What is Organisational Resilience?
Introduction to organisational resilience
Organisational resilience has been defined as a comprehensive management system approach that identifies and assesses risk; analyzes possible consequences and impact following disruption; examines and develops cost effective security, preparedness, and mitigation measures to protect against potentially disruptive incidents occurring; develops plans for responding to potential incidents in a professional and responsible manner including the effective mobilization of the workforce; and plans and tests business/operational continuity measures necessary to recover from disruptive incidents in the minimum possible amount of time; collectively implementing these measures to avoid as far as possible a major emergency, crisis or disaster.
Contents of the organisational resilience page
Information is provided in this section of the website to encourage better understanding of organisational resilience concepts and enable the reader to identify the benefits to be obtained from embracing these concepts and achieving improved prevention, protection, response and continuity following a serious disruptive incident.
Development of an Organisational Resilience (OR) Standard
The organisational resilience standard [ASIS SPC.1-2009] was developed and published by ASIS International and approved by the American National Standards Institute, Inc. on March 12, 2009 . This standard was adopted by the Department of Homeland Securitys for its PS-Prep Program in June 2010. The standard follows the PDCA (Plan-Do-Check-Act) model which is an approach that nearly all mainstream international standards follow. The standard is capable of being audited and can be used to support certification objectives as defined in the PS-Prep program.
Benefits accruing from achieving conformance with the OR Standard
Delivers a range of qualitative and quantitative benefits as the OR Standard is implemented:
- Provides a cost-effective approach to managing risks of disruption by providing a balanced framework for the minimization of both the likelihood and consequences of disruptive events.
- Aligns with the way successful businesses manage risk by looking at the entire risk profile. The standard focuses on the holistic resiliency of the organisation, not just business continuity management and emergency management. By emphasizing incident prevention and management, the ASIS OR Standard helps organisations anticipate and avoid problems before they develop.
- Emphasizes a balance of adaptive, proactive, and reactive strategies for making organisations resilient based on their risk profile and business environment in which they operate.
- Can be used for first, second, and third-party verification. Organisations can use the standard to improve resilience and preparedness performance, as well as demonstrate to customers, clients, and supply chain partners that the company has a robust resilience program. Applicable to organizations of all types and sizes, from public to private, small to multinational, in manufacturing, service, storage or transportation. In addition, the standard has been developed simultaneously in countries on four continents.
- Is aligned with the new ISO 31000:2009 - Risk Management which allows an organization to better integrate preparedness into its overall risk management strategy.
Comparing organisational resilience and business continuity
There is a relatively subtle but extremely important difference between organisational resilience concepts and business continuity concepts. Since the arrival of organisational resilience as a dynamic, adaptive and cost effective management discipline there has been a highly defensive response from some business continuity practitioners as the use of organizational resilience offers so much more than a response planning mechanism that concentrates mainly on recovery and resumption strategies. Business continuity has an important role in measuring and assessing risk, identifying potential incidents and then planning to respond to the incident and recover normal business operations in the minimum possible amount of time. On the other hand, organisational resilience delivers all of these disciplines in a structured ORMS format but in addition also demands a strong focus on identifying and introducing cost effective prevention and protection measures.
Three good illustrations of these differences can be taken from the following actual events:
Three good illustrations of these differences can be taken from the following actual events:
- Firstly a fairly simple example. A medical institution had an incident where a new born baby was snatched from one of its maternity wards by an estranged parent. It is fairly easy to see that prevention or protection in this case is a much stronger strategy than responding to the incident after the event with much hand wringing and counselling. Simply raising security levels to avoid such occurrences is the correct option.
- In a second example, consider the strategic differences in preparing for a potential swine flu epidemic. A response and recovery approach would normally focus on managing the organisation and its operations after critical staffing levels have suddenly dropped following the onset of an epidemic. A protection and prevention approach would also prepare for a similar set of response and recovery activities but would also equally focus on prevention and protection which in this case would be educating its workforce on improving sanitization procedures at home, outside the home and in the office prior to the infection actually striking to reduce the chances of the infection spreading to the organisation's staff.
- A third critical illustration of the benefits of ORMS over BCMS can be seen in the area of airport and air travel security. The increased terrorism risk ever present in modern air travel has resulted in all major airports seriously increasing the level of preventative and protective security. In this area of risk management nearly all the focus has been on prevention and protection activities rather than response and recovery activities and it is fairly easy to see why.
Business continuity strategies tend to be reactive in nature although it is recognized that there is advance planning incorporated within this reactive process. Organisational resilience incorporates adaptive, proactive and reactive strategies thereby developing procedures and processes that reduce the risk of these disruptive events actually happening.
No comments:
Post a Comment