Resilience, Yes - But Get It Right!

More than ever before, resilience is today a question of securing future existence. The demand is for organizational structures that are able to adapt continuously to changing conditions in their environment. In the same vein, holistic levels of protection for resilience are required — both technically and organizationally. Taken together, such measures and processes are orchestrated in business continuity management (BCM).

Some analysts have discerned the collapse of Lehman Brothers as the starting point of a time of full-blown crises: first the related global financial crisis, then in 2015 the so-called refugee crisis, followed only a little later by the justifiable declaration of the climate crisis. The hopes of some that the disorder and chaos would be limited to a single decade were dashed with the start of the COVID-19 pandemic. Then, just when tensions appeared to be easing, a war starts in the middle of Europe. The crises are overlapping. We are all forced to accept the realities of our world and to respond.

The vehement impact of the changes triggered by the crises, destruction, and disruption of recent years will probably not become fully clear for several years to come. This is true for our planet, our society, and our economy. Crises do not happen in a vacuum, nor do they disappear on their own. They can all be traced back to the interaction of the various players in the global community.

Some of these players and companies understand how to deal with disruption and crises better than others. They are commonly described as being more resilient. The inflationary use of the term has reduced its impact to almost zero today. And yet it encompasses a characteristic that, in view of the developments coming our way, can be described without reservation as the most important of all.

How do systems respond to shocks?

The term resilience is derived from the Latin verb resilire and means more or less “to bounce back” or “to rebound.” Resilience was first used as a yardstick in physics to express the resistance of materials. The term describes the ability of a substance to return to its original shape after being deformed by pressure or force. A sponge, for instance, has much higher resilience than a piece of wood.

Taking this simple principle as a starting point, resilience research today analyzes complex systems and their behavior when confronted by shocks and disruptions. To put it simply: how resiliently does a system respond to a crisis? A system in this sense can be a country or an organization of any size and purpose or even a single individual.

Referring again to the physical concept, the term “bounce back” often appears and refers to the ability to return to the initial state after a disturbance. When used in reference to current crises, it describes the desire to restore the state of affairs that existed prior to the moment triggering the disruption once the specific event has passed. This desire ignores the fact that every crisis also brings change, however. It is never possible to return to the previous position.

The expanded concept of resilience

Researchers therefore find an expanded concept of resilience more useful. It was first employed by ecologist C. S. Holling in his 1973 paper, “Resilience and Stability of Ecological Systems.” He writes here: “If we are dealing with a system profoundly affected by changes external to it, and continually confronted by the unexpected, the constancy of its behavior becomes less important than the persistence of the relationships. Attention shifts, therefore, to the qualitative and to questions of existence [...].”

Florian Roth from the Fraunhofer Institute for Systems and Innovation Research ISI draws on this understanding of resilience to advocate the use of the term “bounce forward.” What he means is the ability of the system to adapt continuously to changing environmental conditions and so to mature in the long term rather than to return to its previous state after a shock event has passed. In his book, Nassim Taleb also argues for “random affinity” systems with a kind of hyper-robustness that he calls “anti-fragility.”

Although this sounds simple, it is often associated with challenges in practice. Building resilience that can handle a specific situation precisely is virtually impossible. After all, no one can ever foresee all conceivable crisis scenarios that might occur within complex system relationships. And since this is not possible, the essential issue is the acquisition of the ability to adapt constantly and to have key skills and critical resources at hand at all times.

For companies, this means initiating measures that do not aim solely at restoring the previous status as quickly as possible, but pursue instead far-sighted and sustainable further development of the business.  While Holling spoke of the relationship to the climate and society, his comments are equally relevant in a business context and for each and every one of us; today, more than ever, resilience is a question of future existence.

We know the discussion from “fail fast,” the culture of mistakes that is a part of the genetic make-up of startups with high acceptance (for failures and new beginnings) in the USA, but lower tolerance for mistakes in the EU and even more so in autocratic systems. When crises overlap, it becomes more direct and immediate: survival becomes a matter of supply chain availability, finances, employee talent and skills, data and process, resources, climate, etc.

Business continuity management as a response to crises

Every critical incident represents a potential threat to a company’s existence. It might be a global financial or health crisis, armed conflicts, or even a comparatively simple attack on the company’s own IT infrastructure. In such a situation, will my company as a market participant still be a reliable player for others (customer, supplier, partner, employer, financer)? In accounting, for example, the principle of “going concern” is used as a forecast criterion for the next twelve months. Could due payments be guided? In a world determined by “black swan” disruptions, the assessments must be constantly repeated.

In the same vein, holistic levels of protection for resilience are required — both technically and organizationally. Such measures and processes are collectively known under the term of business continuity management (BCM). Its goal is to ensure survival with the aid of two components. One is the installation of preventive measures to avoid or mitigate effects from a disruptive event, i.e., to increase the resilience of business processes. The other is the concrete preparation of measures once such an event has occurred, including plans classified according to emergencies, crises, and disasters.

A first step for management must be to provide a concrete overview in risk management of the assets (“assets at risk”) during harmful events and the resulting causal chains, e.g., in scenarios. For cyber-resilience, this means taking a structured approach for working through all conceivable security vulnerabilities. What would be the impact on assets for what types of attacks via what attack paths (“vectors”)?  The company’s own IT systems should be secured in accordance with the state of technology or “market standard as a minimum”; compliance requirements should be reviewed to ensure they have been met, and emergency and recovery plans should be drawn up. Supply chains must be reviewed and secured; price shocks, economic cycle and demand fluctuations or failures along with other emergency and crisis scenarios must be simulated. The overall view that has been obtained can then be used for the development of strategies that are derived from the overall risk determination, that contribute to the BCM (or IT SCM) and cyber-security, and that promote the robustness of existing systems — and so of the organization as a whole.

If they are to reach this point, companies must discard the traditional view of separate (IT) systems. Along with the technical aspects, BCM implementation includes its own process organization, committees, reporting chains, communication plans, and other elements. Objects of this implementation are the critical resources for the company. One path to resilience is the ability to repurpose flexibly existing resources of all kinds. Adaptability and, in the event of disruptions, the ability to respond agilely are essential. This shows that security issues can by no means be reduced to a question that concerns IT only. The organization must be viewed holistically.

One insight we can glean from resilience research is the ability to specifically leverage existing, valuable resources to overcome crises. Companies that are not content merely to overcome a crisis, but go on to develop their business in the midst of changing environmental conditions, can not only survive crises, but will be even stronger when the crises have passed. They are the ones who can be trusted to have a future.