What is resilience? What distinguishes the various types of resilience? How does this impact your business design and IT design? This article will provide some foundational views on resilience as reference.
Oxford Dictionary defines resilience as: “the capacity to recover quickly from difficulties; toughness.” [<a href="https://www.oxfordlearnersdictionaries.com/definition/english/resilience">Oxford</a>].
Organizations need a purpose
The goal of any organization is to be and stay relevant to all its stakeholders [op’tLand-2008], since an organization is an intentionally created cooperative of human beings [Dietz-2013]. So when the intention is not fulfilled anymore, then the cooperation has no purpose and the organization will stop existing.
If an organization is purposeful, and it is intentionally designed then the organization design plays an important role, else there is no intention and no purpose with a certain societal purpose [Daft 2010].
A short history
Since 2008 businesses are designed for resilience.
The challenge to our organizations is that the surrounding context is changing very quickly. This is caused by your world being hyper-connected. Every business in the world is challenged by startups and new competitors. The start-up boom post-2008 provided the skills to business to continuously innovate and pivot [pivot] fueled by the financial crisis of 2008 .
In 2014 VUCA was introduced as purpose for resilience.
In 2014 the term VUCA was introduced into business management to describe the continuous uncertainty businesses are part of [Bennett-2014]. VUCA stands for Volatile, uncertain, complex and ambiguous. This make sense making for leadership within organizations very challenging.
In 2021 resilience has been identified as a must in business design
In 2021 the EU has adopted the term resilience as key for industry 5.0 [eu01, eu02]. Resilience is part of the policy of the Dutch National Bank for the Dutch financial market [dnb01, dnb02, dnb03] and part of the Risk Management standard ISO 31.000 [Hutchens-2018].
Generic definition of resilience
An organization or an IT system is in difficulties when an event results in a decrease of its value output. An event with the effect of a decrease in value output can also be called a stressor.
Recovery is completed when the normal value is delivered (again). The moment between the impact of that stressful event (stressor) and the return to normal is what we call resilience [Botjes-2020].
The decline in the value is the period of time a system absorbs the stress, and recovery is when the value output is on the rise. See figure 1.
Figure 1 – generic definition of resilience from Botjes 2020
The triad of Fragile, Robust and Antifragile
Nicolas Taleb introduced the triad of fragile, robust and antifragile (figure 2), which we can use to provide some more depth on what resilience is [Taleb-2012].
Taleb stated that there are “systems” that break when exposed to a stressor. These systems are to be called fragile. When we look at figure 1, a fragile system is able to absorb a little bit of stress and then quickly breaks and loses value when past the breaking point.
There are also systems that are robust. These systems can absorb and recover (all) the stress they are exposed to. An example of this is a block of concrete or a diamond. Nothing it is impervious to everything, therefore a system is usually only robust for certain stress or for a certain amount of stress. All robust systems will have a breaking point.
Taleb states that there are also systems that do not break from stress. Taleb states that there is the antithesis of fragile, which he names antifragile. An antifragile system gains value from stress.
An example of this is the immune system. When an immune system is strained by stress through, for example bacteria, then it learns and adapts to become stronger. The immune system after the fact of being exposed to stress is stronger than the system before the exposure. A stronger immune system is a system that becomes in the future less ill from the same stress.
Figure 2 – The triad by Taleb 2012 from Botjes 2020
Is resilience more than robustness?
Where does resilience fit in the Triad of Taleb?
Resilience clearly plays a role in being robust. Since resilience is about absorption of stress and after time is back at the original value level. Resilience is also often mentioned in the context of antifragility. For that, we look at the definition of resilience by Martin-Breen.
In the academic and non-academic literature there are many definitions of resilience [Wang-2017, Hosseini-2016, Holling-1996, Martin-breen-2011]. The literature review of Martin-Breen offers a nice definition of resilience that fits well when addressing organizations, and with that also indirect IT systems.
Martin-Breen states there are three types of resilience (see figure 3). The beauty of his definition is that it enables the distinction between bouncing back to the previous normal and bouncing back to the new normal.
Figure 3 – Three types of resilience by Martin-Breen 2021 and Botjes 2020
The first type is “Engineering Resilience”. This is where the function of the systems (what) and the construction (how) are designed in minute detail [Dietz-2013].
An IT-system or organizational-system that is designed to show Engineering Resilience behavior is designed to bounce back to the intended function without changing the construction. The intention is to prevent disruption of and changes to the value creation of this system.
“This type of resilience is measurable by the following three characteristics: resistance, elasticity and stability.” – [Holling-1996, Martin-breen-2011, Kastner-2017, Botjes-2020].
The second type of resilience is called “Systems Resilience”.
Here, the function of the system needs to be continued at any costs, and the construction might change. The identity and purpose of the IT-system or organizational-system stay the same, and the added value (function) will stay the same, but should not have to be identical.
This implies that the system can absorb disturbance and reorganize while undergoing changes.
“The system is able to withstand the impact of any interruption and recuperate while resuming its operations / fixed functions.’” [Walker-2004][Santos-2012][Martin-breen-2011]
Complex Adaptive Systems (CAS) Resilience
The third type of resilience is called Complex Adaptive Systems resilience. As the name implies, this behavior is adapting to the situation at hand that extend the changes that a system’s resilient system show. A CAS resilient system will show emergent behavior that is the result of dynamic changing of the construction and the function of the system [Martin-breen-2011, Kastner-2017, Botjes-2020].
Changing the function of an IT-System or Organizational-System implies changing the value proposition toward the outer world. This on one side demands autonomy of the people designing, implementing and operating the system. This autonomy provides the freedom to find a more valuable value proposition. This is why this type of resilience is the only type that enables a system to deliver more value as reps once to a change event.
There is also another downside next to the need for autonomy, that is the question of how far can a system adapt to the new reality without losing its identity and be still the same organization as before the change [Kastner-2017, Taleb-2012, Botjes-2020]. And when an organization has multiple CAS resilient sub-systems, how do you prevent evolving into chaos?
“Complex Adaptive Systems Resilience is the behavior of the system where the function of the system may change and the construction of the system may change over time.” [Botjes-2020]
Summary of the freedom in function and construction
- Engineering resilience : construction and function of the system stay the same.
- Systems Resilience: the function of the system stays the same, but the construction will change.
- CAS Resilience: there is freedom to change the function and the construction of the system.
In this context, function stands for “what value it delivered” and construction “how it is created” [Dietz-2013]. The premise is that the construction and the function are segregated [wikipedia-reductionism].
Summary on resilience
So the three types of resilience in their behaviour in respect to a disruption can be summarized as “impertinent”, “recover” and “adapt”.
Security and Resilience
it is our view that security is about the organisational behaviour in response to “unkown” events. Therefor resilience is for us an important dimension of assesing the security maturity of an organisation.We tried to capture this in the following maturity levels.
|Level 3||Add antifragility||to embrace chaos, seize the opportunity to increase value from unplanned events.|
|Level 2||Add resilience||to absorb unplanned events and to increase value from planned events.|
|Level 1||Add robustness||to be prepared for known threats and risks to increase value by planned change.|
|Level 0||Add stability||to evolve towards controlled planned change and basic quality control.|
Whitepaper on resilience and IT Security
In other blogs we will deepdive into this. And you can read more on it in our whitepaper : “Introduction to the BRACE Model – Metamodel on Secure Product Development”, download requires no login.
Research on organisational behaviour and Security
We are also investing in discovering and learning more on what influences our behaviour so that we can be more effective in improving security of the organisation and the IT systems created and used by the organsiation. One our research blogs is: “Improving Security by influencing Human Behavior“ Our research is open for everybody to read, use and contribute. Let us kow if you have feedback .
Xebia’s core values are: People First, Sharing Knowledge, Quality without Compromise and Customer Intimacy. That is why this blog entry is published under the License of Creative Commons Attribution-ShareAlike 4.0 (CC BY-SA).
-  https://en.wikipedia.org/wiki/Financial_crisis_of_2007%E2%80%932008
- [Bennett-2014] Bennett, N., & Lemoine, J. (2014). What VUCA really means for you. Harvard business review, 92(1/2). https://hbr.org/2014/01/what-vuca-really-means-for-you
- [Botjes-2020] Botjes, Edzo. (2020). Defining Antifragility and the application on Organisation Design (1.0) [Zenodo]. https://doi.org/10.5281/zenodo.3719389 .
- [Daft-2010] Daft, R., Murphy, J., and Willmott, H. (2010). Organisation Theory and Design. http://www.worldcat.org/oclc/761007858 .
- Dietz-2013] Dietz, J. L., Hoogervorst, J. A., Albani, A., Aveiro, D., Babkin, E., Barjis, J., … & Winter, R. (2013). The discipline of enterprise engineering. International Journal of Organisational Design and Engineering, 3(1), 86-114. https://www.researchgate.net/publication/263068480_The_discipline_of_Enterprise_Engineering .
- [dnb01] https://www.bis.org/review/r210512b.htm
- [dnb03] https://www.rijksoverheid.nl/documenten/toespraken/2020/09/15/toespraak-aanbieden-miljoenennota
- [dnb02] https://www.marketscreener.com/news/latest/Lecture-Klaas-Knot-ldquo-Emerging-from-the-crisis-stronger-together-rdquo-How-we-can-make-Europe–31217340/
- [eu01] https://msu.euramet.org/current_calls/documents/EC_Industry5.0.pdf
- [eu02] https://ec.europa.eu/info/news/industry-50-towards-more-sustainable-resilient-and-human-centric-industry-2021-jan-07_en
- [hbr] https://hbr.org/2014/01/what-vuca-really-means-for-you
- [Holling-1996] Holling, C. S. (1996). Engineering resilience versus ecological resilience. Engineering within ecological constraints, 31(1996), 32. https://resilienceengineeringinstitute.org/engineering-vs-ecological-resilience
- [Hosseini-2016] Hosseini, S., Barker, K., & Ramirez-Marquez, J. E. (2016). A review of definitions and measures of system resilience. Reliability Engineering & System Safety, 145, 47-61. https://doi.org/10.1016/j.ress.2015.08.006 .
- [Hutchins-2018] Hutchins, G. (2018). ISO 31000: 2018 Enterprise Risk Management. CERM Academy Series on Enterprise Risk Management. Certified Enterprise Risk Manager(R) Academy. http://www.worldcat.org/oclc/1125105820 .
- [Jackson-2019] Jackson, M. C. (2019). Critical systems thinking and the management of complexity : responsible leadership for a complex world. John Wiley & Sons, Inc.„ Hoboken, NJ, USA, 1 edition. https://www.goodreads.com/book/show/43970779 .
- [Kastner-2017] Kastner, D. (2017). Antifragile organisation design: A framework of self-organisation practices in today’s complex and unpredictable economy. Master’s thesis, Central Saint Martins – University of the Arts London, Master innovation management, London, United Kingdom. https://www.goodreads.com/book/show/37703370
- [Martin-breen-2011] Martin-Breen, P. and Anderies, J. M. (2011). The bellagio initiative, background paper, resilience: A literature review. In Resilience: A Literature Review, Brighton:IDS. http://opendocs.ids.ac.uk/opendocs/handle/123456789/3692 .
- [op’tLand-2008] Op’t Land, M., Proper, E., Waage, M., Cloo, J., and Steghuis, C. (2008). Enterprise Architecture: creating value by informed governance. http://www.worldcat.org/oclc/1101880293
- [oxford] https://www.oxfordlearnersdictionaries.com/definition/english/resilience
- [pivot] https://www.startups.com/library/expert-advice/startup-business-pivot
- [Santos-2012] Santos, R. S. (2012). why resilience?ä review of literature of resilience and implications for ¨ further educational research. In Review of Resilience Research, Claremont, CA. Claremont Graduate University & San Diego State University. https://www.researchgate.net/publication/291035818
- [Taleb-2012] Taleb, N. N. (2012). Antifragile: Things That Gain from Disorder. Random House, New York, NY, USA. http://www.worldcat.org/oclc/851345873 .
- [Walker-2004] Walker, B. H., Holling, C. S., Carpenter, S. R., and Kinzig, A. (2004). Resilience, adaptability and transformability in social–ecological systems. Ecology and society, 9(2). http://www.ecologyandsociety.org/vol9/iss2/art5
- [Wang-2017] Wang, Zhonglin, et al. 2017, “Analysis of the Definitions of Resilience.” IFAC-PapersOnLine, vol. 50, no. 1, 2017, pp. 10649–57, https://doi.org/10.1016/j.ifacol.2017.08.1756 .
- [wikipedia-reductionism]. https://en.wikipedia.org/wiki/Reductionism