Whitepaper

A Chief Resilience Officer’s Guide to Resilience Policy and Strategy Standard, ISO 22336

Noggin


Updated November 5, 2024

Introduction

In most organizations, resilience is likely to be a new focus. Propelled by the experience of Covid-19, many entities, whether in the private or public sector, are turning to newly minted Chief Resilience Officers (CROs) to come in and build an organizational resilience capability from the ground up.

The responsibility is immense, not only leading crisis management but also stewarding the business continuity/disaster resilience, incident response, cybersecurity, and risk management functions, too. Compounding the challenges, there simply hasn’t been that much practical guidance on how to bring together a wide array of stakeholders to help build support for resilience building.

Introducing ISO 22336:2024: Guidelines for resilience policy and strategy

Not anymore. The international standard-making body, ISO (International Organization for Standardization) recently published guidelines for developing such a resilience capability. Put together, the recommendations constitute the bulk of ISO 22336, the international body’s first standard dedicated to resilience policy and strategy.

How does it differ from business resilience standard, ISO 22316?

Well, ISO 22316 articulated the foundational principles for organizational resilience, establishing attributes that would demonstrate that an organization is resilient. Although important in its own right, ISO 22316 is far more theoretical than ISO 22336. ISO 22336 really gets in there, laying out how to build a resilience practice, step by painstaking step, at your organization.

Of course, anyone who reads ISO standards for a living, like we do, knows that they aren’t always the most digestible. Busy executives want the key components and to learn how to get started immediately. And that’s why we developed this guide, tailor-made for resilience executives looking to get the most out of ISO 22336. In it, you’ll learn:

  • How to design and formulate a resilience policy at your organization;
  • How to design strategy to achieve the objectives of a resilience policy;
  • How to determine priorities for implementation of your organization’s resilience initiatives; and ultimately,
  • How to establish a cooperative and coordinated resilience capability

Skip to the end if you want a fact sheet on what ISO 22336 is and how to get started working towards your organizational resilience goals.

Attributes of a resilient organization

What are we striving for? Given the rapid uptick in complex crises, all organizations are looking to achieve resilience.

But what is resilience exactly? The standard defines resilience as the strategic capability to anticipate and respond to change in order to survive and prosper.

Organizations achieve resilience by pursuing a resilience strategy. A key part of the overall organizational strategy, resilience strategy establishes objectives and corresponding activities in accordance with resilience policy.

What about resilience policy? Resilience policy sets the parameters for top management to embed resilience objectives into organizational strategies.

As you know very well, there’s no discrete resilience function within the wider organization; resilient organizations have built resilient structures into the foundation of the enterprise. Resilient organizations all share the following attributes, as well:

Shared vision and clarity of purpose

The resilience policy articulates the organization’s vision and purpose with respect to its strategic objectives and commitment to continual improvement. These are shared and understood by all parties.

Understanding and influencing context

The organization aligns its organizational resilience policy and strategy with its contexts, recognizing multiple interdependencies and interactions across all dimensions of the environment in which it achieves its objectives.

Anticipating potential changes in the organizational context is central to an effective resilience policy and to influencing future conditions.

Culture supportive of organizational resilience

The resilience policy confirms top management commitment to a diverse culture at all levels of the organization.

Anticipates, absorbs, and manages change

The organization anticipates, identifies, absorbs, and manages change, and effectively manages risk to consistently deliver on its commitments.

Shared information and knowledge

The organization shares information and knowledge and implements systems so that personnel are appropriately equipped to perform their roles.

Continual improvement and evaluation

The organization assigns roles to evaluate the effectiveness of the strategy design to achieve continual improvement, so that performance management criteria are responsive to change.

Availability of resources

The organization allocates adequate resources and systems to support the effective implementation of the resilience strategy. These resources are available when required and their suitability and application routinely reviewed.

Effective and empowered leadership

The organization assigns responsibility to coordinate the resilience activities in the governance structure and defines roles and responsibilities, so that the purpose of the resilience-enhancing activities is understood and decision-making is effective.

Those responsible for designing and implementing the strategy come from different areas of the organization and cover all aspects of the business, contributing a diversity of skills, knowledge, experience, and leadership capabilities.

Coordination and alignment of systems

The organization aligns and coordinates systems and eliminates silos that create barriers among functions as the strategy is implemented to facilitate the sharing of information and skills throughout the organization.

The lifecycle of resilience policy

How to get to the promised land of resilience, though? CROs have to work through the lifecycle of resilience policy. And ISO 22336 at its best lays out exactly what that lifecycle consists of.

Fortunately for us, the lifecycle of resilience policy only includes three elements: formulation, design, and implementation.

Figure 1. The lifecycle of resilience policy

To what does each element refer?

Formulation

This is the documentation of your intention to enhance resilience and to assign accountability for delivery of the strategy. During the documentation phase, organizations establish a policy that aligns the organization’s values and behaviors with a shared vision and purpose.

Design

This is the plan for a strategy that considers governance structure(s) and supports a multiplicity of skills, leadership, knowledge, and experience.

Implementation

This is how you effectively manage risk and adapt to change. During this stage, organizations provide adequate resources to implement the strategy and consider how it can anticipate, identify, absorb, and manage change, and coordinate and align systems.

Throughout the course of this guide, we detail each component.

Resilience policy formulation

An organization will formulate its resilience policy by considering what the objectives and expectations of that policy will be. However, the resilience policy, once formulated, is simply a high-level statement of the organization’s intention and direction for enhancing resilience.

Resilience policy itself:

  • Calls for commitment from all interested parties to satisfy the organization’s expectations
  • Authorizes and empowers those responsible for supporting the design and implementation of the resilience policy and strategy
  • Specifies the alignment of the objectives of the policy to the desired enhancement of resilience attributes and enabling behaviors relevant to the organization
  • Aligns with behaviors that shape organizational culture and foster creativity and innovation, and transformative thinking
  • Refers to or integrates with new or existing organizational policies and strategies
  • Communicates the importance, benefits, and outcomes of the policy
  • Commits to continual improvement and maintenance of the resilience policy

In formulating resilience policy, an organization must consider its context, both internal and external. That means the organization must continually scan its contexts and the multiple system elements that influence the delivery of its objectives to identify potential changes that can impinge upon organizational resilience. Those contexts include:

Internal context

  • Vision, mission, and values
  • Organizational culture and leadership
  • Corporate policies, objectives, and strategies
  • Environmental, social, and governance responsibilities
  • Assumptions and expectations of interested parties
  • Operational requirements of its core products, services, systems, and resources
  • Business as usual and emergency management capabilities

External context

  • Socio-economic conditions
  • Effects of climate change
  • The impacts of global or regional conflicts
  • Geo-political influences
  • Legal and regulatory obligations
  • Population distributions and migration
  • Religion, culture, race, and ethnicity
  • Natural and built environment
  • Societal expectations
  • Emerging or disruptive technologies

To reiterate, the organization, as part of the policy formulation process, will have to examine its current internal, interdependency, interaction, and external environment to determine vulnerabilities and opportunities to achieve an enhanced state of resilience. From there, top management will go on to:

  • Establish an approved approach to consultation
  • Develop a shared vision and purpose for the policy that aligns with overarching organizational vision
  • Establish a governance model, organizational structure, roles, and accountabilities to develop the strategy and implementation plan
  • Identify human resources with the required capabilities and knowledge (i.e., diversity of skills, leadership, knowledge, and experience)
  • Set the direction for the organization to enhance its ability to absorb, adapt, and effectively respond to change
  • Establish protocols for coordination across management functions and contributions from technical and scientific areas of expertise
  • Establish relationships with, and perceptions and values of, interested parties and their cultures
  • Consider the influence and validity of assumptions in its policy objectives
  • Identify any risks in achieving its organizational resilience policy objectives
  • Establish the monitoring and review processes
  • Determine the continual improvement approach

The final element of policy formulation is communication. Communication in this context involves sharing information about the established policy with certain audiences, i.e., those both internal and external to the organization including oversight bodies.

Communication is a capability all to itself, though. Indeed, part of your job as CRO likely includes helping your organization improve internal communications.

To that end, you should be looking to establish an approved approach to communication to facilitate awareness of the resilience policy and strategy. A combination of communication methods should be used so that messages are accessible and comprehensible by all interested parties.

Resilience strategy design

Once policy is formulated, strategy must be designed to achieve the objectives of that policy. Starting with a gap analysis, top management will develop an appropriate strategy and implementation plan including annual action plans, time frames, and resource allocations. Top management will also be called on to develop and set objectives and align decision-making with the outcomes of the resilience policy.

One aspect of resilience strategy design to be particularly mindful of is embedding resilience objectives into new and existing organizational policies and strategies. This embedding of resilience objectives goes a long way towards creating a culture supportive of resilience – one of your ultimate goals as a CRO.

Of course, building and maintaining resilience are both cross-functional efforts. Designing the resilience-enhancing strategy, therefore, requires cross-functional collaboration, i.e., roping in staff across the organization regardless of position or role.

CROs might even need to seek out external parties, such as community representatives, customers, governments, supply-chain operators, even competitors. For its part, top management should consider the following when designing a resilience strategy:

  • Aligning the strategy with the organization’s shared vision, organizational values, behaviors, and purpose
  • Alignment of, and potential conflicts between, the resilience strategy and other organizational strategies
  • The flexibility and agility of the strategic objectives to respond to changes in organizational contexts
  • Setting strategic objectives to achieve an enhanced state of desired resilience
  • Establishing strategic initiatives and targets to implement the strategy
  • Evaluating the success of the strategy
  • Monitoring and reporting

What of the strategy itself? That strategy should accomplish these three things:

  1. Embrace change
  2. Foster participation
  3. Enable transformation and adaptation

Resilience strategy implementation

We’ll admit the previous two sections might have been a little theoretical, as discussions of policy and strategy can often be. The rubber really hits the road when it comes to implementing a resilience strategy and ensuring it remains up to snuff as the context shifts around and within your organization.

Here, the standard really excels in calling interested parties to remain engaged and aware. Starting with top management, stakeholders must be committed to the ongoing enhancement of resilience.

The standard also recommends creating a process for how to implement the resilience strategy. That process consists of identifying key products and services, customer segments/markets, channels, obligations, and financial/value-added outcomes.

That step might actually have been accomplished in the course of undertaking an operational resilience mapping exercise. If that’s the case, top management, once key products, services, and processes have been mapped, should establish the scope of the strategy implementation, i.e., what will the strategy cover, and then develop an associated action plan to deliver on strategy objectives. That plan should accomplish the following:

  • Establish key focus areas for delivery
  • Establish key performance indicators
  • Develop action plans to deliver the strategy
  • Allocate appropriate resources to deliver the plan
  • Communicate and consult with interested parties so that the plan is effectively developed
  • Inform top management on ongoing progress and delivery of the plan

As noted, top management must allocate the necessary resources to support capabilities that enhance resilience for the plan to be successful. Such resources are likely to run the gamut from qualified personnel, information and knowledge management systems (e.g., operational resilience software), and professional development and training to intangibles like relevant processes and procedures.

The standard also homes in on the role of the resilience lead, appointed to facilitate, communicate, coordinate, and promote resilience initiatives. That’s likely to be you or a deputy you’ve tapped. The specific responsibilities of that role include:

  • Implementing policy objectives and initiatives to satisfy the intention and direction expressed in the policy
  • Promoting awareness of resilience throughout the organization
  • Supporting effective communication among interested parties
  • Reporting on the performance of the resilience implementation program to top management, to be used as the basis for improvement

Continual improvement of the resilience management strategy

Of course, maintaining resilience is an ongoing endeavor. Strategy once implemented can’t be neglected.

The standard, here, makes a point of emphasizing the need to evaluate the effectiveness of the resilience framework. It even urges organizations to create clear objectives and adequate key performance indicators to frequently gauge strategy implementation progress, providing a set of relevant questions to ask to evaluate the success of the implementation. Questions include:

  • Are projects respecting their deadlines?
  • Are expenditures within the pre-defined budget?
  • Do the systems implemented demonstrate efficacy for the organization?
  • How many organizational resilience awareness sessions have been held this year for other interested parties?
  • How many organizational resilience meetings have been held to harmonize the implementation of the resilience systems?
  • Is the concept of continual improvement effectively pursued in the coordination and alignment of its systems?

The importance of reporting is a main takeaway of this section of the standard. As noted, the resilience lead will be responsible for reporting on the program’s implementation to top management. The purpose of these reports is to ensure continual improvement of the suitability, adequacy, and effectiveness of the process. What specifically should the reports accomplish? They should:

  • Communicate to top management on the progress of activities for the resilience strategic plan
  • Ensure that decision makers accountable for the resilience strategic plan are aware of, coordinate, and provide updates on actions
  • Inform interested parties of initiatives and decisions that enhance resilience

Resilience itself depends on your company’s internal and external context, both of which will change over time – sometimes dramatically, more often imperceptibly. As conditions change, so too must your resilience capabilities. If they don’t, they will degrade and become increasingly irrelevant.

How to stay on top of resilience arrangements once implemented? That’s where monitoring and review come in handy. These strategies must be continually reviewed so that:

  • Objectives are adjusted, redirected, or replaced if their relevance and acceptability is declining
  • The outputs of resilience-related strategies continue to enhance current resilience capability and potentiality for the future
  • An acceptable cost-benefit margin is maintained as resilience-related strategies are adjusted
  • Embedded resilience objectives continue to be relevant and can be realized when other organizational strategies are modified
  • Potential conflicts with other resilience objectives are addressed as organizational strategies are

Finally, as a CRO, you know better than anyone how challenging it is to develop a resilience function at your organization.

With ISO 22336, you’re not alone in that resilience-building effort. And so, we’ve sought to explain what’s in the standard, so that you can quickly get to the work of building out or enhancing your strategic capability to anticipate and respond to change to survive and prosper.

Need a tear-away sheet, so that your team can start implementing ISO 22336 guidance today? Just print out and use the one below.

The ISO 22336 Cheat Sheet: What CROs should know

What is ISO 22336?

The ISO 22336:2024 standard offers comprehensive guidance to help organizations develop, implement, and maintain resilience policies and strategies. The standard addresses the need for integrating resilience into core business functions by aligning policies with the broader risk landscape, fostering interdependencies, and promoting continual improvement.

What’s in the standard?

Resilience context and strategic decision-making

Organizations must analyze internal, external, and interaction contexts to understand the challenges they face. A resilience mindset drives strategic thinking and supports proactive decision-making systems, allowing businesses to respond effectively to disruptions.

Developing resilience policies and strategies

A resilience policy defines the organization's approach to building resilience. The strategy outlines specific objectives and actions aligned with organizational goals. The standard promotes consistency between resilience objectives, strategies, and business processes to ensure alignment across all departments.

Suite of organizational strategies and policies

A successful resilience program must be integrated into existing organizational strategies and governance frameworks, such as business continuity, crisis management, information security, and other related programs. Policies need to reflect the consideration of risk and opportunities for improvement, ensuring that resilience remains dynamic and responsive.

Contextual awareness and risk integration

Internal, external, and interdependency contexts are essential to understanding vulnerabilities. The ISO framework encourages organizations to map interdependencies, including suppliers, partners, and critical functions, to ensure resilience across the entire value chain.

Implementation and continual improvement

The standard emphasizes the importance of strategy implementation through measurable objectives and the use of feedback mechanisms. Organizations must promote continual improvement by regularly reviewing policies, testing resilience measures, and incorporating lessons from past incidents.

Get started with resilience

  1. Conduct a gap analysis. Identify existing strengths and areas for improvement.
  2. Develop a resilience policy. Establish a commitment to resilience that aligns with strategic objectives.
  3. Define resilience strategies. Build actionable plans that integrate resilience across departments and units.
  4. Engage stakeholders. Collaborate with partners, suppliers, and employees to ensure comprehensive resilience coverage.
  5. Invest in the right resilience-enhancing technologies. Next-gen, integrated solutions like Noggin provide a comprehensive and holistic approach to resilience, facilitate crucial collaboration and coordination, unlock critical insights, keep stakeholders informed, and streamline essential workflows for planning and response.
  6. Implement continual improvement processes. These solutions also help you test and refine resilience measures regularly, in keeping with the standard’s guidance, through exercises and feedback.