Chapter 2: Issues & Literature Review

Posted on August 18, 2012


Oops.  I promised to post more…

You’ve already had the Introduction so here’s Chapter 2 which is the “Issue & Literature Review”.  My Dad, who was one of my marvellous proof readers, refers to this chapter as the one where I “completely destroyed the US’s national standard for resilience.”  Um… I wouldn’t have put it quite like that but, yes, I personally think it’s a very, very poor excuse for a “standard”.  Sorry to be so blunt, but, well, you can read my arguments for yourself and decide whether you agree or not.

Feel free to comment at the end if you like.  Opinions and debates always welcome.

For the sources of the quotes, please use the Bibliography (which includes links to those available on the  web).

For the sources of the quotes, please use the Bibliography (which includes links to those available on the  web).

Don’t forget that it’s fine for you to use this work for your own purposes, so long as you credit the source. For private or commercial purposes please credit Charley Newnham and include a link to her Linked In profile. For academic purposes please click here for the complete reference



 Resilience: if you think of it in terms of the Gold Rush then you’d be pretty depressed right now, because the last nugget of gold would be gone.  But the good thing is, with innovation, there isn’t a last nugget.  Every new thing creates two new questions and two new opportunities”

Jeff Bezos, founder of (2003)

This chapter critically evaluates relevant issues and published literature.   As this work is intended to be useful to senior organisational leaders, the most recent possible literature is used.

The first section of the chapter seeks to define “organisational resilience” in light of diverse academic and professional offerings.  The second establishes how academia considers organisational resilience might be achieved, reviewing professional standards and guidelines and analysing them in light of key academic texts.   The possibility of identifying factors that most impact organisational resilience, measuring organisational resilience and, by extension, measuring a leader’s propensity to act with behaviours that induce organisational resilience is examined in the subsequent section of the literature review.  At the end of the chapter, the summary includes a list of lines of enquiry identified for primary research, based on questions raised or not answered by the issues and literature review.

The chapter is organised under the headings:

  • What is organisational resilience?
  • How is organisational resilience achieved?
  • Can organisational resilience be measured?
  • Summary

2.1 What is organisational resilience?

In this emerging discipline, there is little consensus on the definition of organisational resilience (e.e. Braes & Brooks, 2010 and Comfort, Boin & Demchak, 2010).  The narrative of Designing Resilience (Comfort, Boin, & Demchak, 2010) shares a journey from a somewhat operational definition at the beginning of the book to one that is rather more holistic and strategic at the end.  This section takes a similar journey, albeit with different inputs, and comes to similar though not identical conclusions.

The Oxford English Dictionary states “resilience” is a noun meaning “the ability of a substance or object to spring back into shape” or “the capacity to recovery quickly from difficulties; toughness” (Oxford Dictionaries, 2011).   But in the context of an organisation, academics don’t agree on definitions nor common understandings of what it is nor how it may be achieved (Braes & Brooks, 2010).

Some definitions appear based on the dictionary’s notion of bouncing back.  These refer to resilience as an organisation’s capacity to recover to its original state quickly after a sudden change or high impact disruptions, e.g. Ferudi (2007) and McEntire (2007).  Others consider it a far more strategic concept, which not only assists recovery to the original state, but helps an organisation minimise the possibility of crisis at a strategic rather than a functional level (e.g. Valikangas, 2010 and Comfort, Boin & Demchak, 2010).  Here, resilience also embraces new possibilities that may be presented via the potential crisis that may increase opportunities for prosperity.

There is a third argument, however, that both the above concepts encourage resilience to be considered as (albeit sometimes sophisticated) business continuity management.  They argue that this view is too narrow[1] and have considered organisational resilience in light of psychological, social and ecological resilience, and how that resilience capability encompasses a seemingly natural adaptation to environmental change that permits on-going generational survival without the danger of crisis (Sutcliffe & Vogus, 2003).  This train of thought concurs with the findings of a very recent study contesting that the only proof of organisational resilience is total or on-going longevity (Carmeli & Markman, 2011). This idea offers a practical insight, as businesses also fail for reasons other than a unexpected disruption or sudden crisis. For example, some expand too quickly (Bannatyne, 2011) or without due discipline (Collins, 2009) lack the strategic governance for growth (Carmeli & Markman, 2011) or simply fail to respond to gradual decline, often due to poor or unrealistic situational awareness (Collins, 2009).   Carmeli & Markman (2011) argue resilient companies don’t settle for endurance but seeks to thrive: “corporate resilience is about neither crisis management nor turnaround programs… it is not reactive but proactive organisational conditioning”.

Horne & Orr (1998) cite a 1992 study by Peters and Waterman offering a list of “excellent companies”; 18 months later more than 30% of those companies were no longer considered “excellent” and new research showed “the majority had failed to adapt to changes in the external environment”.  So, moving away from the notion that resilience is a recoverycapability and acknowledging it is the capability for an organisation to endure and thrive with or without obvious disruption is useful.

Socio-ecological system theory defines resilience as “the capacity of a system to absorb disturbance and reorganize while undergoing change so as to still retain essentially the same function, structure, identity, and feedbacks” (Walker, Holling, Carpenter, & Kinsig, 2004) but this is closely linked with “transformability”, or the “capacity to create a fundamentally new system when ecological, economic, or social structures make the existing system untenable” (Walker, Holling, Carpenter, & Kinsig, 2004).  Applying these tightly coupled socio-ecological theories in an organisational context addresses both sides of the resilience coin: the operational notion of recovery and endurance and the strategic concept of proactive conditioning to survive and thrive without suffering any noticeable disruption.

However, there may be potential practical issues with adopting a strategic definition of resilience.  In an organisational context, measures for resilience must usually be cost-justified and thus measurable (Sheffi, 2005).   Thus it may be hard to justify some resilience measures that protect an organisation from disruption if the disruption that was avoided cannot be identified.   For example, in 1994, terrorists hijacked an Air France plane and attempted to fly it into the Eiffel Tower; in 1995 the US foiled an Islamic terror plot to simultaneously hijack eleven commercial flights; yet it didn’t occur to any airline to place locks on cockpit doors as a precautionary measure (Bazerman & Watkins, 2008).  Taleb’s parable (2007) offers a potential explanation:

Assume that a legislator with courage, influence, intellect, vision and perseverance manages to enact a law that goes into universal effect and employment on September 10, 2001; it imposes continuously locked bullet-proofed doors in every cockpit (at high cost to the struggling airlines) just in case terrorists decide to use planes…. This legislation is not a popular measure among the airline personnel, as it complicates their lives.  But it certainly would have prevented 9/11.  The person who imposed locks… gets no statues in public squares, not so much as a quick mention… in his obituary, “Joe Smith, who helped avoid the disaster of 9.11 died of complications of liver disease”.  Seeing how superfluous his measure was, and how it squandered resources, the public with great help from airline pilots, might well boot him out of office… He will retire, depressed, with a great sense of failure. I wish I could go to his funeral but, reader, I can’t find him.”  (Taleb, 2007)

While Taleb’s account may be fictional, it demonstrates the difficulty of being able to justify the value of precautionary measures taken for resilience in the period before the measure is required, and to maintain its justification when the event it prevents does not occur.   Organisations are statistically more likely to invest in resilience after a disruption, crisis or otherwise negative incident (Seville, Vargo, Stevenson, & Stephenson, 2011), which points to an operational rather than a strategic understanding of the concept.

Recent work from the renowned New Zealand based Resilient Organisations institution, including that by McManus (2008) and Stephenson (2011) suggest that factors indicating organisation resilience can be split into three dimensions: Situational Awareness, Management of Keystone Vulnerabilities and Adaptive Capacity.  This concurs with Sutcliffe and Vogus’s opinion that resilience is a capacity.  Acknowledging the aim of longevity demanded by Carmeli & Markham (2011), our working definition, which may be used with or without the bracketed text, is therefore:

Organisational resilience is the strategic and operational, planned and adaptive, capacity of an organisation [in a socio-technical system to eradicate, avoid or minimise organisational crises] to thrive and achieve longevity.

However, given the lack of consistent agreement regarding definition, a line of enquiry was included in the primary research to better understand if organisations generally consider organisational resilience to be a strategic capability or a business interruption management system.


2.2 How is organisational resilience achieved?

Literature examined herein may be categorised as professional guidance and academic texts.  As organisations may be likely to consult professional guidance before academic texts, guidance is examined first.

2.21 Professional Guidance

Professional guidance can be offered in many guises. The contribution of national and international standards, and postgraduate education, is examined below.

Standards claiming to assist organisational resilience include national and international standards for Business Continuity (BSI, 2011), Risk Management (ISO, 2009) and Information Security (BSI, 2011).  However, he title of the American National Standard, Organizational Resilience: Security, Preparedness, And Continuity Management Systems (ASIS, 2009) implies that it provides definitive input.  For brevity, it will be referred to herein as ANSOR.  This standard has been adopted by, among others, the US Department for Homeland Security ‘s Private Sector Preparedness program and the Federal Emergency Management Agency (FEMA, 2010).

ANSOR was created by ann association for security professionals. It was later adopted by the US and the Netherlands as a national standard.  As per its title, the Standard appears to suggest that resilience is achieved by bringing together the functions of security, emergency preparedness and business continuity with some specific considerations. Claiming to be “a management system… to anticipate, prevent if possible, and prepare for and respond to a disruptive incident (emergency, crisis and disaster)… [by] enhancing security, preparedness, response, continuity and resilience” (ASIS, 2009) via a systems approach, it appears to lean heavily on existing standards for related topics (e.g. Risk Management (ISO, 2009) Information Security (BSI, 2011) and BS25999 for Business Continuity (BSI, 2011)).

One might conclude that ANSOR does four things well.  Firstly, it identifies the business functions its writers believe conduct the resilience effort. These are security (information and physical), risk management, business continuity and crisis management, recognizing internal and external dependencies and supply chains as crucial considerations.  The functions identified concur with the writing of the more operational academic authors, for example, Braes & Brooks (2010) who cite: “enterprise risk management, business continuity management, crisis management, physical security and cyber security” and network and supply chain dependencies (Sheffi, 2005).  Secondly, the standard attempts to include Crisis Management. After BS25999, the standard for Business Continuity, was published it was widely suggested an accompanying standard in Crisis Management was required (ISO, 2006). The high level of detail that ANSOR includes on Crisis Management – especially compared with other functions in the title – suggests an attempt to bridge that gap. Thirdly, it requires the named functions to work together.  As shown later, the scholars endorse this.  Fourthly it doesn’t contradict a resilience certification consortium explanation that the difference between resilience and continuity is that resilience encompasses planned change as well as unplanned events (BRCCI, 2011).

While the scholarly notion that “rather than being rare and extraordinary… resilience emerges from relatively ordinary adaptive processes” (Sutcliffe & Vogus, 2003) must be acknowledged, ANSOR only claims to be a management system that deals with disruptive incidents, therefore adopting a business continuity-based approach that is very limited in its ability to contribute to overall organisational resilience.   As the academic texts will show later, this standard would need to include many other functions and organisational capabilities  to provide robust guidance on organisational resilience.

The researcher was unable to establish what an organisation would gain from adopting ANSOR instead, or as well as, the existing standards for each function, which each present as more thorough and authoritative than ANSOR.  ANSOR’s approach is unbalanced: risk and crisis management are described in detail (with some bizarrely detailed notes, such as a requirement to have access control at the door of crisis rooms) while, at the other end of the scale, physical and information security are barely mentioned.  It furthermore fails to address any of existing issues with risk management processes (an issue of importance that is considered on page 28).   It also requires organisations to create metrics to monitor resilience performance but does not explain how resilience can be measured.

In summary the implication of ANSOR’s title, that following the guidance will result in organisational resilience, is not supported by this study.

Meanwhile, BS25999 for Business Continuity (BSI, 2006) states it should be considered “a holistic management process that identifies potential threats… and the impacts to business operations… and the capability for an effective response” (BSI, 2006).  As this resembles some definitions of resilience as per the previous section, it merits consideration in a quest for resilience guidance.   BS25999 is the fastest selling British Standard of all time (BSI Workshop, 2010), providing a clear approach to identifying, mitigating and managing potential disruptions to business.  Criticisms include the lack of crisis management guidance which is currently being remedied by publicly available specification PAS:200 (BSI Shop, 2011), a precursor to a British Standard on Crisis Management.   As previously stated, single functions may contribute towards resilience but cannot produce it; BS25999 makes no claim that its guidance will result in organisational resilience.

Considering the professional standards in light of operational verses strategic guidance – where operational relates “to the routine functioning and activities of an organization” and strategic relates to “to the identification of long-term or overall aims and interests and the means of achieving them (Oxford Dictionaries, 2011) – suggests that BS25999 and other functional standards are useful aids to assisting operational resilience.

Some academics, e.g. Sheffi (2005) focus on operational resilience.  Leading university courses on resilience are often made up of predominantly operational functions; Cranfield University’s own MSc Resilience course, for example, includes modules on risk, business continuity, crisis management, technology, supply chain, and security (Cranfield, 2011).  However, as shown later, many academics (e.g. Sutcliffe & Vogus, 2003) argue that the scope for resilience is far more complex than the sum of output from these functions/disciplines.   This is, perhaps, reflected in Cranfield’s syllabus by the inclusion of a module titled Strategy for Resilience.  While the frequently named functions  – risk, business continuity, security, crisis management, etc. hereafter referred to collectively as ‘resilience units’) – clearly contribute an organisation’s resilience, previously discussed indications that these aren’t the only contributing factors will be explored further as other academic texts are considered.

It is particularly important to reach a conclusion regarding the level of contribution to resilience that the resilience units provide because a new unit name is emerging.  A search on business-focused social media site, Linked In, suggests units with the word “resilience” in their titles are beginning to appear[2], for example Resilience Department, Business Resilience and Resilience and Risk.  In some cases the researcher’s personal acquaintance with some of the units appearing in the search offers the suggestion that some of these new units are renamed business continuity units or business continuity units that have joined forces with risk management teams.  No data explaining the ‘normal duties’ of a business unit called ‘resilience’ could be sourced, but it appeared possible the title may imply a belief that resilience can be achieved mainly by via work of this function: primary research was therefore undertaken by this study to understand the scope and responsibilities of these units.

2.22 Academic Texts

This section uses four books and one academic paper as the basis against which to consider other literature.  These five items were chosen for their focus on organisational resilience; the combination of mainstream availability and author credibility and; because they each take very different approaches.  Other literature is considered around these books by Sheffi (2005), Valikangas (2010), Beer (2009), Collins (2009) and the Carmeli & Markman (2011) paper.  Key ideas from the five focussing texts are summarized in Table 2.1

Table 2.1: Some key ideas for organisational resilience from selected texts

 Author (Year)IdeasYossi Sheffi (2005)

  • Organise for responsive action
  • Assess the vulnerabilities
  • Reduce the likelihood of disruptions
  • Collaborate for security
  • Build in redundancies
  • Design resilient supply chains
  • Invest in training and culture

Michael Beer (2009)

  • Invest in leadership and employees
  • Develop a culture of emotional attachment to the company and internal community
  • Provide resources to enable high performance
  • Harness organisational learning to discipline change

Jim Collins (2009)

  • Recruit the right people for leadership
  • Strategies embrace disciplined thought
  • Action is disciplined
  • Build the company to last:
    • Without dependence on a charismatic leader
    • Preserving core values and reason for being

Liisa Valikangas (2010)

  • Rehearse everything: “resilience is not a strategy; it is a rehearsal
  • Manage consequences of past performance
  • Invest in innovation
  • Design with robustness, sustainable, evolvable with redundancy
  • Embrace natural selection and understand serendipity in all areas, and/or subject to resilience tests
  • Ensure adaptability and mobility

Carmeli & Markman (2011)

  • Organic and controlled expansion/growth
  • In depth organisational understanding
  • Strong strategic governance
  • Supporting tactics: save power by achieving objectives through others or via efficient resource deployment; maintain a stronghold base; isolate adversaries; create forward outposts

There is no suggestion that the books disagree with the notion that high resilience minimises the possibility of incident or decline, and that this provides competitive advantage, but their approaches to the issue are very different.  Carmeli & Markham’s paper (2011) is based on case studies and contends that organisational resilience is proved by longevity.

Sheffi (2005) provides an operationally focused text, concentrating on functions such as risk and supply chain management, and building a culture for redundancy and flexibility. This text is most noticeably aligned with an operational approach and, though strategic requirements are considered, he considers resilience primarily from disruption management viewpoint.  Valikangas (2010 is strategic and conceptual, advocating investment in knowledge management, innovation, “building resilience” and rehearsing strategies.  Her material might be considered light on explaining how to practice what is preached.  Beer (2009) takes a very different stance.  He builds resilience vicariously, by creating a highly committed workforce: “High Commitment, High Performance”(HCHP).  Collins (2009) examines how firms can avoid slipping into slow-burn failure that they may not even notice – possibly because profits are still increasing  – by defining decline in five stages (see Figure 2a).   Carmeli & Markman’s (2011) conclusions are based on studying 150 companies against the Roman Empire, which endured for over 1000 years. Further to their belief that resilience is not about disruption but proactive conditioning to survive and thrive, they argue it is achieved by “capture” (expansion) and governance strategies – see Figure 2b – that are completed “only after [the organisation learns how] to systematically combine, align and reinforce the two strategies.”

Figure 2a – Collins (2009) 5 Stages of Decline

Figure 2b: Capture-Governance Matrix (Carmeli & Markman, 2011)

Despite their diverse approaches, themes emerge from these academic works. Those that appear to be most valued across the works are examined below, but it may be useful to note that the underpinning discursive thread lead this study to four key conclusions.  Firstly, organisational resilience is a holistic concept requiring both strategic activity led by those at the very top of the organisation and operational activity inherent across the organisation.  Secondly, deep organisational learning and understanding, realistic situational awareness and robust governance (e.g. Collins, 2001 & Carmelli & Markman, 2011) are vital.  Thirdly, resilience will not completely protect an organisation from disruption so its resilience plan will require business continuity and crisis management processes (Valikangas, 2010).  And finally, many of the processes contributing to the resilience capacity should be an intrinsic part of a strategic risk management process but the best of these are flawed due to lack of data about the future, the heuristic nature of human beings (Gardner, 2009) and an on-going perception of risk management being something only risk managers do (Rowe, 2004).

Solid Values and Purpose.  More resilient organisations tend to have strong corporate values and a clear understanding of their place in the world (Sheffi, 2005) which is interesting if only because the same is true of resilient people (Jackson, Firtko, & Edenborough, 2007).  Valikangas (2010) argues that, like resilient individuals, these companies are also likely to sacrifice short-term gains in favour of long-term goals, while Beer (2009) argues that it goes further than this, and leaders must “accept constraints with regard to firm purpose and values, strategy, financial and cultural risks” to prioritise, achieve and maintain resilience.  Beer argues, for example, the leaders of failed investment banks Bear Sterns and Merrill Lynch didn’t “have the aspirations, the higher moral purpose, or the savvy to build a resilient organisation capable of sustained advantage” (Beer, 2009) because short-term profit was their priority. The consensus among the authors is that when organisations are motivated by strong values and shared purpose, leaders and employees are inherently more committed to the firm’s resilience and longevity.  Valikangas (2010) suggests this enables “organisational resilience beyond the leadership’s ability” especially when accompanied by a culture encouraging resourcefulness, robustness and adaptive capacity while Beer goes so far as to suggest that resilience is increased when leaders accept constraints to organisational values, strategies and financial and cultural risks in pursuance of maintaining key values and purpose. This suggests that organisations that believe they have inherently higher moral purposes (which may be easier to identify in charity and not-for-profit organisations) or accept constraints such as those outlined by Beer, may have a higher propensity for resilient behaviours.  This hypothesis was tested via a two lines of enquiry in the primary research.

Optimistic v Pessimistic Outlook. The first sentence of the previous paragraph notes a similarity between tendencies of resilient organisations and resilient people.   It is therefore interesting to consider whether more similarities may exist. However, in the field of human resilience there is consensus that “realistic optimism” – hope based on an understanding of the circumstances surrounding oneself – is the key (e.g. Seligman, 2011).  Menkes (2011), asserts realistic optimism to be a vital leadership attribute that requires both “an awareness of circumstance” and “a sense of agency” which concurs with organisational requirements for resilience (Valikangas, 2010 & Collins, 2009).  On the other hand, human psychology studies also show risk is most accurately assessed by those with mild depression – a proposition known as ‘depressive realism’ (Alloy & Abramson, 1979).  Research into potential links between an individual’s optimistic/pessimistic outlook for their organisation and their propensity for behaviours impacting organisational resilience could not be found, so a line of enquiry was included in the primary research.

Understanding Vulnerabilities & Risk. The ability to identify and manage vulnerabilities and risk is vital for resilience.  Collins (2009) and Valikangas (2010) consider this to be a strategic task as well as an operational one, with as much importance given to long-term horizon scanning as to identifying operational hazards.  However, there are fundamental issues with the ‘science’ of risk management.  It is properly calculated by multiplying statistical probability by the cost of impact; in reality, risk management is often done by ‘guesstimate’ with heuristics playing a significant role (Gardner, 2009).  Furthermore, the perception can often be that ‘proper’ risk management, as per the guidelines (ISO, 2009), is done by risk managers.  It can therefore be difficult to achieve genuine engagement (Rowe, 2004). Specialist risk managers often feel isolated from general operations, unable to get time with senior management, and believe valuable “risk management data” is “largely ignored” (Strategic Risk, 2008) and is therefore rarely considered to be part of the strategic corporate effort. Yet the seemingly ‘sudden’ disappearances of large companies such as Woolworths, DeLorean, RCA, Arthur Andersen, TWA and Bear Sterns (Daily Finance, 2011) and fraudulent events such as the Barings Bank  collapse (Leeson, 1995) and Enron scandal (BBC, 2002) show risk assessing longer term strategies and current activity at the highest level is prudent.  The impacts of terrorist events such as 7/7, and particularly 9/11 which resulted more than 18,000 businesses being “dislocated, disrupted or destroyed” (Makinen, 2002), have widened the scope of ‘risk’ and registers to increasingly include hazards such as terrorism, employee and leadership issues, crime (Ronndahl, 2005) and supply chains (Sheffi, 2005) yet these particular additions may simply enforce the idea that risk is an operational task.

For resilient strategic decisions to be “informed by facts, not politics” (Beer, 2009) a sound approach to understanding vulnerabilities is required, yet the corporate risk management process can often appear divorced from the corporate strategists as, perhaps, may be demonstrated by its lack of presence in the standards (e.g. ANSOR).

Comprehensive Strategy, Innovation and Governance.Valikangas (2010) asserts constant innovation is vital for resilience, even though it “is too often viewed as merely a distraction – until it pays off”.  Beer (2005) and Collins (2009) preach innovation with a more cautious tone, suggesting incremental development based on existing capabilities and testing before committing high levels of resource.  Balance may perhaps be achieved by Valikangas’s (2005) notion of rehearsing everything, Collins’s (2009) reckoning that innovation must be disciplined and controlled, and Carmeli & Markman (2011) declaring considered expansion, which may include innovation, undertaken with learned and total governance, to be at the very core of resilience in an organisation.

Understanding of Networks.  Though Valikangas’s (2011) work on resilience appears conceptual, when broken down it appears to place intrinsic value on the importance of understanding everything in the organisation as a component in a network.  Staff inside the organisation, relationships outside the organisation, supply chains, technology systems, processes with interdependencies, and even transport and neighbours are essentially networks.  Perrow’s (1999) theory of normal accidents tells us that tighter networks arising from coupled technologies and increasing supply chain variables give more opportunity for mishap, particularly if their linkages are misunderstood.  Understanding these enables the identification of flexibility, redundancy, and opportunities (or the potential for them) and how they might be leveraged when required.   Creating and maintaining social networks and capital can provide substantial resilience capability (Putman, 2000) as demonstrated by Johnson’s (2010) case studies of organisations that successfully leveraged their social capital in times of need.

Business Continuity, Crisis Management Strategies. None of the texts claim that disruption or crisis can be eradicated; Beer (2005) believes crises are “inevitable” when a company exists for a sustained period of time.  Business continuity and crisis management measures enable a company to better respond to and recover from an disruption or incident (BSI, 2006) and those that enable the organisation to identify and take advantage of new opportunities presented due to such events may offer competitive advantage (Valikangas, 2010).  Business Continuity and Crisis Management strategies and planning and tools are therefore essential components of an organisation’s resilience toolkit.                                               

Comprehensive Organisational Understanding and Knowledge Management.  Harnessing learning, retaining knowledge and understanding the organisation is a recurring theme for resilience in all five of the chosen resilience texts.   Truly understanding how things work, interrelate and depend on each other, being able to notice deviations from the norm, and being able to establish the cause of issues (Valikangas, 2010) is vital, as is being able to spot near-misses and “near misses masquerading as successes” (Madsen, 2011).   Information and learning must be tested before being considered knowledge to avoid “dangerous attribution errors” (Gino & Pisano, 2011) and because making robust strategy and operational decisions depend on it (Carmeli & Markman, 2011).    Collins’ (2009) observation that many companies didn’t realise that they were in decline explains potential consequences of lack of understanding and, perhaps, not knowing the difference between organisational effort, chance and serendipity (Valikangas, 2010).  As Beer (2009) notes, “The evidence is overwhelming; declines in organisational performance are almost always caused when leaders avoid realities that are known to everyone… in virtually [every case study we conducted] people at lower levels across multiple functions know the truth”.   Other authors might refer to these indications as “weak signals” (e.g. Medonca, Cunha, Kaivo-oja, 2004) or “accumulation of latent error” (e.g. Rananujam & Goodman, 2003).

 However, understanding how many organisations function can be as complex as their size, networks and tightly coupled systems (Perrow, 1999) and increasingly long supply chains (Sheffi, 2005).  Knowledge that was easily shared in times past may now be held by specialists, suppliers or otherwise held outside the company itself and, as the saying goes “knowledge is power” (Praverand, 1980). Like risk management, capturing learning and knowledge is one of the areas that many organisations find notoriously difficult (Alvesson & Karreman, 2011). De Long and Fahey (2000) found that an organisation’s pro-activity on information sharing and knowledge management depends entirely on its cultural norms.

Culture for Resilience.  Culture is important to resilience, and not just for knowledge management.  Organisational academic Rosabeth Moss Kanter (2011) injects, “resilience is not simply an individual characteristic… Teams that are immersed in a culture of accountability, collaboration and initiative are more likely to believe they can weather any storm… The lesson for leaders is clear: build the cornerstones of confidence – accountability, collaboration, and initiative – when times are good.”  Many concur that a culture of accountability coupled with a commitment to learning is key, (e.g. Lafley, 2011) and, as company culture is invariably dictated by the decisions of its leaders (George, Sleeth, & Siders, 1999), it is the leaders who choose whether resilience is a priority for the organisation.

If leaders choose resilience, building such a “culture takes years… [but is] easily liquidated with a few bad decisions” (Beer, 2009) suggesting it is fragile.  While Sheffi (2005) might encourage the culture to value flexibility and/or redundancy, Beer (2009) prioritises cultivating a highly committed workforce to achieve resilience. In addition to investment in staff capabilities he states this means avoiding layoffs “at all costs” asserting “companies with employment stability outperform their competitors” (Beer, 2009).  Sheffi (2005) isn’t alone in advocating appropriate redundancy and flexibility and is particularly supported by Valikangas (2011) in many areas including systems, technology capacity, stock, and supply chains.  No literature to refute these notions was found but, in tough economic times, one might imagine the cost justification for adding or maintaining redundancy and avoiding staff cuts wherever possible may be a challenge.

Rehearsing.  Valikangas is not alone in suggesting that resilience strategies should rehearsed regularly to ensure they are fit-for-purpose and may be relied upon (Valikangas, 2010), however, the notion of exercising is most prominent in texts regarding business continuity and crisis management arrangements (e.g. BSI, 2006).  Valikangas (2010) takes this much further, proposing organisational leaders practice not just contingency arrangements but for strategies, policies and plans in general, suggesting that while practice might not make perfect it certainly enhances the understanding and potential of the capability.

2.23 Summary


Table 2.2 shows a summary of key features of organisational resilience as discussed above.

Table 2.2: Summary of some key features of an organisational resilience after Sheffi (2005), Valikangas (2010), Beer (2009), Collins (2009) and Carmeli & Markham (2011)

Feature Contribution to resilience
Strong corporate values Inherent strategic and operational direction on what must be upheld and what might be sacrificed
Strong governance Control, understanding and order
Intelligent social capital Useful relationships; forgiveness more attainable; better situational awareness
Strategic vulnerability identification Situational awareness; opportunity to manage/understand risks
Operational vulnerability identification and management Situational awareness; opportunity to manage/understand risks including security, technology, supply chain, etc.
Knowledge management Understanding increases capability and flexibility
Disciplined innovation and growth Discipline minimises potential for mistakes; appropriate innovation/growth may ensures on-going relevance
Understood dependencies/networks Understood networks – including people, technology and supply chain – might be leveraged/protected
Business continuity plans In the event of disruption, critical normal business may continue seamlessly
Crisis management arrangements In the event of crisis, management above and beyond business continuity can be implemented

Reviewing this body of evidence suggests that achieve resilience an organisation should strive for strong values, comprehensive governance, thorough strategic and operational vulnerability identification processes, disciplined innovation, excellent knowledge management, and have solid crisis and continuity planning arrangements in place.  The more resilient companies also understand their networks (and interdependencies, including supply chains),cultivate appropriate social capital, rehearse their resiliency measures and their business continuity and crisis management plans, and seek to embed all these elements into a culture that clearly values its people and its resilience capabilities.   This is not an exhaustive list of organisational resilience indicators, but offers an insight to some of the key themes provided by these authors.

This evidence concurs with Sutcliffe & Vogus’s (2003) statement that “resilience emerges from relatively ordinary adaptive processes”.   Yet this work has already shown that some of these capabilities, particularly around strategizing risk information, managing knowledge, and understanding networks, are among the most difficult for organisations to achieve for a variety of reasons including uncertainty, human nature, complexities, or costs.  Additionally, none of the authors suggest metrics for measuring resilience, nor the value thereof, which adds to the challenge of justifying the pursuance of enhancing the resilience capability.  The need to understand the scope of “Resilience” units that are emerging in organisations was identified in the previous section.   This information may also shed light on whether resilience units are assisting with the more difficult aspects of enhancing resilience capability.

A summary of the lines of enquiry for primary research identified in this section is included at the end of the chapter.

2.3 Can organisational resilience be measured?

The saying that “what can’t be measured can’t be managed” (Drucker, 1993) often translates, according to business leaders such as Dragon’s Den’s Duncan Bannatyne (2011), into the need for Key Performance Indicators (KPIs) and metrics.

Resilience is a capability and, as such, is not easily measurable: “resilience is always active within an organisation but may only be visible during the post-crisis phases” (Stephenson, 2011). However, without visibility of links between resilience, longevity, survival and competitiveness, the ability to create viable business cases for resilience measures may be compromised. Organisations require mechanisms to decide whether the costs of resilience – e.g. financial outlay, slower growth, less profit, restrictions on change – are justified (Sheffi, 2005).   As previously noted, both ANSOR and BS25999 require metrics and monitoring.  ANSOR for “operations that have a material impact on its performance” (ASIS, 2009) and BS25999 for “business continuity capability” (BSI, 2006).  Neither standard offers guidance nor methodology on how to do this.

So can ‘organisational resilience’ or a ‘resilience capability’ be measured?  Some academics suggest it can, but a search for scholarly offerings provided a few explanations of what might be measured but not how it should be done.   A paper by Stephenson (2011) provides a thorough methodology and its indicating factors closely match those identified in the previous section, and is therefore is examined in more detail later in this section.

Mallak (1998) asserts that organisational resilience is dependent on the individual resilience of those who work within it.  Acknowledging he could not measure it directly (another cited example of this is “wisdom, which cannot be directly observed but may be a combination of factors such as scepticism and curiosity” (Mallak, 1998)) he provides a list of indicators for six key attributes on his resilience scale: “goal-directed solution seeking; avoidance; critical understanding; role dependence; source reliance; and resource access”.  In common with the few other papers available to the researcher (see below), it appears that, rather than offering a tool to assign objective numerical values to measure an amount or volume of resilience capability within an organisation, the authors proffer assigning perceived values to a number of factors that the author(s) claim indicate resilience within the organisation.  In a number of cases it appears these are considered benchmarking tools rather than exact ‘measures’. For example, the Multidisciplinary Centre for Earthquake Engineering Research (MCEER) at the University of Buffalo use a “4R Framework” of indicators: robustness, redundancy, resourcefulness and rapidity (Teirny & Bruneau, 2007) while Sutcliffe (2007) – which is also cited by Stephenson (2011) – appears to concur with Beer’s (2009) notion that high reliability often indicates high resilience while considering metrics for their key resilience indicators: ‘anticipation’ and ‘containment’.

Stephenson (2011) critiques most of the above-mentioned studies as well as more by Somer, Weick, Sutcliffe and Panton.  She concludes their results contribute to the knowledge but are all limited by shortcomings in sampling and lack of quantitative testing to date. Acknowledging that organisations need metrics, Stephenson continues with the work of her sponsor, the Resilient Organisations Research Group (ResOrgs), to propose resilience indicators complete with a metric measurement offering (Stephenson, Benchmarking the Resilience of Organisations, 2011).   Examining the above frameworks in light of the literature reviewed in 2.2 How is Resilience Achieved? suggests clear similarities in findings, including MCEERs markers: redundancy, resourcefulness and rapidity (Teirny & Bruneau, 2007), and Sutcliffe’s (2007) anticipation and containment.  However, the tool explained by Stephenson (2011) is of particular interest to this study due to the obviously close correlation between the key indicators for resilience identified by the literature review, and the factors identified and used in the tool[3].

It is noted that the tool belongs to ResOrgs, a multi-disciplinary team of academic researchers, state sponsored by New Zealand, operating under the auspices of two universities: Auckland and Canterbury[4].   The detailed methodology of the tool proposed is provided by Stephenson’s PhD paper, which was later reworked for publication by ResOrgs in 2011 (see Stephenson, 2011).  The tool was also  summarized succinctly in academic papers elsewhere, e.g. a paper in the Australian Journal of Emergency Management by Stephenson, Vargo & Seville (2010). “Stephenson, 2011” is more heavily referenced herein, however, since the primary research of this dissertation relies heavily on the underlying detail and methodology of the tool.

Figure 2c shows the key factors identified by Stephenson’s tool along its horizontal axis.

Figure 2c: An example of output from a modified version of Stephenson’s Business Resilience Tool

Though this study did not test the tool, close examination of the work suggests several reasons to conclude that it has a number of shortcomings as a pure measurement tool. For example:

  • The tool only creates values for the capabilities identified for resilience, as per Figure 2c. Though the indicators closely match the indicators identified in this study, no claim is made (by Stephenson (2011) or this work) that the list is exhaustive or fully explains the resilience capability.
  • The methodology requires employees to provide their individual perception of the organisation’s capability level for each resilience factor.  Though the requirement for a significant number of employees to participate enhances the opportunity for a realistic reflection of the actual level of capability (Rowntree, 2000), individual and group perceptions – as already noted with regard to risk assessment – are often fundamentally flawed (Gardner, 2009).
  • The term “measurement” implies that consistently identical results would be achieved for one organisation if the process were repeated several times by different pools of participants within the organisation (Social Research Methods, 2006).  There is no evidence that this testing has been undertaken; Stephenson appears to reflect this by referring to the process as a “benchmarking” tool (Stephenson, 2011) in her academic work.

Based on this, it must be concluded that this study has not identified a way to measure total organisational resilience. This was not an unexpected result given the issues associated with uncertainty (Gardner, 2009): how can organisations be made resilient when exactly what the future holds is unknown, and how can the utility of resilience measures be evaluated if the things they protected us from did not happen (Taleb, 2007)?

However, it must also be concluded that there are a number of positive uses for Stephenson’s benchmarking tool in the resilience arena.  The factors identified concur with the literature review herein, suggesting confirmation that the factors benchmarked by the tool provide significant contributions to organisational resilience. The robust, academic methodology provides organisations with a visual representation of their employee’s perception of the capability level of each of these factors, which may highlight areas for improvement.  And, of course, by choosing to better understand their resilience capability via a route that involves employees, organisations are investing in a culture for resilience.

The tool is also particularly useful for the research purposes of this study, which includes the aim to determine whether a leader’s individual propensity for resilient behaviours (PRB) can be measured. Stephenson’s tool asks individuals to describe their perception of an organisation’s propensity to invest in behaviours that enhance organisational resilience.   If the same questions were asked of an individual leader, in terms of their own personal behaviour rather than their perceptions for the organisation, a resulting benchmark value could be assigned to their individual propensity for the identified behaviour to enhance organisational resilience.  Thus Stephenson’s tool could be adapted to measure an individual leader’s PRB by asking the individual to respond with regard to his/her own behaviour as opposed to that of the organisation.


 2.4 Chapter Summary

This chapter has provided some answers to the first four objectives identified in the research focus (see page 13), but also presented a number of new lines of enquiry for primary research.

The definition of organisational resilience (question 1) is a matter of debate in the professional world, but academic texts allow us to determine and use the working definition provided on page 20.   A diverse range of academic literature provided common themes on how resilience is achieved (question 2), and this is summarized on pages 31/32, though it is noted that this list is indicative but not exhaustive.   However, it is apparent that professional guidance may suggest resilience is achieved simply by combining the efforts of those they consider to be the ‘resilience units’: risk management, business continuity, physical and information security and crisis management.  This study must conclude therefore, that the guidance provided by the professional standards is misleading as though the ‘resilience units’ are clearly a vital part of the overall resilience capability, they remain only a slice of that capability.

This study was not able to identify an objective, reliable method of measuring organisational resilience (question 3) in the true sense of the word ‘measure’.  However, the factors identified via the literature review concur with those used in Stephenson’s resilience benchmarking tool (Stephenson, 2011) which provides scales to gauge and place values on individual and group perceptions of the factors identified by the tool (and this study) as key contributors toward capabilities that enhance organisational resilience.  Since Stephenson’s tool already captures perceptions for individuals regarding the organisation, the tool could be adapted to enquire about an individual’s propensity for resilient behaviour (PRB) instead of that of their organisation.  Thus (question 4) an individual leader’s PRB – for those factors identified – might be gauged.

Two questions were not answered by this literature review and these were added to the lines of enquiry for primary research.


2.41 Lines of Enquiry for Primary Research 

The primary research aims to provide insight on the two outstanding research questions:

  1. Establish organisational leaders’ understanding of the term organisation resilience
  2. Identify circumstances in which a leader’s PRB might be predicted or improved

 The following lines of enquiry for primary research were identified in the Issue and Literature Review:

  1. Do organisations understand the concept of resilience to be a strategic capability or a functional business interruption management system?
  2. What are the scope and responsibilities of business units called “Resilience”?
  3. Are organisations with significant ‘moral purposes’ (e.g. charities and not-for-profit) led by people with higher propensities for resilient behaviour?

10. Do leaders who believe that accepting constraints to organisational values, strategy, financial and cultural risks is likely to increase resilience have higher propensities for resilient behaviours.

11. Does the presence of realistic optimism in the leaders of an organisation impact the propensity for behaviours that contribute to organisational resilience?

12. Are “Resilience” units assisting with the more difficult aspects of enhancing the resilience capability?

[1] This notion, and the link to Sutcliffe & Vogus (2003), was provided to this study by Ned Powley, Assistant Professor of Management at the US Naval Postgraduate School at Michigan University, in a personal email discussion on 16 August 2011 prompted by discussion on this study’s blog at

[3]  The author of “Stephenson, 2011”, Amy Lee (nee Stephenson) was in touch with this study via its accompanying blog and offered her then-still unpublished PhD paper produced during her time with ResOrgs.

[4] All ResOrg’s published works may be found in full at

Posted in: Uncategorized