Last week I was sitting in a one-day marketing workshop and was asked to introduce myself and employer to the room. Describing our company’s focus on risk and resilience to a room occupied by small business owners, I found myself talking about making businesses more resilient to disruption and in doing so coming to the actualisation that much of what I have read and been taught with respect to building resilience is not necessarily applicable to small businesses of the type that I was sitting with.
Indeed, the ‘Resilience landscape’ – if I can call it that – is inevitably dominated by attention to large national and multi-national companies. It is the likes of PriceWaterhouseCoopers (PWC), EY, and Zurich who produce much of the business information relating to resilience as a concept. Look at ‘resilience professionals’ on sites such as LinkedIn and you will inevitably find individuals working for national/international providers of utilities and energy, or global insurance firms, or large healthcare or local Government organisations.
This focus on larger organisations also translates into much of the literature also being produced on ‘Organisational Resilience’. Research, both professional and academic, has made clear the need for resilience to be considered at ‘board level’, of ‘integrating disaster recovery, business continuity and risk management’, of ‘of breaking silos’, and even having a Chief Resilience Officer (CRO). Whilst these are certainly valid points in the study of Organisational Resilience, they seem language more appropriate for the corporate world rather than the SME businesses I deal with on a day-to-day basis.
When discussing organisational reliance and SME’s, Sullivan-Taylor & Branicki (2011: p11) point out some of the crucial differences between larger and smaller organisations in terms of organisational resilience. Larger organisations are more organised, with more resources, with greater technical knowledge. SME’s however tend to be more rapid in their response to a high-impact event, even if their response is muddled and uncoordinated, a result of a much simplified decision-making structure.
My point is therefore that we as professionals dealing with organisational resilience should make sure that a degree of nuance is included in any framework relating to OR, one that realises the additional challenges in dealing with SME’s. In 2008, McManus, Seville, Vargo and Brunsdon (2008: p81) noted; “The task of building more resilient organizations is complicated by an inability to translate the concept of resilience into tangible working constructs for organizations.” This seems particularly true in the case of SME’s who are limited in terms of their resources, organisational structure, and specialist security/risk/resilience knowledge. Indeed, SME’s continue to remain statistically less resilient than larger companies (Stephenson, 2010: 208) and it is therefore essential that security partners ensure that these customers receive the necessary support and advice in terms of building resilience.
Such solutions must be practical, cost-effective, low-maintenance and situated within a clear business framework that highlights a return on investment. They should recognise the high failure rate of small businesses and realise that issues as cash flow, liquidity and seasonal fluctuations are more likely to dominate organisational resilience discussions within a small business than disaster recovery, emergency planning and systems resilience. The challenges are therefore significantly different than dealing with larger national or international companies – although the limitations in organisation, technology and resources conspire to make building resilience in SME’s often just as challenging.
Oakpark Security will shortly be publishing some practical advice for SME’s on developing a greater resilience to disruption. This will be made available at no cost through our website so please check back shortly.
As always, if you have any comments or thoughts on my blog, please feel free to contact me at firstname.lastname@example.org.