ICOR Presents: ISO/TC 223 Societal Security...ISO 22398: Guideline for exercises and testing ISO /...


Transcript of ICOR Presents: ISO/TC 223 Societal Security...ISO 22398: Guideline for exercises and testing ISO /...

  • ICOR Presents: ISO/TC 223 Societal Security

    International Standardization Aimed at Increasing Crisis and Continuity Management

    Capabilities and Awareness in Order to Improve the Resilience of Society

    ISO/TC 223: Early Beginnings

    ©2012 ICOR ALL RIGHTS RESERVED 2

    ISO/TC 223 got its start with the sinking of the Russian submarine Kursk in the Barents Sea in Sept. 2000.

    The international community lacked the tools necessary to cooperate effectively in emergency situations, resulting in an initiative from the Russian standards organization, GOST, to establish ISO/TC 223.

  • From “Civil Defence” to “Societal Security”

    In 2001, the committee was originally titled “Civil Defence”, with the intention of standardizing emergency procedures.

    After the 9/11 attacks and a surge in natural disasters, ISO conducted an assessment in 2005, began the work in earnest, and renamed the committee “Societal Security” to broaden its approach beyond purely “civil” defence.


    Early Optimism & Resulting Challenges

    Built on five major works in emergency management from Australia, Israel, Japan, the UK, and the USA:

    ISO/PAS 22399:2007 Societal security – Guideline for Incident Preparedness and Operational Continuity Management

    However – none of the countries wanted to use the new standard in replacement of their national standards…


    To what extent are countries prepared to relinquish their own solutions in search for common ground?

  • ISO/TC 223 Societal Security - Restarted

    Technical Committee formed by ISO in 2008 in the area of Societal Security

    Aims to increase crisis management and business continuity capabilities through improved:

    • Technical,

    • Human,

    • Organizational, and

    • Functional interoperability as well as

    • Shared situational awareness


    ISO/TC 223 Societal Security

    TC 223 develops standards for the protection of society from, and in response to, incidents, emergencies and disasters caused by intentional and unintentional human acts, natural hazards and technical failures.

    Its all-hazards perspective covers adaptive, proactive and reactive strategies in all phases before, during and after a disruptive incident.

    The area of societal security is multi-disciplinary and involves actors from both the public and private sectors.

    An emphasis on developing deliverables that will contribute to improving the resilience of society


  • ISO/TC 223 Societal Security

    ISO/TC 223 aspires to answer how individuals, organizations, communities and society can

    Anticipate, prevent, prepare for, respond to and recover from disruptive events potentially resulting in an incident, emergency, crisis or disaster

    Protect assets (human, physical, intangible and environmental) from disruptive events

    Identify, assess, and leverage their capacity and capabilities to withstand disruptive events.


    ISO/TC 223 Societal Security

    ISO/TC 223 provides tools to enhance capacity and demonstrate improved performance through:

    Standardization for the prevention and management of disruptive events

    Standardization to promote collaboration and coordination of incident identification, response and recovery

    Standardization for the design, deployment and evaluation of technical capabilities.


  • ISO/TC 223 Societal Security

    Approximately 45 countries are participating, with 17 others observing. At this time there are six work groups working on the following initiatives:

    1. Framework Standard on Societal Security Management

    2. Terminology

    3. Emergency Management

    4. Preparedness & Continuity

    5. Video Surveillance

    6. Mass Evacuation

    Within each Work Group are different Project Teams that work on specific standards.


    The US Delegation: NFPA / ANSI


  • ISO 223 Societal Security Series

    ISO 22300: Terminology – published May 2012

    ISO 22301: BCMS – published May 2012

    ISO 22311: Video surveillance – Export interoperability

    ISO/TR 22312: Technological capabilities – published 2010

    ISO 22313: BCMS Guidelines – publication expected August 2012

    ISO 22315: Mass Evacuation

    ISO 22320: Emergency management – Requirements for incident response – published November 2011

    ISO 22322: Emergency management – Public warning

    ISO 223XX: Organizational Resilience

    ISO 22324: Emergency management – Colour coded alert

    ISO 22325: Emergency management – Guidelines for emergency capability assessment

    ISO 22351: Emergency management – Shared information awareness

    ISO 22397: Public/Private partnerships – Guidelines to set up partnership agreements

    ISO 22398: Guideline for exercises and testing

    ISO/PAS 22399: Guideline for incident preparedness and operational continuity management – published 2007


    Types of Standards

    Management System Standards

    Specify requirements that can be applied to any organization, regardless of the product it makes or the service it performs

    • Auditable

    • Organizations can be certified to these standards as complying with their requirements

    – ISO 22301 is the only standard in this series that is a management system standard


  • Types of Standards

    Guidance


    Types of Standards

    Technical Report


  • Types of Standards

    Published Document


    Types of Standards

    Publicly Available Specification

    A step in the process of standardization. It includes useful and practical information that can be made available quickly to suit the market need of the developers and users of a product, process or service.


  • Standards Divided by Discipline

    Emergency Management

    (Public Sector)

    ISO 22311: Video surveillance-Export interoperability

    ISO 22315: Mass Evacuation

    ISO 22320: Emergency management – Requirements for incident response

    ISO 22322: Emergency management – Public warning

    ISO 22324: Emergency management – Colour coded alert

    ISO 22325: Emergency management – Guidelines for emergency capability assessment

    ISO 22351: Emergency management – Shared information awareness

    Business Continuity

    (Private Sector)

    ISO 22301: BCMS Requirements

    ISO 22313: BCMS Guidelines

    ISO 223XX: Organizational Resilience Principles & Guidance


    Both (Public & Private Sector)

    ISO 22300: Terminology

    ISO 22312: Technological capabilities

    ISO 22397: Public/Private partnerships

    ISO 22398: Guidelines for exercises

    ISO 22399: Guidelines for Incident Preparedness & Operational Continuity Management

    Emergency Management Standards (Public Sector)

  • ISO 22311: Video Surveillance - Export Interoperability

    Purpose of the Standard: Video-surveillance is a crucial asset in intelligence collection, crime prevention, crisis management, forensic applications, etc.

    The minimum requirement in societal security is for the authorities to be able to rapidly use the data collected by different CCTV systems from given locations.


  • Video Surveillance-Export Interoperability

    Provides an export interoperability profile which constitutes the exchange format and minimum technical requirements that ensure that the digital video-surveillance contents exported:

    Are compatible with the replay systems,

    Establish an appropriate level of quality, and

    Contain all the context information (metadata) necessary for their processing.


    Video Surveillance-Export Interoperability

    It is crucial for societal security that present and future video-surveillance systems implement this interface to allow efficient forensic processing of the material produced, often in massive quantities.

    This standard also contains provisions to ensure that citizen privacy measures can be implemented.


  • Video-Surveillance Systems Generic Architecture

    A CCTV system usually consists of hardware, software and human elements.

    The standard presents a CCTV system for security applications as functional blocks, which portray the various parts and functions of the system as well as the interactions with the human stakeholders.


    The Following Graphics are Provided

    Functional blocks of a CCTV system for security applications

    Generic files organization

    Structure of the Audio-Video Package XML description and integration in the folder

    Arrangement of the XML Descriptor

    Arrangement of the descriptive metadata

    Sensor metadata items

    Event metadata items


  • Minimum Requirements for Interoperability

    The implementation of this standard shall be such that widely available OS independent tools will allow for minimal processing of received standard files by societal security organizations, ensuring as a minimum the following and any combination thereof:

    Videos and metadata display;

    Direct access to the metadata without display of the videos;

    Selection of content time slots;

    Access to the sources defined by name or scene-location.
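    As an added worked example (not part of the ICOR deck, and not the ISO 22311 descriptor schema, which the deck does not reproduce), the Python below shows what the minimum processing listed above looks like when an exported package is handled metadata-first, in the spirit of the “Generic files organization” and “XML Descriptor” graphics: a constructed, hypothetical XML descriptor is parsed; the sensor and event metadata are listed without opening any video file; recordings are selected by time slot; and sources are looked up by name or scene-location. The element and attribute names (`package`, `sensor`, `segment`, `event`, `scene-location`), the camera names and the timestamps are all invented for the illustration. The last function is a practitioner's check the deck does not mention: a file reference in the descriptor that would resolve outside the package folder is flagged before any replay tool follows it.

```python
"""Metadata-first triage of an exported video-surveillance package (added example).

The XML layout below is a constructed stand-in for illustration; it is NOT the
ISO 22311 descriptor schema, which this page does not reproduce."""
from __future__ import annotations

import posixpath
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample descriptor: hypothetical element/attribute names and data.
SAMPLE_DESCRIPTOR = """\
<package id="export-0001" exported="2012-06-01T10:00:00Z">
  <sensor id="cam-01" name="Lobby North" scene-location="Building A, ground floor lobby">
    <segment file="video/cam-01_0800.mp4" start="2012-06-01T08:00:00Z" end="2012-06-01T09:00:00Z"/>
    <segment file="video/cam-01_0900.mp4" start="2012-06-01T09:00:00Z" end="2012-06-01T10:00:00Z"/>
  </sensor>
  <sensor id="cam-02" name="Car Park Gate" scene-location="Building A, car park entrance">
    <segment file="video/cam-02_0800.mp4" start="2012-06-01T08:00:00Z" end="2012-06-01T10:00:00Z"/>
  </sensor>
  <event sensor="cam-02" time="2012-06-01T08:42:10Z" type="motion">Vehicle stopped at barrier</event>
  <event sensor="cam-01" time="2012-06-01T09:15:30Z" type="operator-tag">Person entered lobby</event>
</package>
"""


def parse_ts(text: str) -> datetime:
    """Parse an ISO 8601 UTC timestamp; a trailing 'Z' is accepted on any Python 3.7+."""
    return datetime.fromisoformat(text.replace("Z", "+00:00")).astimezone(timezone.utc)


@dataclass
class Segment:
    sensor_id: str
    file: str          # path relative to the package folder; never opened here
    start: datetime
    end: datetime


@dataclass
class Sensor:
    id: str
    name: str
    scene_location: str
    segments: list[Segment] = field(default_factory=list)


@dataclass
class Event:
    sensor_id: str
    time: datetime
    type: str
    text: str


@dataclass
class Package:
    id: str
    sensors: dict[str, Sensor]
    events: list[Event]


def load_package(xml_text: str) -> Package:
    """Read only the descriptor; no video file is touched."""
    root = ET.fromstring(xml_text)
    sensors: dict[str, Sensor] = {}
    for s in root.findall("sensor"):
        sensor = Sensor(s.get("id"), s.get("name"), s.get("scene-location"))
        for seg in s.findall("segment"):
            sensor.segments.append(Segment(sensor.id, seg.get("file"),
                                           parse_ts(seg.get("start")), parse_ts(seg.get("end"))))
        sensors[sensor.id] = sensor
    events = [Event(e.get("sensor"), parse_ts(e.get("time")), e.get("type"), (e.text or "").strip())
              for e in root.findall("event")]
    return Package(root.get("id"), sensors, events)


def sensor_catalogue(pkg: Package) -> list[tuple[str, str, str]]:
    """Direct access to the metadata without displaying any video."""
    return [(s.id, s.name, s.scene_location) for s in pkg.sensors.values()]


def segments_in_slot(pkg: Package, start: datetime, end: datetime) -> list[Segment]:
    """Select every recording that overlaps the requested time slot [start, end)."""
    return [seg for s in pkg.sensors.values() for seg in s.segments
            if seg.start < end and seg.end > start]


def events_in_slot(pkg: Package, start: datetime, end: datetime) -> list[Event]:
    """Select the tagged events that fall inside the time slot [start, end)."""
    return [e for e in pkg.events if start <= e.time < end]


def find_sensors(pkg: Package, name: str | None = None, scene_location: str | None = None) -> list[Sensor]:
    """Access sources by a case-insensitive substring of their name or scene-location."""
    def match(needle: str | None, hay: str) -> bool:
        return needle is None or needle.lower() in hay.lower()
    return [s for s in pkg.sensors.values()
            if match(name, s.name) and match(scene_location, s.scene_location)]


def unsafe_file_references(pkg: Package) -> list[str]:
    """Added hardening (not stated on this page): flag referenced files that would
    resolve outside the package folder, so a hostile descriptor cannot steer a
    replay tool to arbitrary paths."""
    bad = []
    for seg in (seg for s in pkg.sensors.values() for seg in s.segments):
        norm = posixpath.normpath(seg.file)
        if seg.file.startswith("/") or "\\" in seg.file or norm == ".." or norm.startswith("../"):
            bad.append(seg.file)
    return bad


if __name__ == "__main__":
    pkg = load_package(SAMPLE_DESCRIPTOR)
    slot = (parse_ts("2012-06-01T08:30:00Z"), parse_ts("2012-06-01T09:00:00Z"))
    print("sources:", sensor_catalogue(pkg))
    print("segments 08:30-09:00:", [seg.file for seg in segments_in_slot(pkg, *slot)])
    print("events   08:30-09:00:", [e.text for e in events_in_slot(pkg, *slot)])
    print("car park cameras:", [s.id for s in find_sensors(pkg, scene_location="car park")])
    print("unsafe references:", unsafe_file_references(pkg))
```

    The descriptor arrives from a third party's CCTV system, so treat it as untrusted input: in production, parse it with a hardened parser such as defusedxml rather than the standard library's ElementTree, and resolve every referenced file against the package root before opening it.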

    ISO 22315: Mass Evacuation

    (Photo captions: Israel; WWII bomb; US wildfires; Philippines typhoon)

  • ISO 22315: Mass Evacuation

    Governments and Emergency Management Agencies have a duty to prepare to evacuate areas in readiness for major catastrophic incidents.

    There is no template for the assessment of the plans for mass evacuation.

    Plans are developed using different assumptions, relying on different data, and are often specific to immediate hazards rather than being broad in scope.


    ISO 22315: Mass Evacuation

    Purpose: To develop a framework against which planners can assess their planning for mass evacuation.

    The framework will allow planners to identify how well developed their plans are and where additional resources might add value.

    The content of the standard will, in part, be informed by a 10-country, 3 year EU project on how countries prepare for mass evacuation.


  • ISO 22315: Mass Evacuation

    Covers 6 planning activities:

    1. Preparing the public to evacuate;

    2. Understanding the evacuation zone;

    3. Making evacuation decisions;

    4. Disseminating the warning message;

    5. Evacuating pedestrians and traffic; and

    6. Shelter management.


    ISO 22315: Mass Evacuation

    Will specify a consistent structure to plan for mass evacuation for a range of risks.

    Will cover the following tasks:

    Analyzing evacuation situations,

    Preparing,

    Training & exercising,

    A common framework for debriefing/assessing response.

  • ISO 22320: Requirements for Incident Response

    Published November 2011

    Overall approach to preventing emergencies and managing those that occur, with a focus on international, national, regional, or local incidents

    Specifies minimum requirements for effective incident response

    • Utilizes the “command and control” process

    • Decision support

    • Traceability

    • Information management

    • Interoperability


  • ISO 22320: Requirements for Incident Response

    Purpose: Need for a multi-national and multi-organizational approach for responding to an incident

    Enables incident response organizations to improve their capabilities in handling all types of emergencies

    Specifies minimum requirements for effective incident response

    Process of Providing Operational Information

    (Diagram: the cycle around the Mission – Planning & Direction, Collection, Processing & Exploitation, Analysis & Production, Dissemination & Information)

  • Multiple Hierarchical Command & Control Process

  • ISO 22322: Public Warning

    Purpose: Effective incident response needs structured and pre-planned public warning, which is the message broadcast by organizations dealing with societal security tasks to ensure the safety and security of the public and the vital functions of society.

    Public warning consists of an alert message and a notification message.

    It is necessary to establish a framework for risk identification, hazard monitoring, decision making, warning dissemination and evaluation.


    ISO 22322: Public Warning

    All organizations which are responsible for contributing to or issuing a public warning

    Should be aware of the system so that relevant, accurate, reliable, and timely information will be disseminated promptly (who);

    Should take continuous efforts to raise and maintain public awareness about the process of public warning (to whom);

    Should use all available means and technologies systematically and redundantly to ensure the highest quality of information (how);

    Should specify the following four elements for safety action: when, where, what hazard, and how to cope with (what).

  • ISO 22322: Public Warning

    (Diagram, Public Warning Process, with phases Planning / Decision-Making, Implementation, and Monitoring & Review; labelled steps: Hazard Identification, Hazard Monitoring, Area Identification, Warning Activation, Warning Area, Warning Methods, Warning Dissemination; people at risk, resources, and coordination.)

  • ISO 22324: Colour-Coded Alert

  • ISO 22325: Emergency Capability Assessment

    Purpose: Provide organizations with key elements and an assessment tool in order to determine the organization's state of emergency capability.

    Will seek to provide

    • Road map

    • Assessment model

    • Assessment procedure

    • Assessment criteria

    • Assessment tool


    ISO 22325: Key Elements

    1. Leadership

    2. Resources

    3. Resource Management

    4. Risk Management

    5. Risk Analysis

    6. Information & Communication

    7. Command & Control

    8. Coordination & Cooperation

    9. Structure

    10. Planning

    11. Exercise & Training

    12. Hazard Mitigation

    13. Hazard Mitigation

    14. Activation

  • Four Level Maturity Model

    Assessment Procedure

  • ISO 22351: Shared Situation Awareness

    A new standard not yet published in any manner – a new project.

  • Standards for Both Public & Private Sectors

    ISO 22300 Societal Security - Terminology

    Societal Security: “Definition please?”

  • ISO 22300 Societal Security - Terminology

    Purpose: Contains terms and definitions applicable to societal security to establish a common understanding so that consistent terms are used.

    6 categories

    • 2.1 Societal security

    • 2.2 Management of societal security

    • 2.3 Operational – Risk reduction

    • 2.4 Operational – Exercise

    • 2.5 Operational – Recovery

    • 2.6 Technology


    ISO 22300 Societal Security - Terminology

    2.1 Societal security defined

    Protection of society from, and response to incidents, emergencies, and disasters caused by intentional and unintentional human acts, natural hazards, and technical failures

    Civil protection

    • Measures taken and systems implemented to preserve the lives and health of citizens, their properties, and their environment from unnatural events

  • ISO 22300 Societal Security – Terminology

    2.1 Societal Security: All-Hazards, Disaster, Risk, Consequence, Threat, Risk Management, Business Continuity, Event, Hazard, Crisis, Incident, Mitigation, Resilience


    ISO 22300 Societal Security – Terminology

    2.2 Management of Societal Security: Capacity, Business Impact Analysis, Exercise Program, Risk Source, Emergency Management, Policy, Risk Owner, Performance, Objective, Partnership, Mutual Aid Agreement, Competence, Conformity / Nonconformity, Effectiveness, Corrective Action, Residual Risk, Continual Improvement

  • ISO 22300 Societal Security – Terminology

    2.3 Operational – Risk Reduction: Vulnerability, Contingency, Risk Assessment, Work Environment, Training, Probability, Test / Testing, Prioritized Activities


    ISO 22300 Societal Security – Terminology

    2.4 Operational – Exercise: Scenario, After-action Report, Inject, Drill, Exercise Coordinator, Script, Monitoring, Observer, Exercise, Functional Exercise, Exercise Safety Officer, Full-Scale Exercise, Strategic Exercise, Exercise Annual Plan

  • ISO 22300 Societal Security – Terminology

    2.5 Operational – Recovery: Coordination, Recovery, Improvisation, Protection, Shelter in Place, Operational Information, Incident Response, Command & Control, Incident Command


    ISO 22300 Societal Security – Terminology

    2.6 Technology: Forensic, CCTV System, Video-Surveillance, Scene Location

  • ISO 22312 Societal Security – Technological Capabilities

    A Technical Report that outlines the work of the Technical Committee for ISO/TC 223 and documents related work by:

    ANSI Homeland Security Standards Panel (HSSP)

    CEN BT/WG 161 Protection of the Citizen

    ISO/IEC/ITU-T SAG-S (Strategic Advisory Group on Security)

    Asia-Pacific Economic Cooperation (APEC) and Standards Australia initiative

    Documents work completed at the launch of the project

  • ISO 22397: Public-Private Partnership Agreements

    Purpose: Addresses principles, planning and development of partnership agreements with the objective of:

    Managing relations among relevant organizations,

    Promoting interoperability,

    Enabling governance, and

    Fulfilling the agreement.

    The modeling framework should lead to benefits such as:

    Structure to avoid and resolve conflicts among the organizations;

    Synergy in the use of organizations' resources to achieve objectives;

    Trust and sharing common procedures;

  • ISO 22398: Guidelines for Exercises

    Purpose: Describes the procedures necessary for planning, implementing, managing, evaluating, reporting and improving exercises, and the testing designs to assess the readiness of an organization to perform the mission.


  • ISO 22398: Guidelines for Exercises

    4 Establishing the foundation

    4.1 Needs and gap analysis

    4.2 Base of support

    4.3 Framework

    4.4 Scope

    4.5 Exercises within the system

    4.6 Planning Document


    ISO 22398: Guidelines for Exercises

    5 Planning & design

    5.1.1 Developing aim and performance objectives

    5.1.2 Team management

    5.1.3 Risk management & information security

    5.1.4 Environmental aspects

    5.1.5 Gender and diversity aspects

    5.1.6 Logistics

    5.1.7 Communication

    5.1.8 Resources

  • ISO 22398: Guidelines for Exercises

    5.2 Design & development

    5.2.1 General

    5.2.2 Selecting exercise type

    5.2.3 Exercise types

    5.2.4 Exercise methods

    5.2.5 Preparing scenarios

    5.2.6 Documentation

    5.2.7 Records

    5.2.8 Intervention


  • ISO 22398: Guidelines for Exercises

    Discussion Based

    Seminar

    Workshop

    Tabletop

    Game

    Operational Based

    Simulation

    Drill

    Functional

    Full-scale


  • ISO 22398: Guidelines for Exercises

    6 Conducting Exercises

    6.1 Run through

    6.2 Briefing

    6.3 Launch

    6.4 Wrap up

    6.5 Post exercise briefing

    6.6 Observation


    ISO 22398: Guidelines for Exercises

    7 Improvement

    7.1 After action review

    7.2 Evaluation

    7.3 After action report

    7.4 Management review

    7.5 Corrective action

    7.6 Implement follow up


  • ISO/PAS 22399: Guidelines for Incident Preparedness & Operational Continuity Management

    Purpose: Provide general guidance for an organization to develop its own specific performance criteria for incident preparedness and operational continuity and design an appropriate management system.

    Excludes specific emergency response activities such as disaster relief and social infrastructure recovery

  • ISO/PAS 22399: Guidelines for Incident Preparedness & Operational Continuity Management

    This standard has essentially been replaced by ISO 22301 and ISO 22313; however, it still contains some useful information. It has not yet been withdrawn, but it is not being reviewed for updating.

    Business Continuity Management Standards (Private Sector)

  • ISO 22301: BCMS - Requirements

    Published May 2012 - Developed from BS 25999-2:2007

    Scope of the standard: Applicable to all types and sizes of organizations that wish to:

    • Establish, implement, maintain, & improve a BCMS;

    • Assure conformance with stated BCM policy;

    • Demonstrate conformance to others;

    • Seek certification/registration of its BCMS by an accredited third party certification body; or

    • Make a self-determination and self-declaration of conformance with this International Standard.

    Plan-Do-Check-Act Cycle Applied to BCMS

    Establish (Plan)

    Implement & Operate (Do)

    Monitor & Review (Check)

    Maintain & Improve (Act)

    (Diagram: interested parties' requirements for preparedness & continuity management feed the PDCA cycle; its output is managed preparedness & continuity for the interested parties, with continual improvement of the preparedness & continuity management system)

  • ISO 22313: Guidance

    This International Standard provides guidance on ISO 22301 for setting up and managing an effective business continuity management system (BCMS).

    8.1.1 BCM Program Elements

    From ISO 22313

  • BS 25999-2 & ISO 22301 Comparison


    Topic                                           BS 25999-2       ISO 22301
    Context of the Organization                     ----             4.1 & 4.2.1
    Legal & Regulatory                              3.2.1.1          4.2.2
    Scope & Objectives                              3.2.1            4.3 & 4.4
    Management Commitment / Provision of Resources  3.2.3 & 3.2.4    5 & 7
    Policy                                          3.2.2            5.3
    Documentation                                   3.4              7.5
    BIA                                             4.1.1            8.0, 8.1 & 8.2
    Risk Assessment                                 4.1.2 & 4.1.3    8.2.3 & 6.1
    Strategy                                        4.2              8.3
    Plan Documentation / Implementation             4.3              6.2, 8.4 & 7.4
    Training & Awareness                            3.3              7.3
    Exercising & Testing                            4.4.2            8.5
    Program Maintenance & Improvement               4.4.3, 5 & 6     9 & 10

    *Reference Excel Comparison Document

    Review of ISO 22301 by Category

    4. Context of the Organization

    5. Leadership

    6. Planning

    7. Support

    8. Operation*

    9. Performance evaluation

    10. Improvement

    *contains bulk of the requirements


  • 4 Context of the Organization

    4.1 Understanding the organization and its context

    (Diagram: internal factors / external factors)

    4.2 Understanding Needs & Expectations of Interested Parties


    From ISO 22313

  • 4.3 Determining Scope of the System

    The whole organization? Or part of the organization?

    Scope of Program vs. Scope of Certification (diagram: scope of the BCM program vs. scope of certification)

  • 5 Leadership

    Management shall demonstrate leadership:

    Demonstrated management commitment

    BCM policy

    Roles, responsibilities & authorities defined

    6 Planning

    6.1 Actions to Address Risks & Opportunities

    • Assure the BCMS can achieve its intended outcomes

    • Prevent undesired effects

    • Realize opportunities for improvement

    • Evaluate the need to plan actions to address these risks and opportunities

    6.2 BC Objectives & Plans to Achieve Them

    • Be consistent with policy

    • Take account of the minimum level of products and services acceptable to achieve its objectives

    • Be measurable

    • Take into account requirements

    • Be monitored and updated as appropriate

  • 7 Support


    7.1 Resources

    7.2 Competence

    7.3 Awareness

    7.4 Communication

    7.5 Documented Information


    8 Operation


    8.1 Operational Planning & Control

    8.2 BIA & Risk Assessment

    8.3 Business Continuity Strategy

    8.4 Business Continuity Procedures

    8.5 Exercising & Testing


  • 8.1 Operational Planning & Control

    The organization shall determine, plan, implement, and control those activities needed to address the risks and opportunities by:

    a) Establishing criteria for those activities or processes

    b) Implementing controls

    c) Keeping documented information to demonstrate that they have been carried out as planned

    The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary

    Including those that are contracted out or outsourced.

    8.2 The BIA & Risk Assessment

    The organization shall have a formal and documented process for business impact analysis and risk assessment that:

    Establishes context

    Defines criteria

    Evaluates potential impact of a disruptive incident

    Accounts for legal and other requirements

    Includes systematic analysis

    Prioritizes risk treatments and costs

    Defines required output

    Keeps information up to date and confidential

    From ISO 22313

  • 8.2.2 Assessing Potential Impacts Over Time

    Consequences of non-compliance

    Damage to reputation

    Effects on staff & public well-being

    Deterioration of product or service quality

    Reduced financial viability

    Environmental damage

    From ISO 22313

    New Term: MBCO

    Minimum Business Continuity Objective (MBCO)

    Minimum level of services and/or products that is acceptable to the organization to achieve its business objectives during a disruption

    (Diagram: level of products/services in normal operations vs. during a disruption)

  • ISO 31000 Risk Management Process

    What may happen and why?

    What are the consequences?

    What is the probability?

    How to mitigate or reduce the probability of the risk?

    The process needs to take into consideration

    Financial

    Governmental

    Societal obligations

    The organization should understand the threats to and vulnerabilities of each resource required for each activity and in particular those

    Required by activities with high priority

    With significant replacement lead-time

    ISO 31000

  • Document the Risk Management Strategy

    Product/Service at Risk → Accept Risk; Change, Suspend, or Terminate Product/Service; or Transfer / Mitigate Risk

    Document & Sign Off = Risk Management Program

    Business Continuity: options to continue operations at pre-defined levels for People, Facilities, Technology, Physical Assets, Supply Chain, Data & Information

    8.3.1 Determination & Selection of Strategies

    Control or mitigate

    Financing / Insurance

    Acceptance

    Remove risk to activity: cease or change the activity

    Transfer risk to another part of the organization or a third party

    From ISO 22313

  • 8.3.1 Determination & Selection of Strategies

    Resource relocation

    Redundancy

    Resource & skills replacement

    Temporary workaround

    Manual procedures

    Asset restoration

    From ISO 22313

    8.3.2 Establishing Resource Requirements

    Facilities, Equipment, Utilities & Consumables

    Information, Data, Technology & Telecommunications Systems

    Employees & Stakeholders

    Transportation, Partners & Suppliers

    Reputation

    Finance

    From ISO 22313

  • 8.3.3 Protection & Mitigation

    The organization shall consider proactive measures that:

    Limit the impact of a disruption on the organization’s key services

    Shorten the period of disruption

    Reduce the likelihood of a disruption

    8.4 Establish & Implement BC Procedures

    8.4.1 General

    8.4.2 Incident Response Structure

    8.4.3 Warning & Communication

    8.4.4 Business Continuity Plans

    8.4.5 Recovery


  • 8.4.1 Establish & Implement BC Procedures

    The procedures shall:

    a) Establish an appropriate internal and external communications protocol

    b) Be specific regarding the immediate steps that are to be taken during a disruption

    c) Be flexible to respond to unanticipated threats and changing internal and external conditions

    8.4.1 Establish & Implement BC Procedures

    The procedures shall:

    d) Focus on the impact of events that could potentially disrupt operations

    e) Be developed based on stated assumptions and an analysis of interdependencies

    f) Be effective in minimizing consequences through implementation of appropriate mitigation strategies

  • 8.4.2 Incident Response Structure

    The organization shall establish, document, and implement procedures and a management structure to respond to a disruptive incident using personnel with the necessary responsibility, authority, and competence to manage an incident.

    Strategic

    Tactical

    Operational

    8.4.3 Warning and Communication

    The organization shall establish, implement, and maintain procedures for

    a) Detecting an incident

    b) Regular monitoring of an incident

    c) Internal communication within the organization and receiving, documenting, and responding to communication from interested parties

    d) Receiving, documenting, and responding to any national or regional risk advisory system or equivalent


  • 8.4.3 Communication and Warning

    e) Assuring availability of the means of communication during a disruptive event

    f) Facilitating structured communication with emergency responders

    g) Recording of vital information about the incident, actions taken and decisions made


    8.4.4 Business Continuity Plans

    The organization shall establish documented procedures for responding to a disruptive incident and how it will continue or recover its activities within a predetermined timeframe.

    Such procedures shall address the requirements of those who will use them.


  • 8.4.4.3 Specific Types of Procedures


    8.4.4.3.1 Incident / Strategic

    8.4.4.3.2 Communications

    8.4.4.3.3 Incident & Welfare

    8.4.4.3.4 Resuming Activities

    8.4.4.3.5 Recovery of ICT

    From ISO 22313

    8.4.5 Recovery

    Goal: Get operations back to the state they were in before the incident.

    Repair damage

    Migrate operations from temporary premises back to restored or new location

    From ISO 22313

  • 8.5 Exercising & Testing

    The organization shall conduct exercises and tests that:

    a) Are consistent with the scope of the BCMS;

    b) Are based on appropriate scenarios that are well planned with clearly defined aims and objectives;

    c) Taken together over time validate the whole of its business continuity arrangements involving relevant interested parties;

    d) Minimize the risk of disruption to operations;

    e) Produce formalized post-exercise reports that contain outcomes, recommendations, and actions to implement improvements;

    f) Are reviewed within the context of promoting continual improvement; and

    g) Are conducted at planned intervals and when there are significant changes within the organization or to the environment in which it operates.


    Sections 9 & 10: Continuous Improvement


  • 9 Performance Evaluation

    9.1 Monitoring, Measurement, Analysis, and Evaluation

    9.2 Internal Audit

    9.3 Management Review


    10 Improvement

    10.1 Nonconformity and corrective action

    The organization shall:

    a) Identify nonconformities; and

    b) React to the nonconformities, and as applicable

    1. Take action to control, contain and correct them;

    2. Deal with the consequences


  • 10.2 Continual Improvement

    The organization shall continually improve the suitability, adequacy or effectiveness of the BCMS.

    NOTE: The organization can use the processes of the BCMS such as leadership, planning and performance evaluation, to achieve improvement.


    ISO 223XX: Organizational Resilience Guidelines


  • ISO 223XX: Organizational Resilience Guidelines

    New proposed outline

    Organizational Resilience Defined

    What are the Benefits of Enhanced Resilience?

    Behaviors that Support Resilience

    Principles & Models that Support Resilience

    Relationship to Risk Management

    Measuring & Building Adaptive Capacity


    What is Organizational Resilience?


    Organizational resilience is the adaptive capacity of an organization in a complex and changing environment.

    ISO 22300

    o Planning and decision-taking in order to build and sustain the adaptive capacity of an organization in complex and rapidly changing circumstances;

    o Achieving the agile treatment of a broad range of risks uniquely applicable to each organization; and

    o Creating a culture that takes full advantage of adaptive change to meet its objectives and aims.

  • Benefits of Enhanced Resilience

    Organizations with adaptive cultures, innovative thinkers and inner strength thrive in the face of unpredictable markets. As such, building resilience has daily business benefits.

    Valikangas (2010)

    Enhanced Leadership Capacity

    Improved Performance

    Ability to Change as Needed

    Resilience Objectives

    An organization accepts that adversity may cause it to cease operating

    Exist in a reduced form after adversity

    Regain pre-adversity position quickly and effectively

    Improve aspects of its functioning so that it not only survives but possibly gains from event

  • Focus on Protection, Performance & Adaptation

    Protection of business systems. These systems need to be robust enough to survive various assaults and/or intrusions.

    Adaptation is required when circumstances change, demanding a change in the business focus, structure and processes.

    Performance refers to the need to get things right the first time and to move quickly to correct errors.

    Behaviors that Support Resilience

    Open Communication: Communicate as openly and regularly as possible with all concerned stakeholders.

    Honesty: Staff need to know that when they receive information it is truthful.

    Authenticity: Do what you say. There must be alignment between the purpose and values of the organization and what they do.

    Deep Knowledge & Expertise: Extensive training and exercises. Succession planning around key roles.

  • The Principles Model of Resilience

    Resilience is an outcome

    Resilience is not a static trait

    Resilience is not a single trait

    Resilience is multi-dimensional

    Resilience exists over a range of conditions

    Resilience is founded upon good risk management


    Volume 25, No.02, April 2010

    The Progression of Resilience Maturity


  • Static Model vs Principles Model

    Integrated Functions Model

  • Attributional Model

    Composite Model

  • Herringbone Model

    Resilience Triangle Model

  • Resilience Strategies Model

    Characteristics that Support a Resilient State

    Ability to recognize precedence

    Ambiguity Tolerance

    Creativity & Agility

    Stress Coping

    Learnability

  • Risk Management Can Increase Resilience

    A 2010 study by FM Global showed a positive correlation between the earnings stability of a company and its investment in physical loss prevention.

    By pursuing strong physical risk management processes and systems to prevent losses and reduce their likelihood, a company can potentially reap a measurable reduction in earnings volatility (40% less volatile than companies with less advanced risk management).

    Resilience Benchmark Survey

  • Dimensions & Indicators of Resilience


    Questions?

    Lynnda Nelson

    President, ICOR

    [email protected]

    866-765-8321 North America

    +1630-705-0910 International

    www.theICOR.org

    Jim Nelson

    Chair, ICOR

    President, [email protected]

    866-629-6327

    www.BusinessContinuitySvcs.com