BSI Standards Publication
BS 65000:2014
Guidance on organizational resilience

Publishing and copyright information
The BSI copyright notice displayed in this document indicates when the document was last issued.
The British Standards Institution 2014
Published by BSI Standards Limited 2014
ISBN 978 0 580 77949 7
ICS 03.100.01
The following BSI references relate to the work on this document:
Committee reference SSM/1
Draft for comment 14/30258791 DC

Publication history
First published November 2014

Amendments issued since publication
Date Text affected

BS 65000:2014 BRITISH STANDARD

Contents
Foreword
Introduction
1 Scope
2 Terms and definitions
3 Overview of organizational resilience
4 The organizational foundations for resilience
5 Building resilience
6 Assessing the resilience of an organization
Bibliography

List of figures
Figure 1 Developing resilience
Figure 2 Maturity model for organizational resilience
Figure 3 Questions to determine consistency of resilience measures with BS 65000

Summary of pages
This document comprises a front cover, an inside front cover, pages i to ii, pages 1 to 16, an inside back cover and a back cover.

Foreword

Publishing information
This British Standard is published by BSI Standards Limited, under licence from The British Standards Institution, and came into effect on 30 November 2014. It was prepared by Technical Committee SSM/1, Societal security management. A list of organizations represented on this committee can be obtained on request to its secretary.

Use of this document
As a guide, this British Standard takes the form of guidance and recommendations. It should not be quoted as if it were a specification or a code of practice and claims of compliance cannot be made to it.

It has
been assumed in the preparation of this British Standard that the execution of its provisions will be entrusted to appropriately qualified and experienced people, for whose use it has been produced.

Presentational conventions
The guidance in this standard is presented in roman (i.e. upright) type. Any recommendations are expressed in sentences in which the principal auxiliary verb is “should”.

Commentary, explanation and general informative material is presented in smaller italic type, and does not constitute a normative element.

Contractual and legal considerations
This publication does not purport to
include all the necessary provisions of a contract. Users are responsible for its correct application.

Compliance with a British Standard cannot confer immunity from legal obligations.

Introduction
Resilience is a strategic objective intended to help an organization to survive and prosper. A highly resilient organization is also more adaptive, competitive, agile and robust than less resilient organizations.

Organizational resilience is the ability of an organization to anticipate, prepare for, and respond and adapt to everything from
minor everyday events to acute shocks and chronic or incremental changes.

Resilience is a relative, dynamic concept and, as such, an organization can only be more or less resilient. As a result, resilience is a goal, not a fixed activity or state, and is enhanced by integrating and coordinating the various operational disciplines that the organization might already be applying (see 5.4). In addition, an organization operates within a potentially complex web of interactions with other organizations, so it is essential to build resilience not only within the organization, but across its networks, and in its interactions with others. The organization therefore needs to provide direction to its efforts and ensure effective governance and risk management, as well as build resilience in partnership with others.

This British Standard gives guidance on achieving enhanced organizational resilience. In particular, it describes organizational resilience, articulates its benefits, and explains how to build resilience. To aid the integration and coordination of the various disciplines that are essential for resilience, the standard references other standards, published and in preparation, relating to these disciplines. Finally, it offers some basic models for assessing the resilience measures of an organization.

1 Scope
This British Standard gives guidance on building organizational resilience by:
a) clarifying the nature and scope of organizational resilience for top management (see note);
b) identifying the
principal components of resilience to enable an organization to review its resilience and to implement and measure improvements; and
c) identifying and recommending good practice already defined in existing standards and disciplines.
NOTE References to “top management” throughout this standard are to be
interpreted as including both of the bodies defined in 2.2 and 2.6.

This standard also gives guidance on how other standards contribute to the development and management of organizational resilience with a consistent good practice structure, using agreed terminology and practices (see Bibliography) relevant to the development and management of organizational resilience.

2 Terms and definitions
For the purposes of this British Standard, the following terms and definitions apply.

2.1 governance
system by which the organization is directed, controlled and held accountable to achieve its core purpose over the long term
NOTE The term “corporate governance” is typically used for the governance of private and publicly-listed companies or to denote governance of the whole organization.
BS 13500:2013, modified

2.2 governing body
individual or
group of people ultimately responsible and accountable for the long-term direction and control of the organization
NOTE Governing body can in some jurisdictions be a board of directors.
BS 13500:2013

2.3 organizational resilience
ability of an organization to anticipate, prepare for, and respond and adapt to incremental change and sudden disruptions in order to survive and prosper

2.4 risk
effect of uncertainty on objectives
NOTE 1 An effect is a deviation from the expected positive and/or negative.
NOTE 2 Objectives can have different aspects (such as financial, health and safety, and environmental goals) and can apply at different levels (such as strategic, organization-wide, project, product and process).
NOTE 3 Risk is often characterized by reference to potential events and consequences, or a combination of these.
NOTE 4 Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood of occurrence.
NOTE 5 Uncertainty is the state, even partial, of deficiency of information related to understanding or knowledge of an event, its consequence, or likelihood.
ISO Guide 73:2009

2.5 situational awareness
state of individual and/or collective knowledge relating to past and current events, their implications and potential future development
BS 11200:2014

2.6 top management
person or group of people who directs and controls an organization at the highest level
NOTE Top management has the accountability for the execution of the direction provided by the governing body and may delegate its responsibilities whilst remaining accountable to the governing body.
BS ISO/IEC 27000:2014, modified

3 Overview of organizational resilience

3.1 Principles
Resilience involves dealing with disruption, uncertainty and change with clear intent, coherence and appropriate resourcing. In particular, it is a combination of maintaining continuity through disruptive challenges, and long-term viability against a backdrop of strategic change and the changing external environment. The first of these is a precondition for, but no guarantee of, the second.

Resilience is therefore a strategic concern requiring effective leadership, with direction and enduring commitment from the very top of an organization through its governance and risk management.

Resilience needs to be embedded across the organization, cutting across silos, organizational structures and hierarchies, with operational activities aligned with strategic priorities. In addition, the organization needs to satisfy itself that its relationships with partners, outsourcers, suppliers and other key interested parties are sufficiently resilient (and satisfy them of its own high level of resilience).

Resilience is inherently relative, and no organization, person, network or system can be absolutely resilient, as they experience constant change and operate under varying degrees of uncertainty. An organization that is highly
resilient to certain risks might be vulnerable and less resilient if exposed to others. Organizational resilience should therefore be informed by effective risk management practices (see BS ISO 31000).

3.2 Benefits of building resilience
The core strategic purpose of resilience is to enable an organization to survive and prosper. However, resilience is also closely aligned with the concerns of most managers, which can be summarized as follows.
a) Competitiveness. Being able to continue past, recover and learn from and, where appropriate, capitalize upon the opportunities presented by disruptions can increase value better than competitors who are less resilient. A highly resilient organization is able to identify and adapt to change and uncertainty before the case for change becomes urgent. The behaviours that an organization develops as part of a resilient culture can also help to build innovation and common values and vision, and develop an ability to anticipate and adapt to change and evolve the business model.
b) Coherence. A highly resilient organization aligns operational resilience measures with strategic resilience objectives. The former are protective, risk control and response measures, and the latter define the organization and guide its longer-term decision making. The side-to-side and top-to-bottom integration and coherence of these is fundamental to resilience. Resilience both requires and allows organizational silos to become more integrated and interoperable.
c) Efficiency and effectiveness. Working within a coherent and integrated framework has time- and cost-saving implications. An organization's framework for resilience meshes together diverse components, allocating resources to improve overall resilience, efficiency and effectiveness.
d) Reputation. The coherent framework built
by resilience supports the organization in understanding and acting on the interdependency of brand, trust and reputation, thereby managing and enhancing its reputation.
e) Societal/community resilience. Societal and community resilience are enhanced by organizational resilience, particularly when the organization provides vital products and services to the public. Resilience can also give assurance to other interested parties, such as regulators, third parties, government, customers, partners and shareholders.

3.3 Challenges to building resilience
To secure the benefits of building resilience, a number of challenges and dilemmas need to be confronted:
a) understanding when to take action;
b) resolving potential tensions between cost and resilience in building just-in-time processes and just-in-case redundancy (see 5.6);
c) determining an appropriate trade-off between controlling costs and achieving greater resilience;
d) identifying when to embrace new values rather than persisting with existing behaviours;
e) resolving conflicts between the need to keep information from competitors and the need to share information for resilience when collaborating with others; and
f) identifying legal and regulatory constraints, as well as voluntary codes adopted by different sectors, that can limit desirable resilience actions.

Each organization comes to its own decisions on these issues according to the amount and type of risk it is willing
to pursue or retain, and the amount it is willing to invest in resilience.

4 The organizational foundations for resilience

4.1 General
For an organization to build resilience (Clause 5) it first has to have in place the fundamental attributes set out in 4.2 to 4.4 (see Figure 1). These go beyond what the
organization does and what it has. They define the attitudes that shape decisions and actions, and ultimately underpin resilience.

4.2 Governance and accountability
The systems of rules, structures and processes that drive coherent decision making within acceptable parameters of cost, risk and speed contribute to resilience. Effective governance enables the exploitation of opportunity and the mitigation of risk, and ensures that appropriate persons and teams are accountable for decisions, according to the organization's nature and level of maturity. Effective governance also provides an environment in
which innovation is encouraged and investment is well managed. Resilience is therefore an outcome of good governance.

The governing body and top management together are ultimately accountable for ensuring that an appropriate level of resilience is achieved by the organization alongside other desirable outcomes such as profitability, service delivery, quality and compliance. Indeed, where necessary, it is their obligation to define the balance to be achieved of such outcomes.

4.3 Leadership and culture
Leaders should consider the impact of all strategies and decisions, both at the time decisions are taken and on an ongoing basis. They should seek to build a culture in which it is normal to consider resilience within decision making. Staff should be appropriately empowered by a culture of trust, openness and innovation such that they
are both motivated and able to assume ownership of, and address, risks and issues as they arise. Authority and responsibility should be delegated to the individual(s) best able to make the right decision for the organization, in times of crisis as well as during business-as-usual. Transparency should be encouraged and information should be proactively shared across internal boundaries with interdependent partners.

The leadership's approach to key stakeholders, for example customers, communities, suppliers, shareholders, regulators, partners and competition, recognizes the impact of each upon the other. The organization should foster relationships with these groups to further its resilience objectives.

4.4 Common vision and purpose
The purpose of the organization and a common vision of the future, and its consequent requirements for resilience, should be recognized and shared throughout the organization so that challenge, change and opportunity are assessed against the purpose and vision and can be acted upon accordingly. Organizational values should be embedded which contribute to resilience through actively informing decision making and action throughout