8 minute read 11 Oct 2021
Minimizing chaos amid crisis through organizational resilience


By Jake Basile

Manager, Consulting, EY Sweden

Protecting clients from the “what if?” Certified CISM, CISA, CRISC, CFE and AMBCI. Specializing in organizational resilience, including crisis, disaster, emergency and business continuity management.

Related topics Cybersecurity Risk Consulting

A diligent organizational resilience framework is important for cohesive operations during crises.

In brief: 
  • Organizational resilience planning can only be achieved through an established resilience-focused culture within.
  • Today, organizations face more vulnerabilities across the board than ever before – making this an optimal time to plan for the unknown.

The COVID-19 pandemic continues to test the overall resilience levels of organizations worldwide. At its height, the pandemic led to the closure of 20% of the small and medium-sized enterprises (SMEs) in Europe, and those numbers are still recovering. An Experian analysis*) outlined that during mid-2020, bankruptcies in Finland and Sweden grew by 36% and 30% year on year, respectively. Additionally, supply chain disruptions are now prevalent all over the globe. At times, gaps and root causes are easily overlooked amid the chaos of recovery. This is where organizational resilience can make a significant contribution.

The COVID-19 pandemic has been one of the most impactful crises in recent history. The effect it had on organizations was unprecedented across the following key areas:

  • Staff health and safety
  • Supply chain
  • Communications
  • Technology
  • Mobility
  • Profitability

Though the impact was detrimental to companies, the pandemic explicitly showcased the importance of organizational resilience. As a result, organizations have started to make resilience a priority by allocating appropriate budgets, resources and time toward ensuring continued service to customers, where applicable.
Before the pandemic, resilience planning was a chore, and work conducted in that space was brief and lacked the necessary depth. It was just enough to tick the boxes.

Why should I spend my time on organizational resilience?

Organizational resilience, much like personal resilience, refers to the ability to recover after an adverse event has occurred. Such events that warrant adequate resilience planning include, but are not limited to:

  1. Cyberattacks: Ransomware, malware, phishing, Denial of Service/Distributed Denial of Service (DoS/DDoS), Structured Query Language (SQL) injection, man-in-the-middle and brute-force attacks, to name a few, can drastically hinder the confidentiality, integrity and availability of critical applications. Due to the continued “work-from-home” guidance, remote workers are the main targets for cybercriminals. For example, effective measures over virtual private network (VPN) services can reduce your organization’s reputational and financial loss.
  2. Natural disasters: Floods, fires and earthquakes (including the power outages they cause) may be infrequent where your organization operates. However, it only takes one instance to bring operations to a prolonged halt, especially if your data centers are nearby. An important note to keep in mind is that an organization’s critical third-party suppliers may also be at risk from the same natural disaster.
  3. Political risk and extremism: The Business Continuity Institute (BCI) 2021 Horizon Scan reflects the rise in political risk to the continued operations of organizations. The political protests of last year resulted in tremendous global losses, mainly across France (US$90m), Hong Kong (US$77m), Chile (US$2b) and Ecuador (US$821m).
  4. Pandemics: As we’ve seen over the past 18 months, businesses are very susceptible to a lack of staff and a lack of “normal” foot traffic.

The identification of an organization’s critical processes and the associated recovery time objectives (RTOs), recovery point objectives (RPOs) and maximum allowable outages (MAOs) immediately gives decision-makers a good idea of where vulnerabilities may lie. Additionally, when derived through a business impact analysis (BIA), they help identify the areas that require a more scrupulous (and rapid) eye during an organization-wide recovery.

Proper documentation of such critical processes, their agreed-upon recovery strategies and manual workarounds in business continuity plans (BCPs) provides priceless insights. Furthermore, the documents act as reference points for recovery teams (including rescue and salvage teams) when they are tasked with prioritizing efforts during a crisis.

In conjunction with the BIA and BCPs, it is paramount that key systems and infrastructure (including storage services, such as the cloud) have disaster recovery plans (DRPs) reinforced with various periodic disaster recovery tests (DRTs). Tests can fall under either simulated or physical tests.

  • Simulated tests include tabletop, structured and full simulation tests.
  • Physical tests include parallel processing, partial and full interruption tests.

The tests chosen depend on the systems, the type of data held, budgets and resources. As a result, the ability of recovery teams to confidently implement strategies and next steps during a business-hindering event may eventually save the organization.

Striking a balance while performing BIAs, designing comprehensive BCPs, and consequently implementing DRPs and tests can significantly increase the organization’s ability to return to business as usual, with adequate consideration for governance, testing and overall staff awareness.

Benchmarking organizational resilience

There are multiple standards followed in an attempt to comply with international guidelines and prepare for a business-hindering event.

The fundamental building blocks for the implementation of an effective organizational resilience program are comprehensive risk management processes. Such processes are used across the organization. The International Organization for Standardization (ISO) 31000:2018 – Risk Management is a globally recognized standard used across industries. However, the planning for organizational resilience requires additional approaches being embedded within the organization.

The BS 65000 Organizational Resilience standard is rapidly becoming one of the most widely cited standards in organizations worldwide.

Some widely used resilience standards are listed below:

  • The BS 65000 Organizational Resilience
  • ISO 9001 – Quality Management Systems
  • ISO 27001 – Information Security Management
  • ISO 45001 – Occupational Health and Safety

Alternatively, guidance can be obtained through National Institute of Standards and Technology (NIST) Special Publication 800-34, which provides instructions, recommendations and considerations for federal information system contingency planning, and through the following:

  • ISO/IEC 27031 – Societal Security
  • Business Continuity Management Systems
  • BCI’s six-step process of “good practice guidelines (GPG)” – the independent body of knowledge for business continuity

The table above outlines the number of valid certifications across different regions.

Key statistics to keep in mind

The following pointers have been a part of a statistical analysis conducted over the past two years:

  • 75% of small organizations have no disaster recovery considerations in place.
  • 93% of all companies with no disaster recovery considerations in place actually encounter a disaster and close down within 12 months.
  • The average cost of compromised data in 2020 was US$3.86m.
  • On average, a single downtime costs between US$10,000 and US$5m per hour.
  • 88% of the companies around the globe were victims of spear-phishing attempts in 2019.

Handy tips to get your organization started

  • BIA

    • Have you defined what a “critical” process is for your business?
    • Have you defined your critical processes and recovery time or point objectives?
    • Have you assessed the critical processes’ dependencies (in terms of equipment, technology and resources) and alternative working arrangements?
  • BCP

    • Have you documented feasible recovery strategies for your critical processes?
    • Do you have contingencies in place if something were to happen to your key third parties or supply chain?
    • Have you tested the maximum bandwidth of your remote working technologies?
    • Have you defined your minimum service levels?
    • Have your BCPs been tested within the last 12 months?
  • IT disaster recovery

    • Do all of your “critical” systems have a DRP?
    • Were your DRPs tested in the last 12 months?
    • Is your key data backed up at an appropriate frequency? Does it match your RPO?
    • Have you implemented clustering or load balancing for fault tolerance (if needed)?
    • Is your Disaster Recovery (DR) site located at an appropriate distance from your production site?
    • Does your DR site have tested and working heating, ventilation and air conditioning (HVAC) systems, uninterruptible power supplies (UPSs), Internet service providers (ISPs) and generators (as applicable)?
    • Is there an appropriate air gap to prevent ransomware from impacting your backup?
  • Crisis management response

    • Have you identified your Crisis Management Team?
    • Have you documented activation criteria?
    • Have you tested your emergency notification systems?
    • Do you have a pre-approved communication strategy and call trees to be used during a crisis?
  • Policy and framework

    • Have you formalized a business continuity, disaster recovery, incident response, emergency management and crisis management policy or framework?
    • Are these documents reviewed and updated annually?
  • Training and awareness

    • Do key personnel responsible for the organization’s response undertake annual training to better position themselves to respond to a crisis?
    • Is organizational resilience embedded into the culture of your organization?
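The IT disaster recovery questions above (backup frequency against RPO, DRP tests within the last 12 months, an air-gapped backup copy) and the RTO/RPO/MAO figures from the BIA can be turned into a repeatable check rather than a one-off questionnaire. The following Python script is an added example, not part of the original article or any EY tooling: it assesses a small constructed inventory of critical systems against their BIA targets. The system names, timestamps, RPO/RTO values and the `CriticalSystem` record layout are all assumptions made up for the illustration; the logic computes the worst-case data loss a backup schedule actually achieves (the largest gap between consecutive backups, plus the gap from the last backup to now) and compares it with the stated RPO.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class CriticalSystem:
    """One critical system with its BIA targets and DR evidence (hypothetical record layout)."""
    name: str
    rpo: timedelta                      # recovery point objective: maximum tolerable data loss
    rto: timedelta                      # recovery time objective: target time to restore service
    backup_times: List[datetime] = field(default_factory=list)  # completed backups
    last_dr_test: Optional[datetime] = None                      # most recent DR plan test
    last_restore_time: Optional[timedelta] = None                # measured duration of last restore drill
    air_gapped_backup: bool = False                              # offline/immutable copy exists


def achieved_rpo(backup_times: List[datetime], now: datetime) -> Optional[timedelta]:
    """Worst-case data loss for a backup schedule: the largest gap between consecutive
    backups, including the gap from the newest backup to the current time.
    Returns None when there is no backup at all."""
    times = sorted(backup_times)
    if not times:
        return None
    gaps = [later - earlier for earlier, later in zip(times, times[1:])]
    gaps.append(now - times[-1])
    return max(gaps)


def assess(system: CriticalSystem, now: datetime) -> List[str]:
    """Return the list of findings for one system; an empty list means no gap was found."""
    findings = []
    worst = achieved_rpo(system.backup_times, now)
    if worst is None:
        findings.append("no backups recorded")
    elif worst > system.rpo:
        findings.append(f"largest backup gap {worst} exceeds RPO {system.rpo}")
    # The checklist asks whether the DRP was tested within the last 12 months.
    if system.last_dr_test is None or now - system.last_dr_test > timedelta(days=365):
        findings.append("DRP not tested within the last 12 months")
    # A restore drill that took longer than the RTO shows the plan cannot meet its target.
    if system.last_restore_time is not None and system.last_restore_time > system.rto:
        findings.append(f"measured restore time {system.last_restore_time} exceeds RTO {system.rto}")
    if not system.air_gapped_backup:
        findings.append("no air-gapped backup copy to protect against ransomware")
    return findings


def report(systems: List[CriticalSystem], now: datetime) -> Dict[str, List[str]]:
    """Map each system name to its findings."""
    return {s.name: assess(s, now) for s in systems}


# Constructed sample inventory; the reference time is the article's publication date.
NOW = datetime(2021, 10, 11, 9, 0)

SAMPLE_SYSTEMS = [
    CriticalSystem(
        name="billing",
        rpo=timedelta(hours=4),
        rto=timedelta(hours=8),
        backup_times=[datetime(2021, 10, 10, 12, 0) + timedelta(hours=4 * i) for i in range(6)],
        last_dr_test=datetime(2021, 6, 1),
        last_restore_time=timedelta(hours=6),
        air_gapped_backup=True,
    ),
    CriticalSystem(
        name="crm",
        rpo=timedelta(hours=1),
        rto=timedelta(hours=4),
        backup_times=[datetime(2021, 10, 11, 0, 0) + timedelta(hours=2 * i) for i in range(5)],
        last_dr_test=datetime(2020, 7, 15),
        last_restore_time=None,
        air_gapped_backup=False,
    ),
]


if __name__ == "__main__":
    for name, findings in report(SAMPLE_SYSTEMS, NOW).items():
        status = "OK" if not findings else "GAPS"
        print(f"{name}: {status}")
        for finding in findings:
            print(f"  - {finding}")
```

Run it as a script to see the per-system findings; in the sample data, `billing` meets every check while `crm` is flagged for a two-hour backup gap against a one-hour RPO, a DR test older than twelve months, and the absence of an air-gapped copy. Feeding it real backup job timestamps and test dates from a ticketing or backup system turns the "does it match your RPO?" question into evidence that can be reviewed at the same annual cadence the policy section asks for.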

*) Source: Experian Information Solutions Inc., web site, Nordic Bankruptcy Analysis: How has Covid-19 had an impact on the local businesses in the Nordics?, July 2020.

Summary

Embedding a disaster-aware culture within the organization helps build a workforce that is prepared for worst-case scenarios. This is crucial for mitigating danger toward staff and overall profit.
