Xebia Background Header Wave

What is resilience? What distinguishes the various types of resilience? How does this impact your business design and IT design? This article will provide some foundational views on resilience as reference.

Oxford Dictionary defines resilience as: 
“the capacity to recover quickly from difficulties; toughness.” [<a href="https://www.oxfordlearnersdictionaries.com/definition/english/resilience">Oxford</a>].

Organizations need a purpose

The goal of any organization is to be and stay relevant to all its stakeholders [op’tLand-2008], since an organization is an intentionally created cooperative of human beings [Dietz-2013]. So when the intention is not fulfilled anymore, then the cooperation has no purpose and the organization will stop existing.

If an organization is purposeful, and it is intentionally designed then the organization design plays an important role, else there is no intention and no purpose with a certain societal purpose [Daft 2010].

A short history

Since 2008 businesses are designed for resilience.

The challenge to our organizations is that the surrounding context is changing very quickly. This is caused by your world being hyper-connected. Every business in the world is challenged by startups and new competitors. The start-up boom post-2008 provided the skills to business to continuously innovate and pivot [pivot] fueled by the financial crisis of 2008 [2008].

In 2014 VUCA was introduced as purpose for resilience.

In 2014 the term VUCA was introduced into business management to describe the continuous uncertainty businesses are part of [Bennett-2014]. VUCA stands for Volatile, uncertain, complex and ambiguous. This make sense making for leadership within organizations very challenging.

In 2021 resilience has been identified as a must in business design

In 2021 the EU has adopted the term resilience as key for industry 5.0 [eu01, eu02]. Resilience is part of the policy of the Dutch National Bank for the Dutch financial market [dnb01, dnb02, dnb03] and part of the Risk Management standard ISO 31.000 [Hutchens-2018].

Defining resilience

Generic definition of resilience

An organization or an IT system is in difficulties when an event results in a decrease of its value output. An event with the effect of a decrease in value output can also be called a stressor.

Recovery is completed when the normal value is delivered (again). The moment between the impact of that stressful event (stressor) and the return to normal is what we call resilience [Botjes-2020].

The decline in the value is the period of time a system absorbs the stress, and recovery is when the value output is on the rise. See figure 1.

Figure 1 - generic definition of resilience from Botjes 2020

Figure 1 – generic definition of resilience from Botjes 2020

The triad of Fragile, Robust and Antifragile

Nicolas Taleb introduced the triad of fragile, robust and antifragile (figure 2), which we can use to provide some more depth on what resilience is [Taleb-2012].


Taleb stated that there are “systems” that break when exposed to a stressor. These systems are to be called fragile. When we look at figure 1, a fragile system is able to absorb a little bit of stress and then quickly breaks and loses value when past the breaking point.


There are also systems that are robust. These systems can absorb and recover (all) the stress they are exposed to. An example of this is a block of concrete or a diamond. Nothing it is impervious to everything, therefore a system is usually only robust for certain stress or for a certain amount of stress. All robust systems will have a breaking point.


Taleb states that there are also systems that do not break from stress. Taleb states that there is the antithesis of fragile, which he names antifragile. An antifragile system gains value from stress.

An example of this is the immune system. When an immune system is strained by stress through, for example bacteria, then it learns and adapts to become stronger. The immune system after the fact of being exposed to stress is stronger than the system before the exposure. A stronger immune system is a system that becomes in the future less ill from the same stress.

Figure 2 - The triad by Taleb 2012 from Botjes 2020

Figure 2 – The triad by Taleb 2012 from Botjes 2020

Is resilience more than robustness?

Where does resilience fit in the Triad of Taleb?

Resilience clearly plays a role in being robust. Since resilience is about absorption of stress and after time is back at the original value level. Resilience is also often mentioned in the context of antifragility. For that, we look at the definition of resilience by Martin-Breen.

In the academic and non-academic literature there are many definitions of resilience [Wang-2017, Hosseini-2016, Holling-1996, Martin-breen-2011]. The literature review of Martin-Breen offers a nice definition of resilience that fits well when addressing organizations, and with that also indirect IT systems.

Martin-Breen states there are three types of resilience (see figure 3). The beauty of his definition is that it enables the distinction between bouncing back to the previous normal and bouncing back to the new normal.


Figure 3 - Three types of resilience by Martin-Breen 2021 and Botjes 2020

Figure 3 – Three types of resilience by Martin-Breen 2021 and Botjes 2020

Engineering Resilience

The first type is  “Engineering Resilience”. This is where the function of the systems (what) and the construction (how) are designed in minute detail [Dietz-2013].

An IT-system or organizational-system that is designed to show Engineering Resilience behavior is designed to bounce back to the intended function without changing the construction. The intention is to prevent disruption of and changes to the value creation of this system.

This type of resilience is measurable by the following three characteristics: resistance, elasticity and stability.” – [Holling-1996, Martin-breen-2011, Kastner-2017, Botjes-2020].

Systems Resilience

The second type of resilience is called “Systems Resilience”.

Here, the function of the system needs to be continued at any costs, and the construction might change. The identity and purpose of the IT-system or organizational-system stay the same, and the added value (function) will stay the same, but should not have to be identical.

This implies that the system can absorb disturbance and reorganize while undergoing changes.

The system is able to withstand the impact of any interruption and recuperate while resuming its operations / fixed functions.’” [Walker-2004][Santos-2012][Martin-breen-2011]

Complex Adaptive Systems (CAS) Resilience

The third type of resilience is called Complex Adaptive Systems resilience. As the name implies, this behavior is adapting to the situation at hand that extend the changes that a system’s resilient system show. A CAS resilient system will show emergent behavior that is the result of dynamic changing of the construction and the function of the system [Martin-breen-2011, Kastner-2017, Botjes-2020].

Changing the function of an IT-System or Organizational-System implies changing the value proposition toward the outer world. This on one side demands autonomy of the people designing, implementing and operating the system. This autonomy provides the freedom to find a more valuable value proposition. This is why this type of resilience is the only type that enables a system to deliver more value as reps once to a change event.

There is also another downside next to the need for autonomy, that is the question of how far can a system adapt to the new reality without losing its identity and be still the same organization as before the change [Kastner-2017, Taleb-2012, Botjes-2020]. And when an organization has multiple CAS resilient sub-systems, how do you prevent evolving into chaos?

“Complex Adaptive Systems Resilience is the behavior of the system where the function of the system may change and the construction of the system may change over time.” [Botjes-2020]

Summary of the freedom in function and construction

To conclude:

  1. Engineering resilience : construction and function of the system stay the same.
  2. Systems Resilience: the function of the system stays the same, but the construction will change.
  3. CAS Resilience: there is freedom to change the function and the construction of the system.
Figure 4 - Three types of resilience and their freedom in regard to their function and construction by Martin-Breen 2021 and Botjes 2020.
Figure 4 – Three types of resilience and their freedom in regard to their function and construction by Martin-Breen 2021 and Botjes 2020.
In this context, function stands for “what value it delivered” and construction “how it is created” [Dietz-2013]. 
The premise is that the construction and the function are segregated [wikipedia-reductionism].

Summary on resilience

So the three types of resilience in their behaviour in respect to a disruption can be summarized as “impertinent”, “recover” and “adapt”.

Security and Resilience

it is our view that security is about the organisational behaviour in response to “unkown” events. Therefor resilience is for us an important dimension of assesing the security maturity of an organisation.We tried to capture this in the following maturity levels.

Level 3Add antifragilityto embrace chaos, seize the opportunity to increase value from unplanned events.
Level 2Add resilienceto absorb unplanned events and to increase value from planned events.
Level 1Add robustnessto be prepared for known threats and risks to increase value by planned change.
Level 0Add stabilityto evolve towards controlled planned change and basic quality control.

Whitepaper on resilience and IT Security

In other blogs we will deepdive into this. And you can read more on it in our whitepaper : “Introduction to the BRACE Model – Metamodel on Secure Product Development”, download requires no login.

Research on organisational behaviour and Security

We are also investing in discovering and learning more on what influences our behaviour so that we can be more effective in improving security of the organisation and the IT systems created and used by the organsiation. One our research blogs is: “Improving Security by influencing Human Behavior“ Our research is open for everybody to read, use and contribute. Let us kow if you have feedback .

Sharing Knowledge

Xebia’s core values are: People First, Sharing Knowledge, Quality without Compromise and Customer Intimacy. That is why this blog entry is published under the License of Creative Commons Attribution-ShareAlike 4.0 (CC BY-SA).


  1. [2008] https://en.wikipedia.org/wiki/Financial_crisis_of_2007%E2%80%932008
  2. [Bennett-2014] Bennett, N., & Lemoine, J. (2014). What VUCA really means for you. Harvard business review, 92(1/2). https://hbr.org/2014/01/what-vuca-really-means-for-you
  3. [Botjes-2020] Botjes, Edzo. (2020). Defining Antifragility and the application on Organisation Design (1.0) [Zenodo]. https://doi.org/10.5281/zenodo.3719389 .
  4. [Daft-2010] Daft, R., Murphy, J., and Willmott, H. (2010). Organisation Theory and Design. http://www.worldcat.org/oclc/761007858 .
  5. Dietz-2013] Dietz, J. L., Hoogervorst, J. A., Albani, A., Aveiro, D., Babkin, E., Barjis, J., … & Winter, R. (2013). The discipline of enterprise engineering. International Journal of Organisational Design and Engineering, 3(1), 86-114. https://www.researchgate.net/publication/263068480_The_discipline_of_Enterprise_Engineering .
  6. [dnb01] https://www.bis.org/review/r210512b.htm
  7. [dnb03] https://www.rijksoverheid.nl/documenten/toespraken/2020/09/15/toespraak-aanbieden-miljoenennota
  8. [dnb02] https://www.marketscreener.com/news/latest/Lecture-Klaas-Knot-ldquo-Emerging-from-the-crisis-stronger-together-rdquo-How-we-can-make-Europe–31217340/
  9. [eu01] https://msu.euramet.org/current_calls/documents/EC_Industry5.0.pdf
  10. [eu02] https://ec.europa.eu/info/news/industry-50-towards-more-sustainable-resilient-and-human-centric-industry-2021-jan-07_en
  11. [hbr] https://hbr.org/2014/01/what-vuca-really-means-for-you
  12. [Holling-1996] Holling, C. S. (1996). Engineering resilience versus ecological resilience. Engineering within ecological constraints, 31(1996), 32. https://resilienceengineeringinstitute.org/engineering-vs-ecological-resilience
  13. [Hosseini-2016] Hosseini, S., Barker, K., & Ramirez-Marquez, J. E. (2016). A review of definitions and measures of system resilience. Reliability Engineering & System Safety, 145, 47-61. https://doi.org/10.1016/j.ress.2015.08.006 .
  14. [Hutchins-2018] Hutchins, G. (2018). ISO 31000: 2018 Enterprise Risk Management. CERM Academy Series on  Enterprise Risk Management. Certified Enterprise Risk Manager(R) Academy. http://www.worldcat.org/oclc/1125105820 .
  15. [Jackson-2019] Jackson, M. C. (2019). Critical systems thinking and the management of complexity : responsible leadership for a complex world. John Wiley & Sons, Inc.„ Hoboken, NJ, USA, 1 edition. https://www.goodreads.com/book/show/43970779 .
  16. [Kastner-2017] Kastner, D. (2017). Antifragile organisation design: A framework of self-organisation practices in today’s complex and unpredictable economy. Master’s thesis, Central Saint Martins – University of the Arts London, Master innovation management, London, United Kingdom. https://www.goodreads.com/book/show/37703370
  17. [Martin-breen-2011] Martin-Breen, P. and Anderies, J. M. (2011). The bellagio initiative, background paper, resilience: A literature review. In Resilience: A Literature Review, Brighton:IDS. http://opendocs.ids.ac.uk/opendocs/handle/123456789/3692 .
  18. [op’tLand-2008] Op’t Land, M., Proper, E., Waage, M., Cloo, J., and Steghuis, C. (2008). Enterprise Architecture: creating value by informed governance. http://www.worldcat.org/oclc/1101880293
  19. [oxford] https://www.oxfordlearnersdictionaries.com/definition/english/resilience
  20. [pivot] https://www.startups.com/library/expert-advice/startup-business-pivot
  21. [Santos-2012] Santos, R. S. (2012). why resilience?ä review of literature of resilience and implications for ¨ further educational research. In Review of Resilience Research, Claremont, CA. Claremont Graduate University & San Diego State University. https://www.researchgate.net/publication/291035818
  22. [Taleb-2012] Taleb, N. N. (2012). Antifragile: Things That Gain from Disorder. Random House, New York, NY, USA. http://www.worldcat.org/oclc/851345873 .
  23. [Walker-2004] Walker, B. H., Holling, C. S., Carpenter, S. R., and Kinzig, A. (2004). Resilience, adaptability and transformability in social–ecological systems. Ecology and society, 9(2). http://www.ecologyandsociety.org/vol9/iss2/art5
  24. [Wang-2017] Wang, Zhonglin, et al. 2017, “Analysis of the Definitions of Resilience.” IFAC-PapersOnLine, vol. 50, no. 1, 2017, pp. 10649–57, https://doi.org/10.1016/j.ifacol.2017.08.1756 .
  25. [wikipedia-reductionism]. https://en.wikipedia.org/wiki/Reductionism
Edzo Botjes
Antifragility Architect & Variety Engineer at Xebia. A Shrek look a like. Loves Coffee, Food, Roadtripping & Zen. ENFP-T. Phd candidate for resilient information security and governance. edzob @ Signal, Linkedin, WWW, Medium, Riot/Matrix, Wire, Telegram

Get in touch with us to learn more about the subject and related solutions

Explore related posts