Business Continuity Blog

With significant experience in business continuity management consulting, John Robinson shares his insight.

Review and Application of ISO 22316

Posted by John Robinson on June 15, 2017


Article originally published by the BCI's Continuity Magazine, issue Q2 2017.

The long-awaited ISO 22316:2017[E] International Standard Security and resilience – Organizational resilience – Principles and attributes has arrived.  I paid my £80 and downloaded it.  At first read it doesn’t seem to offer much – a long title but just 10 pages of dry and heavily-engineered clauses.  Surely there must be value in there if only I can unlock it.  I decided to apply my own test, perhaps a little off-piste as far as conventional review goes, but relevant for many.  I chose Brexit.

Let’s talk about it briefly.  Brexit is not just there to be enjoyed by us British, it is an international phenomenon.  So, set aside personal views and think about it neutrally, from the point of view of your organisation. Whether you are based in Manchester, Milan or Melbourne, whether you represent a charity, public body, plc or small business, there is a good chance it may affect what you do, and if the 22316 Standard can help you deal with this, so much the better. 

I chose Brexit because it represents a systemic, multi-faceted, enduring, changing and complex risk. It carries the possibility of both losses and opportunities that may be linked and, circumstantially, may be felt differently by each of us at different times.  It is a moving feast (or famine) and organizational resilience seems to be a necessary stabilising quality if we are all to complete the journey acceptably.

My approach has been to work through the Standard, interpreting the guidance it offers with Brexit as my subject.  What follows is modestly informed opinion and will undoubtedly not apply for all, but reflects my search for value in the widest sense. 

Attributes for organizational resilience

Standards are by their nature generic and require interpretation for the context in which they are applied.  You can’t pick one up and expect to extract an instant list of tasks you must perform to comply – you must work at it, or maybe ask a specialist to do it for you. 

ISO 22316 begins by explaining what it means to be resilient, and this amounts to preserving delivery of strategic objectives by anticipating and responding, absorbing shock and adapting to change.  It states there is no absolute measure of resilience or definitive goal but that it is possible to become more or less resilient.  I take this to mean we cannot sensibly expect to compare between organizations as we all have different appetites, but this does not prevent us from creating internal KPIs as a basis for improvement or convergence.

Further, it says that resilience is brought about by the interaction of certain organizational attributes, activities and the application of specific expertise.  It points out that these interactions are then shaped by how we handle uncertainty, decision-making and behaviour.  This suggests that once we know what drives our individual resilience condition, we should be able to measure, manage and improve it.

Most of the Standard’s substance lies in three main sections.  Section 4, Principles, is a distillation, possibly acting as an aide-memoire, whereas the Attributes section defines more granular resilience indicators.  Evaluation then provides a form of closed-loop control that keeps your resilience strategy aligned with organizational needs.  The rest of this paper focuses on applying the Attributes.

 

Attribute #1 - Shared vision and clarity of purpose

In this first of nine attributes, ISO 22316 says that organizations that clearly set out their position and communicate it effectively are more likely to be resilient.  This reflects the form of guidance used throughout and that resilience drivers will vary between organizations.  

Attribute structure is also broadly consistent, where each attribute has a headline directive statement followed by a list of capabilities that should be enhanced and demonstrated, and a list of activities that facilitate the capabilities, requiring prioritization and resourcing.  I have paraphrased these for Brexit.

In this case, the attribute implies we need all our resilience-related goals to be aligned, promoting synergy and reducing conflict, making the initiative roll smoothly.  It implies we should:

  • Design a strategy that takes us safely through Brexit without compromising the business
  • Get the strategy adopted by the board
  • Communicate it internally and externally where appropriate
  • Deliver the strategy, maximizing resilience value for the organization
  • Repeat, monitor, adapt and improve

Note that the final continuous improvement point applies for all attributes and is not repeated hereafter.  It ensures the system is optimised against organizational goals, in this case for Brexit.  I’d expect it to be applied fairly frequently to deal with the rapid rate of change.

This attribute provides overall stability and directional control.  However, it begs the practical question ‘how do we select the right strategy and what are its constituent parts?’  As I explained, this is unique for you, however there are clues elsewhere and we’ll come to these later.

Attribute #2 - Understanding and influencing context

The Standard suggests that organizations who understand their context are more likely to be resilient.  Context is a term that doesn’t appear in the terminology section, but simplifying, can be taken to mean ‘everything relevant to us’.  It includes all direct and indirect external parties and internal organizational components, and all the ways they inter-relate. 

Understanding context provides a basis for us to explain and anticipate the effects of change, and this is clearly valuable for Brexit as we want to know what might happen, our very own crystal ball. 

Influencing context implies shaping our environment, internally but also persuading third parties to align with our strategy, modifying agreements and lobbying decision-makers.  It represents a powerful destiny-shaping force and is something we might aspire to.  Steps we might take include:

  • Develop a detailed context model for the organization
  • Think big, look beyond the immediate, up and downstream, including competitors
  • Factor-in all relevant ‘climates’ such as operational, commercial, socio-political, economic
  • Map all the potential Brexit-related sources of vulnerability, concentration and change
  • Identify and strengthen relationships and entities that support the strategy

The idea of a contextual map is for me the beating heart of resilience management.  It provides the essential frame of reference, without which we are unable to determine the extent to which we will be affected by a change.

Attribute #3 - Effective and empowered leadership

This attribute implies resilience will be enhanced by delegation and empowerment during periods of uncertainty and disruption.  I interpret this as an instruction to carefully select and appoint a Brexit programme owner with a targeted brief and appropriate delegated authority.  It implies the person should:

  • Be prepared to embrace and leverage the change, address problems and seize opportunities
  • Be ready to identify and promote Brexit-compatible practices
  • Be technically adept, adaptable and innovative
  • Be empowered to make tactical and strategic decisions

ISO 22316 seems to be saying ‘build a team with an executive leader with the experience to understand our unique position and resulting Brexit challenge, and who the Board trusts enough to wield delegated authority when unplanned-for changes demand a fast response’.  Again, this won’t apply for all businesses, but seems appropriate for those who perceive a major threat.

Attribute #4 - Creating a resilient culture

A strong culture implies a close-knit organization whose members share consistent and ingrained values and beliefs.  A weak or dilute culture suggests variance, fragmentation, uncertainty, fragility and diluted resilience.   It follows that those with a strong culture are more likely to be resilient.

This applies for Brexit, due to its multi-faceted profile and its strong political, economic, social and, at times, emotional implications for individuals within and outside the workplace.  It implies we might enhance our cultural resilience like this:

  • Find out what drives employee attitude to Brexit and whether views are shared
  • Determine whether people will broadly resist or support the strategy
  • Decide how to position, promote and deliver the strategy, building support
  • Encourage people to innovate, improve and support the strategy
  • Empower people to identify and communicate Brexit-related threats and opportunities

Culture is a slow-moving beast.  It has inertia and naturally resists any wholesale change of mindset, implying that a resilient culture will not be created overnight, either in the general sense or for Brexit.  It means that in the short term we may need to work with what we have and search for supportive influences that may already be present, adding only culturally compatible new ideas.

In the UK, Brexit has already caused divisions along unexpected lines, between friends, businesses, even within families, with many still holding opposing views.  With so great a divide, there seems little chance of imposing a Brexit position on a workforce and it would be ill-advised to even consider this.  However, organizational prosperity and survival is already in the shared interest and I’d suggest this is the common ground on which strategy promotion and culture-building might be based.

Attribute #5 - Shared Information and Knowledge

Every day we are faced with a barrage of Brexit-related news items of varying substance and credibility, many with the potential to influence or directly affect us and our relationship partners.  We somehow must process this flow, deciding what is real and what is not, but also second-guessing how our interested parties such as customers, suppliers, regulators and competitors may respond. The recent reported influence of fake news is a clear illustration of this.

ISO 22316 suggests an organisation’s resilience will be enhanced when all available related knowledge is appropriately shared, analysed and applied.  Maximising this for Brexit means we might:

  • Harness a wide, varied and credible range of relevant data and knowledge sources
  • Define criteria to identify, validate and value what we collect
  • Assign specialists to manage, analyse, add value and distribute as information
  • Use the information to update the context model for Brexit
  • Use the model to trigger and fuel decisions, and improve the Brexit strategy
  • Share the results across the business and externally if applicable

Where Brexit is concerned and perhaps generally, intelligence drives resilience.  Clearly, we need to respond acceptably quickly to all kinds of change so we are not disadvantaged, and this in turn relies on high-grade information, analysis, judgement and executive decision-making.  It makes this an important attribute.

Attribute #6 - Availability of Resources

The Standard implies that resilience will be enhanced if the resources required to align with the organization’s resilience objectives are made available, including an allowance for adaptation.  These include aspects relating to people, premises, technology, finance and information.

For those who perceive little or no Brexit-related threat, no specific action will be planned or dedicated resources required.  However, for others, particularly in the UK and the EU, Brexit may be a headline item, a threat demanding a planned response.  Where this is the case, it becomes a matter of ensuring the strategy is sufficiently resourced to be implemented as intended. The following are checks you might wish to make:

  • Does the strategy clearly define acceptable levels of business during Brexit?
  • Do we know how Brexit changes will affect resourcing and how we will deal with it?
  • Do we face Brexit-induced failures of supply and/or demand?
  • Do we need to increase or reduce our capacity and can we do this acceptably?
  • Do we need to diversify or replicate resources or build-in redundancy?
  • Do we have the skills and abilities we need to respond acceptably?
  • Do we have the inherent flexibility to redeploy and adjust in time?
  • Do we look ahead, take account of change and anticipate what might happen?

It’s tempting to put off resilience resourcing decisions for the obvious reason that they consume investment but will yield no return if the planned-for situation fails to materialise.  Business continuity faces this on a frequent basis – why would I buy a duplicate production line when current capacity doesn’t demand it?  Alternatives are discussed in various papers on our website.

Attribute #7 - Development and Co-ordination of Management Disciplines

At first glance this seems to be a classic catch-all statement of the obvious that says your resilience will be enhanced if you are good at every management discipline.  However, this is reasonable if you accept that any deviation from best practice or omission does indeed potentially leave a hole in your defences, implying a reduction in resilience.  It is clearly a valid and relevant indicator.

Moreover, if you did this just as part of your response for Brexit, the benefits would be felt in potentially many other ways, improving resilience generally and making management more effective, efficient and communicative.  With this in mind and specifically for Brexit, I believe you might consider:

  • Engaging the 20 disciplines with a common purpose of enabling the Brexit strategy
  • Adapting existing processes, roles and responsibilities so they interact efficiently
  • Searching for and plugging any material gaps between disciplines, removing duplication
  • Keeping the web of disciplines elastic so it can flex and adapt as Brexit demands change
  • Establishing communications and reporting so all are kept informed and coordinated

Note that the 20 disciplines cited in ISO 22316 include asset management, crisis management, governance, fraud control and so on.  Not all organizations will implement or recognise all the disciplines formally; however, they will generally be present in some shape or form.

The clause seems to sum up what BS 65000, a forerunner to ISO 22316, called coherence.  Specifically, the joining-up of related key disciplines into a collaborative resilient whole with no gaps or overlaps, rather than in relatively closed silos, creating an environment for Brexit and other major programmes.  

Attribute #8 - Supporting Continual Improvement

No organization has faced Brexit before and it is fair to assume that whilst some larger firms’ management systems architecture will accommodate it as another major change, the experience will be completely new for others.  I expect that most who decide to act in a structured way will establish a project whose remit and execution will evolve sporadically, improving only when driven to do so or when an idea emerges.

Continual improvement is a mindset that accepts we can always do things better and this applies particularly for resilience.  It means we systematically and intentionally keep improving the context model, quality of information and each of the other attributes listed here.  A simplified framework applying this for Brexit might include:

  • Make innovation and improvement part of the strategy, make it habitual
  • Regularly scan for changes, accommodating them by adapting the strategy
  • Plan improvements, assign resources and make them happen
  • Carry out regular reviews and monitor what you achieved against goals

It should be possible to improve your Brexit journey by including continual improvement in your project’s design.  Methods for doing this are well documented and enshrined in the Plan-Do-Check-Act Deming model; they are readily accessible and I won’t repeat them here.

Attribute #9 - Ability to anticipate and manage change

Change drives risk and resilience.  If things didn’t change, equipment would never wear out, rainfall would be standard and Brexit would not happen.  Some changes we can anticipate and plan for, others come out of the blue or must be imagined because they are outside our experience.  In any case, anticipation and readiness is preferable, and the degree to which we develop and systematise this will influence our adaptive capability and resilience. 

As we have seen, Brexit is far from a straightforward change.  It means we need a mechanism that ensures we are not surprised or shocked by what it brings, leaving us well-placed to respond and continue with business.  ISO 22316 alludes to steps we can take to build this adaptive capability and these might include:

  • Regularly updating the context model and using it to look ahead, scanning for change
  • Modelling change scenarios and developing response tactics for those that seem likely
  • Exploring alternatives, ways to deliver on commitments, dual suppliers, diversifying
  • Planning to respond and absorb the shock of unexpected announcements
  • Influencing changes before and after they materialise
  • Being ready to adapt without impacting delivery, compromising vision or core values

At headline level, Brexit now seems a certainty.  At almost every other level the potential remains for surprise and no-one can guess how it will unravel, globally, nationally or at organization level.  Faced with this, our choices are either to move with the herd and hope to arrive intact, or to seize the initiative, becoming proactive, adaptive and influential.

Evaluating contributory factors

The nine attributes tell us what we should expect of a resilient organization.  Part 6 of ISO 22316 explains how we can evaluate these capabilities for ourselves and offers a governance framework with which to do this.  Again, there is little if any practical guidance here to help you decide on acceptable levels of attainment for each attribute, or explanation of how to bring about improvements in each as this must be determined by you.    

Apply this framework for Brexit and you get a management system that converges on targets set by top management for each of the resilience attributes.  It (the system) needs to be delivered by a programme or existing compatible process that is kept running for the duration of Brexit.  Delivered as described, it should continually evolve to track Brexit’s changing shape and improve so it aligns with the organization’s Brexit-specific and general resilience objectives or success criteria.

To make it work you need to set your own attribute targets and thresholds, monitor and measure your performance against these, identify and close out any gaps you find, innovate and report on how you’re doing.  If you follow the guidance, over time your capability should mature and the process you’ve applied should become ingrained and optimised.  More to the point, you should be able to absorb, adapt and accommodate just about anything Brexit sends your way.

Conclusion

ISO 22316 is specified to address whole organizational resilience, so is it valid to apply it singularly in respect of Brexit?  Is it reasonable to expect it to work in this way and could we take a similar tack against other systemic threats, such as pandemic or the effects of a solar flare? 

I believe the answer is yes to both, since applied as intended to the whole organization, it would encompass Brexit, maybe defining a programme within a programme, and I imagine this is how Brexit appears in many organizations’ risk registers and board agendas. It comes down to scope and only needs standalone treatment if there is no over-arching resilience programme in place to deliver it.

Can we use the Standard to help prepare for Brexit?  Again, I think the answer is yes.  Use the headings as capability indicators and build a context model and you gain a whole-situation view from your organization’s standpoint.  Use it to evaluate Brexit-related threats and plan how you will adapt and deal with them. 

Finally, ISO 22316 defines an approach that helps you improve.  It isn’t an off-the-shelf solution that you can buy and turn on to instantly case-harden your organization.  It’s more like a generic recipe for say, tacos with few tasteful ingredients.  However, if you are willing to supply your filling, there is a strong chance you will like the outcome.  This is not a surprise, it’s simply the way standards are.

 


Tags: Resilience, Brexit, ISO 22316