By Dominic Cockram
The more I hear of the current discourse on organisational resilience, the more uncomfortable I find myself feeling.
The concept has been around for a long time and was brought sharply into focus in 2014 by the British Standard, BS 65000: Guidance on Organisational Resilience. As one of the editors, I was party to vivid and lengthy discussions and much positive disagreement as we ranged around the topic of organisational resilience, what it meant and how best to set it out in a standard. In the end, what came out was a ‘Guidance’ and that was an excellent result. Resilience is a complex and many faceted concept and it would have been wrong to go too far in framing an approach at this stage.
More and more, though, the resilience discussion I hear focuses on two areas.
Firstly what I would term, the operational use of the language: referencing ‘assess, anticipate, mitigate, and recovery from disruptive events’. This is excellent conversation but it is really about no more than good risk management and business continuity. Good that it is being discussed, but it has been since the 90s.
Secondly, a separate discussion looks at the much wider meaning of resilience and the ‘big picture’ aspects of what it takes to make a business resilient.
There is a considerable gap between the two and potentially a problem.
I have therefore come to the view that there is ’strategic’ and ‘operational’ resilience – in some ways the big picture and the corresponding small print. They are related but focus on very different areas.
‘Strategic resilience’ is about the broader and more ambitious concept of organisational resilience at a strategic level and concerns ensuring your organisation’s culture, strategy, values and behaviours lead to over-arching business resilience.
This is as opposed to the more prosaic and practical protective elements of the ‘operational resilience’ world of security, risk, business continuity, and crisis management to name a few. These protective elements are ‘time banded in their focus, dealing much more with the here and now – short to mid-term – and much more a part of everyday life for a business continuity or risk manager.
How your HR strategy is supporting the future talent pool in decades to come, what the likely changes are to the business over the next 20 years, how to face new sectoral disruptor technologies or concepts, for example, are all factors of the strategic resilience world and extremely important.
The problem is, it seems to me, that these two worlds will very rarely (if ever) collide.
I see audiences of resilience conferences turned off by presentations on ‘strategic resilience’ as it’s a topic that is discussed almost exclusively at Board level about future business strategy. And that is where it should stay, with it being the remit of Strategy Directors and CEOs. Strategic resilience is very much alive in any good business considering the resilience of its future planning and horizon scanning. But this is a discussion that the continuity world is unlikely, in reality, to get a toe into.
So, where does this leave us?
Without doubt, resilience is an excellent ‘wrapper’ term for bringing together a coherent approach and concept for the protection of a business – coordinating the key disciplines that support, protect, prepare and respond in a business and making them take a wider view of the world in which they sit.
However, the strategic resilience aspects should be retained more in the Boardroom – recognised as being critically important but separate from operational resilience. One is about the short and mid-term, the other the long term.
In a perfect world they should link up, but in most businesses this is unlikely.
This difference should be reconciled in the next groups of standards (ISO:22316 and possible revision of BS: 65000) and the discussions focused on relevant and applicable concepts that can be usefully applied to each audience.
Maybe therefore we have two approaches – one at each level to ensure that both are properly addressed.