SECURITY AND RESILIENCE MANAGEMENT - MITIGATING RISK FOR YOUR ORGANIZATION

SPEAKERS

• Dennis Blass, CPP – Children’s of Alabama

• Lisa DuBrock, CPA – Radian Compliance, LLC

• Jim Leflar, CPP, CBCP, MBCI – Zantech IT Services

• Marc Siegel, Ph.D. – San Diego State University and M Siegel Associates LLC


SESSION OVERVIEW AND OBJECTIVES

• Panel Discussion – Perspectives on Resilience

➢ What is organizational resilience or what is a resilient organization?

➢ When does an organization move from an ad-hoc approach to a formal structured approach?

➢ What is the advantage of breaking down siloes?

• Change Management – Issues/Recommendations

• New Security and Resilience Standard – The recipe book

• Questions


WHAT IS ORGANIZATIONAL RESILIENCE OR WHAT IS A RESILIENT ORGANIZATION?

• Resilience is an aspirational objective – there is no endpoint nor is there one-size-fits-all.

• Organizations become more resilient by fully integrating proactive management of risk into their system of management.

• Everyone is seen as a risk maker and risk taker, therefore, a risk manager.

• Emphasis is placed on security and risk awareness throughout the organization.

• The management of risk is viewed through the front windscreen, not out the rear-view mirror.

• Risk is considered at the strategic, tactical, operational, and reputational levels.

• Organizations are not viewed as islands but as part of a value chain.

• It is an iterative process where you learn from mistakes.

WHAT IS ORGANIZATIONAL RESILIENCE OR WHAT IS A RESILIENT ORGANIZATION? CONT.

• Organizational resilience is a strategic approach to enhancing the unfettered system-wide interactions (risk, communications, cooperative relations, and social capital) in the holistic organizational environment (internal and external – includes supply chain).


WHEN DOES AN ORGANIZATION MOVE FROM AN AD-HOC APPROACH TO A FORMAL STRUCTURED APPROACH?

• The focus of any formal structured approach should be enhanced risk and business management. The move to a formal approach may be driven by:

➢ Contractual requirements and client demands;

➢ The need to demonstrate reliability in a supply chain;

➢ The need to improve business performance and support future market development, including market expansion;

➢ Legal and liability protection; and

➢ The need for data- and information-based business decision making.

• Certification to a standard should not be a driver – rather it is a distraction. Let it be the gravy at the end of successful implementation.

• Implementation should be tailored to the organization’s system of management, not just the standard.


WHEN DOES AN ORGANIZATION MOVE FROM AN AD-HOC APPROACH TO A FORMAL STRUCTURED APPROACH? CONT.

• Organizational resilience (OR) becomes a formal approach when management begins to organize it and recognizes the OR outcomes.

• Groups and organizational culture can have informal elements.

• Communication channels are both formal and informal.

• The processes that make up the organizational system(s) can be both formal and informal – both are powerful/influential.


WHAT IS THE ADVANTAGE OF BREAKING DOWN SILOES?

• Increase communication effectiveness

• Share resources – more effective

• Risk is risk – entire organizational issue

• Increase the opportunity for social capital


WHAT IS THE ADVANTAGE OF BREAKING DOWN SILOES? CONT.

• An efficiently run organization will have a single risk-based, information-based system of management focused on outcomes and opportunities.

• Objectives need to be considered on the strategic, operational, tactical, and reputational level enterprise-wide, division-wide, and locally.

• Security and risk management support the creation of value – they are part of the operating system.

• Security and risk awareness, communication, and training promote a culture of resilience by incorporating them in all aspects of the business.

• An integrated and holistic approach maximizes precious resources and minimizes duplication of efforts.

• Breaking down silos enhances the collaborative effort needed to address complex multi-disciplinary issues that organizations and their supply chains must address in the global market.


CHANGE MANAGEMENT ISSUES

• Resistance to Change:

➢ General uncertainty about the change (Kennedy, 2011);

➢ Cynicism, dubious trust of leadership, and employees lacking confidence in each other;

➢ Institutional resistance to change (Agocs, 1997);

➢ Organization is slow to change;

➢ Poor implementation by managers (Gilley, Gilley & McMillan, 2009);

➢ Poor planning and preparation;

➢ Senior leadership avoiding unknown risk (Lane, McCormack & Richardson, 2013);

➢ Avoiding an initiative is preferred to creating a risk problem.

• Change failures are caused by human actions, not technical ones.

CHANGE MANAGEMENT RECOMMENDATIONS

• Gain firm, personal approval from the CEO;

• Ensure CEO will continue to support the change initiative;

• Develop a marketing strategy for the change initiative;

• Communicate the personal importance of the initiative to the employees as well as the organizational importance;

• All employees must understand the value of the change.


CHANGE MANAGEMENT RECOMMENDATIONS CONT.

• Use multiple methods of distribution (e.g., multimedia displays, newsletters, intranet messages, and team meetings);

• Seek and recruit employee involvement in the change;

• Ensure employees see that their involvement is necessary for success;

• Active participation increases the likelihood of personal association with the initiative.

• Pace change to the local culture so that success breeds success.


CHANGE MANAGEMENT RECOMMENDATIONS CONT.

• Implement a formal repeatable process consistent with organization’s culture;

• Provide routine status updates and reinforce the value, importance, and personal benefits to all participants;

• Top leader must be involved in the routine meetings or marketing messages;

• Leader must be seen showing absolute, sincere involvement and commitment to the initiative;

• Provide symbols of recognition from top leadership - helps maintain motivation, commitment, & personal recognition with the initiative.


STANDARD: SECURITY AND RESILIENCE IN ORGANIZATIONS AND THEIR SUPPLY CHAINS

• ANSI/ASIS Standard ORM.1, which combines three previous ASIS Standards:

➢ SPC.1, PAP.1 and BCM.1

• Provides a risk-based, systematic, country-neutral approach to identify, assess, and manage risks related to an organization's operations and its supply chain.

• Places an increased emphasis on an organization’s supply chain

• Uses enterprise risk management perspective, emphasizing:

➢ Proactive risk and business management to support a process of prevention, protection, preparedness, readiness, mitigation, response, continuity, and recovery from undesirable and disruptive events;


ORM.1

• ORM.1 is a holistic framework which takes into account:

➢ Context of the organization and its supply chains;

➢ Legal, regulatory, and contractual obligations and voluntary commitments;

➢ Needs of internal and external stakeholders;

➢ Uncertainties in achieving its objectives;

➢ Protection of human, tangible and intangible assets; and

➢ Continual improvement.


WHY ORM.1?

• ORM.1 enables an organization to:

➢ Develop an ORMS policy;

➢ Establish objectives, procedures, and processes to achieve the policy commitments;

➢ Develop processes to assure competency, awareness, and training;

➢ Set metrics to measure performance and demonstrate success;

➢ Take action as needed to improve performance;

➢ Demonstrate conformity of the system to the requirements of this Standard;

➢ Establish and apply a process for continual improvement.

• ORM.1 and CPP – Either the new standard or the legacy standards may be used to study for the CPP exam.


CHANGE MANAGEMENT REFERENCES

Agócs, C. (1997). Institutionalized resistance to organizational change: Denial, inaction and repression. Journal of Business Ethics, 16(9), 917-931.

Avey, J. B., Wernsing, T. S., & Luthans, F. (2008). Can positive employees help positive organizational change? Impact of psychological capital and emotions on relevant attitudes and behaviors. The Journal of Applied Behavioral Science, 44(1), 48-70.

Blank, R. E. (1990). Gaining acceptance: The effective presentation of new ideas. Total Quality Management, 1(1), 69-73.

Coch, L. & French, J. R. P. (2011). Overcoming resistance to change. In W. E. Natemeyer and P. Hersey (Eds.), Classics of organizational behavior, 4th Edition (pp. 41-62). Long Grove, Illinois: Waveland Press.


Diamond, M. A. (1992). Hobbesian and rousseauian identities: The psychodynamics of organizational leadership and change. Administration & Society, 24(3), 267-289.

Gilley, A., Gilley, J. W., & McMillan, H. S. (2009). Organizational change: motivation, communication, and leadership effectiveness. Performance Improvement Quarterly, 21(4), 75-94.

Holt, D. T., Dorey, E. L., Bailey, L. C., & Low, B. R. (2009). Recovering when a change initiative stalls. OD Practitioner, 41(1), 20-24.

Kennedy, D. (2011). Moving beyond uncertainty: Overcoming our resistance to change. Leader to Leader, (62), 17-21.


Lane, K. E., McCormack, T. J., & Richardson, M. D. (2013). Resilient leaders: Essential for organizational innovation. International Journal of Organizational Innovation, 6(2), 7-25.

Neck, C. P. (1996). Thought self-leadership: A self-regulatory approach towards overcoming resistance to organizational change. International Journal of Organizational Analysis (1993-2002), 4(2), 202.

Nord, W. R., & Jermier, J. M. (1994). Overcoming resistance to resistance: Insights from a study of the shadows. Public Administration Quarterly, 17(4), 396.

Palmer, B. (2004). Overcoming resistance to change. Quality Progress, 37(4), 35-39.


Rochet, C., Keramidas, O., & Bout, L. (2008). Crisis as change strategy in public organizations. International Review of Administrative Sciences, 74(1), 65-77.

Rudes, D. (2007, January). Tied response to organizational change. Paper presented at the meeting of American Sociological Association, New York, NY.

Stanley, D. J., Meyer, J. P., & Topolnytsky, L. (2005). Employee cynicism and resistance to organizational change. Journal of Business & Psychology, 19(4), 429-459.

Wart, M. (2004). A comprehensive model of organizational leadership: The leadership action cycle. International Journal of Organization Theory and Behavior, 7(2), 173-208.

HOW TO REACH US

• Dennis Blass – [email protected]

• Lisa DuBrock – 847-997-2032, [email protected]

• Jim Leflar – 267-300-1139, [email protected]

• Marc Siegel – 858-405-9855, [email protected]


Questions?