This week's bulletin has been written by guest author Gianna Detoni FBCI, President and Founder of PANTA RAY.
Up until a few years ago, it was rare to meet people who were able to answer this simple question: “what does resilience mean?”
The term was well-known in the scientific context, particularly in engineering (the resilience of materials) and in medicine (psychological resilience). Some pioneering organizations already started using it 12-13 years ago, but they were only a few champions.
In a short time, the fascinating and powerful concept of resilience woke up the souls and minds of the wise people, those who believe safety and security are only possible through the involvement of each and every individual and a methodology that can systematically assist people in the correct practice.
From then on, the resilience principles spread around quite quickly. Nowadays, there is no industry, academy or any other sector that does not debate about resilience.
As a matter of fact, if you run any kind of business, the two factors that will keep your organization wealthy and successful are 1) excellent resilience and 2) sustainable profits.
Usually, both results are obtained with the guidance of advanced, innovative and ethical managers. These kinds of professionals do consider that having a strong resilience is an investment, not a cost.
They also look for profits that are sustainable over the years. These managers will not just produce wealth today in exchange for risks in the future. Moreover, they will respect the ethical standards (no fraud, no pollution, no fiscal evasion, and no bribes).
The term is so applicable to the good management of an organization that I believe any company or Institution that aims to be efficient, modern and competitive should focus on having a sound resilience.
During my long professional career, I was very lucky to work for a company that invested a lot in it, and now that I run my own Company, I am happy to be able to apply in practice what I preach in theory.
But how do you gain sound resilience? In the past few years, many professionals of different disciplines used the concept of resilience. I would say that there has been a race to claim the predominance of one discipline over the other in terms of ‘implementing resilience’.
Many people still claim that their matter of expertise (whether it be Cybersecurity, Risk Management, Business Continuity, Crisis Management, Disaster Recovery and many others) guarantees by itself a solid resilience.
I think that the document issued by the Business Continuity Institute in 2016 (BCI Statement on Organizational Resilience), then followed by the Manifesto for Organizational Resilience, finally clarified once and for all what it really means.
In addition, the most authoritative perspective comes from the International Standards Organization. The ISO 22316 - Security and resilience — Organizational resilience — Principles and attributes - was issued in March 2017 and, in my opinion, provides the final, correct interpretation of the term.
The truth is that none of the above-mentioned disciplines can make you achieve resilience on their own; however, the advanced application of all of them together (plus many others) may help you reach a very good level of resilience.
I consider myself an expert on Business Continuity, Risk and Crisis Management. In addition, I used to manage the Technology and Operations of a multinational firm and mine was an international role.
I am pointing this out to signify that I have experience in managing control and back office functions, as well as IT. If all this experience of mine was sufficient, without thinking twice I would change my title to ‘Resilience’ officer or expert.
Unfortunately, I don’t think so, and this is not just me being modest – it’s the absolute truth. I do not have all the skills and knowledge that make up a 360-degree resilience officer. But then, does he or she even exist?
Nevertheless, I think that each Company should appoint a specific individual for the management of their organization’s Resilience. There are at least five reasons that tell you this would be a smart, productive choice.
Everyone together for a common goal: the objective of everyone in Risk Management, Business Continuity Management, Crisis Management, Cyber Security is the same, that is, protecting the Company’s assets. Whether it be data, people, or any physical asset, all of the above roles – and many others within an organization – are heading towards the same objective. Hence, why not have them sit together around the same table?
A matter of consistency and coordination: the way things work today in most Companies is neither efficient nor effective. Risk Managers perform Risk Assessments, while Business Continuity Managers perform Risk and Threat Assessments. They currently do two separate analyses and hardly talk to each other. If they performed a single analysis, joining their forces, not only would this be more efficient and cost effective, but it would also result in a more compelling and proficient job for the organization.
A strong synergy among resilience professionals: if all the above-mentioned managers reported to the same manager, the Resilience Manager, chances are there would be many benefits for their professions. After all, the ancient Latin motto ‘divide et impera’ (divide and rule) is nowadays a bit old-fashioned – and did not work very well 2000 years ago either.
They would get to share information that is currently kept secret in every silo. As they’re working separately, these people don’t share any of the crucial information they have, and this has a negative impact on everyone’s job.
They would learn from each other. By joining their forces, these professionals would not only get information they could only dream of before, but also access to competences and knowledge that was precluded. Result: an improved game for anyone at the table, and a better resilience for the entire organization.
A brand-new mind-set: if all these professionals are kept separate, they will go on doing what they’ve always done; their checklist. With a common manager and common objectives, they would also have a shared vision and go beyond their backyard. I’ll make an example with evacuation plans. The classic approach to an evacuation plan is the following: at the end of the test, the responsible person reconciles people at an assembly point, calls the test off and sends everyone back to work. Job done. While if the plan’s been done within a resilience management framework, this is what happens: the manager reconciles all the individuals, including those missing, and then would ask everyone this question: who knows what to do if we could not go back to the building? A Resilience Manager would make sure the vision is always there and, as a result, everything will be stronger, more realistic and efficient.
Independence and impartiality: how can the watchmen depend on the watched? Today, Information Security often sits under the IT department. This inevitably makes their job impaired. What if they were reporting to a Resilience Manager, instead? Independence is key.
My vision for the – not so far – future is that a position like the ‘Resilience Manager’ or the ‘Chief Resilience Officer’ will be very common across the industries.
Having more than 40 years of working experience, I remember those times when very few companies had a CFO (Chief Financial Officer). Well, my bet is that in a few years, we will see the CRO (Chief Resilience Officer) as common as the CFO in a Company.
Recently, many cities have been appointing their own Chief Resilience Officers. The role will be as prestigious as any other leadership task and the organizations will suffer fewer crises.
Today, the most successful organizations are quite mature on the resilience techniques and I believe that having a vision of prevention, as well as a control culture, has a great positive influence on the approach towards business as well.
Too often we have seen Managers with poor values, looking for short-term profits, leaving the organization in deep crisis because the business turned against them (e.g. derivatives, subprimes, lack of innovation, etc.). It’s now time to shift this paradigm and build a generation of successful Resilience Managers.
This article was originally posted on the BCI's website, as part of BCI Education Month.
About the Author
Gianna Detoni - FBCI, is considered one of the most experienced professionals in international techniques of Continuity and Resiliency. The Business Continuity Institute gave her a most prestigious recognition as she won the European Award ‘Continuity & Resilience Industry Personality of the Year 2017’. She is now a candidate for the same Award at the global level. In her role as BCI Approved Instructor, she assisted in the creation of the current edition of the Good Practice Guidelines of the BCI. Gianna Detoni presented the organizational models of Risk Resiliency in the most influential conferences and round tables in Italy and worldwide.