People: The Missing Link in Organisational Resilience
The concept of Organisational Resilience has gained a lot of attention in recent years. Once traditionally viewed to be synonymous with Business Continuity Management practices, it has developed to consider a range of other operational pillars including risk management, physical and information security and education. This paper reports on a research project, which collected data via a series of qualitative interviews. The findings present a general view from security professionals that people play a vital contributory role to building the resilience of an organisation. A group of 6 senior security practitioners and executives suggested that the communication abilities and the soft skills possessed by individuals contributed towards the levels of resilience within an organisation, particularly during periods of crisis.
Keywords · Organisation Resilience · People · Security · Risk · Culture
Influenced by the direct impacts upon people and organisations, and the systemic damage that large scale attacks such as the one on the Twin Towers on September 11th 2001 could have upon national infrastructures and stability, academic research has been carried out to identify the potential impacts of such attacks and considered mitigations, while both nations and commercial organisations have invested in security structures and systems, aiming to increase resilience to threats and hazards (Hurley, 2006). In an effort to increase resilience levels across Critical National Infrastructure (CNI), the UK Cabinet Office (2018) published the Public Summary of Sector Security and Resilience Plans, which provides guidelines to help organisations to reduce their vulnerabilities to threats and hazards and to improve recovery abilities. Once viewed to be synonymous with Business Continuity Management, the ability to work through a disruption as outlined in the International Standard ISO 22301, Organisational Resilience is now increasingly recognised to consist of other pillars including cyber security, physical security, incident management and disaster recovery, as reflected in ISO 22316:2017 Security and Resilience-Organisational Resilience-Principles and Attributes. Despite such efforts to provide guidance on this area, a lack of agreement still surrounds what Organisational Resilience (OR) is and what it consists of, particularly in terms of the role that people play. In an effort to bridge the gap between the identified process constructs and the role of people, this exploratory research will act as a preliminary study to consider this area, through investigating the views of a number of senior security practitioners and executives.
2. Background — What is Organisational Resilience it and how do we increase it?
An agile, robust and adaptive mind-set, culture and business architecture will be fundamental to the survival of organisations in the future. Not only will this be crucial during periods of crises and challenge, but the existence of these states will be defining factors between those that flourish and those that fail to survive such periods. The recognition of this has increased since the attacks on the Twin Towers on September 11th 2001, with both public and private sector organisations increasing their focus and investment on risk mitigations and defensive measures, designed to counter the prevalent terrorist threat (Blalock, Kadiyali & Simon, 2007, 731–755; Coaffee, 2004, 201–211). The attack on the World Trade Centre and the Pentagon on this date marked the beginning of the present period of increased awareness levels and the growing appetite for security systems. The design and implementation of physical security systems designed to deter, detect, delay, deny, respond to or destroy threats and threat actors, once left to security and facilities managers to oversee on small and challenging budgets, became a strategic concern of business boards, who increasingly became aware of the relationship between security and business continuity (Dalton, 2003). The implementation of security systems to protect assets has in fact been recognised as such an important business resource during periods of geopolitical instability that in time it may arguably be viewed by investors to offer a competitive advantage to organisations, particularly those that operate in frontier environments. Ranges of legislative and regulatory controls have also been put in place across the world, in order to guide and enforce organisations to safeguard information assets. One such example is the EU General Data Protection Regulation, enforced on the 25th May 2018 (Tankard, 2016, 5–8). Encouraged by the prospect of fines of up to 4% of the total global turnover from a preceding year, organisations have reviewed data protection and sharing processes, in order to ensure that effective systems are in place. The changes required to fulfil the requirements within organisations that have actively aligned themselves to the requirements outlined in standards such as ISO 27001 will have been small. Mature approaches to security adoption such as this will also recognise the close and important relationship between physical security and information security, as a layered approach to the security of information assets will view effective physical security measures to be one of the first lines of defence. In particular, the recognition by both physical and information security experts of the importance of an effective identity and access management system (IAM) to both physical locations and electronic systems, has contributed to the convergence of security approaches (Koohong, & Kim, 2015). The development of such resilient structures and systems has increasingly become a concern for all organisations and business leaders (Bell, 2002), with this strategic concern encouraging the development of the Organisational Resilience (OR) standards BS65000: 2014 and ISO 22316: 2017, which have suggested that OR consists of a mixture of risk management, security and good business practices. However, despite the publication of such standards and models including the Resilience Analysis Grid (Hollnagel, 2010), differences in the level of understanding and the conformity of practice may be widespread in a number of industries, including the security profession itself.
OR is considered to be “the ability of an organisation to anticipate, prepare for, respond and adapt to incremental change and sudden disruptions in order to survive and prosper” (BS65000, 2014). Academic research is playing a role in changing the way that security and standards such as this are viewed by commercial organisations, with ISO 22316 potentially being representative of the increasing paradigm shift away from security disciplines and practitioners being considered in distinct silos towards a closely aligned or converged approach, where the relationship between the themes of risk and resilience and the practices of information and physical security is more distinct, with each being viewed to be interrelated. The study of risk and the adoption of standards such as ISO 31000 Risk Management: 2018 should underpin the design and subsequent implementation of security and resilience systems and solutions. Accepting that risk is the product of the level of vulnerability to a system or asset and the likelihood and consequence of the realisation of a threat or hazard it faces, security and resilience system designers primarily influence the level of risk to an organisation through reducing the level of vulnerability. This can be achieved through adopting security practices that are designed to provide protection to people, premises, physical property and information. Given that organisations possess an array of tangible, intangible and mixed assets, systems designed by security practitioners have been adopted and standards achieved in order to increase and maintain physical and information security, thereby improving the ability to monitor environments, to anticipate and respond to situations (Hollnagel, 2010). As they are increasingly recognised as an integral element of a business, possessing a view of existing business assets and an understanding of how complex systems exist and operate, security practitioners within organisations have increasingly played a key role in defining what resilience is, both generically and within specific environments, and in subsequently leading on the design and implementation of systems designed to increase resilience. The ISO standard 22316 Security and Resilience, Organisational Resilience, Principles and Attributes is reflective of this in acting as a group of management disciplines including ISO 27001 Information Security Management and ISO 22301 Societal Security — Business Continuity Management Systems. This is a positive move towards the development of a model which as suggested by Hollnagel (2010) can provide organisations with processes to follow in order to deal with traditional disruptions and events, like IT failures or premises fires, but also with an effective resilience programme which can help organisations to prepare for other threats resulting from political, legal, demographic, or perhaps climate-related changes. Being well trained and experienced in planning for the safe execution of operational activities in high risk and potentially hostile environments, security practitioners may be well placed to support the development of such a model.
The guidelines outlined in the OR standard ISO 22316 encourage organisations regardless of industry to consider the adoption of a range of processes and systems, to suit their own environment and situation, through implementing and managing a range of disciplines, based upon a platform of effective risk management. Despite these recommendations, differences between the ways in which organisations approach resilience programmes exist. In a review of existing models of resilience, Gibson and Tarrant (2010) identify how previous research concentrating on an integrated functions model of resilience has previously leaned towards developing and improving business continuity management approaches alongside security and crisis management processes. A positive element of resilience programmes, which adopt an integrated functions approach, is the view that risk management is a foundation for all activities. This is in congruence with the approach of many security practitioners, who view the identification of threats, vulnerabilities and the calculation of the likelihood of such events taking place, as a preliminary phase in the design of a security system. The models considered in the review by Gibson and Tarrant (2010) each demonstrate the multidimensional nature of OR, yet the authors recognise that none of the models considered, attempt to describe resilience itself, but rather concentrate on attributes, which may contribute to resilience. Recognising that OR may also be influenced by the ability of a workforce to cope with unexpected crises (Duchek, 2019), questions remain as to how resilience can be developed within an organisation and the models such as the one outlined by Gibson and Tarrant (2010) effectively adopted.
The importance of resilience is further emphasised in a statement by Hollnagel (2010), who contends that “if an organisation is resilient, then it is also safe” (pp.1). In an article considering how to measure an organisations’ resilience through the Resilience Analysis Grid, the author outlines four abilities that may be essential to resilience; the ability to respond, the ability to monitor, the ability to anticipate and the ability to learn. Agreeing that these themes are relevant guides to assist in the construction of a resilience programme, the present research was carried out with the aim of identifying opportunities for improvements in the understanding and measurement of OR, which could support the areas identified by authors such as Hollnagel (2010). In addition, this research considers the contribution that people make to OR, which emerging findings suggest may be paramount during a crisis situation and as such may warrant further investigation in order to assist those responsible for the design and implementation of resilience programmes (Duchek, 2019; Horne & Orr 1998; Weick 1993). Recognising the increased interest in OR and the ways to increase it within businesses from across a broad spectrum of industries (Pollock, 2016), a study to determine the views of security practitioners and to potentially identify positive developments in this area may make a valuable contribution to research.
As this study intended to consider elements of OR which may be subtle and only identifiable to individuals within an organisation, qualitative research methods were adopted through the consideration of a number of research questions, aiming to contribute to the overarching objective to identify and critically analyse the importance of people to Organisational Resilience;
· What are the key pillars of Organisational Resilience?
· How do these pillars link together to improve Organisation Resilience?
· How do people contribute to each of these pillars?
· How can people increase the resilience of an organisation?
This research contributes to the growing understanding of the different pillars that may act as constructs of OR and it provides an insight into the important part people within organisations may play. Recognising that participant engagement would be crucial in order to derive valuable meaning from any data that was generated in the course of the investigation, a small and select number of participants were asked to participate in a short interview. In line with the sampling stages suggested by Taherdoost (2016), a clearly defined target population was identified from within the security industry of individuals that were responsible for leading elements of resilience programmes within a number of organisations. As an exploratory case study, this research gathered and analysed qualitative data including the findings from the interviews with this small snowball sample group (Breweton & Millward, 2001). The six responses to ten questions were analysed. This data provided a valuable insight into the views of security practitioners including the identification of the importance of people to OR. In accordance the view of Yin (2011), participants were selected “based on their anticipated richness and relevance of information in relation to the study’s research questions” (p. 311). Such an approach further mitigated the risk of generating copious amounts of superfluous data, which is recognised to be a potential outcome with research focused upon a developing area of study. The semi-structured interview participants were each selected because of their professional experience within security, having performed security roles for an average of 18 years. Although some of the individuals interviewed shared employers, this was not considered to have impacted the result reliability given the structure of the questions asked. The informal style of the series of elite interviews offered opportunities for the development of further lines of enquiry, in the area of OR. While previous research such as this has tended to review the technical guidelines and standards which exist to assist organisations to develop security and business continuity systems, they do not provide insights into the thoughts of security practitioners, who may often find themselves responsible for leading and delivering large scale organisational resilience programmes. The data collected was analysed through the use of thematic analysis, which can be used to identify themes in qualitative data and to develop an understanding of the subjective views held by participants. These views were developed through the personal experiences of participants and so although they suggest an interesting development in OR, the research findings are only reflective of the views of this sample group.
4. Main findings and discussion
The discussion will be structured according to the four main themes that emerged during the course of this investigation.
Organisational Resilience is the result of a number of things
Six participants were first asked what Organisational Resilience meant to them. While the concept of OR has gained greater structure and consistency in recent years, academics are still striving to solidify the conceptual base of OR (Burnard & Bhamra, 2011). Potentially reflective of the security backgrounds of participants, it was clear that the ability to respond to events and crises was viewed to be a critical aspect of OR, with all of the participants also holding the view that it is closely related to business continuity. In addition to all six participants identifying the security components of OR, three of the participants in the present research held the view that OR also consists of a number of other tools and practices, including due diligence and insurance. For example, as demonstrated by three extracts below:
R1: ‘Ultimately it’s having the tools and resilience to bounce back when things go wrong. But I guess the way that I see it, the way the company sees it, is it’s not as just the systems, policies and processes that we put in place, but it’s things like having the correct insurance, operating correctly in various parts of the world, as we operate all over the world. Also doing due diligence, not just on our clients but also our suppliers and our operatives’.
R3: ‘There’s a lot of confusion with what resilience means in Organisational Resilience. I tend to find a lot of people think resilience is what we would call resistance and how you fend off particular threats. But for me, resilience is about (when) you’ve already been affected by something, and it’s about how organisations interconnected or interdepartmentally bounce back from some sort of setback. But more than that, it’s not just about getting back to baseline recovery. It’s about using that resilience as an advancement as well and advancing business objectives.
R2: ‘From my personal perspective I’d say that Organisational Resilience is a company’s ability to deal with change and any events that may happen that could affect the business’.
Extracts from research interviews May 2019
Risk and resilience are intrinsically linked
All six participants identified a link when asked to describe the relationship between risk and resilience, viewing that the existence and identification of risk resulted in the development of resilience. This has theoretical support given that the risk management processes of identifying, quantifying and planning to mitigate risks bears close resemblance to the International Standard for Security and Resilience (ISO 22316: 2017) description of resilience as the ability of an organisation to anticipate, prepare for, respond and adapt to a changing environment (Butler, 2018). Butler (2018) increases the association between the two concepts further by suggesting that there is a necessity for organisations to develop resilience, in order to effectively manage negative risks and to maximise potentially beneficial opportunities. This association has also been identified by the UN Office for Disaster Risk Reduction (UNISDR), which has encouraged the development of a culture of disaster prevention across the private sector, through the introduction of the Sendai Framework for Disaster Risk Reduction (Aitsi-Selmi et al., 2015). The framework recognises the interconnection between risk and resilience and encourages risk-informed development and resilient investments to be made by private organisations (Abe et al., 2019). While this approach aims to increase business and therefore national preparedness to natural catastrophes, the cultivation of risk-aware businesses and the encouragement of a resilience approach rather than a traditional ‘business as usual’ approach which focuses upon business continuity management procedures and transferred risk through insurance, has been increasingly adopted across both public and private sectors. Responses to this question included;
R1: ‘I think the relationship is, risk allows you to have better resilience by exploring the different types of risk, hazards and problems you may face within an organisation, allows you to put in steps and processes, control measures or mitigation which in turn builds resilience within your organisation. So, unless you identify those risks, you’ll never have a resilient business or organisation’.
R4: ‘I think organisational resilience, is in some instances a reaction to risks. But I also think that the risk assessment process is skewed towards non-human elements of risk mitigation’.
R6: ‘That’s a very, very tough question because risk is tempered only by the people that are actually involved in taking of those risks, and what they consider risks to be and that’s going to vary. We have four managing directors within our company and I would suggest that their ideas of risk are all completely different, and, ideas of managing that risk and, and putting plans in place to manage that risk again are all completely different, so it has to be sold to all four people based on different perceptions and ideas and parameters, is hand in hand…risk and resilience is hand in hand. If you haven’t got risk, then why would you put resilient measures in place?’.
Extracts from research interviews May 2019
It is difficult to measure Organisational Resilience
Of the six participants that were asked how they measure OR, the three that responded that they are responsible for measuring it emphasised the associated challenges. The difficulty is reflected by the debate about whether OR actually exists prior to a crisis or whether it is something that’s formed during one (Mendonca, 2008). Lee, Vargo and Seville (2013) identify that the difficulties in measuring OR are further exasperated by variations in the definitions attached to the concept and the constructs that form it. Given the lack of clarity of what OR is, organisations may subsequently find it difficult to prioritise requirements and to make appropriate investments to improve areas which contribute to OR (Stephenson, Vargo & Seville, 2010). Related to the challenges of justifying investment in resources which may not provide an attractive financial return through the generation of profit, the difficulty in measuring OR may be increased by the fact that it may comprise social and cultural attributes which are difficult to measure, such as its ability to communicate across cultural, social and organisational boundaries (Flin et al., 2000). Responses to the question of how participants measure OR included;
R1: ‘I think it’s tough to accurately measure organisational resilience. I guess one way we do that is by stress testing, running through models or problems.
R3: ‘It’s sort of dependent on each organisation. Speaking for ourselves, having structure throughout the business. So, if someone’s away, or something does go wrong, and someone… the person that normally deals with things, there is sort of someone else within the business just to step up and take on that role’.
R4: ‘How I measure it, it is the ability to work… continue to work without the use of an IT system, a communication methodology, a building or other aspect of the infrastructure, and still continue with the role or work that I would wish to do’.
Extracts from research interviews May 2019
People play a crucial role in developing and maintaining Organisational Resilience
All six interview participants expressed an opinion that people play a crucial role in developing and maintaining OR. This is supported by research by Lee, Vargo and Seville (2013) who also identified the importance of people and emphasised that situational awareness and the way that people manage uncertainty may be vital to the way that an organisation responds to an incident or crisis (Crichton et al., 2005; Masys, 2005). Furthermore, the way that humans respond to the aftermath of crises or a disturbance will determine how an organisation learns from an experience (Hollnagel et al., 2008). The importance of people to the resilience of organisations was demonstrated in response to the terrorist attacks of September 11th, when the ability to adapt and respond to dynamic and potentially high risk situations may have been determined by the cultures and behaviour’s that existed within workforces, rather than in existing processes and technologies (Kendra & Wachtendorf, 2003). The human influence in the form of organisational culture has been emphasised by research from a six-year research programme focusing upon improving OR in New Zealand, a country which has experienced a series of large-scale critical infrastructure failings, as a result of both natural disasters and system failings (Seville et al., 2007). The research findings suggested that OR is closely related to organisational culture, which influences the way organisations perform in concert with shared visions and values during crises and communicate with internal and external stakeholders. The authors emphasise the importance of this during crises and in particular the existence of informal networks, which will support leadership structures to make decisions and to direct activities which may not have been rehearsed previously but need to take place during fluid and often complex situations. The effectiveness of this is influenced by the strength of the shared vision which exists within an organisation, the levels of trust amongst employees and their commitment to an organisation and each other. Such findings were supported by the participants when asked to provide their views on the importance of the human contribution to OR.
R1: ‘The human element is probably the most crucial part. But I think if you break it down, and I touched on this earlier, making sure that the leadership are involved in understanding what we as security professionals are doing across the board is crucial. But in addition, it is just as important that our staff on the ground, our contractors our third parties and suppliers are also communicated with’.
R2: ‘The human contribution is probably the main area really. I like to focus on systems, systems failure and systems recovery during the design or Organisation Resilience programmes, but it’s the human element that plays the biggest part in how quickly we can adapt and recover during crises.
R3: ‘I think that the human factor is key to Organisation Resilience. Also, if you look at a major issue that has occurred in the past for businesses, it’s usually caused by some sort of human error somewhere along the line’.
R4: ‘The human contribution is crucial to Organisational Resilience. The way that people communicate during crises, the way that instructions based upon policies and procedures are communicated across teams can have a major effect on how an organisation performs’.
R5: ‘So, from a personal experience, I think that the human side is the biggest factor, in its resilience, its ability to work in adversity or to work when other aspects of the organisation are not available or under attack’.
R6: ‘It’s essential, you can’t not have it. At the end of the day decisions still need to be made by boots on the ground. In addition, you have got to act during a crisis or event with feeling, empathy and compassion when things go wrong’.
Extracts from research interviews May 2019
Although recognising that the small sample size of only six participants limits the ability to make generalised statements based upon the findings (Dworkin, 2012), it is within the guidelines outlined by Braun and Clarke (2013) for research carrying out thematic analysis interviews, who recommend a sample size of 6–10 participants. This small-scale study did consider the views of Organisational Resilience amongst practicing security professionals and it identified that the components of risk and resilience systems and practices identified by the participants were similar to the four abilities of resilience identified by Hollnagel (2010). In addition to these, a common theme identified during the course of this investigation was the view that people are a crucial factor to the formation and maintenance of Organisational Resilience. While the importance of people to the concept of Organisational Resilience was identified by the participants, a larger research project could determine ways of measuring and improving the human component. This is in concert with the suggestion that Organisational Resilience is dependent upon much more than developing security policies and educating employees about their roles and responsibilities (Burnard & Bhamra, 2011; McManus et al., 2008; Freeman, 2000; Wood, 2000), and managing the programmes designed to deliver improvements to security systems. Effective and appropriate levels of OR may in fact be reliant upon the development of an effective work culture which views security to be important (Conolly, 2000). Both Verton (2000) and Nosworthy (2000) support this view that business security is dependent upon an appropriate business culture and in response to such findings, the UK Centre for the Protection of National Infrastructure encourage organisations to embed security within a work culture in such a way that it is viewed to be a responsibility shared across a workforce (www.cpni.gov.uk, accessed 10.12.19). Alongside the importance of people to maintaining the security of an organisation from external threats, the ability of people to display perseverance and the ability to survive periods of stress and crises will be the determining factor in whether an organisation has the resilience to survive. The important contribution of people to Organisational Resilience is particularly apparent during crises that threaten an organisation and result in a belief that decisions must be made swiftly (Pearson & Clair, 1998). A theme identified amongst participants was the importance of communication skills and potentially the suggestion that soft skills and the emotional intelligence of employees may be an important factor. This is in concert with the suggestion raised by Schoenberg (2005) that effective crisis management may be dependent upon the preparation of leadership structures and in particular, effective communication.
The pressures and threats that organisations face in the future will increase in volume and complexity as the strains of dwindling resources increases and regional and national instabilities quickly overflow into nations through pressures upon global networks that are crucial to the survival of organisations. Developments in technologies and training opportunities have improved security systems and organisations have recognised the importance of increasing and maintaining OR. The concept of OR has developed beyond the view that it is another way of describing business continuity management and crisis recovery mechanisms into something which includes a holistic approach to business risk management, physical and cyber security. The findings of this research suggest that people are as equally important to OR as processes and technologies. Future research could consider how this could be measured and fundamentally improved.