Organizational Resilience: How Companies Can Navigate Security Threats — and Even Grow Stronger as a Result

It’s impossible to prepare for every single security threat facing your business. You can identify all the potential dangers that you’ve seen before —- petty crime, fire, natural disaster, fraud — and build detailed, fully resourced response plans for each one. But there’s always the possibility that a “black swan” disaster is waiting in one of your blind spots. And we all have blind spots. 

Fortunately, your team isn’t helpless. The key is to develop organizational resilience. While you can’t prepare for every eventuality, it’s possible to develop culture, systems and policies that let your organization respond to and even grow as a result of these unexpected shocks to your system, whether you’re struggling with a rise in shoplifting, credit card scams or something even worse. 

The good news is that you don’t have to do it alone. Your security contractor should be able to offer expert advice on developing and employing resilience as a strategy.  

What is organizational resilience?

Organizational resilience is the ability to encounter some type of disruption, large or small, and emerge from it stronger. After the last few years — with a global pandemic, war in Ukraine, massive supply chain disruptions, and political and social unrest — a growing number of companies have expressed interest in this strategy. After living through so many unexpected events, they’re looking for a way to be ready for any possible challenge.

Not only does organizational resilience make it easier for organizations to respond to crises, it can also deliver real benefits for your company. Resilient companies are more likely to adopt new (and smarter) policies and make investments that ultimately pay off in big ways, such as stronger financial returns. 

During the 2008 economic crisis, McKinsey & Co. found that 10% of publicly traded companies in its research base — what McKinsey called “resilients” —  were able to grow their EBITDA by 10% before the crisis hit its lowest point in 2009, while similar businesses had lost 15%.

And research from the BCG Henderson Institute shows that 30% of a company’s total shareholder return occurred during the 11% of quarters when a crisis occurred. Meaning that, if a company responded well during a challenge, it could generate almost three times the results of work done in a less chaotic period.

When it comes to security matters, organizational resilience can also increase your ability to prevent worst-case scenarios, such as the loss of life or the business shutting down for weeks.  

How to develop organizational resilience

Researchers have spent years researching the best practices for encouraging resilience. Here are some of the most common and effective.

You can’t prepare for everything, but prepare for what you can

Resilient organizations take the time to identify the most likely security and safety threats and develop playbooks for either preventing or responding to those events, whether that’s a significant weather event, an armed encounter, a run of burglaries or some other concern. Those playbooks — which should be regularly updated — typically cover:

• Incident response: How to respond to the event as it’s happening 
• Crisis communications: Who needs to be contacted and how to reach out to them, along with systems that can function in the event of widespread outages
• Business continuity: How to bring critical functions back online as rapidly as possible, which could continue plans for backup locations, temporary outsourcing, alternative suppliers and more.

Your security contractor could be an important contributor to the development of these plans, whether the contractor helps identify potential threats or recommends best practices for specific use cases.

Many security firms can also pick up critical emergency functions that your team might not typically staff for, like serving as a liaison with police and the press.

While all departments will contribute to preparations, IT should be an essential part of your preparations. That includes devoting the necessary sources to prevent or limit technology-related risks such as ransomware, data breaches and other losses. IT should also invest in tools that allow the organization get up and running again after an emergency, such as backup data storage and remote-working devices and apps. 

Again, check with your security contractor. They may have a technology division that can suggest potential tools, implement them for you or — if your team oversees its own solution — run penetration tests to ensure everything is working correctly.  

Smart, speedy decisions

Let’s say that your business operates in a region where earthquakes almost never occur — and then suddenly, a major quake strikes. Because it’s so uncommon, you don’t have a playbook to govern your response. What should you do?

During a crisis, it’s important for organizations to make good decisions quickly. To do that, you must clarify who has the responsibility for making different kinds of choices. Otherwise, it can lead to delays as the team tries to get input from every single decision-maker. 

(Note that we said good decisions, not perfect decisions. In a crisis, a good decision made quickly is usually more useful than a perfect decision next week.)

According to McKinsey & Co., resilient organizations take time in advance to spell out what types of decisions should be made at each level of the organization. That way, the C-suite can weigh in on decisions that should be made at that level, while others that are lower in the chain of command have the flexibility to respond to other questions.  

Consider bringing your security contractor into these discussions, too. They may have detailed expertise in challenges that your team hasn’t experienced before. 

Meetings are for problem-solving

To make the most of their time, some resilient organizations use their meetings to discuss problems and develop solutions — and only do those two things. That means no presentations. 

All the relevant information is sent along in advance, and it’s the responsibility of the attendees to review that information before the meeting. That way, the meetings can be laser-focused on creative problem-solving. 

Empowered teams

One way to get more done during crisis? Assign a small team with representatives from different key departments or functions to tackle the problem, and then give them room to work without specifying exactly how to solve the problem. There’s less bureaucracy, but crucial viewpoints are still represented in the decision-making process. And because the solution isn’t prescribed, you give the team freedom to find an out-of-box way forward.

Of course, there’s more to it than just setting up a team. They need to have a clear idea of what needs to occur, as well as limits on what they can’t or shouldn’t do. There also needs to be accountability to hold those teams responsible for their efforts.

Accountability and psychological safety 

Part of resilience means learning from challenges, so smart organizations have systems in place to conduct postmortems and similar reviews of their responses, so they can identify what worked (and should be repeated) and what didn’t (so it can be avoided). 

At the same time, resilient organizations also make a habit of psychological safety – making it possible for employees to speak up, take reasonable risks and even fail without being penalized. Without that grace, team members will be much less likely to bring forward new ideas and make valuable but unexpected contributions. 

Adaptable leadership

Resilient leaders not only manage a crisis, they find a way to learn from the experience and teach their teams to grow from it, McKinsey found. Part of that involves using “challenging leadership” — that is, they challenge their teams to find new ways to solve problems and achieve goals.

Talent and culture

Ultimately, resilient organizations are made up of resilient people who are motivated by the organization’s purpose and feel empowered to take action when necessary. It’s possible to recruit and hire for those characteristics, but it’s more important to create a culture where they’re encouraged and reinforced on a daily basis. That way, when an emergency occurs, your team instinctively knows how to react.

In a hot job market, turnover can be a threat, too, so in resilient organizations, the HR function will identify potential skill gaps, especially in the most crucial roles, and find ways to keep the employee pipeline full. That might mean adjusting job requirements to accept applicants that don’t have a traditional degree or experience, or adapting the hiring process to accelerate offers and help the organization compete against other businesses that are looking for new hires. 

Resilient organizations also invest in the ongoing development and education of their people, identifying their potential and helping them develop those strengths so they can be put to greater use. That investment can also help the organization improve its retention of key personnel. 

The bottom line on organizational resilience

In a world that feels more unsettled than ever, it’s critical for businesses to develop and practice resilience, so they not only survive new challenges, but come back stronger as a result. 

Emergency preparation is a big part of that, but smart leaders also teach best practices — like empowered teams, psychological safety and agile decision-making — that allow their teams to learn from the experience. By making the correct investments in policies, people, planning and equipment, you can turn even the toughest challenge into a way forward.