The British Standards Institution (BSI) and the Cabinet Office Emergency Planning College have officially launched a Code of Practice for organisational resilience today. To coincide with this, Rick Cudworth’s article below outlines how the BSI’s publication of the latest BS 65000 Organisational Resilience Standard marks growing convergence across industry, regulatory bodies and academia on the principles that underpin this, which can help organisations create a more resilient future for us all.
Rick Cudworth is a recognised leader in Organisational Resilience, Operational Readiness and Strategic Risk Mitigation. He is Chair of the British Standards Institution Technical Committee for Continuity and Resilience and a member of the Cabinet Office Behavioural Science Expert Group as part of the National Security Risk Assessment process for the UK. Following a successful career as a Partner at KPMG and Deloitte, he has established consultancy firm, ResilienC. Rick also edited and contributed to the NPC’s “Resilience Reimagined: A Practical Guide for Organisations” report published in March 2021, in collaboration with Cranfield University.
Resilience is an asset that organisations should develop and nurture. More resilient organisations are better able to anticipate change and disruption, to absorb the impacts, and are quicker to adapt to the new conditions. In an era of volatility, uncertainty and change, the value of resilience has rarely been clearer or seen as more essential for an organisation’s long-term performance and success.
So, it is timely that there is growing evidence of convergence from industry, regulators, academic research and now the British Standards Institution (BSI) on the principles and practices that underpin organisational resilience.
The National Preparedness Commission’s (NPC) report, Resilience Reimagined was published in March 2021 and was well received. It identified seven practices contributing to improved organisational resilience, based on extensive stakeholder engagement conducted between November 2020 to January 2021. This included 1-2-1 interviews, focus groups and roundtables, with over 50 contributors across a diverse range of sectors including: financial services, utilities, energy, environment, transport manufacturing, food retail and logistics, defence and security, ICT, infrastructure, hospitality, and public sector bodies.
Similar practices to those identified in the NPC report were also set out in the Policy and Supervisory statements addressing operational resilience issued by the UK’s Financial Conduct Authority and Prudential Regulatory Authority, in March 2021. These statements followed a period of consultation within the financial industry and were built on the practices applied to strengthen financial resilience within the sector.
Further evidence of convergence is apparent in additional reports including: the National Infrastructure Commission’s report Anticipate, React, Recover, published in May 2020, which makes a number of recommendations to UK Government to improve the resilience of national infrastructure; and in the Organisation for Economic Co-operation and Development (OECD) report, Guidelines for Resilience Systems Analysis, published several years earlier, in 2014.
This convergence is now being advanced in a new Code of Practice for Organisational Resilience, (BS 65000:2022) published by the BSI. This article summarises some of the recommended principles and practices put forward in the Code of Practice, for helping organisations to strengthen their resilience.
Creating a resilience mindset and culture
Having the right mindset and culture within an organisation is considered a pre-requisite for organisational resilience, and one that encourages people at all levels to ask, “what if ?” and “what next ?”. Being able to discuss failure and explore the future are key aspects in developing a resilience culture.
The Code of Practice takes this further by suggesting there are four guiding principles that support a resilience mindset and culture: foresight, insight, hindsight, and oversight. This approach builds on a previous report on organisational resilience published by the BSI and Cranfield School of Management in 2017.
- Foresight requires the right organisational conditions to encourage the search for new opportunities and potential threats.
- Insight requires the creation of situational awareness and a deep understanding about what is going on within and outside the organisation.
- Hindsight means learning from experience (from success as well as failure).
- Oversight provides the framework for governance and accountability that supports and encourages the resilience of the organisation.
Together, these principles enable the organisation to anticipate and adapt to change and disruption in a timely way, and to invest in resilience measures to absorb potential impacts.
Building and maintaining resilience, by design
Organisational resilience requires more than just the right mindset and culture. It requires conscious choices to be made on where and how much to invest in resilience measures. This is usually a strategic decision not an operational or financial one. As such, strengthening organisational resilience should be part of strategy and business model considerations and not solely tasked as a risk management issue.
These choices should be supported by a robust approach which informs, builds, and maintains the resilience of the organisation.
A combination of the practices below could provide such an approach.
- Address resilience across the five capitals of financial, built, social, human, and natural. The resilience of each of these capitals (which can be translated as financial, operational, reputational, human, and environmental resilience) support each other, as change or disruption will have cascading impacts across several or all these. By considering all five capitals of organisational resilience, a more strategic perspective can be taken.
- Focus on what needs to be resilient, not from an internal perspective, but from an external one – e.g., considering customers, communities or wider society, investors, and the wider system within which they operate. This focus is initially on “what we do”, not “how we do it” and what makes it “essential” i.e., where failure can cause irreparable harm, not just inconvenience. Whilst not revolutionary, this outside-in perspective of what is essential is a key first step to helping an organisation to focus their investment on resilience where it matters most. For example, in the water industry, this may be the provision of drinkable water, or for a bank, it may include the ability to make a payment, or to be able to withstand another financial crisis. In the Code of Practice, these have been termed an organisation’s “essential outcomes”.
- Establish impact thresholds to understand how much resilience is needed. This requires an acceptance that in severe events, some impacts are inevitable, but there will be impacts which are tolerable (i.e., inconvenient, “we’ll try to avoid them if we can”) and those that are intolerable (i.e., irreparable harm such as widespread social damage or harm to vulnerable individuals, which we must avoid). Impact thresholds are a tangible form of risk appetite, requiring a deep understanding of what the impacts are likely to be across each of the five capitals should a significant event occur. As such they can be seen as a key performance indicator for resilience.
- Actively reduce vulnerabilities in how these essential outcomes are delivered or achieved. This requires an understanding of “how we do things today” and what if any contingencies exist. Are there obvious points of failure, for example an inability to generate liquidity quickly if needed, or a reliance on a fragile supply chain? Options to reduce or remove vulnerabilities can be considered by applying the principles of redundancy, diversity, modularity, or adaptability (including considering opportunities for substitution), either in isolation or in combination, to provide a best option.
- Conduct regular stress testing of the organisation’s resilience against impact thresholds using severe but plausible scenarios. This form of testing (which can be conducted through modelling) helps to identify the point at which impact thresholds may be breached despite the resilience in place. Stress testing has been instrumental in strengthening financial resilience within the financial sector and is now being applied to improve operational resilience within the sector as well. It enables the organisation to test and challenge underlying assumptions about their resilience and identify potential weak points. Importantly, it should test for failure on the basis that an organisation will learn a lot more about its resilience if it knows when and why impact thresholds might be breached and whether this is only in extreme circumstances.
Adopting these practices will enable organisations to make strategic choices about their resilience. It will provide a better understanding of where and what changes need to be made and greater appreciation of the upside value of making these changes. This in turn will enable reasonable and proportionate investment in resilience. It will also provide a more robust approach to resilience as a basis for reporting to stakeholders, including future financial reports.
It is great to see the BSI launch this new Code of Practice, together with an Executive Brief which provides more details. This will hopefully encourage further convergence on the principles and practices that can help build and maintain organisational resilience, and thereby create a more resilient future for us all.