewing OR management objectives and targets;
  • is documented, implemented, and maintained;
  • makes reference to limitations and exclusions;
  • determines and documents the risk tolerance in relation to the scope of the management system;
  • is communicated to all appropriate persons working for or on behalf of the organization;
  • is available to relevant stakeholders in a relevant format;
  • includes a designated policy ownership and/or responsible point of contact;
  • is reviewed at planned intervals and when significant changes occur;
  • is signed by top management, with a documented review of the policy's relevancy conducted annually.

When determining OR management policy, it is important to recognize that an organizational resilience process offers a much wider range of protection than a process that focuses purely on business continuity response planning. Whereas the business continuity process has a clear emphasis on developing a planned response to disruptive incidents, an organizational resilience process also offers a strong focus on prevention and protection measures in addition to coverage of the continuity requirements. This broader level of protection should naturally be reflected in the OR management policy statement.

Achieving this important first step will put you well on the way towards meeting your organization's resilience, continuity and recovery goals.


The author of this article, Terry Hewett, is Project Director for a collaborative project between ASIS International and Easy2solve delivering an exciting and highly affordable range of organizational resilience and continuity management tools. This easy to use software supports conformance measurement; risk analysis; impact assessment; component mapping; protection and prevention measures; crisis management, continuity planning and incident management. Further details at www.organizational-resilience.com.