As noted in the previous columns, definitions of the concept of resilience vary within different disciplines and sectors, such as critical infrastructure, homeland security and emergency, and disaster management response. However, the common characteristics of adaptability, transformation and flexibility appear generally consistent.
While resilience has been described as “the capacity for complex systems to survive, adapt, evolve and grow in the face of turbulent change” (US Council of Competitiveness, 2006), by extending this description, it is possible to extrapolate that resilience is a counter to insecurity. In this extended context, resilience addresses unknown future challenges and uncertainty; that is, the inability to know what combination of conditions will occur in the future. If the future were predictable, resilience would lose its importance because all planning would be based on a known set of conditions. But because the future is unpredictable, it is necessary to plan for a wide range of possible conditions and outcomes, including some which may be unlikely but which could result in significant harm if they are not anticipated.
To apply the resilience concept it needs to be considered in a specific context; that is, who or what needs to be made resilient to whom or what threat or risk. This is where the role of security professionals can contribute to achieving resilience in an organisation. Within the context of a business or a corporation, resilience means having the capability and skills to adapt quickly to disruptions while safeguarding people, assets and reputation and while maintaining business operations. This is directly linked to the security of those people, assets and resources.
Not all personnel or resources will be essential to maintain an organisation’s functions or critical services during a disruption. Security professionals are well placed to assist and to advise C-Suite executives to identify which assets and resources would be essential and therefore need to be made resilient, as well as identifying essential personnel. To do this requires defining what functions, elements or systems are critical and therefore need to be resilient to changes that may lead to disruption. Keep in mind that an organisation is an interconnected system composed of many different components that form different system levels. This means that an organisation can be resilient at some of the levels but not necessarily at others, meaning other parts of the organisation can be vulnerable.
Resilience is similar to vulnerability in that it cannot simply be measured in a single metric; its importance lies in the ultimate multi-dimensional outputs (the consequences) of the system for any specific inputs (risks and threats).
Detecting those risks and threats is a constant challenge. Different organisations use different processes and types of analysis to identify future potential disruptions. Some organisations do this by using trends analysis, which is a simple approach based on historical events and data to project into the future. The problem with this approach is that it assumes past events are likely or may recur, and it assumes an absence of unprecedented future events. Other organisations use a process of horizon scanning to detect early signs of potentially important developments that may lead to disruptions. It does this by determining what is constant, what changes and what constantly changes both inside and outside the organisation. This approach enables identification of unexpected issues as well as identification of persistent trends and problems that may be potential risks or threats that contribute to or cause a disruption.
Whatever approach is used, the results need to be constantly reviewed because internal and external factors change. This means that a simple tick-the-box approach cannot be used to achieve resilience.
Dr Rita Parker is a consultant advisor to organisations seeking to increase their corporate and organisational resilience and crisis management ability. She is an adjunct lecturer at the University of New South Wales at the Australian Defence Force Academy campus where she lectures on resilience and non‑traditional challenges to security from non‑state actors and arising from non-human sources. Dr Parker is also a Distinguished Fellow at the Center for Infrastructure Protection at George Mason University Law School, Virginia, USA. She is a former senior advisor to Australian federal and state governments in the area of resilience and security. Dr Parker’s work and research has been published in peer‑reviewed journals and as chapters in books Australia, Malaysia, the United States, Singapore and Germany and presented and national and international conferences. Rita holds a PhD, MBA, Grad. Dip., BA, and a Security Risk Management Diploma.