Not only since Corona, but increasingly since then and especially since Russia’s illegal attack on Ukraine, the buzzword “resilience” seems to be omnipresent. An incessant line of events, articles and entire books on this subject often leave the casual observer rather perplexed by the sheer number of steps seemingly necessary to achieve the noble goal of “resilience”. Accordingly, the following article addresses the question which aspects of this concept make sense and which are more likely some sort of consultant’s bullshit bingo.
1. What is resilience and what does an implementation mean for a medium-sized company?
The term resilience originated in materials research (here) and later found its way into psychology (here). In simplified terms, resilience is understood as psychological resistance or the ability to survive difficult life situations without lasting impairment. More precisely, resilience is understood as the ability of a system or a society to quickly overcome a (sudden) crisis and to restore its ability to function and act as quickly as possible (here). The central dimensions of this concept are thus the resilience and regenerative capacity of (technical and societal) systems (here, in German).
“Resilience has subsets of robustness and redundancy” states German futurologist Matthias Horx in ” Zukunft wagen” (p. 237, in German). However, the establishment of robustness and redundancy in organizations and processes required to increase resilience will always be at the expense of efficiency – in other words, it will run counter to the common mantras of business administration about “optimization” or the “mini-max principle”.
Even if one can certainly criticize numerous regulatory complexes – belonging to the topic area of “compliance” – as bureaucratic (see only here, in German), at least the fundamentals of numerous of these regulations should lead to more resilience in companies. There is no need to look at the fire regulations, which, for example, require fire extinguishers on the company’s premises. Regulations on the capitalization and maintenance of companies also certainly lead to greater financial resilience in companies, albeit with the actual aim of protecting creditors. And the regulations (some of which are still planned) on the protection of whistleblowers (see my comments on this here) should lead to (criminal) undesirable developments in companies being identified more quickly and thus eliminated more quickly. Whether these regulations in their concrete version and practical application indeed always lead to these “unintended benefits” remains to be seen – but every business manager is free to interpret these regulations in this sense.
2. Why is resilience needed right now – and to what extent?
A non-question, one might think – given the “world disorder” (here, in German) we are living in right now. In the face of rising financing costs in the wake of inflationary trends, potential blackouts due to possible gas and electricity shortages, and the seemingly endless stream of reports about cyber attacks in Germany, “resilience” is being preached as a panacea. There is no speech by politicians and managers who, in the face of VUCA (here), do not refer to the necessity of resilience in one form or another.
And that’s where the problem starts, because “resilience” is not the same as “resilience”: what may still be far from “resilience” for a “High Reliability Organization” (HRO, here, but see also Horx, loc. cit., p. 237), such as the fire department, rescue services or – currently – an army, may already be “overkill” seriously undermining profitability in a medium-sized manufacturing company. For example, 90% of the “daily work” of members of military special units consists of training and exercises, a training intensity that is simply not feasible in “normal” companies. Consequently, “resilience” is not to be seen as an “on/off” mechanism, but rather, in the best case, as a step-by-step, predominantly practical (!), process, the scope of which depends significantly on the respective company and its user environment.
Thus, the old credo of the “tailor-made solution”, not “one size fits all”, also applies to the topic of “resilience”. Fortunately, at least in this area, no “standard” has yet (been) developed. This is because many of these “standards” are designed to meet the requirements of large companies and corporations and often follow the profit logic of the consultants behind these standards. If the management thus has a relatively free hand in “hardening” resilience in the company as a whole, this does not mean, however, that rules do not exist that must be observed in individual areas: For example, the complex of “compliance” already mentioned above (which is already excessive in itself) must of course be observed. This includes, in particular, rules pertaining to the creation and maintenance of risk management system may be used as a guideline. The individual measures of “business continuity management” should then be based on the correspondingly required risk analysis (here). With ISO 22301, there is also a standard (suitable for use as a guide), and there are also numerous “low-threshold” offers, such as the “Emergency Plan Folder” of the VR Association (here, in German) or the “Crisis Communication Guide” of the German Federal Ministry of the Interior (here, in German), to name just a few.
3. Just get started (in practice!)
It’s easy to get lost in the canon of current literature on this topic, but that’s exactly what shouldn’t happen. Increasing resilience in a company is first and foremost a purely practical matter – although some preliminary theoretical considerations should not be an obstacle. In addition, however, since (psychological) resilience is first and foremost a mental matter, one should already strengthen one’s personal resilience or that of the company by simply dealing with the issues arising from this topic not only theoretically (for example, by way of a scenario analysis), but actually practically. “Just get started” should be the motto here.
In my post “Crisis management – when the going gets tough” for example, I recommended establishing a “telephone cascade” (i.e., systematically informing all employees by means of prepared telephone lists) that can be used to reach and summon employees as quickly as possible in the event of a crisis. In addition, dealing (practically and constructively) with issues that are perceived as unpleasant can promote resilience. For example, training employees to become company fire wardens or company paramedics may not only help with business continuity management, but also build the mental strength of the entire workforce within the company. In view of “blackouts” that cannot be ruled out today, the procurement (and “interconnection”) of a mobile power station (i.e., a larger battery) could prevent data loss. If you think that something like this is standard, I recommend reading the case of this kitchen manufacturer from southern Germany here (in German).
In addition to these more practical and mentally strengthening measures, the focus of the business manager in this critical economic situation should naturally be on improving profitability and liquidity. Probably not entirely without ulterior motives, the Institute of German Certified Public Accountants (IDW) recently pointed out that the focus of the coming season would be on risk management (!), depreciation practices and the quality of forecasts for 2023 (here, in German). Against this background, managing directors should, for example, also deal with the practice of receivables management in their company (see with me already here and here) and – not only from a compliance point of view with the contractual partners (“KYC”, cf. here).
Conclusion: “Resilience” is on everyone’s lips. Beyond the usual consultant’s bullshit bingo, the principles behind the psychological concept are important and correct. The – not clearly defined – subject area has numerous overlaps with other areas, such as risk management. There are also sets of rules designed for sub-areas of the resilience topic (mostly more for larger companies), but these are suitable as guidelines. Otherwise, however, every business manager must develop his or her own initiative to make his or her company weatherproof. The variety of possible measures is almost unlimited, but one should not be deterred by this. The motto should be simply do it. And if that means buying an oversized battery (“power station”) to back up the data servers, that’s okay, too. You just shouldn’t leave it at that.