One of the favourite parts of my current role is the opportunity to talk to existing and potential customers about their business concerns, the challenges they face as business owners or managers, and the perceived risks to their enterprise. Many have spent a number of years getting to grips with the idea that ‘Risk Management’ is a more appropriate concept to discuss than ‘Security’, only to suddenly be blindsided by the introduction of the term ‘resilience’.
I have a huge amount of sympathy for these business people. The Security Industry has always been a keen proponent of jargon – risk management, cyber security, convergence, differentiation, output specification, etc etc – often for purposes of marketing rather than for actually changing the mindset of how solutions are delivered by the industry.
So what do we mean by ‘resilience’ or ‘organisational resilience’ (OR) – or should I say, what do I mean by using such terminology? The literature on the subject is exponentially increasing at present In a nutshell, OR reflects a critical shift in thinking away from questions such as ‘What is Most Likely to Happen?’ in terms of risk, and towards the ability of organisations to recover following an alarming and unexpected threat or event.
We might define ‘Organisational Resilience’ as “The organisational capability to anticipate key events from emerging trends, constantly adapt to change, and rapidly bounce back from disaster” (Marcos & Macauley: 2008, p1). To this, we might add the definition provided by BS:65000(2014) which outlines ” the ability of an organization to anticipate, prepare for, and respond and adapt to incremental change and sudden disruptions in order to survive and prosper”.
As someone trained first and foremost in quantitative political science and statistics, traditional numerical approaches to quantifying risk initially held great appeal to me. They seemed clean, practical and with a firm base in the natural science of mathematics. However, in reality, I find such approaches restrictive, pseudo-scientific, reliant on recycled knowledge, and often unable to grasp the complexity of what is required to help customers become increasingly resilient in an uncertain world.
Conversely the concept of ‘OR’ holds such appeal to me precisely because it is intellectually liberating and thought-provoking. It challenges Risk Managers to move beyond rigid templates and instead understand the complex dynamics of the business they protect (inclusive of leadership, geopolitics, information infrastructure, communications, economics, technology and a range of other relevant criteria). It is a problem-solving rather than a mechanical process, an inclusive rather than an exclusive approach, and an evolutionary rather than a reactionary process. Indeed, it is a journey rather than an outcome. Becoming ‘resilient’ is something that I understand as a journey for organisations, one which requires constant reassessment, re-education and realignment, rather than a static plan which sits in a desk drawer.
Most importantly, the concept of OR is allowing me to expand and develop my own thinking on how best to serve the customers that I deal with during my working life at Oakpark. By refocusing our design process and working practices around ‘resilient thinking’ – to borrow from Philip Wood’s well-known book title – rather than traditional risk management grids and checklists, I am confident that we are a more effective security partner to our customers in 2016 than ever before.
I’ll be blogging more on my thoughts on Organisational Resilience shortly – as I continue my own intellectual and practical journey relating to this concept. Should you have any questions, please e-mail me at firstname.lastname@example.org.