Organisational resilience – overcoming crises and change

Your expert for questions

Jens Greiner
Director, Forensic Services at PwC Germany
Tel.: +49 69 9585-5831
Email

Now more than ever, companies are facing constraints – supply chain disruption, for example – as a result of factors such as economic sanctions. Business is also coming under threat from a large number of risks that are now commonplace, such as cyberattacks. The ability to anticipate changing circumstances, adapt to them, weather disruption and recover quickly – known as organisational resilience – has long been a key competency for successful companies.

The good news is that there are now international standards in place such as ISO 22316 to support systematic development of organisational resilience. Executives can use these standards to fulfil their duty to minimise the extent and consequences of risks, threats and change.

Three steps to increase the resilience of your organisation

Today more than ever, companies are working in an environment of continuous change, also referred to as the VUCA world (volatility, uncertainty, complexity, ambiguity). The Covid-19 pandemic and current geopolitical conflicts have shown how quickly and dramatically realities that were taken for granted can change, and how important successful crisis management and business continuity management are. But even aside from the effects of major global events, there are numerous disruptive scenarios that pose enormous challenges for companies. These include ransomware attacks, natural disasters, financial crises and the unexpected loss of key personnel.

No wonder companies are increasingly focusing on organisational resilience. Organisational resilience describes the ability of organisations to prepare for and adapt to changing circumstances and to be resilient to disruption – whether the disruption is caused by a deliberate attack, an accident, a natural disaster or another event. According to the PwC Global Crisis Survey 2021, seven out of every ten organisations are planning to invest more in increasing resilience and breaking down silos around resilience functions. This affects numerous disciplines, such as asset management, business continuity management and crisis management, as well as quality management, risk management and supply chain management.

Relevant guidelines and best practices for organisational resilience

There are now a number of international standards and best practices that companies should use to implement organisational resilience. The most important of these is ISO 22316 (Security and Resilience – Organisational Resilience – Principles and Attributes). This standard is applicable to organisations of all shapes and sizes, and is not limited to any specific industries or sectors. The standard lists a series of principles and characteristics of organisational resilience and provides companies with guidelines for evaluating relevant factors.

In addition to this central standard for organisational resilience, we have developed our own resilience model, taking into account additional guidelines. These include ISO 22301 (Societal Security Business Continuity Management Systems), ISO 31000 (Risk Management) and ISO 27001 (Information Security Management). The BCI Good Practice Guidelines are also available specifically for business continuity, while applying the NIST (SP) 800 160 standard will ensure better cyber resilience.

Check-up: get an overview and identify relationships between disciplines

A three-stage approach to building resilience has proven its worth in practice, ranging from initial stocktaking and identifying current resilience to targeted strengthening of individual capabilities. The first step is to get an overview of the relevant stakeholders and individual resilience disciplines and their degrees of development. Who is in charge of particular key functions? How do individual areas affect one another? Targeted workshops can provide quick answers to these questions. This allows you to ascertain your company’s current position in areas such as business continuity management, crisis management and physical security.

When carrying out this assessment, it is important to consider interfaces and relationships between individual disciplines. For example, this will help to identify the areas in which there are initial overlaps and synergies, and those where a silo mentality still prevails. Simulations of company-wide disruption are another tried-and-tested tool. In addition to senior executives, managers from relevant resilience functions should also be involved in these exercises. Getting hands-on with difficult situations not only prepares employees for emergencies, but usually also highlights starting points for quick-win improvements.

Diagnosis: determine operational maturity and develop a resilience roadmap

The aim of the second step on the way to a resilient organisation is to create transparency on the current state of your organisational resilience and establish a plan to achieve the level of resilience you want. How resilient is your company in reality? What’s your resilience like compared to your competitors? To get a clear picture of the status quo, it is essential to review your organisation’s approach to resilience, as well as key policies, procedures, plans and scenario strategies.

Using our proprietary resilience model, we will assess your operational maturity based on eight core elements:

1. Governance and culture
2. Framework and procedures
3. Situational awareness
4. Interfaces and integration
5. Capabilities and capacity
6. Technology and tools
   
7. Training and awareness
8. Continuous monitoring

Based on the assessment, a roadmap for practical implementation can then be developed to strengthen your resilience in the long term.

Boost resilience: targeted expansion of prioritised key areas

The third step focuses on systematic development of specific capabilities. The first phase involves prioritising the affected fields of activity and setting targets for these capabilities. Once you’ve done this, appropriate measures need to be taken to make targeted improvements to your company’s capabilities and individual resilience. To increase resilience in the long term, organisations should also regularly validate and test their own capabilities – for example, by using simulations.