Organizational Resilience: How Companies Can Navigate Security Threats — and Even Grow Stronger as a Result

It’s impossible to prepare for every single security threat facing your business. You can identify all the potential dangers that you’ve seen before —- petty crime, fire, natural disaster, fraud — and build detailed, fully resourced response plans for each one. But there’s always the possibility that a “black swan” disaster is waiting in one of your blind spots. And we all have blind spots. 

Fortunately, your team isn’t helpless. The key is to develop organizational resilience. While you can’t prepare for every eventuality, it’s possible to develop culture, systems and policies that let your organization respond to and even grow as a result of these unexpected shocks to your system, whether you’re struggling with a rise in shoplifting, credit card scams or something even worse. 

The good news is that you don’t have to do it alone. Your security contractor should be able to offer expert advice on developing and employing resilience as a strategy.  

What is organizational resilience?

Organizational resilience is the ability to encounter some type of disruption, large or small, and emerge from it stronger. After the last few years — with a global pandemic, war in Ukraine, massive supply chain disruptions, and political and social unrest — a growing number of companies have expressed interest in this strategy. After living through so many unexpected events, they’re looking for a way to be ready for any possible challenge.

Not only does organizational resilience make it easier for organizations to respond to crises, it can also deliver real benefits for your company. Resilient companies are more likely to adopt new (and smarter) policies and make investments that ultimately pay off in big ways, such as stronger financial returns. 

During the 2008 economic crisis, McKinsey & Co. found that 10% of publicly traded companies in its research base — what McKinsey called “resilients” —  were able to grow their EBITDA by 10% before the crisis hit its lowest point in 2009, while similar businesses had lost 15%.

And research from the BCG Henderson Institute shows that 30% of a company’s total shareholder return occurred during the 11% of quarters when a crisis occurred. Meaning that, if a company responded well during a challenge, it could generate almost three times the results of work done in a less chaotic period.

When it comes to security matters, organizational resilience can also increase your ability to prevent worst-case scenarios, such as the loss of life or the business shutting down for weeks.  

How to develop organizational resilience

Researchers have spent years researching the best practices for encouraging resilience. Here are some of the most common and effective.

You can’t prepare for everything, but prepare for what you can

Resilient organizations take the time to identify the most likely security and safety threats and develop playbooks for either preventing or responding to those events, whether that’s a significant weather event, an armed encounter, a run of burglaries or some other concern. Those playbooks — which should be regularly updated — typically cover:

  • Incident response: How to respond to the event as it’s happening 
  • Crisis communications: Who needs to be contacted and how to reach out to them, along with systems that can function in the event of widespread outages
  • Business continuity: How to bring critical functions back online as rapidly as possible, which could continue plans for backup locations, temporary outsourcing, alternative suppliers and more.

Your security contractor could be an important contributor to the development of these plans, whether the contractor helps identify potential threats or recommends best practices for specific use cases.

Many security firms can also pick up critical emergency functions that your team might not typically staff for, like serving as a liaison with police and the press.

While all departments will contribute to preparations, IT should be an essential part of your preparations. That includes devoting the necessary sources to prevent or limit technology-related risks such as ransomware, data breaches and other losses. IT should also invest in tools that allow the organization get up and running again after an emergency, such as backup data storage and remote-working devices and apps. 

Again, check with your security contractor. They may have a technology division that can suggest potential tools, implement them for you or — if your team oversees its own solution — run penetration tests to ensure everything is working correctly.  

Smart, speedy decisions

Let’s say that your business operates in a region where earthquakes almost never occur — and then suddenly, a major quake strikes. Because it’s so uncommon, you don’t have a playbook to govern your response. What should you do?

During a crisis, it’s important for organizations to make good decisions quickly. To do that, you must clarify who has the responsibility for making different kinds of choices. Otherwise, it can lead to delays as the team tries to get input from every single decision-maker. 

(Note that we said good decisions, not perfect decisions. In a crisis, a good decision made quickly is usually more useful than a perfect decision next week.)

According to McKinsey & Co., resilient organizations take time in advance to spell out what types of decisions should be made at each level of the organization. That way, the C-suite can weigh in on decisions that should be made at that level, while others that are lower in the chain of command have the flexibility to respond to other questions.  

Consider bringing your security contractor into these discussions, too. They may have detailed expertise in challenges that your team hasn’t experienced before. 

Meetings are for problem-solving

To make the most of their time, some resilient organizations use their meetings to discuss problems and develop solutions — and only do those two things. That means no presentations. 

All the relevant information is sent along in advance, and it’s the responsibility of the attendees to review that information before the meeting. That way, the meetings can be laser-focused on creative problem-solving. 

Empowered teams

One way to get more done during crisis? Assign a small team with representatives from different key departments or functions to tackle the problem, and then give them room to work without specifying exactly how to solve the problem. There’s less bureaucracy, but crucial viewpoints are still represented in the decision-making process. And because the solution isn’t prescribed, you give the team freedom to find an out-of-box way forward.

Of course, there’s more to it than just setting up a team. They need to have a clear idea of what needs to occur, as well as limits on what they can’t or shouldn’t do. There also needs to be accountability to hold those teams responsible for their efforts.

Accountability and psychological safety 

Part of resilience means learning from challenges, so smart organizations have systems in place to conduct postmortems and similar reviews of their responses, so they can identify what worked (and should be repeated) and what didn’t (so it can be avoided). 

At the same time, resilient organizations also make a habit of psychological safety – making it possible for employees to speak up, take reasonable risks and even fail without being penalized. Without that grace, team members will be much less likely to bring forward new ideas and make valuable but unexpected contributions. 

Adaptable leadership

Resilient leaders not only manage a crisis, they find a way to learn from the experience and teach their teams to grow from it, McKinsey found. Part of that involves using “challenging leadership” — that is, they challenge their teams to find new ways to solve problems and achieve goals.

Talent and culture

Ultimately, resilient organizations are made up of resilient people who are motivated by the organization’s purpose and feel empowered to take action when necessary. It’s possible to recruit and hire for those characteristics, but it’s more important to create a culture where they’re encouraged and reinforced on a daily basis. That way, when an emergency occurs, your team instinctively knows how to react.

In a hot job market, turnover can be a threat, too, so in resilient organizations, the HR function will identify potential skill gaps, especially in the most crucial roles, and find ways to keep the employee pipeline full. That might mean adjusting job requirements to accept applicants that don’t have a traditional degree or experience, or adapting the hiring process to accelerate offers and help the organization compete against other businesses that are looking for new hires. 

Resilient organizations also invest in the ongoing development and education of their people, identifying their potential and helping them develop those strengths so they can be put to greater use. That investment can also help the organization improve its retention of key personnel. 

The bottom line on organizational resilience

In a world that feels more unsettled than ever, it’s critical for businesses to develop and practice resilience, so they not only survive new challenges, but come back stronger as a result. 

Emergency preparation is a big part of that, but smart leaders also teach best practices — like empowered teams, psychological safety and agile decision-making — that allow their teams to learn from the experience. By making the correct investments in policies, people, planning and equipment, you can turn even the toughest challenge into a way forward.

Sign up!

For industry-leading guides and analysis sign up for our blog below.

  • This field is for validation purposes and should be left unchanged.

Latest News

6 new business risks crom Coronavirus

6 New Risks for Businesses post COVID-19

By Chesley Brown | May 5, 2020

Coronavirus: 6 New Business Risks Your risk management strategy can and should play an important role in managing your business’s response to the coronavirus outbreak. By implementing the right risk management strategies for coronavirus, your…

Read More
Crisis Management Process Framework diagram

5 Tips for Creating Better Crisis Management Plans

By Chesley Brown | April 29, 2020

Like a lot of people, you may be wondering what comes next for your business or organization following the Coronavirus outbreak (or any other crisis for that matter). Well, you’ve come to the right place.…

Read More

FREE DOWNLOAD Securing a New World: Security, COVID-19, and Boots on the Ground

By Chesley Brown | March 16, 2020

There can be no argument that technology has infiltrated virtually every aspect of daily life for the vast majority of people and businesses across the world. Technology is woven into the social fabric of everyday life. It monitors our movements, our interests, our purchasing power, our locations, habits, our risk to insurers, our body chemistry, and health. Our images are captured overtly and unknowingly 1000’s of times daily. It captures the best of us in amazing acts of heroism and human interaction, and it captures the worst of us; for accountability and delivery of justice.

Read More

When it Comes to Corporate Espionage, Harvard’s Dr. Lieber is Just the Tip of the Iceberg

By Chesley Brown | February 5, 2020

When it Comes to Espionage Harvard’s Dr. Lieber is Just the Tip of the Iceberg From Chesley Brown International By Dell Spry Renowned Harvard Professor Arrested for Lying About Connection to China. Feb 5th, 2020…

Read More

Chesley Brown Launches Initiative to Fight Human Trafficking

By Chesley Brown | January 13, 2020

Chesley Brown Launches New Initiative to Fight Human Trafficking From The Chesley Brown Group Risk Management [dpArticleShare] Chesley Brown, the security management experts, announced today a new training initiative to provide support to victims, families,…

Read More
The 7 Step Guide for Building Business Continuity Plans that Work