People: The Missing Link in Organisational Resilience



Abstract

The concept of Organisational Resilience has gained a lot of attention in recent years. Once traditionally viewed to be synonymous with Business Continuity Management practices, it has developed to consider a range of other operational pillars including risk management, physical and information security and education. This paper reports on a research project, which collected data via a series of qualitative interviews. The findings present a general view from security professionals that people play a vital contributory role to building the resilience of an organisation. A group of 6 senior security practitioners and executives suggested that the communication abilities and the soft skills possessed by individuals contributed towards the levels of resilience within an organisation, particularly during periods of crisis.

Keywords · Organisation Resilience · People · Security · Risk · Culture


1. Introduction

Influenced by the direct impacts upon people and organisations, and the systemic damage that large scale attacks such as the one on the Twin Towers on September 11th 2001 could have upon national infrastructures and stability, academic research has been carried out to identify the potential impacts of such attacks and considered mitigations, while both nations and commercial organisations have invested in security structures and systems, aiming to increase resilience to threats and hazards (Hurley, 2006). In an effort to increase resilience levels across Critical National Infrastructure (CNI), the UK Cabinet Office (2018) published the Public Summary of Sector Security and Resilience Plans, which provides guidelines to help organisations to reduce their vulnerabilities to threats and hazards and to improve recovery abilities. Once viewed to be synonymous with Business Continuity Management, the ability to work through a disruption as outlined in the International Standard ISO 22301, Organisational Resilience is now increasingly recognised to consist of other pillars including cyber security, physical security, incident management and disaster recovery, as reflected in ISO 22316:2017 Security and Resilience-Organisational Resilience-Principles and Attributes. Despite such efforts to provide guidance on this area, a lack of agreement still