| Organisational resilience takes all appropriate actions to help ensure the organisation’s continued viability |
In this day and age, the traditional components of security officers, cameras, access control and alarm systems aren’t enough to protect a company or organisation.
No matter how good your preparations, security sometimes breaks down, and bad things happen. That can take a toll on a business. Today, security’s role extends to organisational resilience.
What is organisational resilience? The ASIS International American National Standard on Organisational Resilience (OR) defines it as “a management framework for action planning and decision making needed to anticipate, prevent if possible, and prepare for and respond to a disruptive incident (emergency, crisis or disaster). It enhances an organisation’s capacity to manage and survive the event and take all appropriate actions to help ensure the organisation’s continued viability.”
Organisational resilience is perhaps the most important responsibility that security has today. It goes beyond traditional security and provides business value to the organisation by ensuring business continuity.
“Businesses are in business to create value,” says Marc Siegel, the commissioner, global standards initiative for ASIS International’s European Bureau. “Crisis management is the process of facilitating the recovery of business functions after an event.”
That idea suggests a new way of conceiving of the role of security. Traditionally, the idea that security could and probably would break down one day went unspoken and unrecognised.
| see bigger image |
Today, we know better. Good security organisations and systems work fine most of the time. Sometimes, though, airplanes fly into buildings and people with guns burst into company offices and start shooting. Now, the security team becomes a response, recovery and business continuity team.
Response, of course, comes first. In the case of an active shooter, for instance, the response and recovery work would involve calling the police, hustling people to safety when possible, providing first aid for the injured, supporting the police when they arrive and initiating recovery plans that will enable business to continue with as little downtime as possible.
Then comes recovery. How did this event affect the company’s ability to do business? How can you help organise a return to full service capabilities?
Identifying and recovering from problems
Response and recovery deals with a variety of threats to a business, criminal and otherwise. For instance, Siegel once consulted with a client that generated hazardous materials during manufacturing. Disposing of the waste cost so much that the company found it easier and less expensive to store the waste in barrels at the plant.
Was on-site storage really less expensive? The barrels cluttered up the plant and created an eyesore for neighbors. As the company’s security consultant, Siegel decided to check. After all, storing hazardous material on site seemed like a safety risk.
“When we investigated, we found that it was not really a hazardous waste problem,” he says. “It was an accounting problem. Purchasing was buying chemicals in bulk to for the volume discounts.”
| Building OR begins with eliminating security silos and divisional silos within a business |
“While that seemed like a good idea, when we added in the lifecycle costs of the chemicals, including final disposal, we discovered that it was actually more cost effective to buy smaller quantities of chemicals, generate less waste and pay a reasonable disposal fee.”
By solving the hazardous waste problem, Siegel solved two other problems no one had noticed before. The workers felt safer with the hazardous materials gone and grew more efficient, and the neighbours saw that the waste had been cleaned up and grew more comfortable with the plant. Overall, OR improved.
Building organisational resilience
“Building OR begins with eliminating security silos and divisional silos within a business,” Siegel says. “We have to begin thinking of ourselves as risk managers. We have to get to know the managers in other divisions and the risks they need help managing. There are risks in every department, and so everyone is part of risk management solutions.”
“In the end, OR is the outcome of hitting the sweet spot between business management and risk management processes,” says Siegel.