A resilient organization aligns its strategy, operations, management systems, governance structure, and decision support capabilities so that it can adjust to continually changing risks, rebound from disruptions of any type including those that involve primary earnings drivers, and create advantages both through ability to respond and through beneficial changes brought about by absorbing new learning. It should be able to withstand the widest range of threats, including natural disaster, hazardous economic and market conditions, fraudulent employee behavior, IT infrastructure failure, disruptions of independent supply chains, disruption of customer channels, intellectual property theft, inability to respond to emerging conditions, and a host of other factors. Resilience should accomplish several objectives that are only achievable by combining a unified view of risk management with flexible and rapid response. Among these objectives are:
- Protecting the business from change and mitigating or benefitting from any change that might occur
- Mitigating risk that arises in any area of business and technology
- Identifying and decreasing reliance on nonresilient programs, processes, and procedures
- Enabling the business to adaptively respond to internal and external pressures
- Strengthening and enhancing business processes by improving governance and flexibility
- Using disruptions to improve efficiency and develop more effective responses, rather than merely focusing upon survival
- Reducing insurance costs and exposure to uninsured losses by providing enhanced oversight and a better understanding of response
The goal of resilience is not just recovery or continuity, but transformation from reactive to proactive and then to adaptive. Recovery efforts have demonstrated the value of several principles that constitute the core of business resilience, including:
- Mission focus. All resilience measures need to focus on the core business processes and values of the company at all times, ensuring the confidence of customers, partners, and suppliers. This is often critical to recovery, particularly from situations that might impact the reputation of the firm.
- Risk management. A thorough risk management program is essential, including a business impact analysis and development of mitigation strategies for key threats. Risk needs to be understood and evaluated in a unified way across the enterprise.
- Agile local empowerment. Empowerment of managers and workers who are close to the crisis, either geographically or by specific area of the threat (IT security, for example), ensures that lines of authority are known and response can begin immediately.
- Agile structural flexibility. The capability to realign organizational structure to meet new needs of the changed business or technological situation is vital. This realignment may require immediate and radical changes to existing hierarchies.
- Agile collaborative capability. The capability to cooperate with other businesses, outside organizations, and others, as needed, to meet recovery demands is also important. This is often critical to success, particularly in catastrophes that involve an entire region or business sector.
- Practice and rehearsal. Practice, rehearsal, and simulation of recovery locate weaknesses in resilience and strengthen the ability to recover. Rehearsals and simulations demonstrate the current recovery capability and prepare employees to respond to the real thing.
- Absorption of new learning. This involves the capability of learning from adversity and developing stronger and more focused business processes, using the disaster as a platform for beneficial transformation.
Resilience has become a concern of businesses operating in every sector and has risen to the fore with events such as earthquakes in New Zealand and Japan, flooding in Australia and Thailand, hurricanes and flooding along the US East Coast, and fires in California. Other events have included the global economic crisis and major recent technological changes involving mobility and cloud IT.
Concepts of agility, adaptability, and resilience have been in development for at least the past four decades, with both progress and need accelerating recently in the wake of economic and technological change. These concepts, which began as lean manufacturing, have gained further validation through work on complex adaptive mechanisms and through practical application at the process level in software development, where methodologies such as Scrum and XP have provided significant benefits to companies in meeting the challenges of change.
As a result of growing concern, resilience has come under investigation over the past several years, particularly in the context of integration with existing IT solutions. Because it involves other aspects of risk management, auditing, and compliance and must incorporate the whole enterprise, we have seen the emergence of several frameworks and approaches aligned with existing management frameworks, such as ITIL, COBIT, and CMM. These frameworks, including the IBM Resilience Framework and its Resilience Maturity Model (RMM) and the CERT Resilience Management Model (also RMM), provide guidance for incorporating various elements into a resilience program.