Organizational Resilience: How Companies Can Navigate Security Threats — and Even Grow Stronger as a Result

It’s impossible to prepare for every single security threat facing your business. You can identify all the potential dangers that you’ve seen before —- petty crime, fire, natural disaster, fraud — and build detailed, fully resourced response plans for each one. But there’s always the possibility that a “black swan” disaster is waiting in one of your blind spots. And we all have blind spots. 

Fortunately, your team isn’t helpless. The key is to develop organizational resilience. While you can’t prepare for every eventuality, it’s possible to develop culture, systems and policies that let your organization respond to and even grow as a result of these unexpected shocks to your system, whether you’re struggling with a rise in shoplifting, credit card scams or something even worse. 

The good news is that you don’t have to do it alone. Your security contractor should be able to offer expert advice on developing and employing resilience as a strategy.  

What is organizational resilience?

Organizational resilience is the ability to encounter some type of disruption, large or small, and emerge from it stronger. After the last few years — with a global pandemic, war in Ukraine, massive supply chain disruptions, and political and social unrest — a growing number of companies have expressed interest in this strategy. After living through so many unexpected events, they’re looking for a way to be ready for any possible challenge.

Not only does organizational resilience make it easier for organizations to respond to crises, it can also deliver real benefits for your company. Resilient companies are more likely to adopt new (and smarter) policies and make investments that ultimately pay off in big ways, such as stronger financial returns. 

During the 2008 economic crisis, McKinsey & Co. found that 10% of publicly traded companies in its research base — what McKinsey called “resilients” —  were able to grow their EBITDA by 10% before the crisis hit its lowest point in 2009, while similar businesses had lost 15%.

And research from the BCG Henderson Institute shows that 30% of a company’s total shareholder return occurred during the 11% of quarters when a crisis occurred. Meaning that, if a company responded well during a challenge, it could generate almost three times the results of work done in a less chaotic period.

When it comes to security matters, organizational resilience can also increase your ability to prevent worst-case scenarios, such as the loss of life or the business shutting down for weeks.  

How to develop organizational resilience

Researchers have spent years researching the best practices for encouraging resilience. Here are some of the most common and effective.

You can’t prepare for everything, but prepare for what you can

Resilient organizations take the time to identify the most likely security and safety threats and develop playbooks for either preventing or responding to those events, whether that’s a significant weather event, an armed encounter, a run of burglaries or some other concern. Those playbooks — which should be regularly updated — typically cover:

  • Incident response: How to respond to the event as it’s happening 
  • Crisis communications: Who needs to be contacted and how to reach out to them, along with systems that can function in the event of widespread outages
  • Business continuity: How to bring critical functions back online as rapidly as possible, which could continue plans for backup locations, temporary outsourcing, alternative suppliers and more.

Your security contractor could be an important contributor to the development of these plans, whether the contractor helps identify potential threats or recommends best practices for specific use cases.

Many security firms can also pick up critical emergency functions that your team might not typically staff for, like serving as a liaison with police and the press.

While all departments will contribute to preparations, IT should be an essential part of your preparations. That includes devoting the necessary sources to prevent or limit technology-related risks such as ransomware, data breaches and other losses. IT should also invest in tools that allow the organization get up and running again after an emergency, such as backup data storage and remote-working devices and apps. 

Again, check with your security contractor. They may have a technology division that can suggest potential tools, implement them for you or — if your team oversees its own solution — run penetration tests to ensure everything is working correctly.  

Smart, speedy decisions

Let’s say that your business operates in a region where earthquakes almost never occur — and then suddenly, a major quake strikes. Because it’s so uncommon, you don’t have a playbook to govern your response. What should you do?

During a crisis, it’s important for organizations to make good decisions quickly. To do that, you must clarify who has the responsibility for making different kinds of choices. Otherwise, it can lead to delays as the team tries to get input from every single decision-maker. 

(Note that we said good decisions, not perfect decisions. In a crisis, a good decision made quickly is usually more useful than a perfect decision next week.)

According to McKinsey & Co., resilient organizations take time in advance to spell out what types of decisions should be made at each level of the organization. That way, the C-suite can weigh in on decisions that should be made at that level, while others that are lower in the chain of command have the flexibility to respond to other questions.  

Consider bringing your security contractor into these discussions, too. They may have detailed expertise in challenges that your team hasn’t experienced before. 

Meetings are for problem-solving

To make the most of their time, some resilient organizations use their meetings to discuss problems and develop solutions — and only do those two things. That means no presentations. 

All the relevant information is sent along in advance, and it’s the responsibility of the attendees to review that information before the meeting. That way, the meetings can be laser-focused on creative problem-solving. 

Empowered teams

One way to get more done during crisis? Assign a small team with representatives from different key departments or functions to tackle the problem, and then give them room to work without specifying exactly how to solve the problem. There’s less bureaucracy, but crucial viewpoints are still represented in the decision-making process. And because the solution isn’t prescribed, you give the team freedom to find an out-of-box way forward.

Of course, there’s more to it than just setting up a team. They need to have a clear idea of what needs to occur, as well as limits on what they can’t or shouldn’t do. There also needs to be accountability to hold those teams responsible for their efforts.

Accountability and psychological safety 

Part of resilience means learning from challenges, so smart organizations have systems in place to conduct postmortems and similar reviews of their responses, so they can identify what worked (and should be repeated) and what didn’t (so it can be avoided). 

At the same time, resilient organizations also make a habit of psychological safety – making it possible for employees to speak up, take reasonable risks and even fail without being penalized. Without that grace, team members will be much less likely to bring forward new ideas and make valuable but unexpected contributions. 

Adaptable leadership

Resilient leaders not only manage a crisis, they find a way to learn from the experience and teach their teams to grow from it, McKinsey found. Part of that involves using “challenging leadership” — that is, they challenge their teams to find new ways to solve problems and achieve goals.

Talent and culture

Ultimately, resilient organizations are made up of resilient people who are motivated by the organization’s purpose and feel empowered to take action when necessary. It’s possible to recruit and hire for those characteristics, but it’s more important to create a culture where they’re encouraged and reinforced on a daily basis. That way, when an emergency occurs, your team instinctively knows how to react.

In a hot job market, turnover can be a threat, too, so in resilient organizations, the HR function will identify potential skill gaps, especially in the most crucial roles, and find ways to keep the employee pipeline full. That might mean adjusting job requirements to accept applicants that don’t have a traditional degree or experience, or adapting the hiring process to accelerate offers and help the organization compete against other businesses that are looking for new hires. 

Resilient organizations also invest in the ongoing development and education of their people, identifying their potential and helping them develop those strengths so they can be put to greater use. That investment can also help the organization improve its retention of key personnel. 

The bottom line on organizational resilience

In a world that feels more unsettled than ever, it’s critical for businesses to develop and practice resilience, so they not only survive new challenges, but come back stronger as a result. 

Emergency preparation is a big part of that, but smart leaders also teach best practices — like empowered teams, psychological safety and agile decision-making — that allow their teams to learn from the experience. By making the correct investments in policies, people, planning and equipment, you can turn even the toughest challenge into a way forward.

Sign up!

For industry-leading guides and analysis sign up for our blog below.

  • This field is for validation purposes and should be left unchanged.

Latest News

theft of trade secrets: A business man with his head in his hands dispairingnover the loss of his trade secrets. Theft of trade secrets is big problem for businesses.

Theft of Trade Secrets: How to Prevent the Loss of Key Intellectual Property

By Chesley Brown | August 2, 2022

Written by: James Hart The names have been changed, but the following story is a compilation of real situations faced by real businesses. Doug Medford had never considered himself paranoid. But there were too many…

Read More

How to Prepare for a Cyberattack

By Chesley Brown | April 6, 2022

Written by: Dell Spry At Chesley Brown, nothing is more sacrosanct than the safety and security of our clients. It is our intention to keep you educated, updated, and informed as world events continue to…

Read More
Picture of the Empire State Building in the foreground on September 11th with the buring World Trade Towers in the background

How the Events of September 11th Have Impacted National Security

By Chesley Brown | September 2, 2021

How Has National Security Evolved Since September 11th, 2001? Written by: Dell Spry As I sit and write this paper, Afghanistan is collapsing.  It is not my intention to point the finger at anyone and…

Read More
The Colonial Pipeline Attack revealed how underprepared our nation's critical infrastructure is to outside threats.

A Nation Under Attack: The Colonial Pipeline Attack

By Chesley Brown | May 20, 2021

Written by: Dell Spry Introduction: Before the Colonial Pipeline Attack In earlier centuries wars were fought between nation states to acquire water and fertile land. Then came the quest for natural resources; gold, silver, oil.…

Read More
security risk firm at a A office tower

Reasons to Hire an Outside Security Risk Firm

By Chesley Brown | February 2, 2021

The security services industry is one of the fastest growing industries in America today. With so many disruptive technologies, emerging threats, and the growing frequency of natural disasters, its easy to understand why — It…

Read More
The 7 Step Guide for Building Business Continuity Plans that Work