Best Practices for Navigating the Path to Organizational Resilience

July 27th, 2022
Hannah Tichansky

Organizational resilience. It’s more than a buzzword; it has been catapulted into our daily conversations through the shared experience of confronting significant change in our lives as we continue to live and work through a global pandemic.

The term itself has been well defined for some time:

Organizational resilience is the ability of an organization to absorb and adapt in a changing environment to enable it to deliver its objectives and to survive and prosper. More resilient organizations can anticipate and respond to threats and opportunities, arising from sudden or gradual changes in their internal and external context. Enhancing resilience can be a strategic organizational goal, and is the outcome of good business practice and effectively managing risk.

(ISO 22316:2017)

Resilience is a key business imperative, and enhancing resilience must be a strategic organizational goal. In this business landscape of increased uncertainty and considerable change, organizations must adapt to how they can better anticipate and respond to threats and disruptions confronting their extended enterprise. While they can’t plan for everything, they can become more adaptive and responsive, putting them in a greater state of readiness for any risks that lie ahead.

Today, change is happening faster than ever. Those who survive are shifting away from ‘the same old way’ of doing things, with fixed pathways and siloed information, to a much more unified, fluid, and agile approach. The path to resilience is going to take a fresh approach to people, processes, and technology.

A Shift to Integrated Organizational Resilience

From cyberattacks and regulatory updates to consumer demands, changes in the market, and natural disasters, it can be difficult to imagine being prepared for every possible risk variable. Compounding this are operations that flow well under business-as-usual routines, but tend to break down when there are large events and unprecedented strain. In order to meet these risks we’re seeing post-pandemic, there is a need to move quickly with systemic processes for uncertainty, while also leaving room for improvisation and quick decision making.

Businesses need to start developing practices that support organizational resilience, managing those practices holistically, and building processes that tackle risks on the horizon in a way that accounts for uncertainty. According to Gartner,1 building resilience is a journey. In our opinion, people, processes, and technology each need to work in unison for an organization to become truly resilient.

Managing this path to resilience not only includes business continuity and crisis response, but also includes resilience plan testing, simulation of disruptive events and how they would affect an organization, education and training, and continuous improvement. And at the heart of this are flexible business models that allow for quick, adaptive decision-making.

It’s not just about surviving a crisis. Implementing organizational resilience will set you above competitors and give you critical advantages. “Firms with more mature resilience capabilities grew at a rate of 2.4 times their industry average,” says Forrester’s Q3 2020 North American Future Fit Technology Survey.2

The Backbone of Organizational Resilience

A cornerstone of resilience is how organizations effectively anticipate and respond to a diverse and changing range of risks. These risks can be operational, cyber, compliance, reputational, or financial in nature and extend beyond the four walls of the enterprise into its entire business ecosystem, including its third parties and supply chain. With this level of complexity, organizations need to be agile in their approach. 

There are several practices and schools of thought that help organizations navigate how to approach these risks and other potential future threats. The Harvard Business Review has defined three components at the core of organizational resilience including:

  • Organizational routines: These are reliable routines and practices that have been stress tested, allowing for a systemic knowledge about how things relate, and who does what. These routines require constant examination and adjustments to allow for better ways of doing things.
  • Simple rules: These rules help organizations prioritize decisions and resources when a disruption occurs. For example: what is the top priority when a data breach occurs?
  • Improvisation: These are more spontaneous, situation-driven decisions that companies, teams, or individuals will need to make if a disruptive event were to happen. While it is impossible to predict the exact disruption that could occur, training can be done to help companies become more comfortable in making strategic, improvised decisions, without sacrificing simple rules and organizational routines already set.

These three practices should be used together as a toolkit to create awareness around organizational resilience, run simulations for potential future threats, build new processes, analyze the effectiveness of current or potential tools, and gauge effectiveness. In addition, each of these practices should not be used in a vacuum; they are interdependent. Rules, for example, might prompt improvisations under certain situations. Running simulations and crisis response training helps map out how these relationships work and what variables contribute to certain decisions and actions.

Considering these three components, many organizations are going to have to reconsider the technology they have in place to manage programs. Domain expertise and best practice ways of automating organizational routines and embedding simple rules are important, but the ability to adapt and improvise according to context is becoming even more critical.

Shake Things Up and Question the Status Quo

According to Gartner’s How to Build a Resilient and Responsive Organization, 52% of CHROs surveyed are planning to “shift from designing organization for efficiency to designing for flexibility.”3 It’s not rocket science that routines are comforting, as well as useful in setting benchmarks. However, when routines become over-utilized, not customizable, or outdated, gaps in protection can begin to appear and grow. Organizational resilience calls for constant questioning of the status quo: what’s working, what should be changed, what are we missing, etc.

To help pave your path to resilience, sit down with your risk and resilience stakeholders and spend time analyzing current tools, their effectiveness, what they do, what they could do better, and if you need to swap tools out and invest in new tools.

A key element of this process is to question assumptions behind routines; are you doing things because it’s right or because it’s how things have always been done? Questions to ask include:

  • What processes or decisions have traditionally needed to be made, or signed-off on by executives or higher management? How has this worked in times of crisis/how does this change?
  • How often do you update these processes to optimize? Do you assume you’re doing enough? How has this historically worked under pressure?
  • Where in workflow processes have issues historically arisen? Are there areas that need more resources to help mitigate these problems? How do these processes break down if you need to work quickly under pressure?
  • Do resources have the budget allocation that is needed to work effectively? If so, does this budget still work in times of crisis?
  • Are there assumptions being made regarding workflows that need to be further scrutinized/questioned? Have these assumptions been tested under pressure, or only during business-as-usual operation?
  • Have you overcomplicated processes, or created too much information or process silos?
  • How simple is it to adapt these processes in supporting technology?

Preparing for Uncertainty

So, if you find resilience gaps in your processes, how do you begin to test them under pressure, and find out what works? The answer lies in simulations and training. But how do you prepare for these events if you don’t know what they will be? It can seem like a catch-22.

Even though specific situations that arise may be unfamiliar, you can train yourself and your workforce to be prepared for uncertain situations and you can be trained to react confidently. According to the Harvard Business Review, this type of training and shift in mindset produces positive results:

“By actively training the organization to alter the combination of routines, heuristics, and improvisation on the fly to match the changing requirements of different possible scenarios, leaders can build resilience throughout their organizations. Organizations that regularly deal with fast-evolving situations—think SWAT teams and military commandos—know that it pays to practice and prepare for the unexpected while you have the luxury of time and resources, instead of trying to learn how to adapt in the middle of a storm.”

Incident Response Training, Business Resilience Training, and Business Continuity Training are all exercises that help companies prepare for and respond to a crisis. This could include training for physical threats such as natural disasters and active shooters, but also preparing for threats like cyber breaches and supply chain disruptions. These types of training routines help companies identify risks, set priorities, create incident response plans, determine chains of command, and decide which steps take precedence over others. Each exercise should also end with a written record of what broke, who was unreachable, and which decisions stalled, so that the next iteration can test whether those gaps were closed.

In addition to ensuring familiarity with chains of command, it is also important to practice operating with less. Run simulations in which one key supplier is removed from your value chain, or communications are down with one of your facilities; what happens to operations, and what types of contingency plans need to be developed to move forward? In addition, know your priorities for certain situations; what can be sacrificed in order to best mitigate an issue?

While an actual disruptive event or crisis may not occur in the exact way a simulation is run, performing these exercises (much like performing fire drills) will help develop muscle memory if and when an actual incident were to occur. But keep in mind that one-off simulations are not effective; make sure these are run frequently and updated as new information, personnel, and processes are introduced.

It’s not about having all the answers. Rather, it is important to have the tools and be familiar with them in order to use them if an unknown situation arises in the future.

Best Practices for Organizational Resilience You Can Start Implementing Today

Organizational resilience does not happen overnight. Rather, it can be a massive shift in company culture and risk management strategies, and frankly, it can be uncomfortable. Everyone wants to assume that they are contributing to mitigating risks within their organization. Unfortunately, as the risk landscape evolves, so too does managing these risks. And while these practices take time, some items can be implemented at the outset to help increase efficiency and productivity.

Commit to a culture of learning:

As mentioned, becoming organizationally resilient means embracing a certain level of uncertainty. Committing to training to act quickly and with thoughtful intentions during unknown situations can help ensure continued operations during and after an event. Providing training and resources on current trends and relevant events, continued crisis response training, and encouraging employees to challenge preconceived notions is critical to building resilience.

Triage emergency and crisis response plans:

A large part of this type of training involves executing simulations based on possible future events such as cyber breaches, supply chain disruptions, physical security events, natural disasters, and even audit and compliance investigations. Make sure that workforces are familiar with what needs to be done during an event and what the incident command structure looks like.

Embrace flexibility and breaking down silos:

While employees need to understand their roles in case of a crisis, also embrace the idea that roles can be fluid and should not be overly pigeonholed into what they traditionally were. Avoid silos and encourage flexibility so people are not too entrenched in their own job responsibilities and can act in any situation. Shared digital processes can help here, because they reduce silos and improve communication across teams.

Have cross-divisional teams:

Ensure everyone is aware of larger business strategies and how they fit into them. Traditionally, many risk-related functions were siloed from other areas of the business, such as compliance, procurement, legal, etc. With enhanced risks on the horizon, continuing to isolate functions, processes, and technology leaves you vulnerable to supply chain and other risks. By integrating or centralizing formerly siloed processes such as third-party risk, supply chain risk, business continuity, and IT resilience, professionals can gain greater security and resilience for their organization.

Know what makes your business run:

Understand what your critical products and services are and, in turn, what is critical to your organization being able to continue to deliver them. This will include your internal operations and systems, but also third parties, suppliers, and your supply chains.

Understand how your third-party ecosystem works:

Using your TPRM tools, closely evaluate each of your suppliers and their resilience against supply chain disruption. This may involve examining their own inventories, whether they operate in a concentrated region, their business continuity plans, and other risk data. In addition to the suppliers that you have direct contracts with, it is also important to know your fourth parties and nth parties, i.e., your third parties’ subcontractors and the potential risks they can bring.

Ensure compliance across suppliers:

Understand how your business depends on its IT and on its third parties. Manage cyber supply chain risks by ensuring that suppliers follow cyber security standards, conduct continuous monitoring, and have contingency plans in place, and by verifying these commitments through assessments rather than relying on contract language alone.

Avoid concentration risks:

Concentration risk is direct or indirect exposure, or group of exposures, that has the potential to lead to large losses that can threaten an organization’s ability to perform its core business. This type of risk can be the result of dependence on a geographic area, a single vendor, or fourth parties. Make sure your suppliers are balanced across a variety of regions so that if a disruption were to occur, you have other channels to pursue. In addition, invest in a variety of vendors and contingency plans so that if a single vendor’s operations are disrupted you have other options.
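The three practices above (know which suppliers sit behind each critical service, map fourth and nth parties, and look for concentration) can be checked mechanically once the dependency data is in a TPRM system. The following Python script is an added example and is not from the original article or from any TPRM product; the supplier names, regions, and service-to-channel mapping are constructed sample data. It walks each delivery channel down to its subcontractors and reports any single supplier or region whose loss would stop the service.

```python
"""Find single points of failure behind a critical service.

A service is delivered through one or more alternative channels; each
channel needs every third party listed in it.  Third parties may in turn
depend on subcontractors (fourth / nth parties).  A supplier or region is a
single point of failure if losing it alone leaves no working channel.
"""

# Constructed sample data (not from the original article).
# supplier name -> (operating region, subcontractors it depends on)
SUPPLIERS = {
    "payments-gw-A": ("eu-west", ["card-network-X"]),
    "payments-gw-B": ("us-east", ["card-network-X"]),
    "card-network-X": ("us-east", []),
    "cloud-host-C": ("eu-west", []),
    "cloud-host-D": ("eu-west", []),
}

# service -> list of alternative delivery channels (set of required third parties)
SERVICES = {
    "online-checkout": [
        {"payments-gw-A", "cloud-host-C"},
        {"payments-gw-B", "cloud-host-D"},
    ],
}


def transitive_deps(supplier, suppliers=SUPPLIERS):
    """Return the supplier plus every subcontractor reachable beneath it.

    Uses an explicit visited set so cyclic subcontracting data cannot loop.
    """
    seen, stack = set(), [supplier]
    while stack:
        s = stack.pop()
        if s in seen:
            continue
        seen.add(s)
        stack.extend(suppliers[s][1])
    return seen


def channel_deps(channel, suppliers=SUPPLIERS):
    """All suppliers (direct and nth-party) a delivery channel relies on."""
    deps = set()
    for s in channel:
        deps |= transitive_deps(s, suppliers)
    return deps


def service_survives(service, lost, services=SERVICES, suppliers=SUPPLIERS):
    """True if at least one channel has no dependency in the `lost` set."""
    return any(channel_deps(ch, suppliers).isdisjoint(lost)
               for ch in services[service])


def supplier_spofs(service, services=SERVICES, suppliers=SUPPLIERS):
    """Suppliers whose individual loss stops the service (sorted by name)."""
    return sorted(s for s in suppliers
                  if not service_survives(service, {s}, services, suppliers))


def region_spofs(service, services=SERVICES, suppliers=SUPPLIERS):
    """Regions whose outage (every supplier located there) stops the service."""
    regions = {region for region, _ in suppliers.values()}
    result = []
    for region in sorted(regions):
        lost = {s for s, (reg, _) in suppliers.items() if reg == region}
        if not service_survives(service, lost, services, suppliers):
            result.append(region)
    return result


if __name__ == "__main__":
    for svc in SERVICES:
        print(svc)
        print("  single-supplier SPOFs:", supplier_spofs(svc))
        print("  single-region SPOFs:  ", region_spofs(svc))
```

In the sample data, contracting a second payment gateway does not remove the single point of failure, because both gateways settle through the same card network one tier down, and placing both hosting providers in the same region leaves the whole service exposed to one regional outage. Re-running a check like this on every refresh of supplier data is the kind of routine the article describes: the mitigation is a supplier in a different region or a channel that avoids the shared fourth party, and the script shows whether a proposed change actually removes the exposure.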

Take an integrated approach to risk and resilience:

Collectively, all of the above add up to the need for a new way of managing risk and resilience programs across the extended enterprise. These programs need to be unified. People, processes, and technology must all come together to make this work.

There will always be new threats, players, and shocks on the horizon that could disrupt business as usual. It will be the resilient organization that prospers through these challenges. Explore Risk & Resilience Magazine for more content on organizational resilience!

1. Gartner, Outlook for Organization Resilience, 2021, Roberta Witty, David Gregory, Jan. 12, 2022

2. Forrester Research, Business Resilience as a Competitive Advantage, April 2021

3. Gartner, How to Build a Resilient and Responsive Organization, 2020
