Organizational Resilience Through ISO 22316 Standard: It is not a Matter of “Why” but “How”

//Organizational Resilience Through ISO 22316 Standard: It is not a Matter of “Why” but “How”

Organizational Resilience Through ISO 22316 Standard: It is not a Matter of “Why” but “How”

By: Dr. Antonius Alijoyo

26th October 2021

Organizational Resilience (OR) is important because it gives an organization the strength needed to process and overcome hardship. Many organizations have experienced hard lessons during pandemic Covid-19, as the world is still dealing with a deadly pandemic that negatively influences our social and business world. Those lacking resilience get easily overwhelmed and may turn to ineffective and unhealthy coping mechanisms. Whereas resilient organizations tap into their strengths and support systems to overcome challenges, work through problems, and even turn them into opportunities.

Question: What does it mean organizational resilience?

That is “the ability of an organization to anticipate, prepare for, respond and adapt to incremental change and sudden disruptions to survive and prosper” (Denyer, 2017). Resilience plays a crucial role in the survival of organizations as it is the ability to anticipate, survive in and recover from a turbulent environment with the ability to return to an original or an improved state (Chowdhury and Quaddus 2017; Brusset and Teller 2017; Pettit et al.2021/01/2). In that regard, resilience helps the organization recover control rapidly in unexpected change and maintain a general sense of comfort when managing several changes simultaneously without being affected.

Question: If organizational resilience is so important, why not all organizations take precautions and actions to build them up?

There are many reasons that organizations do not prepare and build their organizational resilience intentionally and systematically. One of them is the lack of enterprise risk management (ERM) practices, leading to the absence or insufficient risk assessment process. Therefore they don’t have a sufficient and comprehensive longer-term view of risk identification, analysis, and evaluation. As a result, they could probably fail to figure out their risk universe beyond the current horizon. Therefore they do not see any need or urgency to raise organizational resilience capability and make their organization future-ready at its earliest. Another reason is lacking standards or references that could help organizations establish their organizational resilience practically and effectively. In many cases, they found that establishing organizational resiliency is quite complex and requires a lot of resources and time-consuming exercise, whereas no such visible output and outcome could be expected and urgently needed.

Question: Is it complicated to build organizational resilience capacity and capability?

The illusion that drives many organizations about complexity in establishing and sustaining organizational resilience could be mixed up between the complexity of the object or the matter that we need to resolve and the approach of how to deal with it. In this case, the matter that drives the need of having organizational resilience could be due to the VUCA (Volatility, Uncertainty, Complexity, and Ambiguity) of the future, which is quite complex to figure out. Therefore, it might drive the opinion that the ‘how’ to deal with them is also complex and complicated. This opinion is ubiquitous as most organizational leaders recognize the VUCA issues but are not certain how to deal with them.

Question: Is there any standard or reference that organizations can use to establish and sustain their organizational leadership?

In this context, a new standard, ISO 22316, Security and resilience – Organizational resilience – Principles and attributes, has been issued to provide a framework to help organizations build and improve their resiliency effectively and practically.

Question: As a standard, what is the detail about ISO 22316, Security and resilience – Organizational resilience – Principles and attributes?

The standard contains some details of key principles, attributes, and activities. As such, James Crask, Convenor of ISO/TC 292’s working group WG 2, the group of experts that developed the standard, says improving the resilience of organizations ensures they are not only better placed for anticipating and responding to potential risks but can harness opportunities as well. Further, he also said that “The standard takes a wide view of the things that can drive resilience in an organization; many of these are behavioral and have historically been overlooked. This is why one of the key principles of the standard is to help them develop a culture that supports resilience”. Lastly, he said a very strong encouragement: “It also involves building upon existing forms of risk management, having shared values and an awareness of changing contexts, all the while underpinned by strong and empowered leadership.”

The existence of this standard would provide a tangible tool to simplify the process of building organizational resilience. As a standard, it brings a lot of help for organization’s leaders to lead, build and sustain organizational resilience more practical, simpler, and measurable. Further, it would also bring international reference and protocol organizations, which help them communicate their resilience approach to their international partners. As such, they use the same protocol, similar PDCA (Plan, Do, Check, Action) cycle. In short, resilience is rooted due to rising complexities in the business world. Therefore, it needs a practical approach rather than making the complexities we face more complex due to the use of a complex approach. Standard ISO 22316 serves the proposition and is therefore worth taking and be adopted for the organization to embrace their future by turning challenges to turn them out as opportunity, as it could turn out as threats if otherwise.

Question: How does this ISO 22316 interlink with ISO 31000 Risk Management Guidelines?

It fits and complements each other. The use of ISO 31000 and ISO 22316 help organizations not to deal with the ‘why’ risk management and organizational resilience are important but to deal effectively with ‘how’ to implement risk management and organization resilience simply and practically. As a closing, let us read together with the following citation: “The research on organizational resiliency suggests that successful firms are prepared for adversity and yet are also proactive and flexible when encountering a crisis. Resilient firms prepare for difficult situations and show a “generalized capacity to investigate, to learn, and to act, without knowing in advance what one will be called to act upon.” (Wildavsky, 1988).”


Dr. Antonius Alijoyo
Chair of National Mirror Committee Indonesia TC 262 – Risk Management and TC 309 –
Governance, Badan Standarisasi Nasional (BSN) Indonesia
Founder of Center for Governance, Risk Management, Compliance and Sustainability Studies

By |2021-10-26T07:53:11+07:00October 26th, 2021|artikel|Comments Off on Organizational Resilience Through ISO 22316 Standard: It is not a Matter of “Why” but “How”

About the Author: