This is the second part of my review of “An Operational Framework for Resilience”. The citation is at the end of Part 1.

The model outlined in this paper included 3 objectives, or end-states, that support resilience. The next element in their framework is the 8 principles of resilience. Some of these principles relate to a single objective, while others span all three objectives.

• Threat & Hazard Limitation is linked to the objective of Resistance – it is fairly self-explanatory and simply states that you have to think about this and act ahead of time.
• Robustness is linked to the Absorption end-state.
  • Robustness in this model includes “the capacity to degrade gracefully”.
• Consequence Mitigation is linked to the restoration objective.
  • This is a fairly common thread in other literature, just using different (and a little confusing labels).
  • What this means is that we cannot avoid all impacts – so this principle asserts that we have the capability and capacity to not be overwhelmed by events.
• The remaining principles span all three objectives;
  • Adaptability – similar to sense/respond model, adjust to the unexpected – deal with the impacts/incidents that we did not plan for.
  • Risk-Informed Planning – ensure that these principles are embedded in threat, vulnerability and consequence analysis
  • Risk-Informed Investments – there can be no resilience without appropriate levels of investment.
  • Harmonization of Purpose – to be fully effective all need to be aligned – and this model is very strong on the mutually reinforcing aspects.
  • Comprehensiveness of Scope – this is perhaps one of the key principles to take away.
    • If you want to claim to be resilient then recognize that the scope is wide and interdependence makes it complex.

The model includes an interesting tool called a “resilience profile” that is proposed to be established for key functions within critical systems (remember these are socio-technical systems, not IT). The profile is made up 3 dimensions and 3 parameters.

The dimensions are;

• Performance
  • Level of capacity and quality that element/system must perform at.
• Time
  • This relates to the potential life-cycle of the adverse event, and needs to make allowance for both escalating and immediate events.
• Gravity
  • This dimension indicates if the the function being assessed plays a key role within a bigger system.
  • Critical National Infrastructure would have a high Gravity rating
  • High Gravity ratings can only tolerate low levels of performance degradation.

The parameters;

• Function
  • In many respects another label for a process
  • Most common elements of a function are key inputs, central operations and principal outputs
• Latency Limit
  • “the maximum amount of time allowable for a function to remain in a degraded … state before is msut begin to be recovered.”
  • Perhaps this would be the MTPOD – RTO
• Minimum Performance Boundary
  • the lowest acceptable level of performance
  • in Heritage BC practice this is almost always allowed to be Zero, this aspect forces us to consider that some things cannot be allowed to drop to zero performance.

Not surprisingly the output of the resilience profile looks like the picture at right – a similar model that I have used for many years (and I am sure most of you use similar tools) .

This model is fairly complex and starts fromt he premise of national security, so is perhaps too complex for many organizational needs. But I find that it has some value and should be critically considered by those wanting to better understand this quest for resilience.

Why?

• There is a great quote in the paper, attributed to Adam Rose, Uni of Southern California,
  • “resilience is in danger of becoming a vacuous buzzword from overuse and ambiguity”
  • anything that seeks to put more meaning – and especially operational meaning around this concept is helping the overall debate

• It highlights that this is a complex and wide-ranging field of endeavor
  • Like the High Reliability Management I have posted on previously we cannot me afraid of complexity
  • Keep it Simple and you remain Stupid -
• This operational framework has strong elements of traditional elements of BC and Emergency Management
  • The missions can be seen to relate to common phase approaches (Prevent, Prepare or Reduction , Readiness,  etc)
  • There are similar elements of RTO, MTPOD etc.

What do you think? Can we only cope with models that promote simplicity?

What other frameworks have you found that attempt to provide operational guidance in resilience?

Today I am reviewing a new paper I discovered on the subject of resilience. “An Operational Framework for Resilience” – the full citation is at the end of this post. Resilience for many is still just a concept, and being able to operationalize that concept is the first step to building and maintaining Organisational Resilience.

If you are looking for a quick and easy formula  to implement resilience – keep looking, it is on the shelf next to the Holy Grail. The authors state very early in the paper that “operationalizing the resilience framework presented in this article will not be easy”.

This is an American model, that has been developed from the perspective of Homeland Security and is the product of a US federally funded research program. The Obama Administration created a Resilience Directorate withing the National Security Council.

This is a long paper and a model that thankfully does not pretend that this is a simple concept. So I am splitting the review over two posts in order to do it justice.

This framework is composed of 5 elements;

• Adversary Attack Path
  • this is a Homeland Security thing and has to address resilience in the context of terrorist acts
• Objectives
  • or the End-State
• Principles
  • “conceptual lenses” for understanding resilience, which double as
  • planning criteria to help design ways and means
• Ways and Means
  • Policies, Program and activities that build capabilities
• Homeland Security Missions
  • These missions are a slight derivation from the standard phases/missions used in Emergency Management and often adopted in BCM.
    • Prevent
    • Protect
    • Respond and
    • Recover

The framework essentially starts at the end – with the objectives or end-states of resilience – and shapes the approach to achieve these outcomes. A fairly standard approach based on gap analysis. These objectives are intended to be used as the end-state applicable to “critical systems” – note that the term system is NOT used in the IT sense, but in the wider meaning of a range of socio-technical systems. In particular the authors divide systems into “Hard” (e.g computer systems, national infrastructure) )and “Soft” (e.g individuals and communities)

The model describes three mutually reinforcing objectives;

• Resistance
  • This is similar to a number of other models I have explored, the objective here is to put in place measures to reduce the damage from a threat or hazard.
  • In other models this may have been labelled robust. In this model robustness is a principle not an end-state.
  • The model explores both Active (e.g Intelligence and Evacuation) and Passive (e.g physical barriers) resistance measures
  • The higher the resistance level the less burden that the Absorption and Restoration objectives have to achieve
• Absorption
  • This end-state is more aligned to reduction of consequences before, during and after a disruptive event occurs.
  • Again both Active and Passive measures are outlined
  • Where absorption has been successful at reducing consequences the resources required to achieve restoration are reduced.
• Restoration
  • The system has been “to the extent feasible and warranted, rapidly reconstituted and reset to their pre-event state”
  • Active restoration includes the full repair, reconstruction or replacement of any damaged elements
  • Passive restoration can include indirect measures, e.g. facilitating delivery of resources to support active restoration measures

The authors neatly link these three objectives back to the “missions” as follows;

• Resistance is generally serviced by the Prevent and Protect capabilities
• Absorption is serviced by Protection capabilities and is supported by Response capabilities
• Restoration end-state is serviced by the Response and then further serviced by Recover capabilities

These objectives are intended to be viewed through the lenses of their 8 Principles of Resilience. These principles are meant to capture the essential features of resilience and provide planners with a set of criteria that can apply to designing resilient systems.

• Threat and Hazard Limitation
• Robustness
• Consequence Mitigation
• Adaptability
• Risk-Informed Planning
• Risk-Informed Investments
• Harmonization of Purposes
• Comprehensiveness of Scope

Will pick it up from here tomorrow …

How do you translate this concept of resilience to a set of operational practices?

Is the lack of a coherent operational framework a major limitation on building resilience in organisations?

Citation

Kahan, Jerome H.; Allen, Andrew C.; and George, Justin K. (2009) “An Operational Framework for Resilience,” Journal of Homeland Security and Emergency Management: Vol. 6 : Iss. 1, Article 83.
DOI: 10.2202/1547-7355.1675
Available at: http://www.bepress.com/jhsem/vol6/iss1/83

Photo Credit