Learn how ISO 22316 complements the standards on BCM (ISO 22301) and information security (ISO 27001), enhancing organizational resilience.
Do we really need this new approach? What’s actually new?
Both management system standards, information security (ISO 27001) and business continuity (ISO 22301), aim to encompass the whole organization, yet they still lack the components and dimensions needed to protect an enterprise holistically. The concept of resilience expands these approaches and enhances the preparedness and development of organizations.
Resilience – what’s this?
Do we really need this new approach? What’s actually new? There are so many standards already – will we ever cope? Another certification? We have been doing this all along!
Good and valid questions and statements. The concept of resilience is not new. If we interpret the definition of resilience as the “ability… to absorb and adapt in a changing environment”, we realize that Mother Nature (evolution) has successfully applied this principle for quite some time. As such, it is quite reasonable to adopt this approach for organizations (run by humans) as well. For long-term stability and growth there is no recipe other than the ability to adapt. The new standard has been developed by ISO/TC 292.
Yet another standard?
The new standard ISO 22316 provides guidance (it recommends an approach) to enhance an organization’s resilience. It does so by proposing principles, attributes and activities that contribute to more resilient organizations. As a guidance document, this standard cannot be used to certify an organization. It rather serves as an umbrella covering a range of management disciplines, all of which need to be sufficiently mature and to interact with each other in a synergistic fashion.
Two of these management disciplines are information security (ISO 27001) and business continuity (ISO 22301). These management system standards serve to properly implement the respective approach, and organizations may get certified against their requirements.
Organizational resilience expands the concept of preparedness to threats which might develop slowly but would still be fatal for the organization if not properly anticipated. While the above-mentioned management system standards deal with classic sudden, disruptive events (such as IT breakdowns or a factory fire), a resilience approach also addresses political, legal, demographic, climate-related and other threats which would not impact the organization from one moment to the next, but perhaps months or years down the road. How many world-leading organizations have vanished because they were not resilient enough: Swissair, Kodak, Nokia, …?
One of the greatest values of ISO 22316 is that it proposes a structured approach to resilience. While organizations may already have been on a path to resilience with more or less success (especially those that have implemented an ISMS or BCMS according to ISO 27001 or ISO 22301), the new guidance document on organizational resilience provides concrete guidance on what to undertake.
The foundation of resilience is a set of principles. Let’s discuss two examples.
- The behaviours of all members of an organization need to contribute to organizational resilience; any passive or counter-productive behaviour should be avoided. This also means that the workforce should itself consist of resilient people, building resilience from the bottom up. Non-engagement within the workforce, a high degree of absenteeism, or a workforce that is effectively fighting against management are behaviours that do not contribute to organizational resilience.
- Diversity of skills is very important, as new threats, challenges and opportunities may originate from different areas within the organization or from its environment. Only if management and the complete workforce have a 360° view of what possibly threatens the organization, or what is possibly an opportunity, can an organization increase its level of resilience.
Based on these principles, an organization should exhibit a range of attributes that support it on its path to enhanced resilience. Again, let us have a look at two of the proposed attributes.
- Understanding the context of the organization. This contributes significantly to organizational resilience, not only as a part of managing risk but also by identifying opportunities.
- Continual improvement. Of course, standing still is falling back. This is why ISO 22316, unsurprisingly, does not fail to mention this attribute. Nothing new for users of management system standards.
The third level of this approach proposes a range of activities that also contribute to the final goal, for example:
- Individual goals are to be aligned with the organization’s goals
- Clarity about the organization’s purpose, which may need to be changed
- Follow up on innovative ideas
- Think beyond current activities
Last but not least, an organization is advised to implement and refine a range of management disciplines. We already know two of them: information security and business continuity. ISO 22316 proposes a range of additional management disciplines to be nurtured, e.g.:
- Environmental management
- Facilities management
- Financial control
- Health and safety management
- Quality management
- Risk management
On top of that, business intelligence and the monitoring of customer trends as well as of political, environmental and legal requirements contribute towards organizational resilience.
Do we need organizational resilience?
It’s hard to imagine an organization which would not benefit from implementing a structured approach to organizational resilience. In today’s highly competitive environment, nurturing this pillar of an organization’s strength might be one of the “secrets” of sustainable success. In short, an organization needs to identify and implement its key management disciplines (such as information security according to ISO 27001 and BCM according to ISO 22301). This is the foundation on which to build organizational resilience, and ISO 22316 is the proper tool for that purpose.