As more organizations worldwide adopt organizational resilience for their emergency response preparedness and recovery activities, it is important to review organizational resilience programs periodically to make sure the right issues are being addressed.
Savvy resilience professionals have two organizational resilience (OR) standards to help assess their programs. The first is ISO 22316:2017, Security and resilience -- Organizational resilience -- Principles and attributes. The second is British Standards Institution (BSI) 65000:2014, Guidance on organizational resilience.
Both provide details and a framework to develop and implement an operational resiliency initiative. Each can help develop an internal organizational resilience program and serve as an audit tool to ensure the controls specified in each standard are being followed.
Below are 10 questions to help facilitate a readiness review of an existing organizational resilience program. They can also be used to develop a program framework based on standards such as those from ISO and BSI.
Use the following organizational resilience questionnaire to initiate an internal program readiness review.
- Does the program anticipate potential risks, threats and vulnerabilities?
A positive answer means the program not only identifies specific risks and threats, but also identifies operational vulnerabilities that could increase the likelihood of a disruptive event occurring. Data from risk analyses, business impact analyses and other operations-focused assessments can be used to build a view of the organization's level of preparation and readiness for a disruptive event.
- Does the program proactively integrate with other management and emergency disciplines?
Most technology, operational and emergency activities operate autonomously. The aim is to establish linkages to the emergency response resources available from each discipline and blend them into a cohesive response framework. In short, this action attempts to break down silos among key operational entities.
Related disciplines include incident response, emergency management, facilities management and technology disaster recovery.
- Does the plan provide evidence of interactions, such as data sharing and joint exercising, across multiple departments that support strategic goals and objectives?
With better cross-department communications and information sharing, organizations can launch a more coordinated response to a disruptive event.
- Are organizational resilience principles part of the company culture?
In a culture of resilience, everything the company does should answer the question: "Have we built resilience capabilities into business processes, management activities, employee services, IT services, physical and cybersecurity practices?" Virtually anything the company does has components that will help it remain operational in a disruptive incident.
Organizations should use all of the company's emergency components as part of a response, and should design and implement partnerships with one or more of the relevant departments.
- Have organizational resilience policies and procedures been developed, documented, reviewed and validated by multiple subject matter experts, and approved by senior management?
Without policies and procedures, an OR environment, as well as a culture of resilience, is virtually impossible. Auditors will examine these documents as evidence of the controls needed to establish organizational resilience.
- Have supply chains been factored into the organizational resilience framework?
The COVID-19 pandemic clearly demonstrated the importance of supply chains, and how businesses can be disrupted or shut down if those important business resources have been compromised. Smooth-running supply chains are essential elements in a resilient organization. Companies must regularly review supply chains and address and mitigate any vulnerabilities they identify.
- Has the business considered financial and operational aspects when developing organizational resilience activities?
Understanding how the company operates from a process level is essential when developing an OR framework, launching programs that respond to disruptive events, and recovering and resuming business operations as quickly as possible.
- Has the organization developed and initiated awareness and training activities?
The success of any OR program is highly dependent on employees and how they view their roles and responsibilities in a disruptive event. Awareness programs provide a continual reminder of the importance of organizational resilience to the company. New employee orientation and existing employee refresher training classes keep everyone prepared to respond in an event.
- Are organizational resilience plans and related activities regularly exercised at the organization?
Periodic exercises ensure that the plans and their procedures are fully understood by the employees who will be deploying them, that the plans perform as needed in an event, and that they are flexible and adaptable to a variety of situations. Related activities include business continuity and disaster recovery plans and exercises.
- Does senior management understand and support the organizational resilience program?
Without senior management support and encouragement (and funding), resilience programs are generally doomed. Senior managers must be members of the key organizational resilience response teams, where their leadership skills can help ensure that the business follows resilience procedures.