What Resilience Means
MOST PEOPLE THINK of resilience as the act of recovery or restoration—a capacity to bounce back after a crisis. This is true to a point, but resilience is more than having a well-defined structure replete with plans; it is also about a mind-set and culture that self-adjusts in the light of past experiences so as to be more robust going forward. A useful working definition of resilience is the ability of people, networks, and systems to anticipate events, absorb disturbances, and adapt to new circumstances.
First, resilience is an activity or behavior, not a product or property. It arises from the conscious and consolidated abilities of individuals, organizations, and communities working together, not as discrete parts.
Second, resilience demands anticipation—thinking ahead and scoping possible scenarios in terms of both impact and probability. It is not necessarily about being preventive but about being prudent.
Third, resilience embodies the idea of an organization being able to absorb the shocks of adverse events, to take knocks and continue to operate while retaining an acceptable and recognizable level of structure and identity. It does not have to be a response to a single, disruptive event. It is more likely to take place over a prolonged period.
Lastly, and most importantly, there is the notion of adapting to new circumstances by some level of reorganization or modification. It is not a case of returning to the way things were but of introducing a new, heightened level that incorporates lessons learned and innovation for the future.
With this multifaceted definition in mind, there are certain practical components that will help a company, community, or country achieve resilience. These components include planning, experience, culture, redundancy, protection, and communication.
Planning. Effort should be devoted to anticipating dangers and adopting preparatory measures, without necessarily being threat specific. Planning and preparation come through good risk and situational awareness, impact and value mapping, security and safety management, and adequate insurance. Testing plans with multiple partners in frequent and realistic scenarios is also important.
The annual Tripartite exercises, conducted by three U.K. government entities—the Bank of England, the Financial Services Authority, and the Treasury—are a good example of improving resilience through interaction on market-wide threats. In this annual exercise, which is now in its seventh year, a scenario is introduced and the financial services industry reacts. In 2006, the exercise lasted six weeks and simulated how participants would respond to a flu pandemic. In 2011, the 87 participants addressed a cyberattack scenario. In that case, the exercise was a single day in which participants focused on re storing telecommunications and Internet connectivity as quickly as possible.
Experience. Nothing can replace experience when dealing with major disruptions. Experience can arise from past exposure to real-time events and also from exercises and other educational methods. If employees are encouraged to develop a positive approach to sharing experiences and learning the roles of others as part of a shared goal, the levels of interoperability and adaptability can be increased. This process will enhance organizational agility.
Employees should be encouraged to consider a range of plausible options for improving a structure or system. This approach allows a set of potential futures to be assessed and weighed. As employees carry out these learning exercises, they should be evaluated in a nonthreatening environment. Employees must be able to speak freely. This component will require buy-in from senior managers.
Culture. Adaptability to stressful situations is largely a behavioral response. To some degree, adaptability is determined by the cultural background and ethos that underpin the individual, organization, or community. An autocratic, hierarchical culture may be good for centralized command and control but is unlikely to allow for flexibility and initiative when that centralism is disrupted in an unstable or critical situation. Decentralization and empowerment are more likely to impart the flexibility and creativity needed in chaotic situations. In a company, this means that senior management must give up some control to reap the rewards of flexibility. Security managers must demonstrate why this is a smart approach.
Redundancy. An organization or system is more resilient if it has duplicate processes, procedures, and pathways that will operate when the first line is interrupted. The appointment of deputies and provision of adequate second-line resources are a core tenet of good business continuity.
Just-in-time deliveries and minimum stock holdings make storing up for emergencies difficult. But the problems that could arise from those practices became evident in the 2011 earthquake and tsunami in Japan. That experience may have spurred some companies to make permanent changes in supply-chain resilience.
A survey from the Business Continuity Institute, a U.K. trade association, indicates that the disruption from the 2011 disaster was more widespread and resulted in more changes to supply-chain management at the corporate level than the 1995 Kobe earthquake. For example, the survey found that the earthquake was the third largest cause of supply-chain problems in the United States in 2011, a startling finding given the natural disasters that plagued the United States in the same time period. This is because many companies had only one backup supplier and that supplier was relying on components from the same disaster area.
Clearly, companies must find a way to balance day-to-day financial considerations and the need for resilience. This requires a careful cost-benefit analysis to prevent “just-in-time” from becoming “too late.”
Protection. The physical hardening of equipment, assets, and systems also plays a role in resilience by making entities less susceptible to disruptions. It can include the shielding of electronics as well as having fail-safe procedures, firewall devices, bunkers or shelters, and networked systems. The preparation of flood defense materials and prearranged cleaning contracts were a saving grace for some companies after the wide-scale flooding that hit the United Kingdom in mid-2007.
Communication. When an emergency occurs, some companies feel it is better to say little or nothing than to generate or feed a rumor. However, a recognizable voice of authority that generates trust while assuaging people’s fears is a major component in cementing a collective response and encouraging individual resourcefulness. For example, one international bank appointed its most senior director as the voice of authority during the 2007 terrorist bombings in London. The authoritative voice of the senior director added consumer confidence to its resilience plan. Companies should be aware, however, that communication upwards and downwards requires nurturing and feedback.
Connecting the Dots
Security managers need to understand more fully how security-related disciplines, such as crisis management, business continuity, and health and safety, play a part in resilience and what the connections are between the various components. This can best be achieved by comparing the essential features of resilience to the relevant disciplines. The technique can help identify the contributions each discipline has to offer, and ensure that a more cohesive and coherent approach is achieved overall.
The results of such a comparison may be surprising. For example, according to a survey of CEOs, conducted by the Australian government, the HR function is more important in resilience than the board of directors or the business continuity function. In the study, CEO Perspectives on Organisational Resilience, CEOs rated HR so highly because they saw resilience as a cultural issue rather than a pure recovery issue.
Once these various roles are understood, companies may want to have each employee’s role in resiliency built into his or her performance criteria. In that way, resilience will be incorporated into the fabric of an organization.
Such a mapping-of-responsibilities exercise can also identify areas where no one takes responsibility. Management can then determine whether better cooperation between departments could close those gaps or what other measures might be needed. The mapping can also reveal other issues. A community or system may appear, for example, to be secure but it might not be resilient. Having sealed windows in a building may be more secure but it will not be resilient once the air conditioning fails.
Ultimately, resilience is not a technology that can be purchased; it is more a mind-set that needs to be developed. It is a cultural attitude within an organization and with the wider community, and it must permeate through all decision-making levels.
Robert Hall is director of resilience with G4S Risk Management in London.