In early December 2015, I attended my second International Standards Organisation (ISO) Symposium as a member of the Security and Resilience Technical Committee. As the representative of the BCI community in Australia, I spent most of my time at the symposium in Working Group 2, whose key objective was to prepare the new Organisational Resilience standard (ISO 22316) for public comment and subsequent publication.

Working Group 2 brought together technical experts from around the world, including the UK, USA, Canada, Germany, Switzerland and, of course, Australia. Many faces were familiar, as we had worked together in early 2015 on ISO/TS 22317 (Business Impact Analysis), and it was great to reunite.

The task at hand was a significant challenge – especially compared to my earlier ISO 22317 experience. BIA was fairly straightforward, with great clarity in the minds of the working group, whereas Organisational Resilience was very different.

The OR Challenge

The challenge of defining a standard for Organisational Resilience stems from a variety of issues. Resilience means different things to different people. My involvement in OR at the international standards level has given me a fairly unusual perspective on the big-picture issues.

An earlier draft of OR introduced the idea of Levels of OR: as an organisation, you could decide to what extent you were going to implement an OR capability. However, some argued that OR cannot be measured; that OR is really a journey or pursuit and, as such, Levels have no meaning.

Those who emphasised the ISO 31000 Risk Management approach as a principal focus felt that the constructs of Threat Assessment, Consequence and Likelihood were the key influences on OR and, in turn, should form part of the core construct of the standard. For me, the subtle difference between Risk Management and the Management of Risk has been lost in the global debate to date. This subtle difference needs to be teased out so that the important relationship between the use of the 31000 standards and the broader concept of OR can be clearly delineated.

The Business Continuity sector disagreed with the sentiment that BC is a subset of Risk Management and felt that BC is a more appropriate driving influence for OR, since bouncing back is a response to a disaster that has actually struck, rather than to something that might never happen.

While these debates were happening, others were making sure that other management disciplines were not being forgotten. Here some argued the merits of management disciplines that were already governed by ISO standards (e.g. Information Security Management, Change Management, Quality Management etc.), while others argued that there are a myriad of management disciplines and corporate attributes not defined by any standard that nevertheless have strong applicability to the core philosophy of OR (e.g. attributes of leadership, culture, empowerment etc.).

Three key considerations in developing ISO 22316

The version of ISO 22316 that will soon be issued for public review is, in my opinion, a well-balanced document. Not because I had a hand in this standard, but because I was part of a solid process that:

  1. Took into account the concerns of all those who provided feedback;
  2. Went back to grass-roots to define the core philosophical meaning of OR; and
  3. Challenged our personal beliefs (and prejudices).

Strict rules to abide by or more of a guide?

ISO 22316 is a guidance document – its content is not mandatory and you can’t be measured against it. If your organisation does decide to head down the OR path then know that there is no target in absolute terms – no definitive goal – no quantifiable measure. It’s about a journey that enhances your resilience by improving the way you think, lead, collaborate, and empower.

It really is the journey and not the destination. It’s about improving your adaptability to changing environments.

