ISO 22316 final draft to be released before year’s end

The final draft of ISO 22316 ‘Security and Resilience – Guidelines for Organisational Resilience’, will be released before the end of the year, StrategicRISK has learned.

Speaking at a RIMS Australasia event in Sydney on 21 November, ISO 22316 project leader Brian Roylett said the new standard would be released “in about five weeks”.

“It’s a really high level standard that looks at the principles and the attributes [of organizational resilience],” Roylett said.

“It’s not a ‘how-to’ and there’s more work to be done on that with handbooks and the like, but certainly we’re going to make sure that it doesn’t just become a new fad. That’s the really critical issue for anybody that’s involved with it – is to make sure that it doesn’t become a replacement concept for risk management.”

At the same event, consultancy Control Risks presented the findings of its global research in to organisational resilience.

It found that 62% of respondents were either aware of, or had read, the ISO 22316 guidance. Some 92% of respondents agree with its core principles, which focus largely on shared purpose and collaboration across functions. But 18% indicated that they did not plan to adopt the core principles, preferring instead to stick to existing processes. 


The survey also looked at the internal and external threats most likely to cause disruption and test a company’s resilience.

More than 70% of respondents chose reputational damage as the most significant concern to their business in the event of a disruption – considerably more than reduced revenue (38%), loss of new business opportunities (25%), or reduced shareholder value (26%).

From an internal perspective, the number one threat was voted as the ability for a company to anticipate change and adapt quickly.

Perhaps unsurprisingly, cyber threats came out as the top external threat, with 46% of the vote.

RIMS Australia board member Cathy Murray commented: “Cyber threats are not necessarily just at the business that you work, but also at the service providers to your business. Because if they’re not prepared for cyber threats then that’s going to impact your business.”

Clyde and Co managing partner John Edmund added that their clients were becoming increasingly concerned about cyber liability.

“It’s one of the key issues that we deal with at the moment,” he said.

“The main issue is first-party immediate response loss and damage that you face – your whole system goes down you’re going to have to have systems and information put back together. And then it’s the liability side, which gives rise to the greater financial exposure and maybe the greater risk over a longer period of time.”