Whitepaper

An Executive’s Guide to Organizational Resilience Standard ISO 22316

Noggin


Updated October 26, 2023

What business leaders are saying about organizational resilience

Many of today’s business leaders ascended to the top in the pre-COVID era. They would be forgiven for not having heard of organizational resilience. 

The ability of an enterprise to absorb and adapt in a changing environment wasn’t on too many people’s radars when the business environment was relatively predictable.

Now that the environment is anything but, business leaders – the only people with visibility across the entire enterprise – must reorient their organizational cultures towards anticipating and responding to threats and seizing opportunities that arise from sudden changes.

Why: those that don’t stand to lose everything.

Unfortunately, a cursory look at the state of resilience suggests too many enterprises aren’t prepared. 

When polled in 2021, a staggering 95 per cent of business leaders reported that their crisis management capabilities need improvement [i]. More than 30 per cent acknowledged that they didn’t have a designated core crisis response team when the pandemic first struck [ii]. And only 35 per cent had a very relevant crisis response plan [iii].


Sure, many of those same leaders have used the pandemic as an opportunity to invest in their preparation and response capabilities. Yet, they now face a new challenge.

Staff isn’t on the same page. Indeed, only 16 per cent of staff respondents are very aware of the role of resilience in the organization [iv].


Courtesy of the Great Resignation, the few staffers that were aware might have cycled out. The question, therefore, becomes, what can senior leaders do to achieve organizational resilience?

Although each organization has its unique pressure points, there are some shared, organizational-resilience best practices – practices that business leaders should strive to inculcate in staff. 

Many of the practices are found in the international standard ISO 22316:2017. The standard provides guidance to enhance organizational resilience for any size or type of entity. 

What are the main takeaways for senior leaders? This decision-maker’s guide to ISO 22316 lays them out. 

General organizational resilience principles senior leaders should understand

The biggest question ISO 22316 answers is: what are resilient organizations? They are the entities that can absorb and adapt to the changing (business) environment while continuing to deliver on the objectives that enable survival and prosperity.

Such entities will have top management committed to enhancing organizational resilience, having understood the general principles that make organizations resilient in the first place. A checklist of those principles includes the following:

  • Their behavior is aligned with a shared vision and purpose
  • They rely upon an up-to-date understanding of the organization’s context
  • They rely upon an ability to absorb, adapt, and effectively respond to change
  • They rely upon good governance and management
  • They are supported by a diversity of skills, leadership, knowledge, and experience(s)
  • They have coordinated across management disciplines and garnered contributions from technical and scientific areas of expertise
  • They rely upon effectively managing risk

Following that, senior leaders of resilient organizations will have demonstrated commitment to the following resilience-enhancing activities:

  • Providing adequate resources to enhance the organization’s resilience
  • Finding mechanisms to ensure those investments are appropriate to the organization’s internal and external contexts
  • Developing appropriate governance structures to achieve the effective coordination of organizational resilience activities
  • Investing in systems that support effective implementation of organizational resilience activities and arrangements to evaluate and enhance resilience in support of organizational requirements
  • Pursuing effective communications to improve understanding and decision making

Per ISO 22316, senior leaders of resilient organizations will have also developed and encouraged others to lead under a range of conditions and circumstances, including during periods of uncertainty and disruptions. That’s because those leaders prioritize and resource the following activities:

  • Developing trusted and respected leaders who act with integrity and are committed to a sustained focus on organizational resilience
  • Assigning roles and responsibilities for enhancing organizational resilience
  • Encouraging the creation and sharing of lessons learned about success and failure and promoting the adoption of better practice
  • Empowering all levels of the organization to make decisions that protect and enhance the resilience of the organization

Sharing information and knowledge

Of course, not all responsibility for organizational resilience hangs with top management. After all, even with the best leaders, not much can get accomplished without the right information, getting to the right people, at the right time – a perennial challenge to building and enhancing organizational resilience capacity. 

What does ISO 22316 say about sharing information and knowledge? Firstly, the standard encourages the sharing of important experiences. Entities should also ensure that information, knowledge, and learning are valued – that they are recognized as critical resources of the organization. Learnings should also be extracted from all available sources. 

To make that happen, information must be readily accessible, understandable, and adequate to support the organization’s core objectives. 

Indeed, knowledge and information must be created, retained, and applied through established systems and processes. Those processes include the sharing of relevant information in a timely manner with relevant interested parties and (then) applying it in organizational learning. 

Resourcing requirements

However, achieving information-sharing objectives isn’t always easy. Organizations must first invest in the right knowledge-sharing resources. Those resources include people, premises, technology, or other assets. 

Beyond that, ISO 22316 recommends resourcing the following activities: 

  • Taking appropriate decisions on resourcing and capacity diversification, replication, and redundancy to avoid single points of failure and respond to incidents and change, so that core services are maintained at an acceptable, pre-determined level
  • Selecting and developing employees with a diverse set of skills, knowledge, and behavior that can contribute to the organization’s ability to respond and adapt to change
  • Developing an ability to identify and respond to changes in a flexible manner, including modifying and redeploying capabilities, arrangements, structures, activities, and behavior to adjust to new conditions
  • Routinely reviewing the suitability, availability, and allocation of resources, taking account of the impact of any changes in the organization and its context

Organizational resilience also entails continually monitoring performance against pre-determined criteria. The reason is to learn and improve from experience.

Continual improvement, as such, should be an organizational ethic or value. Demonstrated by a commitment to validate and continually improve resilience activities and capabilities, such an organizational culture would serve to ensure that larger business objectives, strategies, and procedures are kept relevant and appropriate in supporting the changing needs of the organization (see more below). 

How can senior leaders make that happen? The standard recommends prioritizing the following activities:

  • Implement performance monitoring and evaluation mechanisms to support continual improvement
  • Ensure that performance management criteria are responsive to changes that affect organizational objectives

Attributes of organizational resilience cultures

Cultures supportive of organizational resilience demonstrate commitment to and the existence of shared beliefs and values as well as positive attitudes and behaviors. They have also prioritized and resourced the following activities: 

  • Determine the beliefs, values, and behavior within the organization that define organizational culture
  • Identify core values and behavior that enhance organizational resilience and establish criteria that can be applied to assess individual performance
  • Engage people at all levels to promote the organization’s values
  • Foster creativity and innovation that enhances organizational resilience
  • Empower people to identify and communicate threats and opportunities and to take action that will benefit the organization
  • Monitor and review organizational culture to detect any changes that may influence organizational resilience

Evaluating the factors that contribute to resilience

The standard goes on to emphasize the importance of evaluation activities. These are activities that provide intelligence and management information on how strategies and objectives for organizational resilience continue to meet the needs of the organization, or where there are opportunities for improvement. 

Beyond establishing processes to allow for continuous measurement, organizations should also target measurement and monitoring activities to the specific attributes of the organization that enhance resilience. Routinely, an organization should also evaluate the effectiveness of its resilience approach and objectives against those attributes. 

How to determine performance measures, though? Measures should be selected based on the sector in which the organization operates, in addition to criteria determined by top management and the organizational culture. 

Indeed, most organizations already collect performance data. Much of that data can likely be applied to a resilience assessment. Sources, here, might include existing management information and internal audit reports, business review processes, and project reporting. 

Top management again has an outsized role; senior leaders should also:

  • Determine the appropriate objectives for organizational resilience
  • Develop measurement criteria to be used to monitor and evaluate the status of the organization’s resilience attributes
  • Monitor and evaluate the organization’s overall resilience maturity and performance
  • Identify what needs to be evaluated and monitored as well as the methods that will produce valid results and a continuous assessment of organizational resilience
  • Determine the thresholds at which the output from the evaluation will be considered acceptable
  • Decide how evaluation and monitoring arrangements will parallel, support, or be integrated into existing monitoring processes
  • Establish how the results from monitoring and measurement will be analyzed, evaluated, and reported

ISO 22316 goes on to recommend an initial assessment of organizational resilience to inform the work that must be undertaken immediately.

Before implementing a monitoring process, though, an organization should undertake the necessary reviews, applying agreed-upon metrics to determine the organization’s resilience. Here, top management should gauge whether resilience is acceptable or falls short of requirements. Then, the organization should consider appropriate strategies to address significant gaps that are found in the assessment. 

That’s not the end of responsibility for top management. Senior leaders should also supervise periodic reviews. These reviews would consider changes to the organization’s context, including the following: 

  • Changes in organizational vision, strategy, or objectives
  • Major structural or business model changes, including mergers, acquisitions, and divestments
  • New markets or territories that the organization has entered
  • Newly introduced products and services
  • Significant staff changes 
  • Effectiveness of improvements made since the previous review
  • Feedback on the effectiveness of the organization’s resilience
  • Changes in risks that need to be addressed

 

Technologies to facilitate reporting and promote organizational resilience

The outputs from monitoring organizational resilience will likely include summary reporting. Summary reporting will give top management the necessary assessment of resilience against the attributes most relevant to the organization.

After that, senior leaders should: 

  • Use on-going monitoring reports to track trends in the data that have been used to evaluate organizational resilience
  • Confirm that current information management systems provide essential data to support the input required for an organization’s resilience monitoring
  • Use the output of the reporting process to develop action plans to enhance organizational resilience

The only problem is that not all information management systems provide essential data to support resilience activities. Again, top management must intervene; in this case considering the critical event management software platforms that can promote resilience.

Key capabilities to consider include the following:

  • Crisis management. Advanced solutions apply best practices to plan for, respond to, and manage critical events and exercises. Built on international standards, such as ISO 22398, the solutions enable faster response, better collaboration using plans and playbooks, smart workflows, and real-time dashboards and insights, ensuring better incident response, decision-making, and continuous improvement.
  • Incident response plans and checklists. Best-practice libraries come included so organisations can easily create crisis strategies and action plans for different types of events that define the required strategy, action items, completion time targets, and people involved.
  • Critical infrastructure protection. Innovative solutions keep up with the escalating risk to key assets, assessing those risks in advance and monitoring critical facilities throughout the emergency response process. 
  • Welfare checks. The solutions enable organisations to send welfare check messages to their event response staff or any other type of contact. Organisations can easily collect their replies to identify who needs assistance and prioritise follow-up actions.
  • Crisis communications. These single systems help organisations manage complex communications, centralising, approving, and standardising their crisis response. These solutions provide effective communication pathways for all aspects of incident management.
  • Emergency management. These tools provide all that is needed to manage any incident effectively through the entire lifecycle of mitigation, preparedness, response, and recovery, following ISO, ICS, and other national standards. They keep your whole team following the same plans, communicating on the same platform, and viewing the same operating picture - from any place or device.
  • Incident and resource mapping. These solutions come equipped with powerful mapping tools to create multilayer maps, integrating both external feeds and any information housed within the platform.
  • Operational cycle management. These systems support the battle rhythm of your response operations, understanding and tracking reporting periods.
  • Community lifeline monitoring. These systems provide executive-level insight into safety threats to the public and to staff, by regularly assessing community lifelines.

By now, senior leaders understand that the risk profiles of their organizations have gone up dramatically. They also know that implementing activities that promote organizational resilience is the only way to stay ahead.

However, staff isn’t always on the same page. As the only people with visibility across the entire organization, top management must intervene.

What to do? As this guide has laid out, ISO 22316 provides a set of best practices to which senior leaders must adhere. They can implement these best practices, in tandem with critical event management platforms such as Noggin, to ensure better incident response, decision-making, and continuous improvement of resilience-enhancing activities. 

Sources

i. Kristin Rivera and Dave Stainback, PWC: Global Crisis Survey 2021: Building resilience for the future. Available at https://www.pwc.com/gx/en/crisis/pwc-global-crisis-survey-2021.pdf. 

ii. Ibid. 

iii. Ibid. 

iv. Rachael Elliott and David Lea, BCI: The Future of Business Continuity & Resilience Report 2021. Available at https://www.thebci.org/uploads/assets/43c79e75-bea2-49e9-b2a4fa46b0209234/BCI-0007o-Future-of-BC ReportSinglesLow.pdf
