Building Organizational Resilience: a Holistic Approach

Emergencies, disasters or crises can happen at any time and without warning. Organizations are faced with many possible events with the potential to disrupt business continuity, ranging from severe weather events, earthquakes, loss of key staff during a global pandemic, cybercrime to loss of critical infrastructure in a fire or terrorist attack.

Within the context of threats from unwanted or potential harmful events, an incident is any situation that, if not managed or handled properly, can escalate into an emergency, disaster, or crisis situation and may result in an interruption of normal business operations. According to Disaster Recovery Institute’s International Glossary for Resilience (2022), an emergency is a sudden, urgent, usually unexpected occurrence or situation in which there is probable danger to life or property and requires immediate action. A disaster is an event that causes significant or widespread damage to property or loss of life and has the potential to disrupt critical functions, processes or services for an unacceptable period of time. A crisis can have both direct and indirect impacts on brand, reputation or trust in an organization and threatens the organization's viability or shareholder value. Emergency, disaster and crisis are related terms. What emergencies, disasters or crises have in common is that they can threaten the wellbeing of employees, customers or the public and have the potential to disrupt or shuts down operations all together. Disruptions range from short-term interruptions of normal business processes or operations to more long-term unavailability of critical business functions (Supriadi and Pheng, 2018; Reciprocity, 2020). Preparing for and managing incidents, emergencies, disasters or crisis situations includes prevention, mitigation, response and recovery—as well as a plan that outline how an organization will continue operating in the event of a disruption.

There are relationships between Incident Management, Emergency Response, Disaster Recovery, Crisis Management, Business Continuity Management—and then there is also Risk Management. The aim of Incident Management is to prevent or resolve issues adversely impacting—or with the potential of impacting—the business and prevent escalation and reoccurrence. Emergency Response refers to actions to minimize or contain the eventual negative effects in the immediate aftermath of an emergency or for as long as an emergency situation prevails (Bird, 2012). Disaster recovery involves restoring or re-establishing technological infra-structure and capabilities after a serious interruption. Crisis management includes the high-level command and control aspects of recognizing a crisis situation, communicating internally and externally and leading the crisis response until it is under control. In general, the purpose of crisis management is to prevent or minimize harm to the organization's profitability or revenue stream, reputation, and operational capacity. Business Continuity Management is concerned with ensuring that critical business functions can continue working at an acceptable predefined level with minimal downtime during or following a disruption (NC State University, 2008;?KPMG, 2020). Disruption or downtime can be caused by various unpredictable events.

When it comes to risks, ISO?31000:2018 provides a framework for company wide or Enterprise Risk Management (ISO, 2018). Technical aspects of hazards and loss exposures are the main focus of traditional risk management practices. In response to an increasingly volatile and rapidly changing risk climate, company-wide or Enterprise Risk Management on the other hand, has elevated Risk Management to a more strategic function and level in many organizations. The fundamental elements of Enterprise Risk Management are the assessment of significant risks and the implementation of appropriate risk responses. As such, a comprehensive Enterprise Risk Management framework serves as the foundation for creating mitigation, preparedness, response, and recovery plans (CGMA, 2013; U. S. Government Accountability Office, 2016; Claypole, 2021). A holistic view on Incident Management, Emergency Response, Disaster Recovery, Crisis Management, Business Continuity and Risk Management helps organizations plan for and predict problems, quickly pivot as needed, respond and recover from inevitable disruptions and is fundamental in building a resilient organization (Hiles, 2011; Sahebjamnia, Torabi and Mansouri, 2015; Natale, Poppensieker and Thun, 2022).

Leadership of an organization committed to resilience is fostering a culture that anticipates and is prepared for the unexpected. The concept of High-Reliability Organizations has also been given considerable attention in this regard. Research on High-Reliability Organizations was originally carried out in high-risk environments with aircraft carriers and nuclear submarines (Thorogood, 2013). The central point of High-Reliability Organizations is that new threats continuously emerge and uncertainty is endemic. The COVID-19 pandemic, the power outages in Texas as a result of winter storm Uri, the war in the Ukraine, staffing shortages, to just name a few, show that organizations should always expect the unexpected and, somewhat paradoxically, cannot necessarily plan for everything because information is imperfect and it is impossible to know everything. A lot of organizations and industries could certainly benefit from High-Reliability Organizations theory or similar concepts of creating an environment and organizational culture in which people “expect the unexpected” and even very weak signs that some kind of change or danger is approaching is detected early and responding to or make decisions with a sense of urgency to prevent failure, disruption or catastrophic consequences (Coutu, 2003; Agwu, Labib and Hadleigh-Dunn, 2019).

There is not necessarily specific guidance or a model how to integrate or how Incident Management, Emergency Response, Disaster Recovery, Crisis Management, Business Continuity Management and Risk Management must interact or how they must report. There has been much discussion about the relation between in particular the Business Continuity function and Risk Management. Some organizations consider Business Continuity Management part of the company-wide or Enterprise Risk Management function, while others put these two related but different concepts side-by-side (McCrackan, 2005; Krell, 2006; Toplis, 2018). Each require different approaches, have different objectives and involve strategic, tactical and operational decisions with a different level of complexity or timeframes. What may be cause for confusion are the overlapping of activities and responsibilities. Whilst the structure and how the Business Continuity Management function is positioned relative to Incident Management, Emergency Response, Disaster Recovery, Crisis Management or Enterprise Risk Management may be impacted by organizational culture, staff competencies, organization size, etc., a holistic approach is a prerequisite for effective decision making and building resilience.

References:

DRI International. (2022). International Glossary for Resilience. [online] Available at: https://drii.org/ resources/viewglossary.

Supriadi, L, Pheng, L. (2018). Business Continuity Management in Construction. [online] Singapore Springer Singapore. Available at: https://link.springer.com/book/10.1007/978-981-10-5487-7.?

Reciprocity. (2020). Business Continuity vs Disaster Recovery: What’s the Difference. [online] Available at: https://reciprocity.com/resources/business-continuity-vs-disaster-recovery-whats-the- difference/.?

Bird, L. (2012). Dictionary of Business Continuity Management Terms. 2nd ed. Business Continuity Institute (BCI).?

NC State University (2008). Role of Risk Managers and Continuity Planning. [online] ERM Initiative. Available at: https://erm.ncsu.edu/library/article/risk-continuity-planning.

KPMG (2020). Crisis Management & Business Continuity Guide. https://assets.kpmg/content/dam/ kpmg/ca/pdf/2020/03/cyber-resilience-crisis-business-continuity-planning-en.pdf.?

ISO (2018). ISO 31000:2018. [online] ISO. Available at: https://www.iso.org/standard/65694.html.?

CGMA (2013). Enterprise Risk Management (ERM). [online] Available at: https://www.cgma.org/ resources/tools/essential-tools/enterpise-risk-management.html.?

U. S. Government Accountability Office (2016). Enterprise Risk Management: Selected Agencies’ Experiences Illustrate Good Practices in Managing Risk. [online] Available at: https:// www.gao.gov/products/gao-17-63.?

Claypole, A. (2021). Traditional risk management vs enterprise risk management. [online] Ideagen. Available at: https://www.ideagen.com/thought-leadership/blog/traditional-risk-management- vs-enterprise-risk-management-which-approach-is-best.?

Hiles, A. (2011). The definitive handbook of business continuity management. Hoboken, N.J.: Wiley.?

Sahebjamnia, N., Torabi, S.A. and Mansouri, S.A. (2015). Integrated business continuity and disaster recovery planning: Towards organizational resilience. European Journal of Operational Research, [online] 242(1), pp.261–273. doi:10.1016/j.ejor.2014.09.055.?

Natale, A., Poppensieker, T. and Thun, M. (2022). From risk management to strategic resilience | McKinsey. [online] Available at: https://www.mckinsey.com/capabilities/risk-and-resilience/ our-insights/from-risk-management-to-strategic-resilience.?

Thorogood, J. (2013). Is There a Place for High-Reliability Organizations in Drilling? SPE Drilling & Completion, 28(03), pp.263–269. doi:10.2118/151338-pa.?

Coutu, D. (2003). Sense and Reliability. [online] Harvard Business Review. Available at: https://hbr.org/ 2003/04/sense-and-reliability.?

Agwu, A.E., Labib, A. and Hadleigh-Dunn, S. (2019). Disaster prevention through a harmonized framework for high reliability organisations. Safety Science, 111, pp.298–312. doi:10.1016/ j.ssci.2018.09.005.?

McCrackan, A. (2005). Is business continuity a subset of risk management? [online] Available at: https://www.continuitycentral.com/feature0178.htm.?

Toplis, L. (2018). The relationship between Business Continuity and Risk Management. [online] Available at: https://www.bcpbuilder.com/2018/11/21/business-continuity-risk-management/.?