One of the things that this pandemic has made clear is that not all organizations, even those that might in principle be comparable, have the same ability to adapt to change. And, obviously, those that were able to do so and innovate nimbly had a significant advantage over the rest. If we add to this ability to adapt and thrive in the long term, we are approaching the concept of “organizational resilience”, also called “corporate resilience”.
Organizational resilience seeks to improve the positioning of the organization to be able to anticipate and exploit any type of change, even those derived from a crisis, adapting to thrive, not just to “survive”. The focus is, therefore, to ensure that the organization remains relevant, viable and competitive over time, responding positively to change.
This has to do with the ability to meet its objectives, assimilating a changing environment and adapting to it, as well as anticipating and responding to threats and opportunities that arise, whether derived from sudden or gradual, internal or external changes. This definition of resilience, despite not being rigorous, is aligned with respect to the British Standards Institution -BS 65000 (2014) and ISO 22316:2019 Standards; which are the most widely applied international standards in relation to this practice.
While organizational resilience is an issue that has been on the agenda of Executive Management in the last decade, the dynamism and strong competition present in virtually all sectors of activity, and now the pandemic, has reminded them that being prepared to overcome the unexpected is key to thriving and -therefore- a priority need. On the other hand, the resilience of institutions belonging to regulated sectors, under SEC supervision, or providing critical services at the country level, is also a concern of governments and relevant regulatory bodies.
This concept of organizational resilience does not replace business continuity, it complements it. When an organization plans its operational continuity (or business continuity), it seeks either to minimize the possibility of being in a contingency situation, or to guarantee its response capacity in case this contingency materializes; or both; thus ensuring the “going concern” or “business in progress” principle, which assumes that the company presents a statement of Financial Position or Balance Sheet that supports its sustainability over time.
Ensuring business continuity is undoubtedly extremely valuable, we would say mandatory and not easy. But it allows to ensure its competitive positioning if the sector and customers continue to behave in a similar way as they have been doing; therefore, it is not enough to ensure the long-term prosperity of the organization. And this is where the concept of resilience acquires meaning and relevance. This need for adaptation is not new for organizations, although it is not formally managed, since historically they have been adapting their business models to be able to respond to the challenges they face. But the ability to evolve achieved by many of them does not allow them to successfully absorb the changes they face, increasingly accelerated and disruptive; let alone anticipate them. In addition, quite contrary to what some Executives think, innovating is not improvising and resilience is not a matter of chance.
Resilience capacity can be built and developed. Moreover, improving its level of resilience should be a strategic goal of every organization; and to achieve it, it must work on a set of clearly identified practices, which, although they are not alien to it, are usually not visualized in an integrated manner under this approach. These practices may have different degrees of maturity and integration in each organization, which means that the path to be followed for their development is unique. These practices are:
Business Continuity Management. This is a fundamental pillar to work on the development of resilience. In the event that the change to be faced by the organization, unexpected or not, causes the interruption of its operations, it is essential to be able to ensure a planned response capacity. This will avoid disastrous surprises, giving it vital “oxygen” in those first moments, while the other mechanisms to achieve resilience are triggered. Business continuity planning is –therefore- key to achieving an adequate level of resilience, as it ensures the scenario from which you start. Bringing our knowledge and experience in this discipline, we have assisted several clients in the design of robust business continuity solutions, which allowed them to successfully respond to the pandemic, positioning them very well to continue developing their resilience capacity. Among them stands out The Directorate General of Taxation (DGI), for the effort and seriousness with which they assumed this work, as well as for the criticality of their mission and the achievements attained. In the linked press release, the Acct. Margarita Faral, current General Director of Revenue, expresses how having worked on the planning of operational continuity helped them to successfully navigate this ordeal. (Link to the note)
Strategic Planning. It allows defining the vision and purpose of the organization in the long term and communicating them effectively to all levels; additionally determining the short and medium term objectives. These allow to “focus” the activities to be developed and to allocate the organization’s resources in an optimal way, in order to guarantee their efficient achievement (focus and alignment). These objectives are also a key input to lead a robust risk management practice. Finally, it provides the necessary metrics and monitoring mechanisms to determine to what extent the organization is capturing the planned benefits; being able to react accordingly, allowing to “re-align ranks” and change its direction agilely if necessary, adjusting the focus and alignment.
Integrated Risk Management (Enterprise Risk Management – ERM). Once the organization has clearly defined its course, it is in a position to execute a robust and effective risk management that provides valuable information to support decision making. Having clearly defined objectives will guide the identification of risks and ensure their relevance, since it will focus on those whose materialization could compromise the achievement of the former. On the other hand, it will be possible to estimate their potential impact in a simpler and more realistic way, considering which objectives could compromise their occurrence and how. Undoubtedly, having good mechanisms to identify and respond to risks is key when working on resilience, as it enables a proactive approach.
Change management. Usually the responses to the risks, as well as the actions defined to take advantage of the identified opportunities, entail the implementation of some change in the organization. The ability to lead this process, promoting the early adoption of such changes, provides organizations with essential flexibility to improve their resilience. This practice must take into account the cultural characteristics of the organization and the specific situation in which it finds itself, being able to promote the efficient implementation of eventual “adjustments” with respect to the strategy if necessary.
Security and CyberSecurity, Security and cybersecurity strategies are a fundamental pillar for implementing a proactive approach to resilience, and include or are integrated with incident management of this nature. Both practices require robust technology risk management, which must be integrated or at least aligned with operational risk management. Likewise, these strategies must generate alerts before potential contingencies derived from the identified risks and/or incidents, for input to operational continuity management strategies.
In addition, there are other practices that may be necessary to articulate and enhance the above, which are usually considered implicitly, or “unconsciously”, and have to do with the governance, culture, values and leadership of the organization. And depending on the sector of activity in question, it may be important to complement the practices described above considering other “subsidiaries”, such as: environmental management, facilities management, financial control, fraud control, occupational health management and human resources management.
An important aspect to keep in mind when developing resilience is that the “theoretical” implementation of the above practices will not provide any benefit, which will clearly be evidenced through the success or failure achieved. This work is not a theoretical exercise, it is about ensuring the sustainability of the organization.
In this sense, there is a set of characteristics that are developed in organizations with optimal levels of resilience, which should therefore be promoted, and allow the identification of metrics to evaluate this level. The main ones are:
- Adaptation: it can be measured taking into account the organization’s capacity to create diversity under a controlled risk profile and refers to its ability to organize and respond to a change, expected or not, and manage it as an opportunity. This requires being attentive to the environment and identifying and understanding these potential changes in a timely manner.
- Confidence: it refers to the ability to monetize satisfactory relationships with the interested and define how to invest to strengthen them. When the relationship of the organization with its interested ones is based on specific bonds of friendship, it is not the organization itself that is the recipient of all the trust cultivated.
- Agility: it is evidenced by the organization’s ability to make the necessary decisions and implement them at the required speed, having the opportunity to act faster than the competition.
- Relevance: in this case, the aim is to measure how “relevant” the products and/or services provided by the organization are for the customers, and it has to do with their capacity to meet their needs. For which, in addition to pursuing their quality, their flexibility must be maintained.
- Coherence: it refers to the ability to make decisions, in an articulated but aligned way, ensuring that it is important to achieve the greatest benefit at the corporate level. It is important to be able to act as cells capable of managing and deciding individually but in a coordinated way, allowing to be more agile and reinforcing the relationship between the different areas of the organization.
- Reliability: from the point of view of customers, it has to do with the ability to provide them with services on a consistent basis according to what is specified in relation to quality and timeliness.
For all of the above, organizational resilience implies a broader approach than business continuity planning and requires a long-term vision, practice, discipline and commitment.
Main challenges faced by organizations when working on developing their level of resilience.
- Although Executives tend to have a strategic approach to the issue, middle and operational management continue to view it as a business continuity problem, and –therefore- do not generate the management information required by Senior Management.
- There is no clear and shared vision on the subject. Everyone in the organization has their own definition of resilience and it is usually quite operational, referring directly to business continuity, security incident management, etc.; and not so much in relation to innovation and adaptation capabilities.
- The understanding of the context, considering both the internal and external environment, is neither realistic or objective; nor is there a clear understanding of their mutual influence; which makes it difficult to make effective strategic decisions on priorities for resilience.
- Working on resilience development requires the participation of many teams within the organization, most with different priorities and disparate hierarchical lines, making it difficult for them to operate in a cohesive, integrated and coordinated manner, managing common priorities and approach.
- The management practices on which resilience development is based are not robust, in particular there are no solid operational continuity strategies.
- In many cases, operational continuity planning and resilience planning activities are disparate and not connected. Even in some cases there are many activities linked to ensuring operational continuity that are disjointed from each other, and –obviously- apart from those that have to do with resilience.
- Few organizations have adequately prepared their Executives to perform in real crises, which often leads to ineffective, erroneous or slow decision-making in times of tension.
As organizations improve their resilience, they will be much better prepared to work under stress in increasingly dynamic environments; and they will certainly not have to wait for the next pandemic to put it to the test. Organizations that are able to seize the disruptive as an opportunity will have a significant advantage over the rest in any context.
 The U.S. Securities and Exchange Commission (SEC) is an agency that regulates markets with the goal of protecting investors and maintaining the integrity of securities markets.