RiskUKSeptember2017
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
Opinion: ISO 22316 Security and Organisational Resilience (Part Two)<br />
with no gaps or overlaps, rather than in<br />
relatively closed silos, creating an environment<br />
for Brexit and other major programmes.<br />
Continual improvement<br />
No organisation has faced Brexit before and it’s<br />
fair to assume that, while some larger firms’<br />
management systems architecture will<br />
accommodate it as just another major change,<br />
the experience will be very new for others. Most<br />
who decide to act in a structured way will<br />
establish a project whose remit and execution<br />
will evolve sporadically, improving only when<br />
driven to do so or when an idea emerges.<br />
Continual improvement is a mindset that<br />
accepts we can always do things better and this<br />
applies particularly to resilience. It means we<br />
systematically and intentionally keep improving<br />
the context model, quality of information and<br />
each of the other attributes listed.<br />
A simplified framework applying this for<br />
Brexit might include making innovation and<br />
improvement part of the strategy and habitual,<br />
regularly scanning for changes and<br />
accommodating them by adapting the strategy,<br />
planning improvements, assigning resources<br />
and making them happen and carrying out<br />
regular reviews while also monitoring what has<br />
been achieved against goals set.<br />
Change drives risk and resilience. If things<br />
didn’t change, equipment would never wear<br />
out, rainfall would be standard and Brexit<br />
wouldn’t happen. Some changes we can<br />
anticipate and plan for, others come out of the<br />
blue or must be imagined because they’re<br />
outside of our experience. In any case,<br />
anticipation and readiness is preferable. The<br />
degree to which we develop and systematise<br />
this will influence our adaptive resilience.<br />
As we’ve seen, Brexit is far from a<br />
straightforward change. It means we need a<br />
mechanism that ensures we’re not surprised or<br />
shocked by what it brings, leaving us wellplaced<br />
to respond and continue with business.<br />
Steps that we can take to build this adaptive<br />
capability might include regularly updating the<br />
context model and using it to look ahead while<br />
scanning for change, modelling change<br />
scenarios and developing response tactics for<br />
those that seem likely, exploring alternatives as<br />
well as ways to deliver on commitments, dual<br />
suppliers and diversifying, planning to respond<br />
and absorb the shock of unexpected<br />
announcements, influencing changes before<br />
and after they materialise and being ready to<br />
adapt without impacting delivery or<br />
compromising vision or core values.<br />
At the headline level, Brexit now seems a<br />
certainty. At almost every other level, though,<br />
the potential remains for surprise. No-one can<br />
be certain how it will unravel, either globally,<br />
nationally or at the organisation level. Our<br />
choices are to either move with the herd and<br />
hope to arrive intact or seize the initiative by<br />
becoming proactive, adaptive and influential.<br />
Contributory factors<br />
The nine attributes focused upon in Part One<br />
and in this month’s article tell us what we<br />
should expect of a resilient organisation. Part 6<br />
of ISO 22316 explains how we can evaluate<br />
these capabilities for ourselves and offers a<br />
governance framework with which to do this.<br />
Again, there’s little if any practical guidance<br />
here to help you decide on acceptable levels of<br />
attainment for each attribute, or a detailed<br />
explanation of how to bring about<br />
improvements in each as this must be<br />
determined by the host organisation.<br />
Apply this framework for Brexit and you<br />
derive a management system that converges on<br />
targets set by top management for each of the<br />
resilience attributes. It – ie the system – needs<br />
to be delivered by a programme or an existing<br />
compatible process that’s kept running for the<br />
duration of Brexit. Delivered as described, it<br />
should continually evolve to track Brexit’s<br />
changing shape and improve such that it aligns<br />
with the organisation’s Brexit-specific and<br />
general resilience objectives or success criteria.<br />
To make it work, you need to set your own<br />
attribute targets and thresholds and monitor<br />
and measure your performance against them.<br />
“Where Brexit’s concerned, and perhaps generally<br />
speaking, intelligence drives resilience. Clearly, we need to<br />
respond acceptably quickly to all kinds of change”<br />
15<br />
www.risk-uk.com