RiskUKAugust2017

More documents

Recommendations

Info

ISO 22316: Preparing for Brexit The long-awaited ISO 22316:2017 Security and Resilience – Organisational Resilience – Principles and Attributes has arrived. At first read it doesn’t seem to offer much – a long title, but just ten pages of what might be construed as rather dry and heavilyengineered clauses. Surely, there must be value in there if only it can be unlocked? John Robinson decided to apply his own test that’s perhaps a little ‘off-piste’ as far as conventional reviews go, but relevant for many: Brexit John Robinson MSc CEng FBCI: Managing Director of INONI 14 www.risk-uk.com Brexit isn’t just there to be ‘enjoyed’ by us British. Rather, it’s an international phenomenon. Set aside your personal views and think about it neutrally from the perspective of your organisation. Whether you’re based in Manchester, Milan or Melbourne, whether you represent a charity, a public body or a plc, there’s a good chance Brexit may affect what it is you do as a practising professional and, if ISO 22316 can help you deal with this, so much the better. Brexit represents a systemic, multi-faceted, enduring, changing and complex risk. It carries the possibility of both losses and opportunities that may be linked and, circumstantially, felt differently by each of us at different times. It’s a moving feast or famine and business resilience seems to be a necessary stabilising quality if we’re to complete the ‘exit’ journey acceptably. The approach adopted here is to work through the International Standard, interpreting the guidance it offers with Brexit as the subject. What follows is modestly informed opinion and will undoubtedly not apply for all, but reflects a personal search for value in the widest sense. By their very nature standards are generic and require interpretation for the context in which they’re applied. You simply cannot pick one up and expect to extract an instant list of tasks that must be performed in order for compliance. Instead, you must work at it (or maybe ask a specialist to do it for you). ISO 22316 begins by explaining what it means to be resilient. In short, this amounts to preserving the delivery of strategic objectives by anticipating and responding, absorbing shock and adapting to change. It states that there’s no absolute measure of resilience or a definitive goal, but that it’s possible to become more (or less) resilient. We cannot sensibly expect to compare between organisations as we all have different resilience appetites, but this truism doesn’t prevent us from creating internal Key Performance Indicators as a basis for improvement or convergence. Further, ISO 22316 states that resilience is brought about by the interaction of certain organisational attributes and activities and the application of specific expertise. It points out that these interactions are then shaped by how we handle uncertainty, decision-making and behaviour. This suggests that, once we know what drives our individual resilience condition, we should then be able to measure, manage and improve upon it. Most of the ISO document’s substance lies in three main sections. Section 4: Principles is a distillation, possibly acting as an aide-memoire, whereas the Attributes section defines more granular resilience indicators. Evaluation then provides a form of closed-loop control that keeps your resilience strategy aligned with organisational needs. The remainder of this discourse focuses on applying the Attributes. Clarity of purpose In this first of nine Attributes, ISO outlines that organisations clearly setting out their position and communicating it effectively are more likely to be resilient. This reflects the form of guidance used throughout and that resilience drivers will vary between organisations. Attribute structure is also broadly consistent, wherein each Attribute has a headline directive statement followed by a list of capabilities that should be enhanced and demonstrated and a list of activities that facilitate the capabilities, requiring prioritisation and resourcing. In this case, the ‘Clarity of purpose’ Attribute implies that we need all our resilience-related goals to be aligned, promoting synergy and reducing conflict and making the initiative roll smoothly. It implies that we should design a strategy that takes us safely through Brexit without compromising the business, make sure the strategy is adopted by the Board, communicate it internally and externally where appropriate, deliver the strategy while maximising resilience value for the organisation and repeat, monitor, adapt and improve. Note that the final continuous improvement point applies for all attributes and isn’t repeated hereafter. It ensures the system is optimised against organisational goals, in this case for Brexit. One would expect it to be applied fairly frequently to deal with the rapid rate of change. This Attribute provides overall stability and directional control. However, it begs the practical question: “How do we select the right strategy and what are its constituent parts?” As previously explained, this is unique for you. However, there are clues elsewhere and we’ll come to them in due course. Understanding context ISO 22316 suggests that organisations who understand their context are more likely to be resilient. Context is a term that doesn’t appear in the terminology listings, but in simplifying
Opinion: ISO 22316 Security and Organisational Resilience (Part One) the term it can be taken to mean ‘everything relevant to us’. It includes all direct and indirect external parties and internal organisational components, in addition to all of the ways in which they interrelate. Understanding context provides a basis for us to explain and anticipate the effects of change, and this is clearly valuable for Brexit as we want to know what might happen. It’s our very own crystal ball. Influencing context implies shaping our environment internally, but also persuading third parties to align with our strategy, modifying agreements and lobbying decisionmakers. It represents a powerful destinyshaping force and is something to which we might aspire. Steps we may take include developing a detailed context model for the organisation, thinking big and looking beyond the immediate (up and downstream and including a focus on competitors), factoring-in all relevant ‘climates’ such as operational, commercial, socio-political and economic, mapping all the potential Brexitrelated sources of vulnerability, concentration and change and both identifying and strengthening relationships and entities that support the strategy. For me, the idea of a contextual map is the beating heart of resilience management. Effective leadership This Attribute implies that resilience will be enhanced by delegation and empowerment during periods of uncertainty and disruption. I would interpret this as instruction to carefully select and appoint a Brexit programme owner with a targeted brief and delegated authority. It implies that the nominated individual should be prepared to embrace and leverage the change, address problems and seize opportunities, be ready to identify and promote Brexit-compatible practices, be technically adept, adaptable, innovative and empowered to make tactical and strategic decisions. ISO 22316 seems to be saying: ‘Build a team with an executive leader with the experience to understand our unique position and resulting Brexit challenge, and whom the Board trusts enough to wield delegated authority when unplanned-for changes demand a fast response.’ Again, this will not apply for all businesses, but seems appropriate for those who perceive a major threat. Creating a resilient culture A strong culture implies a close-knit organisation whose members share consistent and ingrained values and beliefs. A weak or dilute culture suggests variance, fragmentation, uncertainty, fragility and diluted resilience. It follows that those with a strong culture are more likely to be resilient. This applies for Brexit due to its multi-faceted profile and its strong political, economic, social and emotional implications for individuals both within and outside of the workplace. It implies that we might enhance our cultural resilience by finding out what drives employees’ attitudes to Brexit and whether views are shared, determining if people will broadly resist or support the strategy, deciding how to position, promote and deliver the strategy while building support, encouraging people to innovate, improve and back the strategy and empowering them to identify and communicate Brexitrelated threats and opportunities. Culture is a slow-moving beast. It has inertia and naturally resists any wholesale change of mindset, implying that a resilient culture will not be created overnight, either in the general sense or, indeed, for Brexit. It also means that, in the short term, we may need to work with what we have and search for supportive influences that might already be present, adding only culturally-compatible new ideas. In the UK, Brexit has already caused divisions along unexpected lines between friends, businesses and even within families, with many still holding opposing views. With so great a divide, there seems little chance of imposing a Brexit position on a workforce. Indeed, it would be ill-advised to even consider doing so. *Next month: Attribute 5 (Shared information and knowledge), Attribute 6 (Availability of resources), Attribute 7 (Development and co-ordination of management disciplines), Attribute 8 (Supporting continual improvement) and Attribute 9 (Ability to anticipate and manage change) in focus “Brexit represents a systemic, multi-faceted, enduring, changing and complex risk. It carries the possibility of both losses and opportunities that may be linked” 15 www.risk-uk.com
Page 1 and 2: August 2017 www.risk-uk.com Securit
Page 3 and 4: August 2017 Contents 44 Meet The Se
Page 5 and 6: Editorial Comment Many applications
Page 7 and 8: News Update “Clarification on reg
Page 9 and 10: News Analysis: Counter-Terrorism Pr
Page 11 and 12: News Special: BSIA Security Personn
Page 16 and 17: All Things Being Equal recommends t
Page 18 and 19: Institute of Risk Management Are yo
Page 20 and 21: BSIA Briefing References 1 https://
Page 22 and 23: Physical and IT Security Convergenc
Page 24 and 25: State of Mind: Developing ‘Risk C
Page 26 and 27: On The Mark: Safeguarding Your Comp
Page 28 and 29: Touched By A Physical Presence Phys
Page 30 and 31: Net2 Entry Touch Smart, Simple Door
Page 32 and 33: FIRE SAFETY New Qualifications for
Page 34 and 35: FIRE SAFETY False Fire Alarm Manage
Page 36 and 37: FIRE SAFETY Fire Alarms and Detecti
Page 38 and 39: FIRE SAFETY Audible and Visual Prot
Page 40 and 41: FIRE SAFETY Following the Grenfell
Page 42 and 43: FIRE SAFETY Emergency Lighting Stan
Page 44 and 45: Meet The Security Company This is t
Page 46 and 47: Advertisement Feature Reaping the B
Page 48 and 49: The Security Institute’s View rel
Page 50 and 51: Resilience Revisited: Turning Our A
Page 53 and 54: FIA Technical Briefing Fire Prevent
Page 55 and 56: FRONTIER PITTS Protecting Your Worl
Page 57 and 58: Security Services: Best Practice Ca
Page 59 and 60: A New Model for Guarding Cardinal's
Page 61 and 62: Cyber Security: Risk Management for
Page 63 and 64:
Training and Career Development equ
Page 65 and 66:
Risk in Action St George in the Eas
Page 67 and 68:
Technology in Focus Vista unveils V
Page 69 and 70:
Appointments Helen Ball Helen Ball
Page 71 and 72:
BENCHMARK Smart Solutions BENCHMARK
Page 73 and 74:
CCTV CCTV Rapid Deployment Digital
Page 75:
SECURITY ANTI-CLIMB SOLUTIONS & SEC
show all

RiskUKAugust2017

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?