Whitepaper

The Digital Technology Needed to Implement ISO 22316

Noggin

Business Continuity Software

Updated November 13, 2023

Introduction

The ISO 22316:2017 standard provides guidance to enhance organizational resilience for any size or type of entity. It therefore goes a long way toward answering the question: what is a resilient organization?

So, what is one? Well, resilience, here, refers to the ability of a firm to absorb and adapt to the changing (business) environment while continuing to deliver on the objectives that enable survival and prosperity.

Given the stakes involved in achieving and maintaining resilience, this guide lays out what policies, strategies, and (most importantly) digital tools are needed to implement the ISO 22316 standard.

A primer to ISO 22316

Let’s start with what the standard prescribes.

For one, ISO 22316 urges entities to install senior management that’s committed to enhancing organizational resilience – and not just organizational resilience as a general concept. The standard lays out a set of general principles that make organizations resilient in the first place.

The checklist of organizational resilience principles that senior management should follow includes the following:

  • Behavior aligned with a shared vision and purpose

  • Rely upon an up-to-date understanding of the organization’s context

  • Rely upon an ability to absorb, adapt, and effectively respond to change

  • Rely upon good governance and management

  • Supported by a diversity of skills, leadership, knowledge, and experience(s)

  • Coordination across management disciplines and garnered contributions from technical and scientific areas of expertise

  • Rely upon effectively managing risk

Beyond following abstract principles, though, the standard advises senior leaders to make firm commitments. The resilience-enhancing activities firms should pursue include the following:

  • Provide adequate resources to enhance the organization’s resilience

  • Find mechanisms to ensure those investments are appropriate to the organization’s internal and external contexts

  • Develop appropriate governance structures to achieve the effective coordination of organizational resilience activities

  • Invest in systems that support effective implementation of organizational resilience activities and arrangements to evaluate and enhance resilience in support of organizational requirements

  • Pursue effective communications to improve understanding and decision making

Sharing information and knowledge

The remainder of this guide delves deeper into the systems needed to implement organizational resilience activities and arrangements, starting with the imperative to share information and knowledge.

Indeed, when it comes to resilience, not much gets accomplished without the right information, getting to the right people, at the right time. However, this has long proven a perennial challenge to building and enhancing organizational resilience capacity.

What’s needed, instead? Per the standard, organizations should be sharing important experiences. And those learnings should be extracted from all available sources.

This goes a long way to ensuring that information, knowledge, and learning are all valued and recognized as critical resources of the organization.

To make that happen, however, information – both coming from within and without the organization – must be readily accessible, understandable, and adequate to supporting the organization’s core objectives.

Knowledge and information, here, must be created, retained, and applied through established systems and processes. Those processes include the sharing of relevant information in a timely manner with relevant interested parties and (then) applying it in organizational learning.

Resourcing requirements in ISO 22316

As many organizations will know, achieving these information-sharing objectives isn’t easy, even for those committed to implementing ISO 22316.

The standard argues that these organizations must first invest in knowledge-sharing resources, including people, premises, technology, or other assets. But it’s important to caveat this advice by saying that organizations must invest in the right knowledge-sharing resources.

To guide this search, ISO 22316 recommends resourcing the following activities:

  • Taking appropriate decisions on resourcing and capacity diversification, replication, and redundancy to avoid single points of failure and respond to incidents and change, so that core services are maintained at an acceptable, pre-determined level

  • Selecting and developing employees with a diverse set of skills, knowledge, and behavior that can contribute to the organization’s ability to respond and adapt to change

  • Developing an ability to identify and respond to changes in a flexible manner, including modifying and redeploying capabilities, arrangements, structures, activities, and behavior to adjust to new conditions

  • Routinely reviewing the suitability, availability, and allocation of resources, taking account of the impact of any changes in the organization and its context

Additionally, organizational resilience, as the standard also notes, entails continually monitoring performance against pre-determined criteria. The reason is to learn and improve from experience.

Continual improvement, as such, should be an organizational ethic or value. Demonstrated by a commitment to validate and continually improve resilience activities and capabilities, such an organizational culture would serve to ensure that larger business objectives, strategies, and procedures are kept relevant and appropriate in supporting the changing needs of the organization (see more below).

How can senior leaders make that happen? The standard recommends prioritizing (1) the implementation of performance monitoring and evaluation mechanisms to support continual improvement and (2) performance management criteria that are responsive to changes that affect organizational objectives.

Evaluating the factors that contribute to resilience

ISO 22316 goes on to recommend an initial assessment of organizational resilience to inform the work that must be undertaken immediately. This will also have a resourcing component.

Before implementing a monitoring process, though, an organization should undertake the necessary reviews, applying agreed-upon metrics to determine the organization’s resilience.

Here, top management should gauge whether resilience is acceptable or falls short of requirements. Then, the organization should consider appropriate strategies to address significant gaps that are found in the assessment.

That’s not the end of responsibility for top management. Senior leaders should also supervise periodic reviews. These reviews would consider changes to the organization’s context, including the following:

  • Changes in organizational vision, strategy, or objectives

  • Major structural or business model changes, including mergers, acquisitions, and divestments

  • New markets or territories that the organization has entered

  • Newly introduced products and services

  • Significant staff changes

  • Effectiveness of improvements made since the previous review

  • Feedback on the effectiveness of the organization’s resilience

  • Changes in risks that need to be addressed

From there, senior leaders will have to compare outputs from evaluation processes against other related review processes, such as the results from related internal audits, incident debriefs, strategy planning, near misses, and regulatory compliance.

Top management should also confirm that monitoring arrangements are appropriate and provide input to the identification and treatment of issues before their impacts become too damaging or opportunities are missed.

Digital technologies to facilitate reporting and promote organizational resilience

The outputs from monitoring organizational resilience will likely include summary reporting. Summary reporting will give top management the necessary assessment of resilience against the attributes most relevant to the organization.

After that, senior leaders should:

  • Use on-going monitoring reports to track trends in the data that have been used to evaluate organizational resilience

  • Confirm that current information management systems provide essential data to support the input required for an organization’s resilience monitoring

  • Use the output of the reporting process to develop action plans to enhance organizational resilience

The only problem is that not all information management systems provide essential data to support resilience activities. Again, top management must intervene, in this case by considering the resilience management software platforms that can provide a comprehensive and holistic approach to resilience.

In our exhaustive review of digital tools needed to implement ISO 22316, we’ve found that the following capabilities are needed to ensure such a comprehensive and holistic approach to resilience:

Integrated resilience

Seamlessly unify operational risk management, operational resilience, business continuity management, security operations, crisis and incident management, and emergency management.

Boost resilience with effective crisis management

Organizations are likeliest to be derailed from their path to resilience in moments of acute crisis. To that end, their digital tools should empower organizations to plan, coordinate, and streamline their response efforts to minimize the negative consequences of an incident, crisis, or emergency and return operations to normal as quickly as possible, with integrated threat intelligence, response plan activation, team collaboration, and post-crisis reviews.

Key features should include:

Incident management

Report and manage all incidents and crises. Activate teams, assign response tasks, record decisions, facts, and assumptions, and share updates with key stakeholders.

Situational awareness

Improve situational awareness with customizable dashboards that gather data using scrolling banners, live maps, and feeds to consolidate information from various sources, including news, weather, social media, traffic, and natural disaster streams.

Team activation and collaboration

Swiftly notify response teams and keep communication lines open. Team members can easily join dedicated chat groups to discuss incidents while the platform should also foster collaboration, allowing them to share important details, assess the impact of the event, and collectively devise effective response strategies.

Crisis communications

With built-in crisis communication and collaboration tools like chat, email, SMS, voice, and app push messages, the platform should make it easy to work in real-time with your team, better coordinate your response, and keep everyone informed.

Response plans and checklists

With a comprehensive library of best practices, digital technology should generate crisis and incident response action plans. Customize pre-existing strategies to align with your organization’s requirements or develop your own unique plans to effectively address your organization’s specific needs.

Exercise management

Don’t wait for a real-world crisis to test your organization’s readiness. Digital technology should offer an exercise management solution, so that you can be confident that teams are prepared to handle any situation that comes their way.

Post-incident reviews

Conduct meaningful after-action reviews, improvement activities, and post-incident reviews to capture the key takeaways from any incident or exercise. Learn from experience and boost your organization’s resilience.

Data and analytics

Analyze trends and create dashboards to visualize metrics important to your organization. Create custom reports as PDF or Word documents and share with stakeholders to improve data visibility, accountability, and lessons learned.

As noted, the maintenance of resilience involves continuous improvement. And to this end, digital tools should also fashion themselves as integrated resilience workspaces to empower organizations to cultivate a culture of continuous improvement across all major solution areas, e.g., operational risk management, operational resilience, business continuity management, security operations, crisis and incident management, and emergency management.

Finally, with the right integrated resilience management platform, resilience-pursuing firms can not only implement ISO 22316 but also gird themselves against the disruptive forces sure to come their way, by consolidating lessons learned from planning and response processes, harnessing resilience data to derive valuable insights for informed decision-making, and taking proactive actions to strengthen resilience.
