Business IP and Intangible Asset Report and Blog --- Michael D. Moberly

Archive for the ‘Organizational resilience and business continuity/conti’ Category

Aug 10

Michael D. Moberly   August 10, 2010

Broadly speaking, organizational resilience encompasses a management systems approach that simultaneously focuses on prevention, protection, preparedness, response, mitigation, continuity, and recovery from disruptive incidents.  And, for the skeptics, organizational resilience is not merely a warmed over version of (conventional-traditional) business continuity and contingency planning.

An organization’s ability to quickly, efficiently, and effectively adapt to the change and uncertainty (risk) that are so pervasive in today’s globally competitive business (transaction) environment is certainly being ratcheted up on management team and board agendas as a necessary and priority action item.  In organizational resilience parlance, changes in policy, market forces, environmental factors, and the vulnerability, probability, and criticality associated with materialized risks, i.e., natural, intentional, or unintentional, etc., all fall under the (business case) rationale for why today’s companies require a level of resilience that fits their respective market, industry sector, and business transaction environment.  Recovery oriented (adaptive, proactive) company resilience strategies can no longer be dismissed or relegated to merely being ‘afterthoughts’.

The first step toward achieving organizational resilience puts the onus on management teams and boards to literally identify (recognize) the unique elements and features that are embedded and sometimes very much under their company’s radar.  In other words, what makes their company successful.  I offer this in the context that I have yet to engage a management team or board that does not hold the view that every business/company, including theirs, possesses nuanced and otherwise unique features that contribute to its success and sustainability.

Why is this necessary?  It’s because the components (elements, features, processes, practices, etc.) that define a company’s uniqueness are essentially the foundation for identifying a ‘resiliency strategy’.  A resilience strategy commences with identifying/determining ways in which a management team and board can measurably improve the degree to which a company, in the context of its respective business environment, is adaptive and able to quickly recover from significant disruptions, materialized risks, and/or significant changes in the business (value-supply chain) environment.

Executable strategies that improve a company’s level of adaptability and timely recovery from disruptive events include ensuring certain (executable) processes are in place that impose (carry) specific demands and functions, as a well informed management team and board dictate so the company can remain viable for the duration of the adverse - disruptive event.

(This post was inspired by the work of Gregg Goble, Howard Fields, and Richard Cocchiara of IBM’s Resilient Business and Infrastructures Solutions unit and the work of Dr. Marc Siegel, ASIS.)

The ‘Business IP and Intangible Asset Blog’ is researched and written by Mr. Moberly to provide insights and additional views for company management teams, boards, and employees to aid in identifying, assessing, valuing, protecting, and profiting from their intangible assets.  I welcome and respect your comments and perspectives at m.moberly@kpstrat.com.

 

 

Aug 04

Michael D. Moberly   August 4, 2010

Organizational resilience should not be conceived or characterized as simply an ‘insurance’ measure that provides a company with ’coverage’ if or when adverse events occur or risks actually materialize.  Rather, management teams and boards would be prudent, in today’s risk laden global business environment, to frame - adjust their organizational resilience plan so that it serves as a strategic path for moving a company, operationally speaking, from a defensive and reactive posture to having a succession - series of highly proactive responses/actions to address risks and adverse events, one aspect of which is focused on improving (exploiting) or at least sustaining, a company’s competitive position during the duress event.

Organizational resilience today, and certainly for the foreseeable future, is much more than mere defensive steps to protect a company; rather, OR must also include proactive measures for actually improving a company’s competitive position throughout the duress event.  This, of course, requires company management teams and boards to recognize that materialized risks or adverse events may, for resilient companies, present valuable and exploitable competitive advantage opportunities, presuming other industry sector companies and/or competitors are experiencing similar risk events simultaneously.

So, what are the ‘building blocks’ to organizational resilience?  Goble, Fields, and Cocchiara of IBM’s ‘improving business resilience through a resilient infrastructure’ unit point to:

1. Recovery - elevates awareness to the onset of particular risks and/or adverse events which in turn enables a company to return to an acceptable state of operational normalcy and performance in an acceptable time period.

2. Hardening - is the use of strategies to make a company’s key infrastructure harder, i.e., more challenging, more difficult, and ultimately, less susceptible to certain risks and adverse events.  Hardening increases the efforts (resources, time, etc.) that adversaries must expend to actually execute a particular (man-made) risk, threat, or adverse event by literally denying or, at minimum, limiting access to the infrastructure itself.  Companies should be mindful that excessive (extreme) use of infrastructure hardening tactics can create a ‘fortress mentality’ (imagery) which partners, stakeholders, and valuable contributors to the company’s value-supply chain may find offensive, and withdraw.

3. Redundancy - ensuring the company infrastructure has a sufficient number of ‘redundancies’ (i.e., back-ups, duplications) designed/built into it relative to meeting its mission critical priorities.

4. Accessibility - the ability of a company as a whole, i.e., its employees and value-supply chain partners and stakeholders, to retain the ability to access (from anywhere) the relevant and necessary (company) infrastructure, including communication systems.

5. Diversification - the goal is straightforward; create an infrastructure that can be fully operational while being physically distributed and is still capable of being effectively managed during periods of duress.  The premise of operational diversity is straightforward: don’t allow all of a company’s eggs to remain in a single basket.

6. Information Technology Autonomics - self-managing and self-regulating IT systems and infrastructure that is not vulnerable to succumbing to anticipated-projected risks and adverse events. 


Aug 03

Michael D. Moberly   August 3, 2010

In today’s ‘go fast, go hard, go global’ business transaction environment, management teams and boards are less inclined to dismiss or characterize materialized risks and business disruptions as merely being embarrassing events or short-lived inconveniences. 

In large part that’s because of recent events, à la BP, Massey Coal, Toyota, Wall Street, etc., coupled with a re-consideration (appreciation) for the speed with which negative events can occur or certain risks materialize and literally cascade throughout an enterprise to irreversibly infect and adversely affect what matters most to companies operating in ‘intangible asset’ dominated economies, i.e., their (a.) brand, reputation, image, and goodwill, and (b.) supply - value chain!

That, in my view, is sufficient rationale for management teams and boards to initiate organizational resilience planning, quite apart from conventional business continuity-contingency planning.  But, to further serve a company in 2010, 2011, 2012 and beyond, it’s useful for management teams and boards to conceive - frame their organizational resilience planning initiative in the context of a ‘strategic roadmap’ to achieve business goals and objectives absent impediments and/or interruptions.

The strategic roadmap would of course also include achieving a level of (enterprise) preparedness sufficient to effectively (1.) mitigate, counter, defend, and manage certain risks, and (2.) enable a company to recover from adverse events and/or materialized risks more speedily.

The heart of an organizational resilience program, in my view, lies in framing-conceptualizing a ’strategic roadmap’ that includes effectively designed ’infrastructures’ that are operationally resilient to the ever growing array of risks and vulnerabilities by being able to perform, at minimum, two broad, but essential functions under duress, i.e., (1.) safeguard supply - value chains by ensuring an acceptable level of preparedness and functionality exists so a company may continue to produce-deliver goods, services, products, etc., for the duration of the adverse event, and (2.)  enable a company to return to an acceptable level of operational normalcy as rapidly as possible.  

Company infrastructures are increasingly complex and nuanced however, and routinely consist of numerous disparate components and inter-dependencies, which, in most instances, extend well beyond a company’s conventional walls or perimeter by virtue of what seems to be ever evolving, dynamic, and converging chains of suppliers, distributors, partners, customers, and other stakeholders, that presumably converge to achieve (the company’s business) goals and objectives. 

Framing organizational resilience planning in a ‘strategic roadmap’ context also elevates management team and board ‘buy-in’ by bringing more clarity and insight to company exposures and vulnerabilities to certain risks, particularly within the supply - value chain.

(This post was inspired by the work of Gregg Goble, Howard Fields, and Richard Cocchiara of IBM’s Resilient Business and Infrastructures Solutions unit and the work of Dr. Marc Siegel, ASIS.)


Jul 22

Michael D. Moberly   July 22, 2010

In Stone v. Ritter (as they did in In Re Caremark and In Re Disney) Delaware courts brought attention to board and director oversight of regulatory compliance programs and company assets by stating…

 ‘boards must be kept apprised of and receive accurate information, in a timely manner, that’s sufficient to allow them and senior management to reach informed judgments about the company’s business performance and compliance with the laws…’

Some court decisions can be precedent setting with the arguments presented by the winning side replicated in the form of framing points for (oral, written) arguments in future (similar) cases.  The prevailing arguments in Stone v. Ritter being no exception, I presume will be replicated in other cases in which board-director fiduciary responsibility (liability) is at issue, e.g., assessing the effectiveness of board and director efforts relative to ensuring their company is compliant with certain regulatory mandates and how personally engaged they are in the oversight (stewardship, management) of their company’s compliance program.

A close and admittedly desirous reading of the Stone v. Ritter decision suggests the ruling may go a long way toward eliminating some of the ambiguities associated with board and director fiduciary responsibilities and liability by bringing clarity to what actually constitutes ‘board oversight’ of a company’s assets, which presumably include both the tangible and intangible variety.

It’s certainly not a stretch then, at least in my view, in light of the collective and recent mishaps of BP, Massey Coal, Toyota, Johnson and Johnson, etc., and the on-going legal wranglings, to anticipate that the Stone v. Ritter decision is being closely reviewed with the not so improbable possibility that new litigation will be framed to extend Stone v. Ritter concepts to now encompass the newly adopted ASIS/ANSI American National Standard on Organizational Resilience.

It’s just not out of the realm of possibility to see litigation being brought by stakeholders, in fact they may be remiss if they did not do so, arguing board fiduciary responsibilities should now encompass the highly proactive ‘organizational resilience’ practices as detailed in the ASIS/ANSI Standard.  That is, in lieu of putting more lipstick on existing business continuity and contingency approaches which remain largely reactive.

My views are that the prudent ‘best practice’ norm for companies now, and for the foreseeable future, lies in organizational resilience programs that systematically identify and actively manage risks that can potentially hinder the achievement of a company’s mission which are broadly congruent with the best interests of the public, should adverse events and/or circumstances materialize.

(Thanks to the work of Rebecca Walker in her paper titled ‘Board Oversight of a Compliance Program: The Implications of Stone v. Ritter’ for some additional insight.)


Jul 19

Michael D. Moberly    July 19, 2010

I research and write (produce) the ‘Business IP and Intangible Asset Blog’ to provide insights and sometimes alternative views about protecting, managing, and delivering value from intangible assets.  My blog is directed primarily to company management teams, boards, entrepreneurs, researchers, and employees.  In that sense, each blog post, while sometimes inspired by the work of others, is conceived and written in a respectful manner absent the influence of others.  Today’s post, however, may appear to some as constituting a deviation from those principles.

For example, this past week I had the pleasure (and enjoyment) of participating in and learning from a two and one half day seminar hosted by the American Society for Industrial Security International titled, ‘Organizational Resilience: Security, Preparedness and Continuity Management Systems - Requirements And Guidance For Use’.

Without equivocation, I can say my attendance/participation in the seminar was well worth my time and expense, especially in the sense of, upon completion of the seminar, being, quite literally, on the leading edge of what I and others, particularly Dr. Marc Siegel, the seminar’s principal instructor, believe will be the standard’s relatively rapid rise in acceptance and integration by U.S. companies.

The program itself was appropriately framed by Siegel as encompassing a ‘comprehensive management systems approach for the prevention, protection, preparedness, response, mitigation, continuity, and recovery for disruptive incidents resulting in emergency, crisis, or disaster’.  Given that my business and professional interests focus almost exclusively on issues related to intangible assets and intellectual property, it was important to me that I be able to adapt much of the seminar’s content, i.e., the standards themselves, to be applicable to intangibles and IP.

After all, it’s an economic fact - business reality that 65+% of most companies’ value, sources of revenue, and future wealth creation today lie in - are directly related to intangible assets.  Thus, a seminar on organizational resilience must fully address intangible assets.  While the seminar produced many practical deliverables to attendees, Siegel clearly and consistently recognized how essential it was to convey that the new standard embodies intangible assets, not solely physical-tangible assets.

As I pointed out in my July 15th post, the requirements and guidance (accompanying the organization resilience standard), particularly as conveyed through the experienced and global eyes of Dr. Siegel, are not merely a warmed over version of (conventional-traditional) business continuity and contingency planning which still retains, in many instances, a framework and overall approach that is more reactive than proactive.

Whereas organization resilience, as conveyed in the standard itself, as well as in principle and practice, is embedded with a singularly proactive mantra, especially in terms of its approach and execution through a ‘management system’.

To be sure, the recent and on-going challenges experienced by BP, Massey Coal, Toyota, and Johnson and Johnson, and others, are but a few examples of the increasingly essential role of a properly designed and executed organization resilience program (that encompasses the requirements and guidance noted in the Standard), which would likely have made a significant difference not only in the disruptive event itself (that adversely affected each company) but in how the companies responded following the event.

It now seems self-evident that an organization’s ability to quickly, efficiently, and effectively adapt to change, whether changes in policy, market forces, environmental factors, and/or disruptive events (i.e., natural, intentional, or unintentional), by implementing adaptive and proactive strategies that are recovery oriented, cannot be dismissed out of hand.

In today’s global business environment in which risks are very much asymmetric and ‘coming at your company 24/7’, taking time to objectively examine the benefits of the organizational resilience standard and reflecting on your company’s organizational resilience posture can indeed be a worthy use of time for any management team, board, and their respective stakeholders.

It is in this regard that I encourage readers of this blog to give strong consideration to pursuing this organizational resilience seminar and closely following the work of Dr. Siegel and ASIS International on this necessary and worthy endeavor.


Jul 15

Michael D. Moberly   July 15, 2010

Becoming a risk resilient company encompasses three key elements:

1. Having management systems in place that link the control of and response to adverse and/or disruptive events to a company’s core mission through a strong sense of foreseeability and practical risk assessment.

2. Bringing conventional security and risk management systems into a balanced and synergistic framework to ensure a company is sufficiently adaptive and responsive to changes and risks within their business environment (internally, externally) that can impact their sustainability and/or survivability.

3. A culture that facilitates awareness and resistance, an immunity of sorts, to the effects of particular risks and/or adverse events which enables a company to return to an acceptable state of operational normalcy and performance in an acceptable time period should certain risks/threats actually materialize.

Operationally speaking, organizational resilience differs markedly from conventional security and/or risk management approaches due to its focus on (a.) preparedness, (b.) balancing the probability and consequences of risks, and (c.) shifting away from (risk management) being a primarily reactive activity to being a highly proactive, adaptive, and continually improving activity.

Organizational resilience is particularly well suited to the ’systems approach’ with its requisite cross-disciplinary inclusive framework that compels stakeholders to identify and examine risks as independent variables relative to vulnerability, probability, and criticality.  This includes, for example, examining risks that may have a relatively low probability for occurrence but carry inordinately high consequences, i.e., potential for significant adverse cascading effects throughout an enterprise and its external stakeholders.

Some consider the ’organizational resilience’ movement to merely be a re-packaged version of conventional business continuity and contingency planning.  Be assured, it’s not!  Much more to come on organizational resilience.

(This post was adapted from the work of Dr. Marc Siegel and the newly adopted American National Standard on Organizational Resilience.)


Jun 21

Michael D. Moberly   June 21, 2010

In 2010, and for the foreseeable future, risk management must be about the interdependency of companies’ intangible assets.  In the not too distant past, companies often had the twin luxuries of time and (geographical) space when dealing with risks-threats that materialized.  Time and space served as ‘buffers’ for companies that routinely provided leeway insofar as how a company may elect to react (adapt) to the risk-threat at hand.  To be sure, in 2010, such luxuries no longer exist!

In previous years, it was not always essential, nor expected, broadly speaking, for risk managers to have specific and individualized contingency-action plans in place to deal with each potential risk-threat that could possibly materialize.  Of course, there were many reasons (rationales) for this, among them being that risks-threats, when they did materialize, were less interdependent.  In other words, risks-threats could oftentimes be compartmentalized or segregated, thereby mitigating the probability that adverse effects/consequences could literally ripple through an entire organization.

Also, conventional risk management tended to be focused on protecting a company’s tangible - physical assets through insurance, i.e., risk transfer, in which pieces of a company’s tangible assets would be insured vs. adopting a holistic perspective that included recognizing the highly interdependent nature and contributory value of intangible assets.

But today, with 65+% of most companies’ value and revenue being directly tied to intangible assets, it’s the interdependency of a company’s intangibles, and the potential for almost instantaneous cascading effects, i.e., economic and competitive advantage hemorrhaging and undermining of asset value, etc., that must form the managerial criteria (starting point) for genuinely managing the varied and asymmetric nature of company risk.

(This post was inspired by ‘Surviving and Thriving in Uncertainty, Creating the Risk Intelligent Enterprise’ by F. Funston and S. Wagner.)


Jun 11

Michael D. Moberly   June 11, 2010

The Standards and Guidelines Commission of the American Society for Industrial Security International produced a national standard for security titled ‘Organizational Resilience: Security, Preparedness, and Continuity Management Systems: Requirements with Guidance For Use’. (March, 2009)

This ‘standard’ was approved by the American National Standards Institute as a ‘comprehensive management systems approach for security, preparedness, response, mitigation, business/operational continuity, and recovery for disruptive incidents resulting in an emergency, crisis, or disaster’.

The ASIS/ANSI standard defines:

1. Organizational resilience management as systematic and coordinated activities and practices through which an organization manages its operational risks, and the associated potential threats and impacts therein.

2. An organizational resilience management program as an ongoing management and governance process supported by top management; resourced to ensure that the necessary steps are taken to identify the impact of potential losses; maintain viable recovery strategies and plans; and ensure continuity of functions, products, and/or services through exercising, rehearsal, testing, training, maintenance, and assurance.

While this standard remains voluntary at this point, when it’s applied to ‘events of the day’, wherein business risks, risk management, and now organizational (fiscal) resilience of a global company have become routine features in the business and mainstream (politics driven) media, it’s quite probable the standard will be ratcheted up on company board room agendas as action items.

In other words, will there be business influences, a sense of prudence or perhaps urgency, to elevate these best practices for organizational resilience planning and program management (as conveyed in the ASIS/ANSI standard) beyond their current voluntary status to being a driver for assurance from companies to demonstrate they are accommodating the growing political, consumer, and stakeholder pressures to be legitimately proactive in foreseeing and managing risks associated with their projects, initiatives, and diverse businesses?

There’s an important point to be made however.  A 2010 version of an organizational resilience management program should not be a mere warmed over, updated, or templated version of a conventional (previously used) ‘business continuity and contingency’ plan that typically focused on a company’s tangible (physical) assets.

Rather, the economic facts and business realities associated with global knowledge-based economies in which 65+% of most companies’ value, sources of revenue, ‘building blocks’ for growth, future wealth creation, and sustainability lie in - directly evolve from intangible assets must be fully accommodated in company organizational resilience planning, and not just as afterthoughts or incidentals to the program, but rather as key and measurable action points with consistent oversight and monitoring to reflect a company’s valuable intangibles as they are developed or acquired.


Feb 12

Michael D. Moberly   February 12, 2010

The need for companies to have greater assurance of (their) operational continuity in an environment in which there are (a.) increasing business interdependencies and alliances, (b.) lengthier and ‘just in time’ supply chains, interwoven with (c.) elevated vulnerability to - probability of disruptions with (d.) the capability of producing immediate adverse cascading impacts that ripple throughout an enterprise (internally and externally), is prompting management teams to look more objectively and critically at their standard, but seldom executed, ‘business continuity and contingency plan’.

In other words, putting a much needed and warranted 2010 ‘spin’ on the conventional business continuity and contingency plan by re-framing it as ‘organizational resilience’ is a good thing!

Determining (assessing) with some degree of precision just how resilient a company really is to the growing array of asymmetric risks and threats is challenging.  For many of those risks, if they materialize, their criticality can be relentless and immediate insofar as undermining and eroding a company’s value, standing, market share, and revenue streams, etc., in ways that cannot be readily mitigated or reversed without having well grounded, practical, and objective organizational resilience plans in place.

A ‘virtual’ reality (exacerbating) making organizational resilience all the more challenging for company management teams is that most companies’ consumers, clients, and suppliers (a.) have a propensity to be skeptical, cynical, and less-believing of a company’s (obviously) resiliency motivated communications following an incident (à la Toyota), and (b.) can readily find satisfactory alternatives to meet their needs, either in the interim, or for the long term.

Perhaps the single greatest challenge to designing and executing an organizational resilience plan is objectively identifying, evaluating, and achieving internal consensus about those assets, services, and business processes (all of which are intangible assets) that are the most essential insofar as measurably elevating - contributing to a company’s overall resilience, i.e., returning to a state of reasonable operational normalcy following an adverse event or act.

Management teams that inadvertently overlook or do not specifically include a company’s intangible assets in their organizational resilience planning are, in my judgment, not merely being near-sighted or neglectful of their fiduciary responsibilities, they’re actually taking their company down a much riskier path because:

1. 65+% of most companies’ value, primary sources of revenue, building blocks for future wealth creation and sustainability lie in or directly evolve from intangible assets including intellectual property, and

2. intangible assets are typically more fragile, volatile, transportable, and susceptible to adverse information whether real or ‘hyperized’  than physical/tangible assets.

(Some aspects of this post were modified by Michael D. Moberly from ASIS International’s 2009 ‘Organizational Resilience’ standard.)