How do we go about ‘being resilient’?
In their article, way back in the mists of time (1998 to be exact), Horne and Orr wrote at length on the concept of resilience referring to a ‘fundamental quality of individuals, groups, organizations and systems as a whole to respond productively to a significant change that disrupts the expected pattern of events without engaging in an extended period of regressive behaviour’.
Not since the Spanish Influenza in 1918, which purportedly infected about 30% of the World’s population and killed some 50 million worldwide, has the world endured such a severe pandemic as Coronavirus. If we fast forward, past the SARS outbreak in the early part of the new millennium, to the current pandemic the relevance of Horne and Orr’s statement hits home. Are we as individuals, organisations, communities and networks able to respond effectively to the rapidly changing environment and continue to function as we desire? The question of resilience, whether that of an individual, a collective, a city or society as a whole, has been brought into sharp focus.
So what does this mean to security and/or the risk practitioner? Do we point at our newly dusted down crisis management and business continuity plans, congratulating ourselves on our foresight to have attended seminars and training courses over the years, or for having brought in a business continuity consultant to re-write the manuals for a ‘small fee’? There, says the professional, ‘we are resilient because we comply with ISO 22301, BS 6500, ISO 22316 and ASISI SPC.1’.
But, is that really the case? It is suggested that global markets will only return to some normality by the middle of 2022, depending on the efficacy of vaccination programmes and the ability of viruses to mutate and thwart best-laid plans. The question is, will current plans and activities survive until we attain the much coveted ‘new normal’? The new circumstances will require additional scenario planning and the development of strategy and procedures to ensure that business can carry on with minimal interruption. Resilience is key – the ability to anticipate, prepare for, respond and adapt to disruptions so that we don’t just survive, but prosper.
The risk environment has perhaps never been more fluid as security professionals manage ‘traditional’ threats, whilst tackling other issues, such as supporting our organisations as we shift to working from home, remote video conferencing and delivering scalable services that allow for operations to continue at acceptable levels.
The IT and cyber professionals have had to cope with the increased demands of home networking and the potential vulnerabilities of operating outside the secured networks at an organisation’s premises. Equally the upsurge in video conferencing (I hope in 2019 you bought those shares in the ‘unicorn’ that is Zoom…) has put additional pressures on networks and the potential vulnerabilities with regards security and privacy.
The pandemic has changed the way we look at the world, with fundamental shifts in the way we interact socially and in our workspaces. From a security perspective, the pandemic has created winners and losers, there is a demand for new solutions to new problems such as re-purposing of established technologies like thermal imaging so that contact free passage can be made as your pass-through transport hubs, or across business campuses. Security companies have been providing additional support to organisations within the sphere of critical national infrastructure, supermarkets, or safeguarding vaccine supplies or assisting with the vaccination programmes at hospitals, clinics, prisons or the local village hall.
There has also been the requirement to radically rethink how we protect our assets, protect our supply chains and ensure we deliver viable risk mitigation with reduced numbers of security personnel and other resources. Indeed, how do we maintain operational capability and readiness given current constraints? How do we go about ‘being resilient’?
Enhancing resilience requires some fundamental changes in the way we approach activities in the workplace – whilst the term ‘organisational resilience’ is used for the whole enterprise, resilience can also be embedded in business units or specific departments. The areas that usually come under scrutiny are leadership and culture, engagement, change in mindset (focusing on the benefits of resilience as a capability, not merely a compliance exercise), situational awareness, innovation and change. Whilst there are other considerations, these areas seem to be common in much research.
Strong leadership and effective decision-making during times of uncertainty, coupled with a focus on the vision and values of the organisation, are core to enhancing resilience. Decision-making does not have to be solely the purview of senior management, employees must be provided with the authority to make decisions within their work sphere, thus allowing for quicker response from empowerment. Engagement with the workforce and ‘buy-in’ stems from a belief in the leadership that what they are doing is in the best interests of the workforce and supports the stated vision and values – trust is therefore critical.
Another key attribute is for the organisation to change its mindset – no longer merely ‘ticking boxes’ from a compliance perspective (back to our dusty business continuity folder) but understanding the value that resilience has in ensuring critical processes and operations can be maintained.
Situational awareness (some might call it ‘horizon scanning’) is critical to identifying potential disruption, and opportunities, from rapidly changing environments. Intelligence gathering is an essential requirement. There are organisations that picked up on the outbreak in Wuhan and immediately took measures to protect their employees and supply chains.
And finally, but no means least, is the requirement for innovation, creativity and change: to be open to new methods, new ways of doing things. Having an agile mind and a flexible delivery method will produce new opportunities. Think Amazon, how the company has become known for disrupting established ways of doing things through innovation and change. In the security environment, we are perhaps not the greatest at flexible delivery and instead, we may need to consider focusing on the delivery of the minimum viable product or the ‘skateboard version’ of products – potentially counter-intuitive in the security sphere! However, we have seen companies change their production outputs to meet increased requirements for items such as clinical gowns, masks and other PPE.
If we look back at how we have adapted from early 2020, a lot of what has been achieved in terms of delivering security products and services has been akin to ‘building a plane while flying it’. Progressive security companies have forged ahead with ideas, some viable, others not, that have sought to provide the ‘USP’ that others do not have. The resilient organisation is one that embraces the opportunity to develop itself and continually improve to enhance resilience. Indeed, those organisations that can face up to pandemics, earthquakes, acts of terror, political upheaval and other disruptive events and still deliver their products and services, while maintaining their integrity and vision, will have a competitive advantage over their less resilient competitors and those that concede to the ‘regressive behaviours, as outlined by Horne and Orr.