Resilience management - readiness and response

Resilience management is an approach that seeks to build and enhance an organization's ability to withstand and adapt to disruptions, whether they be internal or external. The big idea behind resilience management is to create an environment that enables organizations to quickly recover from unexpected events and continue to operate effectively, even in the face of adversity.

To achieve this goal, resilience management involves a wide range of strategies and practices, including risk assessment, contingency planning, crisis communication, and staff training. By implementing these measures, organizations can identify potential threats and develop the capacity to respond to them in a timely and effective manner.

While resilience management has many benefits, it also has its limitations. One of the main challenges is that it can be difficult to anticipate every possible threat or disruption that an organization may face, making it hard to prepare for all eventualities. Additionally, resilience management can be resource-intensive, requiring significant investments in training, technology, and personnel. Despite these challenges, the importance of resilience management cannot be overstated. In today's fast-paced and unpredictable business environment, organizations that are able to quickly adapt and recover from disruptions are much more likely to succeed. By adopting a resilience management approach, organizations can create a culture of preparedness that enables them to respond to unexpected events with confidence and agility, ultimately enhancing their ability to thrive in an increasingly complex and competitive marketplace.

Big idea

State of the art

What is meant by resilience and resilience management?

The term resilience can be also found in the field of psychology and engineering. In the context of organisational or system resilience, the definition is: "The ability of a system or organization to respond to or recover readily from a crisis, disruptive process."^[1]

On the other hand the current understanding of managing resilience within organizations emphasizes the importance of taking a holistic and proactive approach to build resilience at individual, team, and organizational levels. This includes creating a culture that supports resilience, investing in training and development programs, developing contingency plans and risk management strategies, and using data and feedback to continuously improve resilience management practices.

Several studies have shown that organizations that prioritize resilience management are more likely to be successful in adapting to change, achieving their goals, and maintaining high levels of employee engagement and well-being. However, implementing resilience management requires a long-term commitment and a willingness to adapt to changing circumstances. ^[2]

What is difference between risk and resilience?

In general risk refers to the likelihood and impact of potential future events that may affect the success of a program, project or portfolio. Risks can be identified, assessed, and managed through risk management processes and techniques. On the other hand, resilience refers to the ability to adapt and recover from unexpected challenges or disruptions. Resilience involves building the capacity to absorb and respond to shocks and stresses, while continuing to deliver expected outcomes. In other words, risk management is focused on mitigating the likelihood and impact of potential future events, while resilience is focused on building the ability to respond to events that have already occurred or could not be predicted. Both risk management and resilience are important components of effective product, program and portfolio management.^[3]

What is relationship between risk and resilience?

Risk and resilience are related concepts but have distinct meanings in the context of a project program or portfolio management. There are two theories regarding the relationship of risk and resilience which will be discussed further:

The first one is the competing concept between risk and resilience. This first approach says that risk is a permanent factor in program and portfolio management and thus, it is not possible to fully prepare for unexpected challenges. Here, resilience is seen as something, which needs to be created without reference to risk. Furthermore, risk analysis has been criticised for not being able to predict accidents and therefor, resilience is seen as a tool which is used where probabilistic risk analysis cannot provide answers to potential threats.^[4]

On the other hand we have the complementary concept. Here, risk analysis appears as a crucial part of resilience management which is used to exploit the risk analysis by the identification of threats and stress factors. Organisations can withstand certain types of stress factors better than other types of stressors. Thus, the complementary concept promotes the integration of risk analysis as part of resilience and therefore, resilience cannot function without risk analysis.^[5]

What are the key elements of resilience management? - A framework

Resilience management is an approach that helps organizations prepare for and adapt to disruptions, whether they are caused by internal or external factors. This approach applies to project, program, and portfolio management in order to mitigate risks and ensure successful delivery. ^[6] Regarding the previously mentioned complementary approach of risk and resilience management, risk analysis is seen as part of building organizational resilience. Therefore, the following framework can be taken into consideration for successful building resilience within an organization which additionally can be applied on project, program and portfolio management^[7] :

Resilience life cycle

1. Identify - Develop an understanding of the project management process and the potential risks and challenges that may impact the project success. This involves identifying critical resources, people, and capabilities needed to manage projects effectively. Outcome categories may include project analysis, market research, stakeholder engagement, risk assessment, and strategic planning.

2. Protect/ Detect - Develop and implement appropriate measures to protect project management processes from risks that could negatively impact on the development, launch, and support. This may involve implementing measures to ensure confidentiality, integrity, and availability of information, establishing access controls and procedures for sensitive information, and training staff to follow appropriate security measures. Outcome categories may also include measures to protect intellectual property and confidential information related to product development. Develop and implement appropriate activities to detect potential issues that could impact project success. This may involve monitoring for anomalies or deviations from established development processes, as well as establishing detection processes and quality control measures. Outcome categories may also include incident reporting procedures and quality metrics to measure the project success and progress.

3. Respond/ Recover - Develop and implement appropriate activities to respond to issues that impact the project. This may involve establishing incident response plans, communication protocols, and analysis of issues to determine the root cause and appropriate mitigation strategies. Outcome categories may also include process improvements to prevent similar issues from occurring in the future. Develop and implement appropriate activities to recover from issues that impact product development, launch, and support. This may involve establishing business continuity plans to ensure that the core activity of the organisation can continue in the event of an issue or disruption, as well as developing resilience plans to minimize the impact of potential risks.

4. Improve - Outcome categories also include process improvements to enhance the resilience and recovery capabilities of management processes. Due to this iterative process, the organisation is able to reduce their vulnerability over time. Additionally, it is crucial to measure the resilience within the organisation.

Historical perspective

Resilience management has its origins in the field of disaster management, where it was developed as a way to help communities and organizations prepare for and recover from natural disasters and other crises. Over time, the concept of resilience has been applied to other domains, including business, finance, and cybersecurity, to help organizations better manage risks and disruptions. The increasing importance of resilience management in recent decades can be attributed to several underlying causes, including:

Increasing Frequency and Impact of Disasters: The frequency and impact of natural disasters, such as hurricanes, floods, and wildfires, have increased over time, leading to greater awareness of the need for resilience management.

Globalization and Interconnectedness: The increasing interconnectedness of the global economy and the rise of complex supply chains have increased the potential for disruptions to affect multiple organizations and stakeholders.

Technological Change and Cybersecurity Risks: The rapid pace of technological change has created new risks and vulnerabilities, such as cyber-attacks and data breaches, that require organizations to be more resilient.

Changing Regulatory and Legal Requirements: The changing regulatory and legal environment, including increased requirements for risk management and contingency planning, has made resilience management an essential aspect of compliance for many organizations. Recognition of the Benefits of Resilience: The growing recognition of the benefits of resilience, including increased innovation, agility, and long-term sustainability, has led many organizations to prioritize resilience management as a strategic priority. ^[8]

Application

Case analysis: BP and Deepwater Horizon

In this paragraph the case of the Deepwater Horizon incident in the year 2010 is used to do an analysis regarding resilience management and to identify the root cause which led to the catastrophe. In the end of that section, measures will be listed which could have been used to prevent the incident by applying the previous mentioned framework.

Main causes

First of all it should be mentioned that special technical expertise is required for deepwater drilling for oil and gas since it is a highly complex and technological endeavour. The Deepwater Horizon oil spill was a catastrophic oil spill that occurred on April 20, 2010, in the Gulf of Mexico. The spill was caused by an explosion and fire on the Deepwater Horizon oil rig, which was owned by Transocean and leased by BP. The explosion killed 11 people and injured 17 others, and it resulted in the largest marine oil spill in history. The main causes of the Deepwater Horizon oil spill were a combination of human error, technical failures, and organizational problems. BP had been drilling for oil in deepwater, which created new risks that were not entirely understood. The platform had not been in dry dock for repairs since 2001, and urgent repairs identified in a 2009 safety audit had not been completed. The drilling activity was complicated and challenging, and technicians often had to modify their plans because of the geological conditions thousands of meters below sea level. BP used less cement than was originally estimated and a cheaper grade of cement mixture than was normally used to avoid cost overruns. This caused huge complications in the work and contributed significantly to the accident. Furthermore, only six centralizers were used instead of the recommended twenty to increase the stability of the well casing. A negative pressure test was conducted to check for leaks in the drilling pipe, and signs of hydrocarbon gas were observed. However, the results were not entirely clear, and the decision was made to continue with the work. The combination of these factors led to the explosion and subsequent oil spill.

Analysis from a resilience management perspective

Several factors contributed to the Deepwater Horizon oil spill disaster. Firstly, BP had an inadequate safety culture and risk consciousness, and there was a lack of cooperation among the various actors. Organizational learning was also slow. These factors meant that warning signals were ignored, decision-makers lacked clarity on how to handle the complexity of the safety systems, and workers were not well-educated or trained. Secondly, BP and other actors did not follow the guiding principles of highly reliable organizations. The use of untested and cheaper technology to seal the well when they knew of the high gas pressure and the geological instability of the bedrock showed a lack of attention to technical and operational expertise. BP's top managers also lacked sufficient knowledge of the events/conditions on the platform and their associated risks. Thirdly, the fragmented offshore industry with its many service providers and independent agents contributed to the problem. These groups often had different goals, safety practices, experience levels, and training. Finally, BP prioritized short-term economic gains over high reliability and safety, which is common in the oil drilling industry with its strong R&D focus on exploration, drilling, and production technology that is often at the expense of safety. A more balanced approach was needed, where reliability and change capacity take relative precedence over efficiency. Overall, the BP disaster highlights the need for companies involved in such risky and complex operations to prioritize resilience management, develop a safety culture, and be organised as HROs where reliability and change capacity take precedence over efficiency. ^[9]

Possible prevention by applying the resilience management framework

The following measures could have been taken to prevent or mitigate the incident. Additionally, the key elements of resilience from the previous mentioned framework will be used to formulate possible preventions by sticking to the 4 steps of the framework:

Resilience and rigid response

Identify - A resilient organization should have a strong risk management process in place to identify, assess, and manage potential hazards. In the case of BP, a more rigorous and proactive risk management approach could have identified the potential for a blowout and taken steps to prevent it.

Protect/ detect - Furthermore, a resilient organization should also have a strong safety culture that promotes safe behavior and encourages employees to report potential hazards. This means to having a developed risk consciousness which means being aware of the vulnerability of the technical systems. BP's safety culture has been criticized for being too focused on meeting production targets rather than prioritizing safety. A culture that prioritizes safety and encourages reporting of near-misses could have led to earlier detection of potential problems. This may include incident reporting procedures to implement appropriate activities for identifying current issues and monitoring them.

Respond/ recover - Resilience management requires that employees are trained and competent in their roles. In the case of the Deepwater Horizon incident, there were concerns about the competency of some of the key personnel involved in the operation of the rig. Improved training and competency assessments could have helped to prevent mistakes and improve response times. Furthermore, effective communication is critical in a resilient organization, especially during a crisis. In the case of the Deepwater Horizon incident, there were communication breakdowns between the rig crew and onshore personnel that delayed the response to the blowout. Improving communication protocols and training could have prevented these delays. All these named factors, also play a role in recovering from the incident. ^[10]

Improve - Since the risk consciousness within the organisation was fairly low, there was no process in place for improving resilience. This was revealed by investigations released in 2011 which highlighted the aftermath of the disaster. These investigations also showed the deep water drilling operations were largely uncoordinated with no unified safety plans or procedure to follow. The figure "Resilience and rigid response" shows what the differences are between a resilient response and a rigid response. Having an iterative resilient management process in place, leads to a positive adjustment of the overall resilient process which decreases the vulnerability of the organisation over time. ^[11]

Limitations

Measurements of resilience

A critical factor in understanding the success of organisations and projects in handling disruptive events is to quantify the degree of their resilience. There are two groups of methods to measure resilience: deterministic and probabilistic.

Deterministic methods focus on evaluating and predicting the post-disruption recovery stage of an organisation. These methods typically use a set of predetermined rules, processes, and algorithms to calculate how the organisation should respond to a particular disruption scenario. Deterministic methods assume that the behavior of an organisation during a disruption is entirely predictable and can be modeled accurately based on the organisation's design and its response to similar past disruptions. However, deterministic methods have limitations, as they do not consider the uncertainty and randomness associated with real-world events, nor do they account for various stages of disruptive events that occur before, during, and after a disruption. Probabilistic methods, on the other hand, focus on forecasting organisational behavior before the occurrence of a disruptive event. These methods take into account the random or uncertain behavior during a disruption, and aim to predict the probability of different outcomes occurring. Probabilistic methods typically use statistical models based on either prior expert knowledge or historical data from similar disruptions to estimate the probability of specific outcomes. However, these methods may not be accurate in predicting unique disruptions, and the knowledge of experts may not be consistent, leading to variability in predictions.^[12]

Limiting factors

In this section resilience management will be discussed and evaluated when it is applicable. Hereby, resilience management can face several limitations when it comes to managing portfolio, programs and projects, including the following: ^[13]

1. Complexity of products: As highlighted in the case study of the Deepwater Horizon accident, the general operation on the deep water thrilling is a complex endeavor. As products or services become more complex, it becomes increasingly difficult to anticipate all possible risks and plan for them and additionally apply resilience management.

2. Limited resources: Resilience management requires additional resources such as time, money, and human resources. E.g. the development of risk consciousness among an organization or within a program or project can only be achieved by using more time and effort to educate all the responsible. Due to the limit of resources the ability of product management teams can be hindered to effectively plan for and manage risk but also establish a proper resilience management culture.

3. Flow of information: In some cases, product management teams may not have access to all the information needed to effectively manage risks. This can be due to limited data availability or a lack of communication between different departments within an organization, which is also emphasized by the case study of BP - Deepwater Horizon since the key decision-makers did not know in which bad condition some of their systems were. Thus, no preventive investigations or actions followed.

In conclusion, the term resilience in the context of portfolio, program and product management is deeply connected with the overall company culture and how the employees and stakeholders meet potential threats. In the case of BP and the Deepwater Horizon incident, old structures need to be overcome in order to establish resilience within a project or organization.

References

1. ↑ WILLIAM COLLINS SONS & CO. LTD (n.d.). COLLINS ENGLISH DICTIONARY - COMPLETE & UNABRIDGED 2012 DIGITAL EDITION. DICTIONARY.COM. https://www.dictionary.com/browse/resilience
2. ↑ Lengnick-Hall, C. A., Beck, T. E., & Lengnick-Hall, M. L. (2011). Developing a capacity for organizational resilience through strategic human resource management. Human Resource Management Review, 21(3), 243-255.
3. ↑ Hassenzahl, D. (n.d.). What do we Mean by Risk and Resilience? InTeGrate - Interdisciplinary Teaching about Earth for a sustainable Future. https://serc.carleton.edu/integrate/workshops/risk_resilience/what_is_rr.html.
4. ↑ Ran Bhamra, Samir Dani & Kevin Burnard (2011) Resilience: the concept, a literature review and future directions, International Journal of Production Research, 49:18, 5375-5393, DOI: 10.1080/00207543.2011.563826 .
5. ↑ Ran Bhamra, Samir Dani & Kevin Burnard (2011) Resilience: the concept, a literature review and future directions, International Journal of Production Research, 49:18, 5375-5393, DOI: 10.1080/00207543.2011.563826 .
6. ↑ El-Tawil, S., & Svetinovic, D. (2014). Resilience management in networked infrastructure systems. In Resilience engineering in practice (pp. 109-126). Ashgate Publishing.
7. ↑ National Institute of Standards and Technology. (2018). Framework for Improving Critical Infrastructure Cybersecurity: Version 1.1. https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
8. ↑ Linnenluecke, M. K., Griffiths, A., & Winn, M. I. (2013). Extreme weather events and the critical importance of anticipatory adaptation and organizational resilience in responding to impacts. Business Strategy and the Environment, 22(4), 429-443.
9. ↑ Stefan Tengblad, Margareta Oudhuis (2017). The Resilience Framework: Organizing for Sustained Viability. https://doi-org.proxy.findit.cvt.dk/10.1007/978-981-10-5314-6
10. ↑ Turner, B. A. (2011). Deepwater Horizon: a systems analysis of the Macondo disaster. Journal of Loss Prevention in the Process Industries, 24(5), 615-624.
11. ↑ Passwaters, M. (2020, April 20). Deepwater Horizon disaster, 10 years later: Changes made but scars remain. S&P Global Market Intelligence. https://www.spglobal.com/marketintelligence/en/news-insights/latest-news-headlines/deepwater-horizon-disaster-10-years-later-changes-made-but-scars-remain-58087684
12. ↑ Zarghami, S. A., & Zwikael, O. (2022). Measuring project resilience – Learning from the past to enhance decision making in the face of disruption, Decision Support Systems. (p. 2). The Australian National University, Australia. https://doi.org/10.1016/j.dss.2022.113831.
13. ↑ Leichenko, Robin & Mcdermott, Melanie & Bezborodko, Ekaterina. (2015). Barriers, Limits and Limitations to Resilience. Journal of Extreme Events. 2, 3-5.

Annotated Bibliography

"A Guide to the Project Management Body of Knowledge (PMBOK® Guide)" - Fundamental resource about commonly used models e.g. framework, methods and artifacts.

"Project Management Institute, Inc. (PMI). (2019). Standard for Risk Management in Portfolios, Programs, and Projects" - Resource about the definition of risk and the fundamentals about risk management and assessment.

"Program Management: "Managing Successful Programmes“ (2011 Edition)" - Key elements of risk and issues management on the strategic, programme and project level.