Resilience (organizational)

From Wikipedia, the free encyclopedia
Jump to navigation Jump to search

Organizational resilience is defined as "the ability of a system to withstand changes in its environment and still function".[1] It is a capability that involves organizations either being able to endure the environmental changes without having to permanently adapt, or the organization is forced to adapt a new way of working that better suits the new environmental conditions.[1]

In recent years, a new consensus of the concept of resilience emerged as a practical response to the decreasing lifespan of organisations[2] and from the key stakeholders, including boards, governments, regulators, shareholders, staff, suppliers and customers to effectively address the issues of security, preparedness, risk, and survivability.

  1. Being resilient is a proactive and determined attitude to remain a thriving enterprise (country, region, organization or company) despite the anticipated and unanticipated challenges that will emerge;
  2. Resilience moves beyond a defensive security and protection posture and applies the entity’s inherent strength to withstand crisis and deflect attacks of any nature;
  3. Resilience is the empowerment of being aware of your situation, your risks, vulnerabilities and current capabilities to deal with them, and being able to make informed tactical and strategic decisions; and,
  4. Resilience is an objectively measurable competitive differentiator (i.e., more secure, increased stakeholder and shareholder value).

An organization that realizes the benefits of the above definitions of resilience will have a high likelihood of maintaining a successful and thriving enterprise.

Previously, it was considered that 'organisational resilience' could only be generated from processes and functions such as Risk Management, Business Continuity, IT Disaster Recovery, Crisis Management, Information Security, Operational continuity, Physical Security and so on. These are recognised as key contributors to operational resilience, and “the positive ability of a system or company to adapt itself to the consequences of a catastrophic failure caused by power outage, a fire, a bomb or similar” event or as "the ability of a [system] to cope with change".[3] However, research from many academics including as Hamel & Valikangas in the Harvard Business Review,[4] Boin, Comfort & Demchak[5] and research facility ResOrgs[6] has influenced understanding and lead to new viewpoints on resilience, including that from the BSI Group,[7] being developed by ISO,[8] the Australian government,[9] ResOrgs,[6] ICSA,[10] and professional services firms such as PwC,[11] all of which recognises that processes and functions are but one element of an organisation's resilience web.


Global turbulence is expected. Competition, instability and uncertainty are constants in a changing world. Organizations face an unprecedented and growing number of potential disruptions to the status quo and the best laid strategic plans. As history repeats itself, prominent organizations will fail unless modern risk management and governance models incorporate scalable resilience metrics.

To survive and prosper in this new environment of heightened uncertainty and change, organizations must move past traditional risk and governance models and focus instead on resilience. Resilience applies at all levels: national, regional, organizational and corporate. At the national level, major infrastructure concerns and societal institutions must be robust enough, and unencumbered by legal and regulatory constraints, to serve the national good in normal operations, in crisis, and in recovery. At the regional levels, specific infrastructure assets come together in highly interdependent ways to serve local constituents and be a part of a national infrastructure. At the organizational and corporate level (which owns or operates the vast majority of our critical infrastructure assets), individual companies and operating units must ensure their business operations and service delivery capacities remain able to perform their primary business functions[12].

Business continuity and competitiveness[edit]

Yossi Sheffi extended the resilience concept to business continuity initiatives in his 2005 book The Resilient Enterprise.[13] Sheffi analyzed how disruptions can adversely affect the operations of corporations and how investments in resilience can give a business a competitive advantage over entities not prepared for various contingencies. Business organizations such as the Council on Competitiveness have embraced resilience and have tied economic competitiveness to security.[14] The Reform Institute has highlighted the need to enhance the resilience of the supply chain and electrical grid against disruptions that could cripple the U.S. economy.[15][16] Many corporations are adopting resilience and business continuity initiatives and sharing best practices.[17][18]

Many experts and leaders see resilience as a vital component to a homeland security strategy.[19][20] Hurricane Katrina demonstrated that not all catastrophic events can be prevented and a focus on response and recovery is needed.[21][22]

Growing support in Washington, D.C.[edit]

Prominent members in the United States Congress are embracing resilience. The Chairman of the Homeland Security Committee of the U.S. House of Representatives, Bennie Thompson (D-MS) declared May 2008 “Resilience Month” as the committee and its subcommittees held a series of hearings to examine the issue.[23][24] President Obama[25] and the Department of Homeland Security[26][27] have also made resilience an integral component of homeland security policy.

The Quadrennial Homeland Security Review, released by the Department of Homeland Security in February 2010, made resilience a prominent theme and one of the core missions of the U.S. homeland security enterprise.[28]

Competitive advantage in business[edit]

Business and government enterprises that are able to quickly adapt to or seize competitive advantage from sudden and/or significant changes in their environments, with minimal interruption to their enterprise missions and manageable impact to their market value, as well as adapt to change in an apparently slower, more evolutionary manner - sometimes over many years or decades - can be described as being more resilient[29]. Leading management consultancies and national governments including the Australia, U.S. Department of Homeland Security and the UK Cabinet Office believe that an organization’s resilience, properly understood, has critical implications for its competitive posture, profitability and shareholder value.

Over the past years, business, academic and government leaders have become aware that certain organizations respond better to disruptions than other, often similarly situated, organizations. For example, a September 2003 Harvard Business Review article[30] stated that “momentum is not the force it once was” in ensuring an organization’s success. They noted the emergence of several disruptive trends — including technological discontinuities, regulatory upheavals, geopolitical shocks, industry deverticalization and disintermediation, abrupt shifts in consumer tastes, and hordes of nontraditional competitors — that require companies to become resilient to remain successful. The authors concluded that “strategic resilience is not about responding to a one-time crisis. It’s not about rebounding from a setback. It’s about continuously anticipating and adjusting to deep, secular trends that can permanently impair the earning power of a core business. It’s about having the capacity to change before the case for change becomes desperately obvious.”

Resilience also has important implications for governance processes and systems. In a 2004 white paper[31] the authors wrote that “enterprise resilience marries risk assessment, information reporting, and governance processes with strategic and business planning to create an enterprise-wide early warning capability that is embedded in the business of the company.” They explained that “Enterprise Resilience is predicated on an expanded view of risk—one that focuses on value, and therefore encompasses not only traditional risks (e.g., financial, natural hazards, physical security, legal, compliance) but also risks relating to earnings drivers (e.g., innovation, channel relationships, intellectual property) and company culture.”

Over the past decade, governments worldwide have also become increasingly focused on protecting their facilities, technologies, networks, personnel and other mission-critical assets from attack or misappropriation. The risk of cyber-terrorism and other threats to critical infrastructure are of particular concern. On March 31, 2011, the President issued Presidential Policy Directive Eight (PPD-8)[32] that directed the Secretary of the Department of Homeland Security to develop a national preparedness system with the objective of strengthening the security and resilience of the United States through systematic preparation for the threats that pose the greatest risk to the security of the Nation, including acts of terrorism, cyber attacks, pandemics, and catastrophic natural disasters. The directive defined resilience as “the ability to adapt to changing conditions and withstand and rapidly recover from disruption due to emergencies.”


Security, whether applied to physical, financial, personnel, cyber information or any other asset, entails the measures to protect against danger or loss with emphasis on being protected from dangers that originate from outside. A significant breach in security could certainly impair an organizations ability to exist, and thus is a critical concept underlying the organization’s capacity to be resilient. Resilience is proactive in positioning the company to survive and thrive given known and unknown challenges. Security, as generally practiced, provides specific protection against identified or projected circumstances.


Protection is often associated with the set of actions to harden assets to withstand identified contingencies, mitigate the damage, or make them an unattractive target. The focus is to maintain the assets’ core function and ward off harm. Typically, protection performance objectives are stated as an absolute capability against varying levels of threat (category II or greater hurricane, defined types of breaches, specific acts). Organizations plan for protection against specific threats or categories of threats. Resilience approaches the issue from a standpoint of taking reasonable protective actions, but having alternative capabilities as needed or the ability to withstand the disruption.

Crisis management[edit]

Crisis management generally refers to the set of actions and capabilities in place to effectively respond to and contain a situation. The situation can vary from natural, man-made, or environmental challenges, whether internally or externally generated. Most consider crisis management to largely consist of actions that go into play when the crisis occurs and subside after it is considered “over”. There are plans and preparations, but the actions are not often dealt with as part of normal operations. Resilience depends on effective crisis management, but would encourage more prominent treatment of crisis management capabilities throughout the company’s operation than is often the case.


Preparedness consists of the plans of actions for when the disaster or crisis strikes. Preparedness efforts are very specific sets of tactical actions (evacuation plans, sheltering plans, rehearsals, stockpiles, etc.) that the company and individuals will take to mitigate the effects of predicted disasters/crises. Resilience requires prudent and serious attention to preparations for known likely disasters, particularly those that are highly likely (e.g., hurricanes in Florida). Resiliency would address preparedness as a specific emergency management business function; but more importantly, as being impacted by numerous functions across the organization. These may include human resources, strategic planning, financial management, information technology, and risk management.

Risk management[edit]

Risk management consists of formal processes to identify threats and vulnerabilities to the company, and the mitigation approaches it will employ. Risk management is highly sophisticated and the results have application in managing the business, insurance coverage, and in attracting investors. The risk management profession is moving toward a more proactive and return on investment focus, but the traditional focus has been defensive in nature. Identifying and managing risks, particularly operational risks, is arguably the most important factor in achieving resilience; however, it is one of many factors. Resiliency has a healthy consideration of posturing for future opportunities. That is not a traditional consideration in risk management.

Making resilience reality[edit]

Some scholars have identified the four facets of resilience as preparedness, protection, response and recovery.[33] Other countries, such as the United Kingdom and Australia, are adopting the resilience concept.[34][35] In the United Kingdom, resilience is implemented locally by the Local Resilience Forum.

Measuring resilience[edit]

As part of the Canterbury University Resilient Organisations programme, ResOrgs have developed a tool for benchmarking the Resilience of Organisations.[36]

The Resilience Diagnostic is an assessment made up of 11 categories, each evaluated by a set of 5 to 7 questions. These categories are defined as either asset or liability. A person’s resilience is determined by the sum of all asset scores divided by the sum of all liability scores, producing a Resilience Ratio. The Resilience Ratio can be reflected both on an organizational and individual level and the assessment provides self-coaching options for participants. Developed in 2011 by The Resilience Institute, the Resilience Diagnostic has been used by corporations worldwide, with key insights reflected in the Global Resilience Report 2016. [37]

Resilience as an acquired skill[edit]

In Organizational Studies, resilience is often referred to as the maintenance of positive adjustment under challenging conditions. Here, resilience emerges as the response to specific interruptions of the normal. Sutcliffe and Vogus[38] argue that resilience should rather be viewed from a developmental perspective, as an ability that develops over time from continually handling risks. Resilience, then, is "the continuing ability to use internal and external resources successfully to resolve new issues". Thus, "resilience is the capacity to rebound from adversity strengthened and more resourceful".

Organizational Resilience Management Standard[edit]

ASIS International have developed and published the definitive Organizational Resilience Management Standard SPC.1-2009. Approved by ANSI and adopted by the Department of Homeland Security under the PS-Prep program, this American Standard provides a practical basis for implementation of preparedness objectives supported by ASIS ORMS (Organizational Resilience Management System) software.

See also[edit]


  1. ^ a b McCarthy, Ian P; Collard, Mark; Johnson, Michael. "Adaptive organizational resilience: an evolutionary perspective". Current Opinion in Environmental Sustainability. 28: 33–40. doi:10.1016/j.cosust.2017.07.005.
  2. ^ Sull, Donald (15 October 2009). "The Upside of Turbulence: Seizing Opportunity in an Uncertain World". HarperBusiness – via Amazon.
  3. ^ Wieland, A. & Wallenburg, C.M. (2013): The influence of relational competencies on supply chain resilience: a relational view. International Journal of Physical Distribution & Logistics Management. Vol. 43, No. 4, pp. 300-320.
  4. ^ "The Quest for Resilience". 1 September 2003.
  5. ^ "Designing Resilience: Preparing for Extreme Events eBook: Louise K. Comfort, Arjen Boin, Chris C. Demchak: Kindle Store".
  6. ^ a b "Organizational resilience research & consulting - Resilient Organisations". Resilient Organisations.
  7. ^ "BS 65000:2014 Guidance on organizational resilience".
  8. ^ "ISO 22316:2017 - Security and resilience -- Organizational resilience -- Principles and attributes".
  9. ^ "Resources".
  10. ^ ICSA. "Building a Resilient Organisation (ICSA Solutions)".
  11. ^ PricewaterhouseCoopers. "The Resilience Journal and the Risk Insights Blog".
  12. ^ Demrovsky, Chloe. Saying 'I Do' to Resilience: 10 Potential Barriers to Business Bliss. TechZone360. December 3, 2015.
  13. ^ Sheffi, Yossi (October 2005), The Resilient Enterprise: Overcoming Vulnerability for Competitive Enterprise, MIT Press
  14. ^ Transform. The Resilient Economy. Integrating Competitiveness and Security. Council on Competitiveness. July 2007.
  15. ^ Chain of Perils: Hardening the Global Supply Chain and Strengthening America's Resilience. Reform Institute. March 2008.
  16. ^ The Smart Alternative: Securing and Strengthening Our Nation's Vulnerable Electric Grid. Reform Institute. June 2008.
  17. ^ Building A Resilient Nation: Enhancing Security, Ensuring a Strong Economy. Reform Institute. October 2008.
  18. ^
  19. ^ Katherine McIntire Peters. Government Urged to Focus on Resilience in Homeland Security. Government Executive. October 1, 2008
  20. ^ James Jay Carafano. Risk and Resiliency: Developing the Right Homeland Security Public Policies for the Post-Bush Era. Testimony Before the Subcommittee on Transportation Security and Infrastructure Protection. Committee on Homeland Security. United States House of Representatives. June 24, 2008.
  21. ^
  22. ^
  23. ^ 'Resilience' Blooming Into Its Own. Homeland Security Watch. May 1, 2008.
  24. ^ Committee Leaders Pleased With Month of Hearings on Resiliency. CQ Homeland Security. May 23, 2008.
  25. ^ Homeland Security. Retrieved 2009-04-05.
  26. ^ One Team, One Mission, Securing Our Homeland. U.S. Department of Homeland Security Strategic Plan. Fiscal Years 2008-2013. U.S. Department of Homeland Security. September 2008.
  27. ^ Top Ten Challenges Facing the Next Secretary of Homeland Security. Homeland Security Advisory Council. September 2008.
  28. ^ Quadrennial Homeland Security Review Report: A Strategic Framework for a Secure Homeland. U.S. Dept. of Homeland Security. February 2010.
  29. ^
  30. ^ Gary Hamel and Liisa Välikangis (2003). "The Quest for Resilience". Harvard Business Review.
  31. ^ "Redefining the Corporate Governance Agenda" (PDF). Booz Allen Hamilton and Weil, Gotschal and Manges LLP. 2004.
  32. ^ "PPD-8".
  33. ^ Building A Resilient Nation: Enhancing Security, Ensuring a Strong Economy report. Reform Institute. October 2008.
  34. ^ Resilient Nation. Demos. April 2009.
  35. ^ Improving Disaster Resilience. Australian Government. May 12, 2009.
  36. ^ Resilient Organisations. March 22, 2011.
  37. ^ Resilience Diagnostic. November 28, 2017.
  38. ^ Organizing for Resilience Sutcliffe, K. M., & Vogus, T. J. (2003). In K. S. Cameron, J. E. Dutton & R. E. Quinn (Eds.), Positive Organizational Scholarship: Foundations of a New Discipline (pp. 94-110). San Francisco: Berett-Koehler Publishers

Further reading[edit]

External links[edit]