Not simply a regulation
Today, I am sharing what resilience is and isn’t from a business perspective. Many of you have asked me about the emerging resilience work. There’s so much out there that it can be confusing. First, it is not simply a regulatory requirement. In the UK, some of you may disagree as firms focus on the FCA, the PRA, and the Bank of England Operational Resilience rules. However, as I wrote about in Real Resilience, it is a business mindset, not simply a compliance tool. In addition, it is also not merely an ISO standard for Organizational Resilience. As I have spoken about previously, it is more complex, incorporating these aspects and more to obtain business plasticity and return on value.
Yes, there are regulatory inputs
Now, my colleagues across the pond may beg to differ with me. However, what resilience is and isn’t can’t be bound up in compliance. Having that narrow of a focus misses the point. For a resilience framework to be successfully supported and maintained, it gets embedded in company culture. Yes, a country’s laws or rules make it easier, but they do not establish a workable continuity. Instead, achievable organizational sustainability is evident when its value is easily understood. That means metrics and measures come into play to communicate that return on investment.
More on organizational resilience
Let me know if you interpret it differently, but organizational resilience focuses on determining overall business risk and preparing it for any contingency. Taking that further adds a survival element and a “bounce back better” attitude. Prof. David Denyer of Cranfield University first defined organizational resilience as the ability of an organization to anticipate, prepare for, respond and adapt to incremental change and sudden disruptions to survive and prosper. That partnership with the BSI was fruitful in advocating for more than a reactive organization instead of a sustainable one.
Then there's operational resilience
So, operational resilience is all the rage right now. Yes, regulatory drivers are pushing the evolution in this space. A narrow focus on technological capabilities and operational continuity runs parallel to other risk management activities. Under the regulatory spotlight, many financial services firms elected their risk team to spearhead the effort. Risk cannot do it alone, so this is where business continuity management, technology, third-party review, and management support are vital to successful implementation. Watch this video for an overview of the UK financial services operational resilience mandate.
It's more complex than governance
The four pillars of a resilience program are organizational security, organizational safety, business continuity, and risk management. I suppose that technological support could be another, but I see it as a resource. Yes, ISO 22316:2017 seeks to guide successful planning to help companies survive, stabilize, rebuild and be resilient, as the BSI lays out. However, its strict attention to business stability and recovery from interruptions leaves something lacking. The adage that companies consist of people comes to mind. The standard does reference the importance of culture and the right psychological environment to its credit. However, it fails to mention maintaining the well-being of its workforce.
Emotional resilience is a key component
Now, I recognize that this could be a nit on my part. Yet, it is an important one. If we evolve nothing from our shared COVID experience, it is that companies cannot function without considering the impact of emotional health on disruptive events. Employee adaptability has a much a place in resilience frameworks as the pillars I spoke of earlier. From many years of crisis management experience, I can tell you that a response is only as successful as people’s ability to handle it. That means recognizing EQ is as important as IQ and soft skills as hard ones. Leadership can impose a framework, but to thrive, it needs the backing of the employee majority.
Putting it all together
Finally, then, this speaks to organizational culture. Successful companies of the future will acknowledge that their customers, employees, board, vendor, and contract partners have critical roles to play in crisis outcomes. We want leadership, and our four-pillar specialists to lay the groundwork for continuous resilience. That starts with prioritization, a thoughtful program design, and maintenance. So, now you know what resilience is and isn’t to me. Think of it as a blueprint for business success. Let me know your thoughts in the comments below.