3rd International Conference on Research and Innovation in Information Systems – 2013 (ICRIIS’13)

Resilient Organization: Modelling The Capacity for Resilience

Nurul Aisyah Sim Abdullah
Faculty of Computer and Mathematical Sciences
Universiti Teknologi Mara
Shah Alam, Malaysia
nurulaisyah@gmail.com

Nor Laila Md Noor
Faculty of Computer and Mathematical Sciences
Universiti Teknologi Mara
Shah Alam, Malaysia
norlaila@tmsk.uitm.edu.my

Emma Nuraihan Mior Ibrahim
Faculty of Computer and Mathematical Sciences
Universiti Teknologi Mara, Shah Alam, Malaysia
emma@tmsk.uitm.edu.my

Abstract—The concept of resilience is becoming popular in the business continuity management debate and academic analysis. This interest is associated with the concern to develop a resilient organization that is able to absorb, adapt and recover quickly from unexpected events or changes to ensure continuous services or critical business functions and operations. Literature analysis from related articles found that resilience is still a relatively new concept and there are some unanswered questions on the definition of an organization's resilience, the capacities that make up resilience and the mechanisms that enable the organization to remain in existence and functioning. Thus, this paper adds to the literature an understanding of the issues and models the capacity for resilience from the perspective of individual and organizational resilience.

Keywords-Business Continuity Management; Resilience Management; Organizational Resilience; Building Resilience

I. INTRODUCTION

Business continuity management (BCM) is one of the eleven components of an information security management system (ISMS) [1] and it is a key information services management issue [2],[3]. BCM is the act of anticipating incidents which will affect mission-critical functions and processes of an organization and ensuring that it responds to any incident in a planned and rehearsed manner [4].
However, the existing approaches to BCM are not sufficient to ensure organizational resilience because of some drawbacks (Table I). These shortcomings could cause the organization to fail to take appropriate action in the face of any unexpected events or changes. Resilience is seen as well suited to a socio-technological environment that is complex and interconnected, ensuring the survival of an organization so that it can continuously provide its services, because of its ability to capitalize on unexpected challenges and changes [5]. Resilience looks beyond restoration because it includes the development of new capabilities; it is an expanded ability to keep pace and even create new opportunities. Resilience is not just about recovery but focuses on how people cope with complexity under pressure, change and unintended events to achieve success [6]. Resilience refers to the capacity of human beings/systems/organizations to survive and thrive in the face of adversity [7],[8],[9]. It is a property that is closely associated with the capacity to avoid, contain and mitigate accidents [10],[11],[12] and with the ability of an organisation to keep, or recover quickly to, a stable state, allowing it to continue operations during and after a major mishap or in the presence of continuous pressure.

TABLE I. CURRENT BCM APPROACH DRAWBACKS

• Existing approaches ensure IT and IS continuity through planning, backup systems and alternate sites [14], and focus only on those events that the business considers to have an impact on the core activities of the organization. Less significant events are not covered [15];
• Plan and strategy preparation is based on identifying scenarios [16]. The question is what to do if the unexpected happens.
• Prevention/mitigation revolves around the technology and process aspects and does not take into account the human aspect, although human attitude and behavior account for some of the accidents.
• The current risk assessment focus is on what goes wrong, trying to eliminate the causes, reduce impact and improve barriers or capability for effective response in order to ensure business continuity. This is not sufficient to support the end-to-end business process because of dynamic changes and unpredictable circumstances.
• Resilience is seen just as a benchmark to measure a successful business continuity management program.
• The tools, methods, models, terms and concepts that we have are all directed at things going wrong [6],[17],[18].

The shift in focus from risk to resilience stems largely from frustration with the emphasis on the identification of risk factors, early planning of mitigation and control of certain scenarios, which have yet to guarantee the preservation of existence and continuity of service. While a risk-focused approach has been very helpful in mitigation to reduce identified risks and their potential impact, more complex organizational environments require a more