Security and Organizational Resilience Series - POST-02
This series of posts, starting on Sep 21st, will explore the role of security management in the larger context of organizational resilience. A critical goal is to achieve a higher level of resilience in order to recover and resume activities following disruptive events, no matter their nature.
Post-02: Municipal Security Planning with Resilience as a Guiding Principle
It is often difficult to relate to abstract concepts such as Resilience when one is involved in the day-to-day practice of security management planning, dealing with the minutiae of detailed data analysis, proposing solutions and gauging the approximate costs of it all.
That is why referring to Standards may help frame the conceptual nature of these strategies. In their book, “Organizational Resilience” (CRC Press, 2013), James LeFlar and Marc Siegel introduce the ANSI/ASIS SPC1.1-2009 Standard for organizational resilience. Its companion standard is ANSI/ASIS SPC4-2012, “Maturity Model for the Phased Implementation of the Organizational Resilience Management System”. While the former is practical guidance for implementing an Organizational Resilience (OR) system, the latter is more of a compliance framework aimed at establishing which of the 6 phases of implementation is fully deployed and integrated in current conditions. So for those who may wonder how security management relates to Resilience, this would be the methodology to refer to. ASIS is the premier security professionals association, and one of its main values resides in its continuous intellectual property development, namely standards addressing most areas of security, emergency and business continuity management.
These 2 standards are key pieces in framing the planning of a true OR. It may seem complicated, and it is, as it deals with many areas of concern. This methodology is valid for public institutions, Government and private companies. But since our interest is local government, critical infrastructure would be the first area of immediate concern. What resilience means to the planning process is that the issue is not to think in terms of a hardened fortress, but to establish all the systems that would minimize disruption and harm to people. Should an undesirable event happen, we should allow for as fast a recovery as we possibly can and add other supporting measures in the immediate aftermath. For a water plant that could be affected, that could mean a backup generator with a capacity large enough to pick up the slack in the event of a power outage. Third-party risks must be dealt with, e.g., a sustained supply chain. If the supplier of fuel is disrupted by the outage, then the generator would not last long. Other risks may present themselves in terms of priorities, i.e., hospitals and nursing homes may be the first to be supplied with fuel!
We may start at a very conceptual level of planning, a policy level if you will, but in the end implementation shows that there are practical layers requiring probing questions and firm answers.
The standards would frame the strategic outlook of OR which should result in clear policy statements and objectives. Then the security team and their colleagues in the emergency and business continuity areas would develop an understanding of the details of operations and how to achieve the OR Phase enunciated in the policy.
Tools to help us define our priorities would be Mission Criticality and Situational Security Awareness for the security area, response needs for the emergency area and support systems for the continuity area. We will explore them as we dive further into the planning methodologies.
I will continue exploring OR with a security management lens, in particular in Local Government and institutions.