Risk UK, August 2017
ISO 22316: Preparing for Brexit

The long-awaited ISO 22316:2017 Security and Resilience – Organisational Resilience – Principles and Attributes has arrived. At first read it doesn’t seem to offer much – a long title, but just ten pages of what might be construed as rather dry and heavily-engineered clauses. Surely, there must be value in there if only it can be unlocked? John Robinson decided to apply his own test that’s perhaps a little ‘off-piste’ as far as conventional reviews go, but relevant for many: Brexit
John Robinson MSc CEng FBCI: Managing Director of INONI
14
www.risk-uk.com
Brexit isn’t just there to be ‘enjoyed’ by us British. Rather, it’s an international phenomenon. Set aside your personal views and think about it neutrally from the perspective of your organisation. Whether you’re based in Manchester, Milan or Melbourne, whether you represent a charity, a public body or a plc, there’s a good chance Brexit may affect what it is you do as a practising professional and, if ISO 22316 can help you deal with this, so much the better.

Brexit represents a systemic, multi-faceted, enduring, changing and complex risk. It carries the possibility of both losses and opportunities that may be linked and, circumstantially, felt differently by each of us at different times. It’s a moving feast or famine and business resilience seems to be a necessary stabilising quality if we’re to complete the ‘exit’ journey acceptably.

The approach adopted here is to work through the International Standard, interpreting the guidance it offers with Brexit as the subject. What follows is modestly informed opinion and will undoubtedly not apply for all, but reflects a personal search for value in the widest sense.

By their very nature standards are generic and require interpretation for the context in which they’re applied. You simply cannot pick one up and expect to extract an instant list of tasks that must be performed in order for compliance. Instead, you must work at it (or maybe ask a specialist to do it for you).

ISO 22316 begins by explaining what it means to be resilient. In short, this amounts to preserving the delivery of strategic objectives by anticipating and responding, absorbing shock and adapting to change. It states that there’s no absolute measure of resilience or a definitive goal, but that it’s possible to become more (or less) resilient. We cannot sensibly expect to compare between organisations as we all have different resilience appetites, but this truism doesn’t prevent us from creating internal Key Performance Indicators as a basis for improvement or convergence.

Further, ISO 22316 states that resilience is brought about by the interaction of certain organisational attributes and activities and the application of specific expertise. It points out that these interactions are then shaped by how we handle uncertainty, decision-making and behaviour. This suggests that, once we know what drives our individual resilience condition, we should then be able to measure, manage and improve upon it.

Most of the ISO document’s substance lies in three main sections. Section 4: Principles is a distillation, possibly acting as an aide-memoire, whereas the Attributes section defines more granular resilience indicators. Evaluation then provides a form of closed-loop control that keeps your resilience strategy aligned with organisational needs. The remainder of this discourse focuses on applying the Attributes.
Clarity of purpose

In this first of nine Attributes, ISO outlines that organisations clearly setting out their position and communicating it effectively are more likely to be resilient. This reflects the form of guidance used throughout and that resilience drivers will vary between organisations. Attribute structure is also broadly consistent, wherein each Attribute has a headline directive statement followed by a list of capabilities that should be enhanced and demonstrated and a list of activities that facilitate the capabilities, requiring prioritisation and resourcing.

In this case, the ‘Clarity of purpose’ Attribute implies that we need all our resilience-related goals to be aligned, promoting synergy and reducing conflict and making the initiative roll smoothly. It implies that we should design a strategy that takes us safely through Brexit without compromising the business, make sure the strategy is adopted by the Board, communicate it internally and externally where appropriate, deliver the strategy while maximising resilience value for the organisation and repeat, monitor, adapt and improve.

Note that the final continuous improvement point applies for all attributes and isn’t repeated hereafter. It ensures the system is optimised against organisational goals, in this case for Brexit. One would expect it to be applied fairly frequently to deal with the rapid rate of change.

This Attribute provides overall stability and directional control. However, it begs the practical question: “How do we select the right strategy and what are its constituent parts?” As previously explained, this is unique for you. However, there are clues elsewhere and we’ll come to them in due course.
Understanding context

ISO 22316 suggests that organisations who understand their context are more likely to be resilient. Context is a term that doesn’t appear in the terminology listings, but in simplifying