Papers can be searched for key words. They are listed by author (in alphabetical order) and allocated to one type:

  • Concept
  • Approach
  • Illustration or case study

and one sector:

  • Engineering / infrastructure
  • Ecological
  • Social / community
  • Business
  • Cross-cutting

All papers: A compilation of all papers including introduction and conclusion is available for download here (pdf).

Resilience: Approaches to Risk Analysis and GovernanceIgor Linkov, Benjamin D. Trump, Cate Fox-Lent1
Resilience: Approaches to Risk Analysis and Governance
An introduction to the IRGC Resource Guide on Resiliencei
Igor Linkov, Benjamin D. Trump, and Cate Fox-Lent
Wide ranging and uncertain threats to public health, energy networks, cybersecurity, and many other
interconnected facets of infrastructure and human activity, are driving governments, including those
of the United States, European Union and elsewhere to further efforts to bolster national resilience
and security. Concerns arise from the increasingly interconnectedness of the world, where
infrastructure systems rely on novel technologies that, while expanding services and promoting
system maturation and growth, expose such systems to new and cascading risks that could devastate
the normal functioning of important systems. Such risks – ranging from cybersecurity to loss of
biodiversity to important ecosystem services – represent growing challenges for risk managers in the
21st century. They require development of conventional risk management strategies, but also
resilience-driven strategies to adequately protect against undesirable consequences of uncertain,
unexpected and often dramatic events.
The National Academy of Sciences (NAS) defines disaster resilience as “the ability to plan and prepare
for, absorb, recover from, and adapt to adverse events” (NAS 2012). The NAS definition highlights a
societal need to address highly uncertain and consequential risk events that are not easily addressed
through traditional approaches of risk management. With this in mind, the paragraph above defines
a scientific challenge about complexity, interdependencies, forms of adaptation, scale that requires a
new synthesis across complexity, biology, computers, social and cognitive sciences. Connecting the
science challenge to the societal need will require engineering advances —advances that will bridge
the traditional divide between engineering disciplines and social sciences.
With this in mind, decision-makers and policymakers have utilized the concept of resilience to
evaluate the capability of various complex systems to maintain safety, security and flexibility, and
recover from a range of potential adverse events. Further, resilience offers the capability to better
review how systems may continually adjust to changing information, relationships, goals, threats,
and other factors in order to adapt in the face of change – particularly those potential changes that
could yield negative outcomes. Preparation for reducing the negative consequences of such events
when they occur is generally thought to include enhancing resilience of systems in desirable states,
and has been described as including considerations of risk assessment as well as necessary resilience
actions before, during, and after a hazardous event takes place. As such, resilience efforts inherently
consider the passage of time and shifting capabilities and risks that may accrue due to changes in
system performance and capacity to absorb shocks. Resilience strategies have the potential to
radically change how a nation prepares itself for the potential disruptions of key services such as
energy, water, transportation, healthcare, communication and financial services. When nations
i This paper is part of the IRGC Resource Guide on Resilience, available at:
resilience/. Please cite like a book chapter including the following information: IRGC (2016).
Resource Guide on Resilience. Lausanne: EPFL International Risk Governance Center. v29-07-2016

prepare for recovery from external shocks of a significant magnitude, resilience strategies must be
Despite the promise of resilience analysis to improve the safety and security of the variety of
industries mentioned and others, the field remains relatively new to the risk management
community. Some risk managers oppose risk and resilience, some articulate the two concepts for
their complementarity, some say that risk is part of resilience, others say that resilience is part of risk.
One recurring complication is the lack of standardization in the field. Practitioners employ a variety
of definitions, metrics, and tools to assess and manage resilience in differing applications. Another
complication includes the sheer breadth of what resilience analysis implies, both from the standpoint
of methodology as well as case applications. These issues motivate the need to provide an overview
of various perspectives on the definitions, interpretations, and methodological underpinnings of
resilience analysis and thinking as it relates to more traditional risk management. Such an exercise is
necessary for, and vital to, the future of the field, where further structure will be needed to facilitate
a more common set of definitions and working tools that practitioners can use to deploy resilience
into various fields in the future.
Here we introduce a series of papers from thinkers and practitioners in the field of resilience. It offers
a view on some of the common streams of thought discussed by disciplinary experts. Specifically, this
paper includes (I) a comparison of risk and resilience management strategies, (II) a description of
common features within resilience analysis and thinking, and (III) a discussion of the benefits that
resilience management brings to the field of risk management.
I - Comparison of Risk and Resilience Management Strategies
Resilience analysis fundamentally maintains much of the same philosophical background as
traditional risk assessment. However, resilience analysis additionally delves into the unknown,
uncertain and unexpected at the scale of systems rather than individual components. Resilience
thinking requires practitioners to ponder potential future threats to system stability and develop
countermeasures or safeguards to prevent longstanding losses. Resilience analysis maintains one
primary difference in the sense that it primarily focuses on outcomes: practitioners are directly
concerned by the ability of the impacted organization, infrastructure, or environment to rebound
from external shocks, recover and adapt to new conditions. In other words, where traditional risk
assessment methods seek to harden a vulnerable component of the system based upon a snapshot
in time, resilience analysis instead seeks to offer a ‘soft landing’ for the system at hand. Resilience
management is the systematic process to ensure that a significant external shock – i.e. climate
change to the environment, hackers to cybersecurity, or a virulent disease to population health –
does not exhibit lasting damage to the functionality and efficiency of a given system. This
philosophical difference is complex yet necessary in the face of the growing challenges and
uncertainties of an increasingly global and interconnected world.
In reviewing the similarities and differences in the fields of risk and resilience (approaches and
methodologies), it is necessary to consider the philosophical, analytical, and temporal factors
involved in each field’s deployment (Aven 2011). Philosophical factors include the general attitude
and outlook that a risk or resilience analyst expresses when understanding and preparing for risks in
a given model. Analytical factors include those quantitative models and qualitative practices

deployed to formally assess risk in a particular model. Lastly, temporal factors include the timeframe
over which risk is traditionally considered using the analytical models available. Overall,
consideration of these and other factors will demonstrate that, while resilience analysis does differ
somewhat from more conventionally utilized risk assessment, resilience thinking is highly compatible
with existing methods and are synergistic with traditional risk analysis approaches.
Philosophically, risk and resilience analysis are grounded in a similar mindset of (a) avoiding negative
consequences of bad things happening and (b) reviewing systems for weaknesses and identifying
policies or actions that could best mitigate or resolve such weaknesses. Risk is the operative term for
both methodologies, and the overall goal is to lessen as much as possible the damages that could
accrue from a hazardous external shock or other undesirable event. As such, practitioners of both
mindsets are explicitly required to identify and categorize those events that could generate
hazardous outcomes to humans, the environment, or society in general (i.e. commerce,
infrastructure, health services, etc.), and subsequently identify countermeasures to meet such
However, the two methodologies contrast on two key aspects: how to assess and understand
uncertainty, and how to judge outcomes of hazardous events (Scholz et al 2012; Fekete et al 2014;
Aven and Krohn 2014). For the former, a traditional risk analysis approach would seek to identify the
range of possible scenarios in an ad hoc or formalized manner, and protect against negative
consequences of an event based upon the event’s likelihood, consequences and availability of
funding, to cover an array of issues for a given piece of infrastructure or construct. In this way,
conventional risk assessors generally construct a conservative framework centered upon system
hardness, such as with system protections, failsafe mechanisms, and/or response measures to
protect against and respond to adverse events. Such a framework has its benefits, but as we discuss
in the next section, if the risk philosophy that supports the analysis is too rigid and inflexible, this can
hinder event response efforts to rebound from a severe or catastrophic event.
When judging outcomes of hazardous events, resilience analysis fundamentally seeks to provide the
groundwork for a ‘soft landing’, or the ability to reduce harms while helping the targeted system
rebound to full functionality as quickly and efficiently as possible, which may imply adaption to new
conditions. This is consistent with The National Academy of Sciences (NAS) definition of resilience,
which denotes the field as “the ability to plan and prepare for, absorb, recover from, and adapt to
adverse events.” While this difference may appear subtle, it carries a significantly different operating
statement that causes resilience analysts to focus more on ‘flexibility’ and ‘adaptation’ within their
targeted systems. This differs from the conventional approach commonly deployed by traditional risk
analysis, which instead seeks to identify a system that is fail-safe in nature yet inherently
conservative. However, the intrinsic uncertainty of the world, the various actors and forces at work,
and the systemic nature of many risks, make it significantly unlikely that inflexible systems would
prevent all risks in the long run, or would adequately protect against severe events that could cause
lasting and sweeping damage to society and the environment. This is particularly true for lowprobability
events, which have a significant chance of being written off in a traditional risk
assessment report as being excessively unlikely enough to not warrant the proper resources to hedge
against (Park et al 2013; Merz et al 2009). Even high-consequences events are often written off of
many decision-makers’ agendas, when they have a low probability of occurrence.

Analytical differences between traditional risk analysis and resilience analysis are less understood
and developed due to the relatively recent attention to resilience. However, it is possible to derive
some understanding based upon the philosophical frameworks that underlie the risk management
process. Both risk analysis and resilience analysis permit the use of both quantitative data and
qualitative assessment, which allows for greater overall flexibility in applications ranging from wellknown
hazards to highly uncertain and futuristic hazards through the utilization of subject expert
insight where quantitative data is limited. Such information is generally integrated into a specific
index or model in order to translate the findings into a meaningful result for the risk analyst, who is
then able to offer either an improved understanding of the real risk that certain hazards pose against
targeted infrastructure and/or an improved review of which alternative actions or policy options may
be taken to mitigate the harms presented by such risks.
Quantitative data may be derived from engineering tests in the field, climate models, design
specifications, historical data, or experiments in a laboratory, among others, where policymakers and
stakeholders are able to view and assess the likelihood and consequence of certain risks against
identified anthropologic or natural infrastructure. Likewise, qualitative assessment is generally
derived from meetings with subject experts, community leaders, or the lay public, and can be can be
used for narrative streamlined assessment such as with content analysis. In most cases, it is optimal
to include both sources of information due to the ability of quantitative field data to indicate more
accurate consequences and likelihoods of hazard alongside qualitative assessment’s ability yield
greater context to an existing understanding of risk data. However, it is often not possible for both
sets of information to be generated with full confidence, either because of a lack of reliability within
qualitative sources of assessment or because of lack or insufficience of quantitative data (due to the
rarity of the situation that is studied, or concerns of ethical experimentation, and/or cost and time
issues), leaving policymakers and stakeholders to make the best decisions with what is available to
them. This is universally true for both traditional risk analysis and its fledgling partner in resilience
analysis, and is likely to be the case for any risk assessment methodology to be developed in the
However, conceptualizations of risk and resilience are different. Resilience quantification is less
mature than its peer methodology in traditional risk assessment, which otherwise has decades of
practical use. This is because resilience is particularly relevant for dealing with uncertain threats,
which are always difficult, if not impossible, to quantify. Nonetheless, several quantitative, semiquantitative,
and qualitative approaches have been proposed and deployed to measure systemic
resilience at local, national, and international levels for a variety of catastrophic events (generally
those with low-probability, high-consequences). Some of these approaches could be relatively
simplistic, for example with a qualitative classification system. Others are more complex, for example
with resilience matrices or highly complex network analysis, where the availability of information and
user preferences determines the level of sophistication deployed for a given resilience case. Despite
these differences, however, resilience thinking and analysis will be similarly dogged by the potential
for ‘garbage-in, garbage-out’ analysis, where resilience practitioners must be vigilant, rigorous and
robust in their use of relevant and valid quantitative data or qualitative information for whichever
risk classification they to employ (Hulett et al 2000).
Temporally, risk analysis and resilience analysis are required to consider the near-term risks that
have the potential to arise and wreak havoc upon complex systems (Hughes et al 2005). Both engage

in exercises that identify and chart out those potential dangers that threaten to damage the
infrastructure in question. This exercise can range from being unstructured and ad hoc to organized
and iterative, yet ultimately analysts consider a series of threats or hazards that can have some
measurable impact upon natural or man-made structures. These hazards are then reviewed based on
their likelihood of occurrence and consequences on outcome, which is another iterative process.
Lastly, risk analysts are required to assess the immediate aftermath of the various adverse events
that were initially identified, and gain a greater understanding into how different components of
infrastructure may be damaged and what the consequences of this may be.
Resilience analysis differs in a temporal sense from traditional risk analysis by also considering
recovery of the system once damage is done. Thus, in addition to considering system decline
immediately after an event (i.e. risk), resilience adds consideration of longer term horizons that
include system recovery and adaptation. Traditional risk analysis can integrate recovery and
adaptation (for example, by considering probability of system to recover by specific time after event
or likelihood that it will be able to adapt), yet this is not necessarily the prime focus of the overall risk
analytic effort. Instead, a traditional risk analysis project constructs the ideal set of policies that,
given available money and resources, would offer the best path forward for risk prevention and
management. Attention to longer term and lower probability threats is often neglected in favor of
more intermediate and likely dangers, with only limited emphasis or focus on the need for
infrastructural and organizational resilience building, in the face of uncertain and unexpected harms.
In this way, traditional risk assessment may not accurately or adequately prepare for those lowprobability
yet high-consequence events that could dramatically impact human and environmental
health or various social, ecological, and/or economic systems that have become ubiquitous within
modern life.
II - Features of Resilience
Globalization is increasing and strengthening the connectivity and interdependencies between social,
ecological, and technical systems. At the same time, increasing system complexity has led to new
uncertainties, surprising combinations of events, and more extreme stressors. Confronted by new
challenges, the concept of resilience, as an emergent outcome of complex systems, has become the
touchstone for system managers and decision-makers as they attempt to ensure the sustained
functioning of key societal systems subject to new kinds of internal and external threats. Ecological,
social, psychological, organizational, and engineering perspectives all contribute to resilience as a
challenge for society. However, there are weak linkages between concepts and methods across
these diverse lines of inquiry. Useful ideas and results accumulate and partially overlap but it is often
difficult to find the common areas. Further, the different technical languages hamper communication
of ideas about resilience across of the different contributing disciplines and application problems.
Connelly et al. (2016) identified features of resilience that are common across conceptualizations of
resilience in various fields including (i) critical functions (services), (ii) thresholds, (iii) recovery
through cross-scale (both space and time) interactions, and (iv) memory and adaptive management.
These features are related to the National Academy of Science definition of resilience through the
temporal phases of resilience (Table 1). The concept of critical functionality is important to
understanding and planning for resilience to some shock or disturbance. Thresholds play a role in
whether a system is able to absorb a shock, and whether recovery time or alternative stable states

are most salient. Recovery time is essential in assessing system resilience after a disturbance where a
threshold is not exceeded. Finally, the concepts of memory describe the degree of self-organization
in the system, and adaptive management provides an approach to managing and learning about a
system’s resilience opportunities and limits, in a safe-to-fail manner.
Table 1: Resilience features common to socio-ecology, psychology, organizations, and engineering and infrastructure, which
are related to the temporal phases from the National Academy of Science definition of resilience (discussed in Connelly et al
2016 – forthcoming).
Description by Application Domain
NAS phase
of resilience
Resilience Feature Socio-
Psychological Organizational Engineering &
Plan Critical function A system function identified by stakeholders as an important dimension by
which to assess system performance
provided to
Goods and
services provided
to society
provided by
physical and
Absorb Threshold Intrinsic tolerance to stress or changes in conditions where exceeding a
threshold perpetuates a regime shift
Used to identify
natural breaks
in scale
Based on sense
of community
and personal
Linked to
adaptive capacity
and to brittleness
when close to
Based on
sensitivity of
functioning to
changes in input
Recover Time Duration of degraded system performance
Emphasis on
dynamics over
Emphasis on
time of
disruption (i.e.,
stage: childhood
vs adulthood)
Emphasis on time
until recovery
Emphasis on
time until
Adapt Memory/Adaptive
Change in management approach or other responses in anticipation of or
enabled by learning from previous disruptions, events, or experiences
memory guides
how ecosystem
after a
which is
maintained if
the system has
high modularity
Human and
social memory,
can enhance
learning) or
diminish (e.g.,
memory of
challenges posed
to the
organization and
management that
modification and
building of
responsiveness to
Re-designing of
systems designs
based on past
and potential
future stressors

Critical Functions (Services). Understanding the resilience of systems focuses on assessing how a
system responds to sustained functioning or performance of critical services while under stress from
an adverse event. In assessing resilience, it is necessary to define the critical functions of the system.
Stakeholders play a key role in defining critical functions. Operationalizing resilience concepts
depends on identifying the resilience of what, to what, and for whom. In addition, system resilience
depends on how the boundaries of the system are drawn (i.e., the chosen scale of interest) and the
temporal span of interest. Scale is often dictated by the social organizations responsible for
managing the system based on temporal and spatial dimension (Cumming et al 2006). Thus,
stakeholders influence how resilience is assessed both in terms of defining critical functions and
system scale. For example, the Resilience Alliance workbooks for practitioners assessing resilience in
socio-ecological systems asks stakeholder groups to envision the system and scale of interest,
possible disturbances, and to identify vulnerabilities (Resilience Alliance 2010). Further, with respect
to psychological resilience, individuals are responsible for assessing resilience through self-reported
inventories of protective factors (e.g., adaptable personality, supportive environment, fewer
stressors, and compensating experiences) (Baruth and Caroll 2002). It is common practice to use
questionnaire responses of stakeholders to assess resilience in psychological and organizational
Thresholds. The concept of resilience involves the idea of stable states or regimes in which a system
exists prior to a disruptive event. Systems are able to absorb changes in conditions to a certain
extent. Further, resilient systems have higher ability to anticipate and use other forms of information
and have different ways to synchronize over multiple players (Woods 2003). However, if a shock
perpetuates changes in conditions that exceed some intrinsic threshold, the system changes regimes
such that the structure or function of the system is fundamentally different. It is the balance of
positive and negative feedbacks that can cause a system trajectory to exceed a threshold and
degrade system performance (leading to the “collapse” phase of the adaptive cycle) (Fath et al 2015).
The nested nature of systems contributes to the possibility of cascading effects when a threshold at
one scale is crossed and causes disruptions at other scales (Kinzig et al 2006). The sensitivity of
system and sub-system performance to changes in inputs can be used to determine resilience
thresholds. Resilience thresholds within organizations are linked to the adaptive capacity of the
organization and of the management scheme utilized. Identifying thresholds prior to exceeding them
is difficult and an area of intense research (Angeler and Allen 2016). When a threshold is crossed,
return is difficult, especially where hysteresis is present. Where or when a threshold is not exceeded,
resilience is still relevant, but measures of return time are more appropriate. These concepts are
interlinked, and return time may slow as the resilience limits of a system are approached (i.e., critical
slowing) (Dakos et al 2008; Gao et al 2016).
Scale. Resilience is often considered with respect to the duration of time from a disruptive event until
recovery (or until the system has stabilized in an alternate regime), and the spatial extent of the
system of interest. We consider space and time scales as inextricably linked. Changes in critical
functionalities are highly correlated in time and space. It is a flawed approach when one aspect of
scale is considered without co-varying the other. There is frequently an emphasis on minimizing time
to recovery where full or critical levels of services or functions are regained. Engineering resilience, in
particular, has a focus on the speed of return to equilibrium, but this measure of resilience does not
adequately consider the possibility of multiple stable states, nor account for non-stationarity (Walker
et al 2004). However, return to equilibrium provides important information about the resilience of a

system to perturbations that don’t cause the system to exceed a threshold and enter into an
alternative regime. In the psychological domain, there is also a consideration for the timing of
disruptive events within an individual’s lifetime. For example, children might be more susceptible
than adults to negative psychological impacts from an event, though this is not always the case.
Further, resilience requires an appreciation for system dynamics over time. It is thought that
resilience is linked to the dynamics of certain key variables, some of which are considered “slow”
changing and constitute the underlying structure of the system while others are “fast” changing
representing present-day dynamics. Panarchy theory captures this cross-scale structure in complex
systems (Allen et al. 2014).
Memory. Memory of previous disruptions and the subsequent system response to a shock can
facilitate adaptation and make systems more resilient. For example, Allen et al. (2016) observe that
ecological memory aids in reorganization after a disruptive event. It has also been noted that socioecological
resilience is enhanced by a diversity of memories related to the knowledge, experience,
and practice of how to manage a local ecosystem (Barthel et al. 2010). Institutional memory can
extend beyond individuals. For example, institutional memory is responsible for maintaining lessons
learned from previous challenges to the organization or to similar organizations (Crichton et al 2009).
In each case system-wide sensing or monitoring is essential to capture changes in salient driving
conditions and critical functions. Memory of an event in the short term often results in increased
safety or resilience through anticipation of a shock or disruptive event through enhanced resistance
or adaptive capacity, though in the long-term the memory of the event fades (Woods 2003). Memory
tends to be maintained if the system has high modularity or diversity.
In human physiology, responding to repeated stressors produces long run changes in the
physiological systems affected by the series of events that evoke stress responses. Although memory
of a past experience can have a negative impact on an individual, in some cases, memory can enable
positive adaptation whereby these individuals are better able to cope with future stressors. Social
memories tend to influence individuals’ interpretations of reality, and thus maladaptive social
memories can decrease individual and societal resilience.
Adaptive Management. Under changing conditions, however, memory of past disturbances and
responses may not be sufficient for maintaining system performance or critical functionality. The
concept of adaptive management acknowledges uncertainty in knowledge about the system,
whereby no single management policy can be selected with certainty in the impact. Instead,
alternative management policies should be considered and dynamically tracked as new information
and conditions arise over time. Accordingly, management is able to adapt to emergent conditions,
reduce uncertainty, and enhance learning in a safe-to-fail manner. By adjusting response strategies in
advance to disruptive events, management is able to build a readiness to respond to future
challenges. Anticipation and foresight lead organizations to invest in capabilities to deal with future
disruptions and prepare for multi-jurisdictional coordination and synchronization of efforts such that
the system adapts prior to disturbances. Thus, system-wide sensing (and monitoring), anticipating
disruptions, adapting and learning (from both success and failure) occur proactively and in a
perpetual cycle, or until key uncertainties are reduced (Park et al 2013).
There are a number of common features of resilience linked to the planning, absorbing, recovering
and adapting phases identified in the NAS definition. Preparing or planning for resilience involves
stakeholder identification of critical functions of the system and the strategic monitoring of those

functions. Intrinsic thresholds or boundaries determine the amount of disturbance a system can
absorb before the system enters an alternate regime, whereby the structure and/or critical functions
of the system are different. Whether the system transitions to a new regime or remains the same,
the time until the system (performance and critical functionality) recovers from a disturbance is used
to assess resilience. Finally, memory and adaptive management facilitate system coping to changing
conditions and stressors, even in an anticipatory sense. These features, along with stakeholders and
scale, are important across domains in understanding and communicating resilience concepts.
III - Benefits of Resilience Thinking Over Traditional Risk Analysis
Traditional risk analysis and resilience analysis differ, yet overall they must be considered
complementary approaches to dealing with risk (Figure 1). One way to assess how they are
complementary is to consider Risk Assessment as bottom-up approach starting from data and
resilience as Top-Down approach starting with mission and decision-maker needs with obvious need
for integration. Risk assessment process starts with data collection and progresses through
modelling to characterization and visualization of risks for management while resilience starts with
assessing values of stakeholders and critical function and through decision models progresses
towards generation of metrics and data that ultimately can inform risk assessments.
Figure 1: Risk and Resilience Integration (after Linkov et al., 2014).
Resilience analysis focuses on both everyday dangers and hazards to organizational and
infrastructural condition along with longer term or lower probability threats that have significantly
negative outcomes. The purpose of such focus is to improve the target’s ability to ‘bounce back’ from
an adverse event, or reduce the time and resources necessary to return the impacted infrastructure

back to normal operating procedures. In this way, resilience analysts are by default required to
consider risk over the extended or long term and review those events which could prevent a system
or infrastructure from returning to full functionality for an extended period. Though not universally
true, resilience management may afford policymakers and stakeholders a greater upfront defense
against system endangering hazards such as those that occurred in the case of Hurricane Katrina or
Superstorm Sandy.
A conventional way to determine how risk and resilience are complementary is to consider that risk
assessment as the preliminary phase to resilience analysis. It provides the first elements needed to
trigger, or not, the need for resilience assessment. This is particularly true in the case of lowprobability,
high consequence risks of the distance future, such as those associated with climate
change, large-scale cybersecurity threats, or severe weather events on the coasts. In this way,
resilience analysis adds a different perspective that traditional risk analysts may otherwise miss – the
ability to understand the capacity of an organization or infrastructural system to rebound from a
massive external shock. While it is impossible to fully predict a highly uncertain and infinitely diverse
future, a robust resilience analysis can offer system level preparation across physical, information
and social domains thus improving the functionality of the system in the midst of a crisis. While lowprobability
high-severity events are rare, several have been experienced in recent memory (ranging
from the September 11th terrorist attacks to the Fukushima Daiichi nuclear disaster), making
resilience assessment both a realistic and highly useful tool to minimize unnecessary losses to
infrastructure, capital, and most importantly, human wellbeing.
These benefits of resilience analysis do not immediately mean that resilience analysis is an all-around
improvement over conventional risk analytic methods. For traditional risk analysis, risk planning is a
multistage effort that requires advanced threat identification for hazardous events prior to their
occurrence with follow-up risk mitigation focused on hardening vulnerable system components.
Resilience analysis starts with identifying critical functions of the system and stakeholder values with
subsequent assessment of system improvement alternatives. Resilience analysis centers on the
integration of risk perception (the active identification of risk and hazard in the midst of uncertainty),
risk mitigation (steps taken to reduce harms before they occur), risk communication (the need for a
clear and meaningful discourse on the seriousness of risk to the general population), and risk
management (post hoc measures to address a realized hazard) collectively guide any risk or resilience
effort. In this way, resilience analysis is far more than a focus on rebounding from a serious risk
event, but rather a series of similar steps as with conventional risk analysis that has its own angle on
how to best prepare for such hazards.
Resilience analysis cannot, however, replace risk assessment. Its systems approach is characterized
by a higher complexity of conceptualization and disconnect from specific system components that
needs to be engineered individually. Moreover, less severe and better characterized hazards are
better served by existing conventional methods that adequately assess perceived cost and benefits
for a given action.
Resilience as Understood by Various Experts
This paper serves as a general introduction to the concept and application of resilience, specifically as
it relates to traditional risk management, and in particular about suggestions for metrics or indicators

that can be developed to assess resilience in a system, and the performance of resilience strategies.
IRGC has invited experts, scholars, and practitioners of resilience from across the globe who were
asked to provide (i) their view of an operating definition of resilience, (ii) discussion of the purpose
and utilization of resilience, (iii) instruments to deploy resilience, and (iv) potential metrics and
criteria for resilience management. As such, each entry offers a unique view of how resilience is
understood and utilized in general or for specific applications – all within a comparable framework by
which the reader may assess the similarities and differences across the body of included experts.
PanarchyDavid G. Angeler, Ahjond S. Garmestani, Craig R. AllenPanarchyi
David G. Angeler1, Ahjond S. Garmestani2, and Craig R. Allen3
1Swedish University of Agricultural Sciences, Department of Aquatic Sciences and Assessment, Box
7050, SE-75 007 Uppsala, Sweden

2U.S. Environmental Protection Agency, National Risk Management Research Laboratory, 26 W.
Martin Luther King Drive, Cincinnati, OH, USA 45268
3U.S. Geological Survey, Nebraska Cooperative Fish & Wildlife Research Unit, University of Nebraska,
Lincoln, NE, USA 68583

Keywords: Resilience, Multiscale, Complex adaptive systems, Risk
Panarchy theory describes the hierarchical organization of complex systems (Allen et al., 2014). Contrary to hierarchy theory, which assumes system control from the higher to lower levels, in a panarchy control acts both from the bottom up and top down. A further distinction between panarchy theory and hierarchy theory is that the former considers dynamic system organization while the latter has more static assumptions. Hierarchical dynamic organization is an emergent property of complex systems and is characterized by the vertical separation of low-frequency dynamics of large extent (e.g., plate tectonics) and high-frequency dynamics of small extent (plankton dynamics in lakes). The partitioning of system dynamics manifests in the compartmentalization of patterns of structure and processes, which provides complex systems with common properties, including enhanced adaptive capacity to withstand disturbance. This ability to cope with disturbances arises from self-organization into hierarchies, whereby disturbances that affect particular scales can be absorbed by other scales in the system (Nash et al., 2014). In turn, this enhances the resilience of complex systems due to the interaction of variables that interact with the system at distinct scales and create self-reinforcing patterns (through positive feedbacks) resistant to change (Gunderson & Holling, 2002).
The dynamic character of a panarchy is described as a set of nested adaptive cycles, whereby adaptive cycles at each scale describe the processes of development and decay in a system (Gunderson & Holling, 2002). An adaptive cycle operates over a discrete range of scale in both time and space (Angeler et al., 2015), and is connected to adjacent adaptive cycles. Because adaptive cycles operate over specific ranges of scale, and a panarchy is composed of multiple adaptive cycles, a system’s resilience is dependent upon the interactions between structure and dynamics at multiple
i This paper is part of the IRGC Resource Guide on Resilience, available at:­governance/resilience/. Please cite like a book chapter including the following information: IRGC (2016). Resource Guide on Resilience. Lausanne: EPFL International Risk Governance Center. v29-07-2016
scales. The number of levels in a panarchy varies, but corresponds to dominant scales present in a system.
Panarchy and risk
In a world of increasing connectedness, understanding scale-dependent processes and structure is critical for navigating a turbulent future. Panarchy provides us with a powerful tool for unveiling the dynamics of scale dependent structure and processes in complex systems. Panarchy serves as a perspective for understanding ecosystems, linked social–ecological systems and governance, and can serve as a framework to envision and quantify risk. The concept is essentially linked to resilience and follows from attempts to characterize and assess resilience in complex systems. As a heuristic, panarchy can help envision the organization of seemingly complicated systems and be linked to risk assessments related to pressures deriving from global environmental change. Panarchy can be utilized in the abstract conceptual sense for establishing qualitative mental models for risk assessment. Panarchy can also serve as a model of system dynamics that allows for concrete and testable hypotheses regarding the risks associated with environmental change.
Applications of panarchy for risk and resilience analysis
Panarchy has served as a model of complex systems organization for exploring a range of social­ecological system challenges that are relevant in a risk governance and assessment context. These explorations include the investigation of the linkages between adaptive cycles in social systems and ecosystems focusing on cycles of destruction and renewal; linking environmental change to social phenomenon such as migration; linkages between system organization and the provision of ecosystem services; managing abrupt change; identifying scales; identifying aspects of resilience including causes of population collapse; and links between resilience, regime shifts and thresholds in systems (Allen et al., 2014).
In a social systems context, panarchy theory has been used in a variety of contexts, such as evoking panarchy as a framework for understanding the linkages between social and ecological systems, which helps with the general understanding of the institutional and organizational change needed to cope with risk and enhance resilience. In urban systems, empirical analyses reveal that urban systems are partitioned into discrete scales separated by thresholds, showing that small cities grew faster than average and large cities grew slower than average (Garmestani & Gunderson, 2009). This demonstrates the potential for a panarchy framework to deal with risks associated with uncertainty in urban ecology, for example the effects of unsustainable growth and urban sprawl. Also, in firm size distributions, the distribution of functional aspects in firm organization is associated with indices of resilience (employment volatility; Garmestani et al., 2006). There is a current consensus among many legal scholars that existing law is too inflexible to accommodate resilience approaches explicitly, and therefore panarchy theory as well. Thus legal reform and new laws, laws which themselves have ant of resilience and that foster resilience in social ecological systems will be required to allow for resilience-based governance (Green et al., 2015).
Quantifying panarchy
Panarchy theory has the potential to develop into a framework for envisioning and assessing risk. Panarchy covers many aspects of complex system dynamics such as adaptation, conservatism and reorganization, which are impossible to frame within a single hypothesis. However, hypotheses that explicitly test the underlying premises of the theory can be formulated and put at risk. Following from panarchy theory are fundamental predictions regarding both the organization and dynamics of environmental, governance and other social aspects related to risk that should manifest if the propositions are true. It presents opportunities to test specific hypotheses regarding resilience and structuring processes in complex systems, and regime shifts, among others. Many of these manifestations have been tested empirically, some have been modeled, and some not tested at all because of data constraints (Allen et al. 2014). Panarchy theory has implications for two important, interconnected, but poorly understood phenomena: novelty arising from change, and regime shifts. Understanding both are essential ingredients for understanding the tradeoffs related to change and the risks those changes entail to human societies. Given the importance of these phenomena for understanding resilience, panarchy theory has great potential to make operationalization of these phenomena explicit, ultimately improving ways for quantification and measurement of risk.
Ecological ResilienceCraig R. Allen, Ahjond S. Garmestani, Shana Sundstrom and David G. AngelerEcological Resiliencei

Craig R. Allen1, Ahjond S. Garmestani2, Shana Sundstrom3 and David G. Angeler4

1U.S. Geological Survey, Nebraska Cooperative Fish & Wildlife Research Unit, University of Nebraska,
Lincoln, NE, USA 68583
2U.S. Environmental Protection Agency, National Risk Management Research Laboratory, 26 W.
Martin Luther King Drive, Cincinnati, OH, USA 45268
3Nebraska Cooperative Fish & Wildlife Research Unit, University of Nebraska, Lincoln, NE, USA 68583
4Swedish University of Agricultural Sciences, Department of Aquatic Sciences and Assessment, Box
7050, SE-75 007 Uppsala, Sweden


Keywords: Resilience, Social-ecological systems, Management, Risk assessment


Resilience is the capacity of complex systems of people and nature to withstand disturbance without
shifting into an alternate regime, or a different type of system organized around different processes
and structures (Holling, 1973). Resilience theory was developed to explain the non-linear dynamics of
complex adaptive systems, like social-ecological systems (SES) (Walker & Salt, 2006). It is often
apparent when the resilience of a SES has been exceeded as the system discernibly changes, such as
when a thriving city shifts into a poverty trap, but it is difficult to predict when that shift might occur
because of the non-linear dynamics of complex systems.

Ecological resilience should not be confused with engineering resilience (Angeler & Allen, 2016),
which emphasizes the ability of a SES to perform a specific task consistently and predictably, and to
re-establish performance quickly should a disturbance occur. Engineering resilience assumes that
complex systems are characterized by a single equilibrium state, and this assumption is not
appropriate for complex adaptive systems such as SES. In the risk governance context this means that
compounded perturbations derived from hazards or global change can have unexpected and highly
uncertain effects on natural resources, humans and societies. These effects can manifest in regime
shifts, potentially spurring environmental degradation that might lock SES in an undesirable system
state that can be difficult to reverse, and as a consequence economic crises, conflict, human health

i This paper is part of the IRGC Resource Guide on Resilience, available at:
resilience/. Please cite like a book chapter including the following information: IRGC (2016).
Resource Guide on Resilience. Lausanne: EPFL International Risk Governance Center. v29-07-2016

Resilience and risk governance

A premise of any SES is that surprise and uncertainty are inherent to the system. Risk governance, as
defined by the International Risk Governance Council, implies enabling societies to benefit from
change while minimizing the negative consequences of the associated risks. However, achieving and
managing for trade-offs between benefits for societies of change while reducing risks is difficult and
does not adequately address surprise and uncertainty in system behaviour. SES management and
governance have therefore, to a large extent, struggled over the long term to ensure the
maintenance of ecological regimes that are desirable for humans in terms of consistent delivery of
ecological goods and services while systems undergo change. Regime shifts, such as the collapse of
commercial fisheries, have often been the consequence of the sustained overuse of natural

Resilience-based management benefits risk governance in two ways. First, when systems are in a
desirable state for humans, management can focus on fostering and enhancing the resilience of this
regime by assuring that functional attributes relevant for processes that deliver ecosystem services
are diverse and imbricated. Second, systems in undesirable states can also be highly resilient. Where
systems are in undesirable states resistant to change, that is when an undesirable state is resilient, it
may be necessary to reduce the resilience of the system and to induce a shift in the system to a
regime that is more desirable, and then to manage the system to foster the regime of this desirable

Adaptive management

Adaptive management was developed as a way to conduct safe-to-fail experiments for ecosystems,
and a way to allow management to occur in the face of uncertainty while allowing flexibility and
enhancing learning. Managing for resilience therefore consists of actively maintaining a diversity of
functional attributes in the system, accounting for thresholds and the non-linear dynamics that occur
at thresholds, and implementing adaptive management and governance. Managing for resilience
requires an improved understanding of system-level behavior, rather than specific, detailed
knowledge of parts of the system. Adaptive management and governance are critical to managing for
resilience, as they treat policy and management options as hypotheses to be put at risk, and thus
enhance learning and reduce uncertainty (Allen et al., 2011).

The following propositions constitute the core of managing for resilience in social-ecological systems:

Identify the conditions that indicate loss of resilience for the particular system (Angeler &
Allen, 2016). Recent research demonstrates that there are system-specific conditions
that indicate a system is losing resilience and approaching a regime shift. These
indicators are measurable (see below), and will differ between ecosystems.
Identify and maintain a diversity of system elements and feedbacks that help keep a
system within a desired regime. Maintain the distribution of ecological functions within
and across scales that contribute to system resilience.

Measuring resilience

Resilience theory explicitly accounts for the hierarchical organization of SES. It considers discrete
scales of space and time at which patterns of structure manifest and processes unfold. For instance,
small and fast processes such as the turnover of leaves on trees are orders of magnitude different
than the large and slow processes, such as climate, that drive the location of boreal forest on a
continent. Resilience can be assessed by examining how functional attributes are distributed within
and across the scales present in the system of interest. Resilience is considered to increase with an
increasing redundancy and diversity of functional attributes, both within and across scales. Higher
redundancy and diversity of functional traits can buffer against disturbances, maintain processes and
stabilize feedbacks of desired system regimes.

Fundamental to the assessment of resilience is the objective identification of the scaling
structure of the system to determine within and cross-scale redundancy and diversity of functional
attributes. A series of methods have been developed in the ecological sciences that have potential
for wider application in the social and ecological sciences (Sundstrom et al., 2014). These methods
include Classification and Regression Tree analysis, and their Bayesian implementation, which
identify scaling structure based on size characteristics in ecological (e.g. animal size) or urban (city
size) systems. Other approaches are based on time series and spatial modelling (Angeler et al., 2016).
Time series modelling allows identifying discrete temporal frequencies at which patterns in complex
systems manifest. Spatial methods reveal discrete geographical extents and variation in relevant
variables and have potential to assess how entire regions beyond ecosystems affect and are affected
by local and regional environmental processes and governance (spatial resilience; Allen et al., 2016).
Other approaches include early warning indicators, which allow assessing when a system approaches
critical thresholds and potentially faces an impending regime shift (Dakos et al., 2012).

Infrastructure Network ResilienceKash Barker, Jose E. Ramirez-MarquezInfrastructure Network Resiliencei
Kash Barker1, Jose E. Ramirez-Marquez2,3
1School of Industrial and Systems Engineering, University of Oklahoma, USA, 2Stevens Institute of Technology, Hoboken NJ, USA, 3Tecnológico de Monterrey, Guadalajara, México
Keywords: Resilience, Infrastructure networks, Reliability, Vulnerability, Recoverability
The US government has increasingly emphasized resilience planning for critical infrastructure. Presidential Policy Directive 21 (White House, 2013) states that critical infrastructure “must be secure and able to withstand and rapidly recover from all hazards,” where the combination of ‘withstanding’ and ‘recovering’ from disruptions constitutes resilience. The resilient operation of critical infrastructures is “essential to the Nation’s security, public health and safety, economic vitality, and way of life” (DHS, 2013). DHS planning documents highlight terrorist attacks, natural disasters, and manmade hazards, all of which could exacerbate our aging and vulnerable infrastructure networks, whose general condition was given a grade of D+ (ASCE, 2013).
As risk is often viewed as the combination of disruptive scenario, likelihood, and consequence, the study of resilience can be viewed as a special case of risk when ‘consequence’ is measured in terms of vulnerability to and length of disruption resulting from a disruptive scenario. This is true across many applications, including infrastructure networks. Reducing risk in infrastructure networks, in terms of an ability to withstand a disruptive scenario (reducing vulnerability) and an ability to recover (increasing recoverability), can be achieved as the result of building network resilience. As such, resilience management can be viewed as an important component of risk management depending on how the consequence of a disruptive scenario is defined. And much like the quantification of risk, the quantification of resilience is scenario-specific: a network’s resilience is a function of the conditions surrounding the disruption (Haimes, 2009).
Resilience has increasingly been seen in the literature, and measures of resilience have seen a recent increase (Hosseini et al., 2016). This paper focuses on a particular paradigm for describing the behavior of a network before, during, and after a disruptive scenario ........, originally offered by Henry and Ramirez-Marquez (2012) and subsequently refined by Barker et al. (2013), Pant et al. (2014), and Baroud et al. (2014a) and applied with network applications. The network, whose behavior is depicted in Figure 1, operates in state ....0 until a disruption occurs at ....e, and at time ....d the network reaches its maximum disrupted state ....d. Recovery from the disruption commences at time ....s, and
i This paper is part of the IRGC Resource Guide on Resilience, available at:­governance/resilience/. Please cite like a book chapter including the following information: IRGC (2016). Resource Guide on Resilience. Lausanne: EPFL International Risk Governance Center. v29-07-2016
state ....f is attained at time ....f and is maintained thereafter. The performance of the network is measured with ....(....), which assumes that a larger value of network performance is preferred, therefore a degradation caused by ........ leads to a decrease in ....(....). Figure 1 depicts the behavior of ....(....) before, during, and after disruption ........ .
Figures 1 and 2 illustrate three dimensions of resilience: reliability, vulnerability, and recoverability. Prior to disruptive scenario ........, the ability of the network to meet performance expectations is described by its reliability (Ebeling, 2010; Modarres et al., 2010). Jonsson et al. (2008) define vulnerability as the magnitude of network damage given the occurrence of a particular disruptive scenario, complementary in concept to robustness in the “resilience triangle” literature in civil infrastructure (Bruneau et al., 2003). Recoverability is related to understanding the ability and speed of networks to recover after a disruptive scenario, similar in concept to rapidity in the “resilience triangle” literature in civil infrastructure [Bruneau et al. 2003].

Figure 1. Graphical depiction of decreasing network performance, .(t), across several state transitions over time.
Resilience is defined here as the time dependent ratio of recovery over loss, or .(....)= Recovery(....)/Loss(....), noting the notation for resilience, . (Whitson & Ramirez-Marquez 2009) as R is commonly reserved for reliability. Eq. (1) formalizes this measure, where ....(....0) refers to the ‘as­planned’ performance level of the network, ....d is the point in time after the disruption where network performance is at its most disrupted level, recovery of the network occurs between times ....s and ....f, and any quantification of resilience requires the occurrence of disruptive scenario ......... Eq. (1) is used for networks whose performance is reflected in Figure 1.

Network performance, ....(....), can be defined in a number of ways. For example, Almoghathawi et al. (2016) describe network performance as the extent to which demand is being met at the demand nodes of a network, an important consideration in electric power or water networks. In transportation network applications (e.g., Jenelius & Mattson (2015)), origin/destination travel times or network flow may appropriately measure network performance. Ganin et al. (2016) propose the proportion of active nodes in a network as a measure of performance. Gao et al. (2016) also use a graph theoretic measure of network performance,
Several related measures can be derived from Eqs. (1) and (2) (Pant et al. 2014), including: (i) time to complete restoration, or the total time spent from the point ....s when recovery activities commence up to the time when all recovery activities are finalized, (ii) time to full network resilience, or the time spent from ....s up to the time when .........|........=1 (note that for network applications, flow can be at its maximum when links are still disrupted, thus the distinction between (i) and (ii)), and (iii) time to ....×100% resilience, or the time spent from ....s up to when .........|........= .....
As one might imagine, there is a dependence relationship among the three dimensions of resilience from Figures 1 and 2. Strengthening reliability through network protection and hardening may reduce the impact experienced after ........, thus investments in reliability may assist in reducing vulnerability. Likewise, a less vulnerable network (or a network that is more capable of withstanding a disruptive scenario) is more easily restored. Thus, an investment in reducing vulnerability can pay dividends in improving recoverability, even though these risk management options are very different from each other. There exists a tradeoff among reliability, vulnerability, and recoverability, where pre-disruption investments may be less expensive than post-disruption investments to achieve and maintain similar levels of network performance before and after a disruptive scenario. And naturally, there exists a likelihood that the scenario occurs (and thus recoverability is necessary).
Annotated bibliography
Bursztein and Goubault-Larreq (2007) proposed a logic-based framework to assess the resilience of computers networks against disruptions such as malicious intruders as well as random faults. Their proposed model uses two-layered presentation of dependencies between files and services and also quick response to the incidents. Sterbenz et al. (2013) described a comprehensive methodology to assess network resilience through a combination of topology generation, simulation, and experimental emulation techniques with the goal of improving the resilience and solvability of the future internet. Trivedi et al. (2009) reviewed the definitions and metrics for network resilience.
Individual dimensions of network resilience (reliability, vulnerability, recoverability) have been well studied. Reliability typically quantifies the likelihood of connectivity of a network (Mandaltsis & Kontoleon, 1987; Jan, 1993; Ramirez-Marquez & Rocco, 2008, 2009).
Numerous works study network vulnerability, noting that vulnerability is highly dependent upon the type and extent of disruption ........ (Crucitti et al., 2005; Zio et al., 2008; Zhang et al., 2011). In particular, Nicholson et al. (2016) propose measures of network vulnerability based on network flow, as opposed to most studies that emphasize topology (Holme et al., 2002; Holmgren, 2006; Wu et al., 2011; Johansson et al., 2011; Johansson et al., 2013).
The work on optimizing recovery typically involves the order and scheduling of links to restore (Gong et al., 2009; Matisziw et al., 2010; Aksu & Ozdamar, 2014; Nurre et al., 2012; Cavdaroglu et al., 2013).
To identify the important components (nodes/links) contributing to the resilience of a network, Barker et al. (2013) offer some resilience-based component importance measures derived from Eqs.
(1) and (2). Fang et al. (2016) extend this approach with some new measures.
Validating Resilience and Vulnerability Indices in the Context of Natural DisastersLaura A. Bakkensen, Cate Fox-Lent, Laura Read, Igor LinkovValidating Resilience and Vulnerability Indices in the Context of Natural Disastersi
Laura A. Bakkensen1, Cate Fox-Lent2, Laura Read2, and Igor Linkov2
1School of Government and Public Policy, University of Arizona 2US Army Corps of Engineers, Engineer Research & Development Cente
Keywords: Risk, Resilience, Validation, Metrics, Vulnerability, Natural disasters
Resilience implies that a system can persist and function more successfully over the duration of an event, relative to a less-resilient counterpart. These key elements are highlighted in two definitions, including the National Academy of Science’s definition of disaster resilience as “the ability to prepare and plan for, absorb, recover from, and more successfully adapt to adverse events” and the Intergovernmental Panel on Climate Change’s definition of “the ability of a system and its component parts to anticipate, absorb, accommodate or recover from the effects of a hazardous event in a timely and efficient manner, including through ensuring the preservation, restoration or improvement of its essential basic structures and functions”.
Despite risk management actions to lessen impacts, losses from natural disasters have increased over time and motivated discussion of a new resilience management paradigm as a policy objective in the
U.S. and worldwide. While there has been a recent proliferation of resilience assessment tools and methods to help develop an understanding of existing resilient capacity, few of these approaches point to specific improvement measures or support specific investment priorities. Although resilience quantification may be in its infancy, researchers should understand that their methods are likely to be used in decision making for funding justifications or policy development, whether they are intended for use in that way or not.
Quantifying resilience and vulnerability through aggregation of metrics has become a popular approach to aid in decision making. However, empirical validation remains an important final step. While such multi-metric resilience indices may be well substantiated by theory, they may not perform as expected. The policy relevance of a resilience assessment relies on its ability to pinpoint areas in need of improvement that can confidently be expected to reduce some disaster impact, whether total losses, spatial extent of disruption, or recovery time. The objective of this work is to
i This paper is part of the IRGC Resource Guide on Resilience, available at:­governance/resilience/. Please cite like a book chapter including the following information: IRGC (2016). Resource Guide on Resilience. Lausanne: EPFL International Risk Governance Center. v29-07-2016
present a first effort at partial validation of five popular U.S. resilience indices. Multi-variate regression is used to empirically validate each index to test their power to explain historical property losses, fatalities, and disaster declarations at the county-event level across states in the Southeast. The results are compared with the stated index objectives, to examine the relevance of each index and to identify best practices for index development to support further validation. Lastly, policy recommendations are made based on the findings in order to enable disaster indices to be better utilized to inform policy and action.
The authors acknowledge that this is an initial and incomplete attempt at validation. One, most of the indices’ authors do not specifically state that their indices will explain the three outcomes tested here. Also, resilience goes beyond simply withstanding disruptive events and speaks to the ability of a system to recover from disturbances and adapt to changing conditions, the latter of which this validation does not assess. The recovery component of resilience could perhaps be validated using explanatory power for number of days that schools are closed, or length of time for local business revenues to rebound. However, as much of that data is currently lacking, this intent of this paper is bring to reader’s attention the need for external validation of these methods and to demonstrate one approach using regression analysis.
Instruments for resilience management
In response to the clear need for disaster research, academics and practitioners alike have conducted many studies in an effort to better understand resilience and vulnerability. One major focus has been the development of indices to quantify resilience and vulnerability using metrics. In that vein, a main effort in quantification is through an index, or “composite indicator”, that aggregates metrics across a variety of numerical factors in order to gauge the level of disaster resilience or vulnerability across space. Cutter (2015) reviews the assortment of tools, indicators, and scorecards that currently populate the resilience literature in the United States. Some of these are “resilience” indices and some are “social vulnerability” indices but this turns out to be only a nominal difference. Although social vulnerability and resilience may be different theoretical constructs, popular indices of vulnerability have stated goals of identifying “uneven capacity for preparedness and response and… determining differential recovery from disasters” and informing management across “all phases of the disaster cycle,” which closely match the definition of, and goals of, resilience indices. As a result, most indices include very similar set of metrics related to demographic and municipal data, for example: number of owner-occupied homes, hospital beds per capita, educational attainment rates, existence of hazard mitigation plans, and the Gini coefficient of inequality. The output of these indices is relative—comparing one county to another, or one county at to the same county at some later point in time. The decision making that this sort of result could inform would be statewide allocation of funding, or identification of target areas for improvement. However, though many indices draw on similar sets of metrics, the results may vary from index to index—one index may show county A as more resilient than county B, while another index may show the reverse, confusing the selection of an appropriate index to base decision making on. To enhance the utility and policy external validation of these indices with actual disaster outcomes should be performed. Community resilience to disasters is still an emerging field and index developers often describe their products as frameworks or baseline assessments but there is little utility unless they can be confidently used to inform decision makers. This work takes as inputs the results of five prominent disaster indices in the United States: Cutter, Burton, and Emrich’s Baseline Resilience Index for Communities (BRIC); Peacock et al.’s Community Disaster Resilience Index (CDRI); Foster’s Resilience Capacity Index (RCI) as applied to metropolitan areas by the Network on Building Resilient Regions; Cutter, Boruff, and Shirley’s Social Vulnerability Index (SoVI); and Flanagan et al.’s Social Vulnerability Index (SVI). Figure one shows the score from each index for counties in the southeastern United States. The CDRI was only available for coastal counties, the RCI for metropolitan areas, and the BRIC for the on the eastern States.

Figure 1: Scores by index for counties in the southeastern US
Figure 2 graphs the scores of each index in three selected regions. The counties listed for each region are adjacent to each other, yet across the different index, their calculated relative performances
(higher or lower than a neighbor) vary. Depending on the disaster index selected, a state official would come to different conclusions about how to allocation funding for improvement in the region. This observation initiated the present effort to at a first order validation of these approaches with historical disaster data.

For the disaster index validation, data was collected from the National Climatic Data Center and Federal Emergency Management Agency for the 10 US states shown in Figure 1. Three common outcomes for disaster planning are reduction of damage and loss of life and reduction of emergency support needed. Therefore it is expected that the resilience indices will positively correlated with property losses ($), fatalities (#), and disaster declarations (#) while the social vulnerability indices will be negative correlated with these outcomes. Multivariate regression analysis is employed to empirically validate the explanatory power of the five disaster indices, relative to their theoretical performance, while controlling for other potential confounding variables, including population density or capital stock in harm’s way, magnitude of the disaster, and year. The magnitudes of each relationship are not directly compared, as these are determined, in part, by individual index assumptions and normalizations used in the index creation. Instead, the method tests the ability of
each index in explaining outcomes consistent with the theoretical sign (ß_1<0 for resilience indices and ß_1>0 for vulnerability indices) and statistical significance of the relationship. We do not believe, nor intend for, our validation exercise to be comprehensive in testing for all types of outcomes. Instead, we present the results as an important first attempt at formal empirical validation and comparison across indices.
The five indices analyzed were all theoretically sound and individual metrics were analyzed using statistical techniques by the creators of each index. However, empirical validation reveals that not all indices perform as expected. A pairwise comparison between the five indices was performed. While there is qualitative consistency within the index types (resilience or vulnerability), the overall correlations are not high. The highest correlations observed were between BRIC and CDRI at 0.805. Half of the ten pairwise correlations have values between -0.5 and 0.5, with some values close to zero. Thus, it remains unclear, with only this information, whether disaster indices are picking up different facets of resilience and vulnerability or some indices are performing better. In the regression analysis, CDRI and SoVI perform the best, with all results of the correct sign, but the estimated coefficient on disaster declarations and fatalities, respectively, are not statistically significant. This may be partly driven by the fact that they were already empirically verified to some extent in the original analysis. In addition, RCI performs as expected for property losses and fatalities, but has an insignificant but incorrect sign for declarations. CDRI, RCI, and SVI perform best for both damages and fatalities, while SoVI performs best for both damages and disaster declarations (Table 1). While most indices explain historical damages, only some explain fatalities and few explain disaster declarations with significance. However, very few indices specifically explain the outcomes that they try to speak to, so the user is left to interpret the results independently. One recommendation of this paper is that indices should be much clearer in what they aim to explain— disaster reduction or recovery, infrastructure or community health, etc.—and should follow up with explicit testing to see if they indices perform well. This way, decision makers can know clearly which index to choose to inform certain types of decisions.

Understanding community resilience and vulnerability to natural disasters remains a policy priority around the world. Corporations, governments, and non-profit organizations are investing time and resources into measuring and improving resilience across many disciplines, so much so that the term has evolved into a new identity validated index functionality is fundamentally important in order to better understand the value of index results and properly apply these lessons for their intended purposes. By validating index performance using outcomes related to the stated objectives of the indices, policy makers can have confidence that investments in resilience or reduction in vulnerability, as recorded by changes in a disaster index, will translate to specific desired improvements.
Operationalize Data-driven Resilience in Urban Transport SystemsEmanuele Bellini, Paolo Nesi, Pedro FerreiraOperationalize Data-driven Resilience in Urban Transport Systemsi
Emanuele Bellini1 and Paolo Nesi1
1DISIT Lab, Information Engineering Dept. University of Florence
Keywords: Sustained adaptability, Decision Support System, Big Data, Urban Transport System, Sociotechnical system
Resilience and sustained adaptability in urban transport systems (UTS)
Today, enhancing resilience in Urban Transport Systems is considered imperative for two main reasons: a) such systems provide critical support to every socio-economic activity and are currently themselves one of the most important economic sectors in Europe; b) the paths that convey people, goods and information, are the same through which risks are propagated.
Transport systems have thus developed a prominent safety and business critical nature, in view of which current management practices have shown evidence of important limitations. UTS is a sociotechnical system whose resilience can be defined as the intrinsic ability to adjust its functioning prior to, during or following changes and disturbances, so that it can sustain required operations under both expected and unexpected conditions (Hollnagel, 2011). Thus, UTS resilience is considered an emergent property and it refers to managing high variability and uncertainty in order to pursue successful performance of the system continuously. Answering to questions as:

What type and sources of variability need to be managed?

What type and level of resources are needed to cope with such variability?

How to plan and deploy such resources?

How to ensure that local adaptive mechanisms are synchronised at the system level?

is needed to understand the sources of operational variability, the mechanisms through which it may potentially propagate inside and outside and the impact on the system performance. The potential for resilience to emerge from UTS system performance can be assessed based on the “four resilience cornerstones” (Hollnagel, 2011):
• Responding (Knowing what to do): corresponds to the ability to address the “actual” and respond to regular or irregular disruptions by adjusting functioning to existing conditions.
i This paper is part of the IRGC Resource Guide on Resilience, available at:­
governance/resilience/. Please cite like a book chapter including the following information: IRGC (2016). Resource Guide on Resilience. Lausanne: EPFL International Risk Governance Center. v29-07-2016

Monitoring (Knowing what to look for): corresponds to the ability to address the “critical” by monitoring both the system and the environment for what could become a threat in the immediate time frame.

Anticipating (Knowing what to expect): corresponds to the ability to address the “potential” longer term threats, anticipate opportunities for changes in the system and identify sources of disruption and pressure and their consequences for system operation.

Learning (Knowing what has happened): corresponds to the ability to address the “factual” by learning from experiences of both successes and failures.

The final aim is to dampen the performance variability of the functions composing the complex system considering their internal characteristics as well as their interdependencies.
Challenges in UTS resilience
Complex sociotechnical and interdependent systems are under-specified by nature. This means that, to a certain extent, system operations are unknown and therefore, potentially uncontrolled. Within urban contexts, transport systems are challenged to respond to a wide range of mobility needs, whilst coping with severe constraints of many different kinds, namely geographical, environmental, safety and security related, among others. A list of challenges, needs and criticalities emerged from stakeholders:

Over-specification of procedures and incremental development of rules based on past experience goes against the need for flexibility (local adjustment).

Supply chain interdependency is not properly taken into account. Multi-decision-makers (civil protection, public administration, infrastructure managers, etc.),

UTS users (citizens) with their conflicting micro-opportunistic behaviors, different risk perceptions, beliefs, skills, etc. should be included in the UTS resilience management

Heterogeneous data sources (environmental sensors, traffic flows, social network, etc. ) with different data delivery rate (raining from real-time to static), quality, reliability and semantics.

Fragmented and sometimes not clearly defined responsibilities among UTS actors.

Local and general vulnerabilities with complex interdependencies aiming the system (ICs, People, Organizations, Business, etc.) composing the urban sociotechnical system.

Needs to optimally manage the scarcity of resources in term of first responders, goods, and tools available before, during and after emergency

Needs of a coordinate multi-channel communication strategy and a situation-aware communication delivery tools (e.g. localised and personalized early warnings, installation of variable messaging panels, etc.)

Common attitude of the authorities to neglect the preparing and adapting phases in favor of the absorbing and reacting phases.

Weak population preparedness against unusual extreme events and wrong perception about their recurrence probability and potential effects.

Moreover, since resilience is a complex and multifaceted concept there is the need to semantically disambiguate the meaning of the terms used through an active engagement of all the stakeholders. In fact implementing a measurement system for UTS resilience assessment has implications at political level because of its connection with the quality of life. Thus, in order to avoid any kind of “manipulation” of the measurement results in the political debate, the indicators require an agreement about their acceptance among all the actors involved in UTS, to achieve:
a) a clear understanding of the UTS adaptive capacity
b) a semantic reconciliation of the most ambiguous concepts and the identification of an
official and widely accepted definition for them.
c) the development of sets of indicators and thresholds based on the agreed concepts
d) the identification of the sources to feed indicators with pertinent data. Such approach should result into a semantic-aware Statistical Information System, to govern indicators development according to the transparency imperative. (Bellini & Martelli, 2012).
Florence UTS case study
The authors conducted a preliminary assessment of the resilience of the city of Florence UTS interviewing relevant actors as Civil Protection, City Mobility and ICT dept., Urban Policy, Public Transport operators, companies managing the road and rails infrastructures, small business operators. According to the preliminary results against the European Resilience Management Guidelines (Gaitanidou, Bellini, & Ferreira, 2016) several drawbacks in UTS resilience implementation and function coupling emerged for both predictable and unpredictable events. In fact, the Florence UTS is a multi-actor system that tends to be organised in silos with some technological and organizational barriers that prevent to manage resilience effectively. For instance, a decision to start a new yard in a specific part of the city is usually taken by the technical services department that is responsible for the roads maintenance. Since such kind of decision may have multiple implications, it requires that all the affected stakeholders should be timely informed (e.g. mobility department., citizens, business operators). In particular the mobility department needs to be aware of the status of the network to re-organize the service in the area (e.g. changing the road conditions). Unfortunately the need for such information sharing is neither officially defined with procedures nor technologically supported yet. Inefficient function coupling among the UTS functions “maintenance” and “operation” increases the probability of an increment of their performance variability in changing conditions. In fact, if the information resource necessary for the “operation” function to adjust the service and organise new mobility strategy is provided too late or not at all, when an emergency occurs, the decision taken by this function will be totally unreliable, extending the performance variability of the system over its flexibility boundaries, potentially causing a catastrophe. For instance, every traffic plan calculated in advance on the base of scenarios coming from the risk assessment activities, ends up to be ineffective in real condition, since it is based on hypothetical scenarios. Factors like the dynamic and intensity of the phenomena, the real-time status of the traffic, the real time position and direction of the people, etc. can frame a very diverse context, thus making good decisions with such level of dynamics and uncertainty is an open challenge.
To cope with such uncertainty, during an emergency, precious time is spent to gain a better understanding of the status of the UTS, collecting information from the operators on the ground (e.g. firefighters, urban police) or from citizens (calls to emergency call centre). In the meantime a number of decisions are taken separately by each actor involved causing overlaps in the interventions, human resources and means over/under spending, conflicting objectives, etc. affecting the absorb and recovery effectiveness. For instance an excessive use of resource during an emergency may prevent the capability of the system to respond to another emergency effectively for a while, increasing instantly its vulnerability.
It is clear that taking well-informed decisions to dampen performance variability in UTS during the four phases (planning/preparing, absorbing, recovering, adapting) requires new tools and methods based on data that should be timely, reliable and relevant.
New smart tools for resilience management
Today, thanks to the development of new technologies such as Internet of Things, network sensors, smart devices, big data analytics, and so forth, it is possible to go beyond the simulation based approach to resilience moving from technologies in vitro to technologies in vivo.
In fact, in order to sustain the adaptability of Florence UTS and to support decision makers in planning, preparing, absorbing, recovering and adapting phases, in the context of RESOLUTE EU project ( an Evidence-Driven Decision-Support System (EDDSS) is currently under experiment in the city (Bellini E. , Nesi, Ferreira, Simoes, Candelieri, & Gaitanidou, 2016). An EDDSS (Bartolozzi, Pantaleo, Nesi, Bellini, & Santi, 2015) is a computer-based information system that supports organizational decision-making activities. The objective of the EDDSS is to translate heterogeneous data into knowledge to provide evidence for making decisions for a problem by compounding experts’ experiences and data and analysing them in an intelligent and fast way a human cannot do in reasonable time. The system is composed of a big data platform (KM4City) and the Collaborative Resilience Assessment and Management Support System (CRAMSS).
The KM4City platform (Bellini P. , Nesi, Rauch, Benigni, & Billero, 2014) implemented in Florence, is an advanced Big Data semantic aggregator of data generated by the Florence Smart City able to manage huge amounts of static and dynamic data streams generated by different actors (utilities networks position; citizens position, velocity, direction, social network data; hydrogeological risk maps; safe areas maps; presence of students at schools; public transport real-time position; Civil protection volunteers availability; weather forecast, etc. ), and to connect such multi sources data flow to models of the complex system. Going beyond the theory and simulations, such a data-driven approach provides the means to assess the levels of criticality at evidence/quantitative level, while seeking to enable the capabilities of the system to take an appropriate decision at strategic, tactical and operational level (Bellini P. et al., 2014). Km4City also provides consumption APIs for 3rd party exploitation fuelling the Collaborative Resilience Assessment and Management Support System (CRAMSS).
The CRAMSS is a System Thinking and a Multiple Input – Multiple Output (MIMO) application having the capability of combining Communication, Data and Knowledge (Bartolozzi, Pantaleo, Nesi, Bellini, & Santi, 2015) to track resource availability and support real-time allocation decisions to dampen function performance variability generated by internal and external factors (interdependencies).
Thus CRAMSS supports structured decision making for system adaptive management (Collier &
Linkov, 2014) at several layers of abstraction (Strategic, Tactical, Operational level).
The output of CRAMSS will be then communicated according to the 4R: right information, to the right
person, at the right moment, through right channels (e.g. situated message variable displays, traffic
lights, personal smart devices).
The New Resilience Paradigm - Essential Strategies for a Changing Risk LandscapeJoseph FikselThe New Resilience Paradigm -Essential Strategies for a Changing Risk Landscapei
Joseph Fiksel1
1The Ohio State University
Keywords: Resilience, Risk management, Adaptability, Systemic risk, Supply chain resilience
The Need for Resilience
Resilience is the capacity to survive, adapt, and flourish in the face of turbulent change (Fiksel, 2015,
p. 5). A very common usage of resilience is in human psychology—a resilient person is able to recover from adversity, such as a traumatic accident or a job loss, and to forge ahead with confidence. At a broader scale, resilience is seen in social organizations such as tribal, ethnic, or religious groups, as well as entire cities and nations. Resilience is intrinsic in living things—for example, bacteria can develop resistance to antibiotics. Likewise ecosystems can recover from extreme damage such as an oil spill.
In the field of risk governance, the resilience of business enterprises and other organizations depends upon the resilience of people, products, processes, assets, markets, and communities. To cope with an increasingly networked and turbulent world, enterprise managers need to anticipate and embrace change rather than resisting it. Instead of merely seeking to return to a normal ‘equilibrium’ state, a strategic approach to resilience involves learning from disruptions and building capacity for rapid response and adaptation. In other words, rather than bouncing back, organizations need to ‘bounce forward.’
For some types of risks, the likelihood and magnitude of random events can often be predicted with a fair degree of confidence based on historical data. For example, in the property and casualty insurance industry, actuarial tables provide a reliable basis for setting premiums. However, problems arise if shifting conditions make historical observations irrelevant. Moreover, hypothetical extreme events may never be observed in practice. Thus, risk assessment and management often becomes a subjective exercise based on human judgment, with pessimistic and optimistic assumptions sometimes differing widely. An alternative approach is to design systems that are inherently resilient to unexpected challenges.
i This paper is part of the IRGC Resource Guide on Resilience, available at:­
governance/resilience/. Please cite like a book chapter including the following information: IRGC (2016). Resource Guide on Resilience. Lausanne: EPFL International Risk Governance Center. v29-07-2016
Beyond Traditional Risk Management
Embracing change and building inherent resilience will require a new approach to dealing with risk and uncertainty. In today’s complex risk landscape, conventional risk management is inadequate for dealing with fast-moving, unfamiliar changes that may have catastrophic consequences. The most damaging disruptions are often a result of rare “black swan” events that seem highly unlikely until they actually happen, such as the tsunami that destroyed the Fukushima nuclear power plant in Japan (Taleb, 2007).
According to the National Academy of Sciences, risk-based methods are not adequate to address complex problems such as climate change and loss of biodiversity, and more sophisticated tools are available that go beyond risk management (National Research Council, 2011). The concept of a stable equilibrium, with steady growth punctuated by occasional isolated deviations, is no longer realistic. Similarly, the World Economic Forum has acknowledged the importance of resilience for addressing ‘systemic’ risks that are difficult to predict or manage effectively. Systemic risk is defined as “the risk of breakdowns in an entire system, as opposed to breakdowns in individual parts and components”. Systemic breakdowns can result from tipping points that trigger a chain of cascading effects, such as floods, power blackouts, property destruction, and economic crises (World Economic Forum, 2014).
There are several key limitations to the classic risk management paradigm (Fiksel, 2015, p. 24): first, risks cannot always be anticipated. A critical step in risk management is hazard identification; yet risks may result from cumulative changes that reach a tipping point. In a complex system, ‘emergent’ risks are often triggered by improbable events whose causes are not understood, and their potential consequences are difficult to predict a priori. Second, risks may be hard to quantify. Even if risks can be identified, the lack of an adequate dataset with reliable statistical information can make it difficult to assess the most significant threats. Managers may underestimate the probabilities or magnitudes of risks that they have never experienced, and faulty assumptions may lead to misallocation of resources. Finally, adaptation may be needed to remain viable. Risk mitigation and recovery practices are typically aimed at returning to ‘normal’ conditions. Instead, every disruption represents a learning opportunity, and should be viewed as a stimulus to drive process improvement based on root cause analysis and systems thinking. In today’s fast-changing world, a philosophy of ‘business as usual’ may be untenable.
The established methods of risk management can be useful for protecting against familiar, predictable risks, such as fires or power failures. Resilience is not a substitute for risk management; rather it enables organizations to embrace change and counteract vulnerabilities by expanding their portfolio of capabilities. Early adopters of resilience have demonstrated how they can augment traditional risk management practices with new competencies that help them to anticipate, prepare for, adapt, and recover from unexpected disruptions, and in some cases to treat disasters as an opportunity for gaining competitive advantage. Companies like General Electric, IBM, and Swiss Re see the emerging interest in resilience as an opportunity for new products, services, and markets (Evans, 2013).
Strategies for Resilience Improvement
Resilience implies the capacity to overcome changes that are not predictable or quantifiable, representing unforeseen threats and opportunities. In the absence of predictive information, resilience involves capabilities for sensing of discontinuities, rapid adaptation, and flexible recovery or transformation. Designing resilient systems may involve changing their physical configuration. For example, a collection of distributed electric generators (e.g., fuel cells) connected to a power grid can be more resilient than a central power station in handling disruptions. Similarly, a geographically dispersed workforce linked by telecommunications may be less vulnerable to catastrophic events that could disable a centralized facility.
There are many other opportunities to develop enterprise resilience, including both functional and structural initiatives. Functional initiatives range from increased agility in recognizing and resolving problems (e.g., emergency preparedness) to fundamental transformations in response to strategic threats or opportunities (e.g., business model innovation). Structural initiatives range from establishing safeguards against disruptions (e.g., supply chain flexibility) to reducing vulnerability to change and increasing versatility (e.g., business diversification) (Fiksel, 2015, p. 14).
Research at Ohio State, supported by Dow Chemical and other companies, has produced a comprehensive supply chain resilience framework that helps companies to identify important vulnerabilities and to set priorities for strengthening their capabilities (Fiksel, Polyviou, Croxton, & Pettit, 2015) . For example, a company that faces unpredictable market demand could strengthen a number of capabilities: flexibility in manufacturing to satisfy surges in demand; accurate, up-to-date visibility of demand status to support timely decision making; early anticipation and recognition of market changes to enable strategic responses; and close collaboration with customers and suppliers to ensure coordinated action. Similarly, a company concerned with dependence on a complex supply network could work on flexibility in sourcing by identifying alternative sources, flexibility in manufacturing by reducing lead times, and anticipation by recognizing early warning signals of possible disruptions.
Besides supply chain management, resilience strategies are relevant for every major business function, including capital budgeting, customer relationship management, human resource management, information management, and new product development. Design for Resilience can be defined as “adaptation or transformation of enterprise products, processes, or assets in order to reduce vulnerabilities and improve capabilities, enabling sustained or enhanced performance” (Fiksel, 2015, p. 174). Examples of resilient products include self-healing materials, reconfigurable computer chips, and adaptive communication networks.
Measuring Enterprise Resilience
While hundreds of resilience indicators have been developed by various organizations, the table below lists a number of fundamental attributes underlying enterprise resilience (Fiksel, 2015). Note that these attributes cannot simply be maximized; there are tensions that need to be balanced. Adaptability and Efficiency are opposed, since the pursuit of efficiency tends to eliminate sources of variability and unused capacity. For example, the ‘lean’ movement has increased the vulnerability of supply chains to unexpected disruptions. Likewise, Cohesion and Diversity are opposed, since the pursuit of cohesion may eliminate diversity of talents, opinions, and business models. The challenge of creating a resilient culture is to encourage individuality and resourcefulness while maintaining a sense of common identity and purposeful teamwork.
Attribute Types of Indicators Example
Cohesion Strength of corporate identity or stakeholder trust Interbrand ranking of brand value
Vulnerability Presence of disruptive forces that can threaten business continuity Country-specific political risk index
Adaptability Capacity to rapidly modify key products, technologies, or business processes Response time to execute modification
Efficiency Productivity in terms of value delivered relative to resources required Production volume per unit of energy input
Diversity Variety of markets, suppliers, facilities, and employee capabilities Number of qualified sources by component
Stability Ability to continue normal business operations when disruptions occur Surge capacity as a percent of normal output
Recoverability Ability to overcome severe disruptions and restore business operations Maximum tolerable damage without shutdown

Table 1: Measuring Enterprise Resilience
For each of these attributes for which resilience indicators can be defined in qualitative or quantitative terms. For example, recoverability can be measured in terms of the time required to recover, the cost of recovery, or the maximum tolerable degree of disruption. Note that some indicators may be correlated; for example, stability, vulnerability, and recoverability all depend upon a fundamental attribute called precariousness, which indicates how close the system is to a critical threshold (e.g., minimum inventory level) (Walker, Holling, Carpenter, & Kinzig, 2004).
It is sometimes helpful to aggregate resilience indicators into an index. For example, Cisco created a composite index of resilience indicators related to products, suppliers, manufacturing processes, and test equipment for outsourced components. This index is applied automatically to Cisco’s top 100 products, accounting for about half of Cisco’s revenue, and is included on the company’s Supply Chain Operations Executive Dashboard. Meanwhile, IBM Corporation has worked with the United Nations to develop “ten essentials” of disaster resilience, and helped to develop a “resilience scorecard”—a self-assessment tool that cities could use to evaluate their preparedness, including collaboration, risk assessment, building codes, natural buffers, and warning systems.
Finally, it is important to understand that resilience is a necessary, but not sufficient condition for long-term sustainability. Indeed, there may be trade-offs between resource conservation to improve sustainability versus the need for resource buffers to increase resilience (Fiksel, Goodman, & Hecht, Resilience: Navigating Toward a Sustainable Future, 2014).
Measuring Urban Resilience As You Build It - Insights from 100 Resilient CitiesLeah Flax, Amy Armstrong, Liz YeeMeasuring Urban Resilience As You Build It -Insights from 100 Resilient Citiesi
Leah Flax1, Amy Armstrong1 and Liz Yee1
1100 Resilient Cities, Pioneered by The Rockefeller Foundation, 100RC, see also
Keywords: Urban, Cities, Systems, Shocks, Stresses, Resilience Condition, Resilience Potential, Resilience Impact
A Holistic Definition of Resilience That Addresses Urban Complexity
100 Resilient Cities (100RC) -pioneered by The Rockefeller Foundation, partners with cities in dozens of countries around the globe to develop and implement actions that build urban resilience. The 100RC Network is made up of practitioners at the forefront of an urban resilience movement who are often the earliest adopters and co-creators of resilience-building tools and methods. Our approach is centered on a holistic definition of resilience that integrates multiple schools of resilience thinking. In our work with partner cities we define resilience as the capacity of individuals, communities, institutions, businesses, and systems within a city to survive, adapt, and grow no matter what kinds of chronic stresses and acute shocks they experience.
Of particular note about our holistic definition of resilience is that it addresses not only the impact of acute shocks, but also chronic stresses, and that it identifies the multi-scalar nature of urban resilience as resting on capacity existing at a range of levels from individuals to macro systems.
A Proactive and Holistic Approach to Managing Risk
A focus on building resilience differs from traditional approaches to risk management. Specifically it takes a systems approach, incorporates the threats posed by chronic stresses, produces integrated solutions that offer multiple benefits, and is adaptive to uncertain future scenarios.
Most critical to a resilience approach is consideration of how both shocks and stresses contribute to risk. When a catastrophe occurs it creates a cascade of impacts, exacerbating all the issues present before the event. Attention to day-to-day conditions such as social disparity, inadequate healthcare, and poorly constructed or aging infrastructure can limit the aftershocks felt when disasters occur, And just as shocks aggravate stresses, stresses can also accumulate and become shocks. For example rising unemployment can lead to rioting and civil unrest, and environmental degradation can cause
i This paper is part of the IRGC Resource Guide on Resilience, available at:­governance/resilience/. Please cite like a book chapter including the following information: IRGC (2016). Resource Guide on Resilience. Lausanne: EPFL International Risk Governance Center. v29-07-2016
deadly landslides and flooding. Notably—and a key part of building the urban resilience movement— a focus on chronic stresses not only reduces the potential they will exacerbate a shock, but it helps cities operate better in good times as well.
Addressing multiple shocks and stresses simultaneously requires a fundamentally integrative approach. It is especially appropriate for developing the type of adaptive solutions needed in urban places that face multiple uncertainties. It works well at the city scale where there are a multitude of decision-makers, and it is necessary to break down silos and work across sectors to understand how systems connect and impact each other. Strategies for building resilience demand a more holistic approach. Resilience actors ask ‘how can we create a City that will thrive for generations to come in the face of multiple risks and an unknowable future?’ ‘How can we not only protect people’s lives but also increase their livelihoods and access to opportunities?’ ‘How can we, with every dollar spent, connect systems to create multiple benefits across them?’
While the complex nature of building resilience presents many challenges, and can seem overwhelming, it has the potential to create greater efficiency and impact by integrating efforts and creating alignment across multiple stakeholders. The result is improvements today that will minimize future impacts and shorten recovery time.
As this holistic understanding of resilience takes hold in cities around the world, tools and methods are being developed to bring theory into practice, and cities are finding themselves at the forefront of innovating a new community of practice.
What Cities Need to Measure to Build Resilience
From Byblos to Bangalore to Boston, cities that partner with 100RC are diverse in risks, size, region, development, governance, and culture. How each city approaches building resilience looks a bit different, but common among them is a need for resilience measurement all along the journey. Methods used by cities for measuring or identifying resilience must be sound, but they must also connect to the types of objectives city stakeholders have, such as: gaining consensus and buy-in around what the city’s resilience challenges are; designing initiatives that will contribute to the city’s resilience; accessing financial and other resources necessary to implement; demonstrating impact on people’s lives; and making the case for continued investment in building resilience.
As a network organization 100RC is actively engaged in trying to meet city needs for such methods through development of new tools and curation of existing best practices. The tools and methods most needed by cities can be grouped in three subjects:
Resilience Condition – Measurement of the current state of urban resilience. Necessary to baseline existing conditions and identify opportunities to build resilience. Resilience Potential – Measurement of the potential an initiative or program has to contribute to city resilience. Necessary to design projects and approaches with a clearly articulated resilience value proposition. Resilience Impact – Measurement of short and long-term outcomes achieved. Necessary to create accountability and understand effectiveness.
Approaches to Measuring
Resilience Condition – 100RC’s approach to measuring resilience condition combines measuring existing conditions and the risk potential of shocks and stresses under various future scenarios. Resilience condition may be understood as a city’s current capacities combined with future risks. Methods for measuring resilience condition employed by 100RC partner cities include a qualitative assessment of perceived city strengths and weaknesses, an inventory of actions the city currently employs that have resilience-building potential, the use of existing data on shock and stress trends, and mapping potential interactions of shocks and stresses. These activities are primarily done with qualitative proprietary tools designed exclusively for the 100RC member network and the synthesis of existing data. Cities in the network from Surat, India to Los Angeles, USA to Thessaloniki, Greece have innovated how they apply these tools to achieve greater inclusion of stakeholders and more reliable data.
Quantitative tools for measuring resilience condition at a city-scale and applicable globally are not yet widely available. Over the next three years, however, we anticipate that this gap will be filled by tools such as the City Resilience Index released in May 2016 by the Rockefeller Foundation and Arup ID, and the ISO 37120 Standard for Resilient and Sustainable Cities being developed by the World Council on City Data.
Within a City, over-reliance on quantitative methods can obscure geographic or social disparities, provide limited visibility into the root causes that influence city performance, and fail to engage the diverse perspectives of stakeholders that are often important to understanding the story behind the data. For this reason qualitative tools and methods for further analyzing and challenging data, drawing out the insights of city experts, and assessing resilience at varying scales (block, neighborhood, etc.) remain critical.
Using a citywide resilience index or measurement to benchmark an individual city’s strengths and track its progress over time can be a very useful tool—both within a city and across the network of practitioners trying to understand how best to achieve impact. However, using quantitative indices for comparing resilience condition across cities should be discouraged because of the relative and complex nature of resilience; comparing an individual city’s benchmark across diverse contexts may be dangerous, as the factors that contribute to local context—and the insights for what will be necessary for enhancing resilience—will be obscured.
Resilience Potential – The challenge of this area of measurement is to connect the design of individual actions (policies, projects, programs, etc.) to what is necessary to build the city’s overall resilience. A tension exists here in measuring resilience potential through specific goals (i.e. reduced traffic deaths, increased literacy, etc.) vs. intermediary outcomes (i.e. adaptive, absorptive, and anticipatory capacities as put forth by ODI). With either approach, to design resilience-building initiatives measurement methods must account for the city-specific context of risk (shocks and stresses) as well as current capacities and performance of critical functions. Methods must also be adaptable to various types and scales of actions ranging from setting city policy to designing large infrastructure projects.
Developing better methods for identifying resilience potential is of critical importance – without it cities will continue to struggle to develop sound strategies for building resilience, or will simply plan for known disaster risks and call it resilience. For example, in several cities where we work, the resilience conversation had previously focused on prevention against a handful of exogenous shocks, such as earthquakes or hurricanes or terrorism. But through the resilience planning process, underlying vulnerabilities such as water insecurity, infrastructure decay, low social cohesion and other stresses have been identified as posing a significant threat now—as well as being exaggerated in times of acute crisis—and therefore must be dealt with as part of a holistic approach to increasing a city’s resilience potential.
The current gap in diagnostic tools to assess potential has been a catalyst for creativity and innovation among resilience thinkers and city experts who have stepped into this space to create processes and methods that work for them and build consensus and ownership along the way. They are largely using evaluative processes to analyze and critique project design and identify opportunities to further maximize potential resilience value. These methods include multiple­criteria analysis or a “resilience lens” to compare projects. Workshops that develop initiatives with a design thinking approach have also been widely used as a way to incorporate multiple resilience­building objectives in a given project. Some of these include the intensive workshops the United States Department of Housing and Urban Development has led (in conjunction with The Rockefeller Foundation) for awardees of the National Disaster Resilience Competition. These workshops seek to articulate the resilience value of the proposed project and to identify metrics and approaches to performance management that will ensure winning jurisdictions hold themselves accountable to achieving the full resilience value of their proposed projects.
Additionally methods are being advanced for specific sectors, particularly for capital projects and the built environment. An example of this is the RELi Resiliency Action List + Credit Catalogii, a comprehensive listing of resilient design criteria that can be used to evaluate projects and is akin to a resilience lens for U.S. Green Building Council’s LEED standard (Leadership in Energy and Environmental Design). The SuRe® Standard, developed by Global Infrastructure Basel Foundation and Natixis, is another example of a well-developed infrastructure-specific tool for understanding resilience potential. It is aimed at establishing a common language of sustainable and resilient infrastructure projects between project developers, financiers, local authorities and end-users and specifically considers projects from both a risk management and a benefit creation perspective (SuRe, 2015). There is significant potential for further development and refinement of sector-specific criteria and rubrics, however, it’s critical that they focus on how initiatives contribute to the resilience of the city rather than myopically measuring the resilience or robustness of the initiative itself.
As measuring resilience condition at a city scale advances, there is also the potential to downscale established indicators to apply at the initiative level across sectors.
ii See bibliography and
Resilience Impact – Looking backward at how cities have fared shocks and stresses, the benefits of a resilience approach seem obvious. Compelling examples such as Medellin, Colombia and New York City can be found in Dr. Judith Rodin’s book The Resilience Dividend: Being Strong in a World Where Things Go Wrong. But the body of evidence and measurement methods linking how actions intended to build urban resilience are delivering a resilience dividend is still developing. It is within resilience impact measurement that resilience as a practice will be tested. Practitioners will need to prove the benefits of resilience planning—showing the impact on livelihoods, the built environment, the costs of municipal finance and other metrics. And crucially, showing better outcomes in times of great stress and disaster.
Resilience impact measurement is near and dear to the heart of all cities. Cities seek to measure resilience impact at multiple scales – from that of an individual initiative to shifting the needle on the city’s overall resilience. Cities are eager to show progress to their constituents and build confidence and support for continued investment. They have a keen desire to understand what is working and how they can best use scarce resources, and unlock new capital and drive investment towards resilience-building approaches.
If we get resilience condition and resilience potential measurement right, measuring resilience impact will follow naturally. Valid methods for measuring resilience condition used over time will reveal whether resilience capacity has in fact increased. Similarly, if tools for maximizing resilience potential are effective then they can be used to compare projected and realized benefits and thus measure the resilience impact at the initiative level.
Even with resilience condition and potential methods in place, however, challenges to measuring resilience impact will remain. These have been well articulated in “Resilience Measurement Principles,” and include issues of causality, timeliness and avoided losses which are particularly relevant at the city scale:

Causality – linking the actions taken to outcomes realized

Timeliness – implementation of initiatives may take much longer than a single political cycle and benefits may not be realized until long after implementation

Avoided losses – the impact of shocks and stresses that were avoided is difficult to measure

The valuation of resilience impact in monetary terms also remains a critical gap in establishing financing streams for resilience-building initiatives. As resilience impact measurement advances, it should bridge with other fields that value a range of direct and indirect effects such as ecosystem valuation, progressive standards for benefit/cost assessment, and risk assessments by insurers and creditors.
Resilience in IRGC's Recommendations for Risk Governance (Risk Governance Framework)Marie-Valentine FlorinResilience in IRGC’s Recommendations for Risk Governance (Risk Governance Framework)i
Marie-Valentine Florin1
1EPFL International Risk Governance Center
Keywords: Resilience, Framework, Inclusive approach, Risk and resilience, Uncertainty
Resilience, as an approach or simply a characteristic of a system, aims to help systems cope with unexpected changes. The concept has gained popularity among scientists and practitioners alike who are faced with addressing the limits and boundaries of risk management. In 2005, the International Risk Governance Council’s White Paper (IRGC, 2005) proposed an inclusive risk governance framework to deal with risks marked by complexity, uncertainty, or ambiguity. Further the White Paper identified a specific space for resilience building focused on the context of governing risk. Since then, IRGC has continued to make the case that resilience-building can be a relevant strategy to address the consequences of certain types of risks, such as with emerging risks, or risks with high uncertainty about causes and impact, and potentially catastrophic consequences.
IRGC proposes that resilience strategies should be considered for risks marked by uncertainty and unexpectedness, as often the case in complex adaptive systems. However, we also argue that other conventional risk management strategies should not be neglected. For example, risk managers need to identify and address trade-offs between hardening and protection (robustness) versus resilience and recovery. This paper includes excerpts from the description of the IRGC risk governance framework (IRGC, 2005; IRGC,2008).
Risk and resilience
In IRGC's thinking and recommendations for risk governance, risk is defined as an uncertain consequence of an event or an activity with respect to something that humans value (definition originally in Kates et al. (1985: 21)). Such consequences can be positive or negative (depending on the values that people associate with them), but most people are concerned risks that pose various harms. Systemic risks are those risks that affect the systems on which society depends, such as with health, transport, energy, telecommunications, etc. Systemic risks are at the crossroads between natural events (partially altered and amplified by human action such as the emission of greenhouse gases), economic, social, and technological developments and policy-driven actions, both at the domestic and the international level.
i This paper is part of the IRGC Resource Guide on Resilience, available at:­
governance/resilience/. Please cite like a book chapter including the following information: IRGC (2016). Resource Guide on Resilience. Lausanne: EPFL International Risk Governance Center. v29-07-2016
In this context, risk analysis is used to inform a process by which resilience is built, when and as needed, to help strengthen the capacity of a system to cope with surprises. Resilience is a protective strategy to build in defences to the whole system against the impact of the realisation of an unknown or highly uncertain risk. Resilience strategies will primarily aim to reduce exposure and vulnerability. For example, they will aim to design systems with flexible response options, or improve emergency management.

Figure 1: Risk and resilience
Resilience as a strategy for managing risks marked by uncertainty and unexpectedness
Targeted risk governance strategies differ according to the dominant characteristic of the knowledge about the risk issue (‘simple’, ‘complex’, ‘uncertain’, ‘ambiguous’)

‘Simple’ risk problems can be managed using a ‘routine-based’ strategy, which draws on traditional decision-making instruments, best practices, and/or time-tested trial-and-error.

For ‘complex’ and ‘uncertain’ risk problems, it is helpful to distinguish the strategies required to deal with a risk agent from those directed at the risk-absorbing system: complex risks are thus usefully addressed on the basis of ‘risk-informed’ and ‘robustness-focussed’ strategies, while uncertain risks are better managed using ‘precaution-based’ and ‘resilience-focussed’ strategies. The former strategies seek to access and act upon the best available scientific expertise and at reducing a system’s vulnerability to known hazards and threats by improving its buffer capacity. The latter strategies pursue the goal of applying a precautionary approach in order to ensure the reversibility of critical decisions and of increasing a system’s coping capacity to the point where it can withstand surprises (IRGC, 2005; Klinke, 2001).

Finally, for ‘ambiguous’ risk problems, the appropriate strategy consists of a ‘discourse-based’ strategy which seeks to create tolerance and mutual understanding of conflicting views and values with a view to eventually reconcile them.

These strategies are presented in Figure 2 and in more details below.

Figure 2: Risk governance strategies
Complex risk problems
Complexity refers to the difficulty of identifying and quantifying causal links between a multitude of potential causal agents and specific observed effects.
In the case of complex risks, a major input for risk management is provided by the scientific characterisation of the risk. Complex risk problems are often associated with major scientific dissent about complex dose-effect relationships or the alleged effectiveness of measures to decrease vulnerabilities (for complexity refers to both the risk agent and its causal connections and the risk absorbing system and its vulnerabilities). Resolving complexity requires receiving a complete and balanced set of risk and concern assessment results that fall within the legitimate range of plural truth claims. In a situation where there is no complete data, the major challenge is to define the factual basis for making risk management or risk regulatory decisions. So the main emphasis is on improving the reliability and validity of the results that are produced in the risk assessment.
Robustness concerns primarily the insensitivity (or resistance) of parts of systems to small changes within well-defined ranges of the risk consequences. The terms robustness has different meanings in different contexts. For example: in most of the natural hazard literature, robustness is one of the main components of resilience. In much of the risk literature, robustness refers to the insensitivity of numerical results to small changes, while resilience characterises the insensitivity of the entire system against surprises. In the literature about decision-making, robustness characterises decisions that display good enough (though not optimal) performances for various possible futures.
Risk problems due to high unresolved uncertainty
Uncertainty is a state of knowledge in which the likelihood of any adverse effect or the effects themselves cannot be precisely described. If there is a high degree of remaining uncertainties, risk management needs to incorporate hazard criteria (which are comparatively easy to determine), including aspects such as reversibility, persistence, and ubiquity. Further, risk management must then select management options which empower society to deal with worst-case scenarios (such as containment of hazardous activities, close monitoring of risk-bearing activities, securing reversibility of decisions in case risks turn out to be higher than expected).
According to IRGC, the management of risks characterised by multiple and high uncertainties should be precautionary. Since high unresolved uncertainty implies that the (true) dimensions of the risks are not known, one should pursue a cautious strategy that allows learning by restricted errors. The main management philosophy for this type of risk is to allow small steps in implementation (containment approach) that enable risk managers to stop or even reverse the process as new knowledge is produced or the negative side effects become visible. The primary thrust of precaution is to avoid irreversibility (Klinke and Renn, 2001).
With respect to risk absorbing systems, the main objective is to make these systems resilient so they can withstand or even tolerate surprises.
Robustness and resilience are closely linked, but they are not identical and require partially different types of actions and instruments. In contrast to robustness, where potential threats are known in advance and the absorbing system needs to be prepared to face these threats, resilience is a protective strategy against unknown or highly uncertain hazards whereas it concerns a whole system. Instruments for resilience include the strengthening of the immune system, diversification of the means for approaching identical or similar ends, reduction of the overall catastrophic potential or vulnerability even in the absence of a concrete threat, design of systems with flexible response options, and the improvement of conditions for emergency management and system adaptation.
Resilience strategy for systemic risk
Resilience strategies are needed for systemic risks that develop in complex adaptive systems with emergent properties. Due to the difficulty of identifying and analysing how elements in the systems interact with each other, the management of systemic risks often become very complex and challenging to apply in such a way that all the components of the system are included. A limitation of resilience management approaches is that if all components of the system are not included, the way the trade-offs are resolved may incur new risks. Management strategies for one network often rely on the functionality of another network. For example, building resilience to the risk of unexpected failure of a waste-water management system will also require that a resilience strategy for the electricity system is implemented.
An adaptive approach to resilience assessment and management is often recommended to learn as knowledge is improved from experience about how to reduce the consequences of systemic risks and their unexpected impacts. Focus must be on enabling business continuity by understanding changes in the critical functionality of a network over time after a shock, reducing time to recovery and extent of disturbance. Working on the capacity of social-ecological systems to adapt or transform in response to unfamiliar, unexpected or extreme shocks, Carpenter & al (2012) suggest that conditions that enable general resilience include: diversity, modularity, openness, reserves, feedbacks, nestedness, monitoring, leadership and trust.
Resilience-focused strategies target the risk absorbing system and, in particular, aim to improve the capability to cope with surprises. Options include diversity of means to accomplish desired benefits, avoiding high vulnerability, allowing for flexible responses, and preparedness for adaptation. Objectives of a resilient system include to:

Guarantee the functionality of the system and the services it provides, in the case of stress or disaster

Limit the extent of impact and losses if the services are discontinued

Ensure fast recovery if the provider of the service is unable to continue to provide the services

Scholars and practitioners are advised to work together to operationalise resilience approaches in a multi-stakeholder, multi-sectoral and multidisciplinary manner. Such work must include feedback from experiences in organisations that work to building resilience in the context of disaster preparedness and management, engineering design, cyber security or ecological systems. Advocates of resilience-building will need to make the case that metrics for resilience assessment and management must and can be developed in such a way that robust investment decisions can be made to allocate financial and other resources.
Resilience to Unexpected Impacts of Emerging Risks in IRGC's Recommendations for the Governance of Emerging RisksMarie-Valentine FlorinResilience to Unexpected Impacts of Emerging Risks in IRGC’s Recommendations for Emerging Risk Governancei
Marie-Valentine Florin1
1EPFL International Risk Governance Center
Keywords: Resilience, Emerging risk, Resilience building
As seen in (Florin, Resilience in IRGC’s Recommendations for Risk Governance), adopting resilience building as a risk management strategy aims to help systems cope with unexpected changes. The objective here is primarily to prepare, plan, absorb, recover and adapt. IRGC proposes that resilience strategies should be considered for risks marked by uncertainty and unexpectedness, as often the case in complex adaptive systems, but that other conventional risk management strategies should not be neglected.
Emerging risks
IRGC’s recommendations for dealing with emerging risks is described in four publications, listed in the bibliography.
Emerging risks are risks that are new or emerging in new context conditions. Risk managers are not familiar with them. They are marked by uncertainty, which makes that conventional risk management approaches are often inappropriate.
IRGC describes three categories of emerging risks, resulting from:

Scientific unknowns: when uncertainty and a lack of knowledge about potential impacts and interactions with risk absorbing systems may cause risk to emerge.

Complexity and dependencies: when increasing complexity, emerging interactions and systemic dependencies have the potential to lead to non-linear impacts and surprises

Uncertain changes in context:
When changes in context (in societal or behavioural trends, regulation, or the natural
environment) may alter the nature, probability and magnitude of expected impacts.

i This paper is part of the IRGC Resource Guide on Resilience, available at:­
governance/resilience/. Please cite like a book chapter including the following information: IRGC (2016). Resource Guide on Resilience. Lausanne: EPFL International Risk Governance Center. v29-07-2016
Management strategies and options for emerging risks
The rationale for thinking about risk management strategies, as described in (IRGC 1) applies to emerging risks and is illustrated in Figure 1 below.

Figure 1: Risk management strategies for emerging risks
Risk management strategies for risks marked by complexity and uncertainty are to be considered for emerging risks. They include resilience-building strategies. A combination of these strategies produces a refined set of two main strategies:

To act at the level of the source of the risk: Analyse and try to act to the contributing factors to risk emergence, in order to avoid, reduce or mitigate the cause of the risk

To act at the level of the impact of the risk: Develop adaptive management and design and implement resilience building strategies, in order to cope with the impact of unexpected surprises that will happen if the risk materialises.

Management options for emerging risk thus include, in a non-exclusive manner:

Option 1: Acting on the contributing factor to the risk, to stop or reduce the development of the emerging risk

Option 2: Developing precautionary approaches, to avoid the risk or to allow the decisions taken about it to be reversible

Option 3: Reducing vulnerability If the organisation cannot (or finds it difficult to) identify any opportunity to act upon the sequence of events leading to a risk, or if the intervention is considered inappropriate or too costly, a reduction in the exposure or an effort to decrease vulnerability to the risk agent can be a strategic option. Two possibilities can be considered:

In the case of emerging but well-identified risks, it is possible to reduce sensitivity to the risk by developing redundancies, improving personnel training or readjusting protection capabilities.

In the case of unexpected events, building resilience may be the most appropriate strategy. This implies considering worst-case scenarios to ensure that organisations will be able to withstand unexpected shocks, rebound to the desired equilibrium while adapting to the changed context and, in general, recover from any levels of stress while preserving operational continuity. Resilience building thus becomes a dynamic pro-active strategy for adaptive risk management. It implies that a learning process is set in motion to adapt to changing context conditions.

Option 4: Modifying the risk appetite in line with the risk Dealing with emerging risks requires that organisations constantly align their risk appetite to changes in their environment, the availability of new knowledge, and their resources and capabilities to tolerate or cope with potential risk losses. Such alignment may be made by increasing the tolerance for risk, by adapting the coping strategies to the new levels of risk that are observed or anticipated.

Option 5: Using risk management instruments for familiar risks

Option 6: Monitoring the emerging risk evolution until more knowledge is collected about the source and the impact of the risk.

Evaluating the strategic options
The evaluation of strategic options depends primarily on:
1. The state of development of the emerging risk and the level of knowledge about it.
When little is known about the threat but it potentially has severe negative consequences, precaution-based and resilience-focused strategies can ensure the reversibility of critical decisions and increase the system’s coping capacity so it can withstand shocks or adapt to new contextual conditions. A case in point are new materials or technologies (such as nanomaterials or new precision medicine therapies) with potentially unknown effects. But when a well-known risk develops in new contexts, considering risk management instruments used for familiar risks is advisable. Or when an evaluation is made that the promises of the new technique exceed the risk, then increasing the risk appetite is advisable.
2. The set of evaluation criteria that the decision-makers will choose to adopt

Effectiveness: To what extent does the selected option achieve satisfactory performance in accordance with the decision-makers' expectations? Resilience may increase the capacity of a system to recover from an unexpected shock, but it may reduce its performance under normal context conditions. Building community self-support is normally time intensive and requires a large investment in engaging with individuals.

Efficiency: Does the selected option provide satisfactory performance at a minimum cost? Resilience building is typically more expensive than conventional mitigation options. For example, building “floating” house with water entrance strategies is more expensive than avoiding water entry with conventional flood barriers.

Sustainability: How does the option perform in economic, ecological and social terms?

Socio-political acceptability: How does the option address issues of equity or distribution of costs and benefits among stakeholders?

Ethical standards: Is corporate responsibility enhanced? To what extent is the distribution of benefits and risks considered fair?

Success factors for resilience building
Resilience building as a strategy to cope with emerging risks requires engaging in work to understand better the system’s behaviour or function, especially when the system itself is changing. Success factors include to:

Look to the long term

o Engage in early-warning activities: look out for, analyse and make sense of signals and develop exploratory scenarios, so that affected organisations and people are not “taken by surprise”. Engaging in scenario building exercises can support the development of resilience capabilities and perhaps, more importantly, provide the rationale that justifies spending money on resilience building.

o Build “antifragility”, that is the sense that you cannot prepare for everything (e.g. scenarios that are too deterministic, relying on cause-effect relationships are not appropriate for

Engage in robust decision-making, which is the ability of decisions to display good enough (though not optimal) performances for various possible futures. Planning in a situation of uncertainty requires adaptability to new situations, iterative risk and resilience assessment and management, consistency and procedural rationality, established, transparent and applied procedures.

Develop management and human capacity – develop flexible and adaptive management, of the type that can accompany the transformation of systems.

Develop metrics to measure system-specific quality, metrics to assess resilience, which can be used to justify and allocate resources -consider “benefit-cost approach to decision-making, based on available resources & capabilities, and expected return on investment
Five Impediments to Building Societal ResilienceStephen E. Flynn1
Five Impediments to Building Societal Resiliencei
Stephen E. Flynn1
1Professor of Political Science & Director, Center for Resilience Studies, Northeastern University
Keywords: Resilience, Risk, Complex interdependency, Critical infrastructure, Cascading failures
Resilience and rethinking our approach to risk
During the second half of the 20th Century, risk came to be viewed by many (the formal risk analytics
community being a notable exception) as something we should aspire to eliminate. From war to
disease, the stated goal increasingly became making the world free of threats and hazards. But the
21st Century has been marked by a growing array of disruptions in the natural and built environments
while threats to peace and stability abound. Further, modern society has become increasingly reliant
on systems, networks, and infrastructure sectors that are interdependent. Consequentially, when
shocks and disruptions occur, they often lead to cascading failures, sometimes with catastrophic
consequences. The recent focus on resilience represents an appropriate countertrend that embraces
the reality that risk is a given, but moves beyond formal risk assessment. Instead, it shifts the focus
away from identifying and managing threats and towards building the capacity that helps to assure
that individually and collectively, societies can steadfastly provide the essential functions upon which
people depend on for their safety and prosperity. The resilience definition outlined in Presidential
Policy Directive 21: Critical Infrastructure Security and Resilience (Feb 12, 2013) appropriately takes
into account this expansive view: “The term resilience refers to the ability to prepare for and adapt
to changing conditions and withstand and recover rapidly from disruptions. Resilience includes the
ability to withstand and recover from deliberate attacks, accidents, or naturally occurring threats or
incidents.” This definition comprehensively frames resilience as requiring an ongoing and organic set
of capabilities that serve to assure the continuity of what a society values for it safety and prosperity
before, during, and following disruptive events.
Why resilience matters
Resilience focuses attention on what it takes to develop the capacity of individuals, communities,
infrastructure sectors, systems, or networks to thrive when confronted by risk. While identifying,
assessing, and prioritizing the likelihood and nature of a specific threat or hazard is important,
resilience aims to develop the means to withstand, respond, recover and adapt to man-made and
naturally-occurring risks, whether they come with or without warning. Building resilience
necessitates a deep understanding of human factors, the built environment, and the natural
environment and how they interact. It also places special emphasis on identifying and validating the
i This paper is part of the IRGC Resource Guide on Resilience, available at:
resilience/. Please cite like a book chapter including the following information: IRGC (2016).
Resource Guide on Resilience. Lausanne: EPFL International Risk Governance Center. v29-07-2016

attributes, functions, and values whose loss or disruption would be undesirable or harmful. Too
often this knowledge of what needs to be safeguarded is taken for granted. As a result, myopic
efforts to reduce or eliminate risk often overlook trade-offs and can even end up compromising the
very things that we need to safeguard in order to assure our way of life and quality of life. Further,
solutions that focus primarily on preventing threats and hazards can end up being suboptimal since
interdependencies are overlooked, with the result that they only become apparent in the wake of
disruptive events that generate cascading failures. In short, understanding and advancing resilience
draws on knowledge derived from the field of risk management, but resilience is a strategic societal
imperative that necessarily involves much more than the management of risk. Ultimately, the aim of
resilience is to assure that the communities and the systems not only navigate known and unknown
risks, but become stronger and more successful while transiting perilous waters.
Developing resilience
In the face of a growing array of 21st-century risks, what is needed is the rapid deployment and
widespread adoption of resilience-building knowledge, technologies, and skills. Vitally, this will
require extensive engagement and collaboration amongst industry, commercial innovators, thought
leaders, researchers, technical experts, and public sector practitioners who share a commitment to
building societies that can successfully manage, bounce back from, and adapt to man-made and
naturally-occurring hazards. Key to scaling this effort quickly and globally is the need to devise new
resilience standards and guidelines. Additionally, national and international efforts must be
supported by recommended public policy actions, training and education, innovative market-based
incentives, and greater public awareness and support for investing in resilience practices.
Measuring resilience
The central goal of resilience is to assure that the core functions and values of a society not only
survive, but thrive when confronted with disruptive events. Since this goal is incontrovertible and
universally desirable, the reason why we are far from achieving it suggests that there must be
daunting barriers in our way. Accordingly, one way to measure our progress towards building
resilience is to identify the success at which we can overcome five major impediments:
1. There is a tendency at the societal level to overestimate current capacities to respond in
near-real time to challenges once they emerge and to discount the need to react to leading
indicators of potentially disruptive events in our future such as climate change. Meanwhile, a
preoccupation with extracting greater efficiencies and reducing costs for legacy and new
infrastructure often translates into systems that lack adequate capacity to function in the
face of extreme events.
2. There is a lack of an integrative approach to advancing resilience across complex systems and
networks. For instance, there is no widely accepted consensus on what resilient
infrastructure is, with the result that there are only localized success stories in disparate
domains, for discrete hazards. Most ongoing resilience research efforts are isolated within
specific academic disciplines. As a result, too little understanding or insight informs the
design parameters and operational issues necessary for system- or network-wide resilience.
3. There are pervasive disincentives for building greater resilience. Public and private entities
have become skilled at transferring risk to someone else and not working collaboratively to

take risk on directly. Further, there are few generally accepted resilience standards or
validated best practices for which markets can rationalize providing rewards for entities who
invest in resilience.
4. There is a dearth of appropriate frameworks for managing organizational and governance
issues that match the complexity of interdependent systems and networks. Transport,
communications, energy, and water infrastructure systems with increasingly embedded
cyber vulnerabilities sprawl across multiple political jurisdictions. Ownership and operations
are public and private, large and small, and both highly regulated and loosely regulated. This
translates into incompatibilities across the network of organizations and stakeholders,
inhibiting local actions due to the feeling that “I can't do it by myself, and others are not
moving in the same direction.”
5. There is a lack of adequate training and education programs that draw on the kind of
interdisciplinary collaboration across technical, non-technical, professional and research
programs that is required to advance a comprehensive approach to building resilience.
Actions that overcome these five barriers can be measured and will collectively support the building
of greater societal resilience.
USACE Resilience Assessment Methodologies - Engineering and InfrastructureCate Fox-Lent, Julie D. Rosati, Katherine T. Touzinsky1
USACE Resilience Assessment Methodologies - Engineering and
Cate Fox-Lent1, Julie D. Rosati2, and Katherine T. Touzinsky2
1United States Army Engineer Research and Development Center, Environmental Laboratory,
Concord, MA; 2United States Army Engineer Research and Development Center, Coastal and
Hydraulics Laboratory, Washington, D.C.
Keywords: Resilience, Infrastructure, Risk assessment, Tiered approach, Natural disasters
The US Army Corps of Engineers (USACE) has a Civil Works mission to manage inland and coastal
waterway infrastructure health, in which infrastructure includes a range of constructed and natural
features as well as community characteristics and functioning in the vicinity of USACE assets. As a
result, the USACE developed risk assessment methods to ensure that the project and system have an
acceptable level of risk for the anticipated hazards. With the onset of natural disasters that are more
frequent, unpredictable and are anticipated to be more severe, resilience (in addition to risk
management) has quickly become a research priority for federal agencies. Presidential Policy
Directive 21 (PPD, February 2013), “Critical Infrastructure Security and Resilience” defined resilience
as “the ability to prepare for and adapt to changing conditions and withstand and recover rapidly
from disruptions.” This definition was later echoed in the Executive Order 13693 (EO, November
2013), “Preparing the United States for the Impacts of Climate Change.” In September 2013, the
Chief of Engineers officially charged the Coastal Engineering Research Board, an advisory board for
USACE coastal research, to “recommend a strategy to integrate risk reduction and resilience
practices within USACE coastal planning, engineering, operations, and construction communities.”
This work was undertaken by researchers in the USACE’s Engineer Research and Development Center
(ERDC) and resulted in the adoption of a definition similar to EO 13693 and PPD 21 based on the
National Academy of Science’s (2012) “A National Imperative” in which disaster resilience is defined
as the “the ability to prepare and plan for, absorb, recover from, and more successfully adapt to
adverse events.” Within USACE ERDC, initial methods to characterize and quantify resilience focused
on coastal storm damage. However, in 2014 the USACE Headquarters officially kicked off an initiative
to mainstream resilience within all aspects of the USACE, for all both Civil Works and Military
missions. In order to successfully implement resilience agency-wide, it is critical to align methods to
assess the resilience of a structure, project, and system with the definition of resilience such that the
assessment and subsequent mitigating actions to reduce the risk of hazards and increase resiliency
i This paper is part of the IRGC Resource Guide on Resilience, available at:
resilience/. Please cite like a book chapter including the following information: IRGC (2016).
Resource Guide on Resilience. Lausanne: EPFL International Risk Governance Center. v29-07-2016

can be readily understood and are defensible to USACE, cost-sharing partners, and the public.
Standardized approaches to resilience are important to ensure equitable distribution of limited
federal resources to USACE districts around the country. The purpose of this section is to summarize
USACE activities with respect to assessing engineering resilience of built and natural infrastructure,
primarily concerning resilience to coastal storm hazards and long-term change.
The distinguishing feature of the various definitions presented above is that they refer to specific
stages of anticipating and responding to disruptive events – preparing, absorbing/withstanding,
recovering, and adapting. Whereas traditional risk-based approaches to planning attempt to prevent
or minimize losses during the “absorb/withstand” stage of the disruption, resilience-based
management focuses on all stages of the disruption as well as the functioning of the system, and
acknowledges that actions are necessary through the event timeline to minimize loss of function
within integrated systems (e.g., commercial activity, telecommunications, ecosystem services, utility
of built and natural infrastructure, etc.). Risk analysis should be undertaken where possible to
evaluating options to reduce damages through prevention, but should be supplemented with, or
integrated into, a larger plan for resilience management that enhances flexibility by considering the
myriad ways to maintain a function of a community system to recover and adapt when the original
organization of the system is disrupted. These system components include not only the engineered
infrastructure or USACE project being studied but the community and ecological components that
may affect or be affected by project decisions.
The ERDC has develop a three-tiered approach to resilience assessment that mimics the tiered
approach to risk assessment already widely used by regulatory entities in the United States and
internationally; however, the resilience assessment incorporates recovery and adaptation of the
surrounding community and ecosystem. The first tier is a screening or scoping level approach to
identify the critical functions and describe the broad components and relationships within the
system. The second tier takes a deterministic look at specific performance goals for various subsystems
that support critical functions. The third tier uses a network representation of the system in
a probabilistic approach to model specific expected performance of the system during stages of
impact and recovery and under various future scenarios. While the third tier gives a more nuanced
view of performance, it requires significantly more data than Tier 1 or Tier 2 and can only realistically
be performed for subsets of the full coastal community system. By utilizing stakeholder input and
expert elicitation in the early tiers, a comprehensive but simple analysis can be performed to make
many planning and investment decisions. Alternatively, Tiers 1 and 2 can aid in focusing subsequent
analysis on the sub-system of greatest value to the community and with greatest vulnerability to
disruption. Following Hurricane Sandy in 2012, the USACE’s North Atlantic Coast Comprehensive
Study (USACE 2015; Bridges et al. 2015) recommended an assessment of community resilience
through application of a similar analysis as part of an integrated approach to reduce risk of future
storm damages.

For each tier of the analysis, qualitative and quantitative characterization of magnitudes for each
stage of resilience are necessary to better focus the assessment and subsequent actions. Without
documented governance to guide the implementation of resilience assessment, it will not be widely
adopted as a standard assessment procedure. Tier 1 can utilize existing data collected at the macro
level, including demographic data, climate data, and engineering data, together with expert
elicitation to provide and initial screening level assessment. These metrics can be aggregated into
indicator indices or scorecards. Tier 2 builds upon existing data and models, using functionality of the
system through the resilience stages as the metrics through which resilience is quantified. Expert
elicitation can both supplement performance ratings for the functions of a system for which data are
not specifically available and stakeholder engagement can help assess the acceptability of system
performance with respect to the preference and values of the system users. Formal decision analysis
methods that integrate data from multiple sources are appropriate for a Tier 2 assessment. Tier 3
requires both robust—and potentially some new—data collection and numerical modeling, with a
network representation of the system and local expertise to characterize the degree and nature of
interactions between the subsets. Tools for this approach may include Bayes nets, agent-based
modeling, network science, or system dynamics.
While we have focused primarily on the work of USACE, the body of resilience work across federal
agencies is swiftly growing. Federal activities in resilience include the US Committee on the Marine
Transportation System (CMTS), which seeks to leverage existing data and studies to develop federal
consensus on resilience of the Marine Transportation System; the National Academy of Sciences’
(NAS) Resilient America Roundtable, which teams federal, academic, and consulting expertise to help
communities and the nation build resilience to extreme events; and the National Institute of
Standards and Technology’s Community Resilience Panel for Buildings and Infrastructure, which is
focused on improving standards, guidelines, best practices, and tools for community infrastructure,
utilizing representation by governing organizations (federal, state, local), academic, and others.
Coordinating bodies like these are critical to facilitate communication between groups, leverage
ongoing work, and guide consensus on resilience practice. For up-to-date information, readers are
directed to sources listed in the annotated bibliography.
Resilience - Preparing Energy Systems for the UnexpectedStefan Gößling-Reisemann1
Resilience – Preparing Energy Systems for the Unexpectedi
Stefan Gößling-Reisemann1
1Faculty of Production Engineering; Institute for Advanced Energy Systems; Sustainability Research
Center (artec), University of Bremen
Keywords: Resilience, Vulnerability, Risk, Resilience management
Introduction: Contrasting vulnerability, risk and resilience
The resilience of energy systems, their vulnerability and the risks stemming from their failure have
been recently received increasing attention in the scientific literatureii. Still, the discussion on the
meaning and interpretation of resilience as a scientific concept is far from settled (Brand & Jax 2010).
For infrastructure systems there is a common thread that describes resilience as the ability of a
system to withstand and recover from severe stress and extreme events without losing its ability to
provide the services it is designed to deliver (see for example Hollnagel 2013). The concrete
definitions of resilience, on the other hand, differ and the usage of related terms, like vulnerability,
fragility, or robustness is also far from consensual. As an example, the vulnerability of a system in the
context of social-ecological systems is defined as the exposure and sensitivity towards certain
stressors “minus” the resilience of the system (Berkes, Colding & Folke 2003, Adger 2003). In this
particular interpretation, vulnerability and resilience are seen as opposites, which seems self-evident
when focusing on well-known stressors. Resilience in this interpretation is a system’s ability to
actively respond to stressors and recover quickly from them, thus includes a dynamic component.
Vulnerability in this context is interpreted as the existence of a stressor acting on the system
(exposure) and the potential for damage on the system being caused by the stressor, depending on
the system’s internal conditions (sensitivity). In the context of homeland security, cyber-security and
terrorism, a different understanding of vulnerability and resilience is dominant. Vulnerability in this
context is interpreted as a part of risk, where risk is understood as the product of threat likelihood,
vulnerability of the threatened system and the consequences of the threat (DHS 2010, Linkov et al.
2014). In this interpretation, a system’s vulnerability reflects the existence of a physical or
operational weakness which allows a threat to cause damage or loss of functionality. Resilience in
this context is interpreted as a “system’s ability to prepare for, absorb, recover from and more
i This paper is part of the IRGC Resource Guide on Resilience, available at:
resilience/. Please cite like a book chapter including the following information: IRGC (2016).
Resource Guide on Resilience. Lausanne: EPFL International Risk Governance Center. v29-07-2016
ii See for example the National Academies Workshop on “The Resilience of the Electric Power Delivery System
in Response to Terrorism and Natural Disasters” (
power-delivery-system-in-response-to-terrorism-and-natural-disasters), the UKERC report “Building a
Resilient UK Energy System” (
report.html), the special issue of Energies on the resilience of energy systems
(, or Molyneaux et al. (2016)

successfully adapt to adverse events” (NRC 2012, Linkov et al. 2014), it thus includes a dynamic and
proactive notion of managing potentially harmful stressors.
In view of the largely unknown nature of future stressors, shocks and developments, it makes sense
to distinguish the aspects of vulnerability and resilience even further, especially with regard to their
scope. When the scope of the possible stressors is widened to include such stressors that are not or
only partially known (e.g. the famous “black swans”), vulnerability and resilience reflect different
properties of a system. Vulnerability, as it is used in most of the academic and general literature,
focuses on the degree to which a system can be harmed by external or internal stressors or events
(Adger 2006). The focus usually lies on known stressors. The concept of vulnerability therefore lends
itself to analysis, when specific and well-described events or stressors are correlated with the
system’s sensitivity and adaptive capacity (Gößling-Reisemann et al. 2013). Resilience, on the other
hand, can be interpreted even more widely, as the ability of a system to prepare for, cope with and
recover from any kind of stressor or event while maintaining the system’s service, without
necessarily knowing about the specifics of the event or the stressor. If interpreted in this broad way,
resilience no longer can be analyzed in the strict sense, since the basis for analysis would have to
include all known and unknown (!) stressors, an endeavor that is surely unfeasible. Nevertheless, this
definition of resilience can be used as a guiding principle for designing systems and through its
vagueness and malleability serve as a boundary object for a diverse range of disciplines, e.g. from
sociology to engineering (Brand & Jax 2010, Brand & Gleich 2015).
The uncertain nature of stressors and the capacity to deal with them
Resilience-building, in the above sense of resilience, can be understood as a strategy to deal with
deep uncertainty, i.e. uncertainty that cannot be reduced by statistics or predictive modeling.
Resilience-building and other risk management strategies are thus not to be seen as mutually
exclusive, they rather complement each other. Resilience-building can help find answers to stressors
that cover a wide range of characteristics, and as a strategy has its comparative strengths where the
stressors are unknown with respect to their likelihood of occurrence, their potential impact, or even
the nature of their impact on the respective system.
We propose to distinguish certain characteristics of stressors and the capabilities a resilient system
should possess in order to deal with them. Stressors are characterized by their dynamics and the
state of knowledge about their nature, as follows:
• Known/expected: stressors that the system has already experienced in the past and where
predictions of future occurrence exist
• Unknown/unexpected: stressors that the system has never or only very rarely been exposed
to and where predictions for future occurrences do not exist
• Gradual/creeping: stressors that develop slowly and possibly undetected for some time
• Abrupt/sudden: stressors that develop suddenly or abruptly without warning
A system that is capable of preparing for, coping with and recover from stressors with an arbitrary
combination of the above attributes needs a diverse set of capabilities. For example, when the
stressor develops gradually and is already known to the system or can be expected to occur in the
near future, an adaptation of existing structures, components and organizations can be initiated to

better cope with and recover from occurrences of this stressor. On the other extreme, when the
stressor is unknown and develops abruptly, the system will not have time to find innovative solutions
or build up resistance, so that it has to use existing resources in the most appropriate form possible
to deal with the situation, i.e. it needs to improvise. The needed capabilities for a system to cope
with these stressors can thus be summarized as robustness, adaptive capacity, innovation capacity
and improvisation capacity, see figure 1 (cf Gößling-Reisemann et al. 2013).
Figure 1: Characteristics of stressors and needed capabilities
The building up of these capabilities will improve any system’s ability to deal with stressors of many
kinds. However, these capabilities are also rather abstract and need “spelling out” for specific
systems. Some of the capabilities will require similar structure and processes as traditional risk
management: monitoring, predictive modeling, system simulation, crisis management, etc. However,
with the additional focus on the “unknown” stressors, it will require new mechanisms and processes
to deal with surprises and deep uncertainty.
Instruments for resilience management: How to develop resilience within systems and
The instruments for resilience management, which should be based on the above derived general
capabilities, can be grouped into four main phases or managing resilience: prepare and prevent,
implement robust and precautionary design, manage and recover from crises, learn for the future.
Here, the instruments are exemplified for energy systemsiii.
Prepare and prevent: as a first measure, past crises and near accidents should be transparently
documented and examined to learn about the stressors that caused them and the context in which
they occurred, or in which they were avoided, respectively. The latter is especially important as a
learning tool for resilience engineering (Hollnagel 2007). Further analysis should be directed at
stressors that have not yet occurred, but are likely to occur in the near future, e.g. known from trend
extrapolation. For the energy system this would include using climate change trends, like trends for
extreme weather conditions, in system simulations and planning. The observed trends of converging
and coupling of infrastructures (electricity, gas, heat, fuels, IT) in the course of a transition to high
shares of renewable energies should also be observed for new threats and vulnerabilities, like hacker
attacks, data privacy issues or cascading failures across infrastructures. Furthermore, new threats can
stem from social processes, for example increasing non-acceptance of certain technologies or unfair
iii This section is partly based on discussions within the working group Risk and Resilience as part of the ESYS
(Energiesysteme der Zukunft) project organized by the German National Academy of Sciences and Engineering,
the Union of German Academies of Science and Leopoldina – National Academy of Sciences
2.html). The text is, however, the sole responsibility of the author and not endorsed by the mentioned project

cost-benefit distributions in the context of energy transitions leading to protests and delays or halts
in necessary system changes. Newly developing stressors can be analyzed by vulnerability
assessment methodologies. Results from theses analyses should then be used to adjust the design
parameters of energy system components (technology level), develop testing scenarios and design
guidelines for coupled infrastructures (system level) and monitor social impacts and responses to
technological change with feedback to governance processes (governance level).
Implement robust and precautionary design: in line with the above detailed characteristic capabilities
of resilient systems, the central design elements of resilient energy systems must comprise
robustness, adaptive capacity, innovation capacity and improvisation capacity. On the design level of
components and systems the resilience-enhancing capabilities can be achieved by first strengthening
the identified vulnerable elements (see above) by increasing redundancy, buffer capacity and
energy storage. This will reduce the stress on vulnerable elements in the system and will also act as a
precautionary measure for further and yet unknown stressors. In order to prepare for unknown
future stressors, it is also advisable to check existing technologies in the energy system for
alternative solutions in order to enhance the diversity. Diversity should encompass notions of
variety, disparity and balance (cf. Stirling 2007 and 2010). Additional analyses should also be directed
at components and structures that have not yet been affected by known stressors but are otherwise
crucial to the system. As a precautionary measure, they should also be strengthened by increased
diversity, redundancy, and buffer and storage capacity. Especially for new couplings between
systems (e.g. between electricity and mobility sector) and newly developing technologies (e.g. smart
grid and cyber-physical energy systems) special attention on new potential vulnerabilities is needed,
since integrating different systems into one also imports the respective vulnerabilities. Resilient
coupling of systems should yield additional flexibilities to buffer imbalances in each sub-system,
while minimizing the potential for cascading failures (loose or flexible coupling, cf. Perrow 2011,
Orton and Weick 1990, Beekun and Glick 2001 for loosely coupled organization). It should be obvious
that these resilience design measures will cause conflict with other design goals of energy systems,
most prominently with technical efficiency and (at least short-term) economic competitiveness.
Some conflicts with the ecological sustainability might also be possible, especially in terms of
additional equipment and possibly reduced efficiency. These conflicts need to be addressed
systematically by cost-benefit analyses that include long-term effects and an evaluation of costs due
to rare but possibly extremely damaging events.
Manage and recover from crises: If failures of the energy system lead to crises, they should be
restricted to the smallest possible area or subsystem and be overcome as quickly as possible. In
order to reduce the extent of such crises, emergency planning and respective measures must be
implemented on the regional or local level. With the increasing share of renewable energies comes a
trend towards decentralization of energy systems, which can be utilized for increased resilience.
Currently, the restoration of the electricity supply after blackouts in most industrialized countries is
organized in a rather central fashion and dependent on large thermal power plants. A decentral
design more in line with increasing decentral renewables and the advent of smart grids would be to
organize the energy system in a cellular structure where each cell has the potential to run
autonomously for a limited time and inter-cellular synchronization is used to restore overall system
performance after blackouts. The adequate size of these cells has still to be determined and will also
be dependent on the respective investments necessary to equip cells with restorative functions in
relation to the added resilience of the overall system. Flexible coupling between the electricity

system and other energy subsystems (especially gas, heat and fuel networks) will increase the
restorative capacity and decrease the need for regional storage capacity.
Learn for the future: mastered or averted crises should be used to learn and increase the adaptive
capacity of the system. This can be achieved by documenting and analyzing these crises and events
thereby identifying the weaknesses that led to their occurrence (vulnerability store), or, respectively,
identify the strengths that led to their avoidance or recovery (solution store). Knowledge about crises
and potential solutions should then be used to create simulations and business games for system
actors on all levels. Improvisation capacity can be increased by confronting actors in these
simulations with unforeseen and unlikely developments, like combined external threats and internal
failures of equipment. In the actual operation of the energy system, improvisation capacity can also
be improved by allowing a certain amount of unused resources to be maintained in the system,
comparable to a strategy called “organizational slack” in business organizations (cf. Cyert & March
1963, Linnenluecke & Griffiths 2010)
Metrics: Criteria or indicators for resilience. Measurement and quantification.
Based on the rather broad definitions of resilience, risk and vulnerability introduced above, it is not
possible to truly analyze these aspects of a given energy system, as we can e.g. for aspects like
availability. We can, however, derive metrics and measures that capture certain aspects of resilience
and combine them into metrics, which can be used in the planning and design of energy systems The
system property probably most accessible to measurement and analysis is the vulnerability of the
system, as measured by the observed impact of known and observable stressors on the system
service. Some indicators might be defined and evaluated that describe a system’s performance in
and after a crisis, as a basis to analyze its vulnerability (cf. Gößling-Reisemann et al. 2013a). Typically,
these will include the energy not delivered, the value of lost load, the duration of outages and the
time for recovery of full system operations, the physical damage to equipment, the number or
relative share of customers affected, and so on. These indicators are well known from the reliability
assessment of energy infrastructures and, when evaluated after stressful events and optionally
compared with benchmark systems, indicate the absolute or relative vulnerability of a given energy
For resilience in the more general interpretation as defined above, i.e. based on the capability to
prepare for any given event, a true measurement of this capability is unfeasible. However, one can
assess the degree to which the above-mentioned design components have been implemented.
Buffers and storages of various forms can, for example, be evaluated against the overall energy
consumption in a given system, or quantified as the storage-based duration of supply at maximum or
average load in the system (cf. Chaudry et al. 2011). Couplings with other infrastructures can be
qualitatively assessed as to whether and how far an outage in one system (e.g. the IT infrastructure)
will generate failures in other systems (e.g. the electricity supply). Threat scenarios (e.g. developed
by NESCORv for coupled IT and energy systems) can be used to systematically address these
couplings. Also the diversity of energy systems can be assessed by using diversity measures like the
iv For a review of resilience metrics which are based on an alternative definition of resilience see (Willis & Loa
v National Electric Sector Cybersecurity Organization Resource:

Shannon index or more complex measures involving the above-mentioned attributes of variety,
disparity and balance (Stirling 2007 and 2010).
In the more restricted context of specific and already known stressors and an energy system’s
respective resilience, more detailed metrics and indices of resilience can be derived. These metrics
usually involve some measure of the stressors’ effects on system functionality and the dynamics of
these effects during the phases of planning/preparation, absorption of effects, recovery and
adaptation (see e.g. Ganin et al. 2015). There has been recent publications on resilience metrics for
energy systems that very well summarize the state of the discussion on this topic (see e.g. Roege et
al. 2014, Willis & Loa 2015 or Molyneaux et al. 2016).
Resilience Engineering and Quantification for Sustainable Systems Development and Assessment: Socio-technical Systems and Critical InfrastructureIvo Häring, Benjamin Scharte, Alexander Stolz, Tobias Leismann, Stefan Hiermaier1
Resilience Engineering and Quantification for Sustainable Systems
Development and Assessment: Socio-technical Systems and Critical
Ivo Häring1, Benjamin Scharte1, Alexander Stolz1, Tobias Leismann1, Stefan Hiermaier1
1Fraunhofer EMI, Freiburg, Germany
Keywords: Resilience Engineering, Sustainability, Resilience, Quantification, Resilience management
cycle, Technical resilience properties, Resilience dimensions, Analytical resilience quantification,
Resilience trajectory expansion, Resilience Engineering quantification
Challenge of sustainable, efficient and resilient and systems: definition of technical
Resilience Engineering
Modern system development, improvement, innovation and assessment has to take into account an
ever increasing variety as well as increasingly competing goals. Such goals include: sustainability,
effectiveness, efficiency, user attractiveness but also safety and security (Assembly, 2000). For
example, for past automotive vehicles safety was a luxury, since decades at least a basic level is
standard. In a similar way, sustainability and cyber security of vehicles are currently novel topics and
will evolve to established requirements. Similar arguments are argued to hold true when requiring
that (socio) technical systems are capable of coping with adverse events.
This text aims at showing that a thorough Resilience Engineering can substantially contribute to
improving safety and security as well as the adaptive capabilities of complex socio-technical systems
when they face adverse and potentially disruptive events. Those capabilities, which can be
summarized as resilience, are a key characteristic of sustainability. In our modern world that depends
on (ultra-)complex, interdependent, coupled networks of infrastructure, sustainable development is
only achievable, if we learn to design and optimize our systems in a resilient way (Thoma, 2014).
Systems covered range from infrastructure lifelines to small devices.
Resilience Engineering means preserving critical functionality, ensuring graceful degradation and
enabling fast recovery of complex systems with the help of engineered generic capabilities as well as
customized technological solutions when the systems witness problems, unexpected disruptions or
unexampled events (Thoma, Scharte, Hiller, & Leismann, 2016). Hence, Resilience Engineering is a
new and innovative approach to improving the resilience of systems with the help of the technical
and engineering sciences. Those sciences are able to understand, analyse and improve a vast set of
different kinds of systems, ranging from microsystems to global infrastructure networks. In
i This paper is part of the IRGC Resource Guide on Resilience, available at:
resilience/. Please cite like a book chapter including the following information: IRGC (2016).
Resource Guide on Resilience. Lausanne: EPFL International Risk Governance Center. v29-07-2016

particular, RE tries to find ways to enhance the resilience of critical infrastructure, e.g. electric,
energy and telecommunication grids.
The resilience of such systems can be defined as their capability to successfully
(1) prepare for
(2) prevent
(3) protect from
(4) respond to, and
(5) recover from
minor up to larger, creeping up to sudden, known up to completely unexampled disruptions, taking
into account the societal and technical contexts (Häring, Ebenhöch, & Stolz, 2016; Thoma, Scharte,
Hiller, & Leismann, 2016). A system is resilient if it is successful in combining all resilience
management phases to minimize the negative effects of any kind of adverse events.
The overview on Resilience Engineering is structured as follows. Section 1 gave an overview and a
definition on Resilience Engineering. Section 2 lists main Resilience Engineering objectives, Section 3
discusses frameworks for generating resilience, and Section 4 shows how to develop and measure
Technical objectives of Resilience Engineering
This section elaborates on the objectives of the technical science-driven Resilience Engineering
approach. We categorize 12 resilience engineering objectives (from (i) to (xii)) into 5 main objectives
((A) to (D)).
(A) Technical-engineering Resilience Engineering approach. Resilience engineering aims at making
the sufficient generation of resilience of (socio) technical systems a well-defined, scalable and flexible
scientific-engineering process that is supported by appropriate methods. Accordingly, objectives of
Resilience Engineering are
(i) to provide engineering, technical and natural science founded approaches and processes
to achieve resilience of (socio) technical systems. For instance as indicated in section 3.
(ii) to develop tailorable validated methods to conceptualize, design, develop and assess
resilient systems. For instance, to refine what it means to achieve overall success in all
resilience management phases (1) to (5).
In the same way as risk analysis and control emerged as a new engineering branch in the 1970s and
1980s, it is expected that resilient engineering for handling a large variety of (potential) disruptions
will emerge as a new technical science domain. Thus, Resilience Engineering allows fulfilling many of
the aims for modern sustainable system developments as listed in the introduction.
(B) Extension and where appropriate replacement of (classical) risk approaches. Further main
objectives include:
(iii) To extend and where appropriate to replace classical notions of risk analysis and
management with resilience concepts, approaches and methods. For instance, to allow

for a more flexible chance enhancement and/or risk control for systems focusing on post
event options for response and recovery.
(iv) To allow for extended and novel perspectives on risk events, risk propagation, risk
assessment and risk control. For instance, to conduct chance/risk management of longterm
system availability objectives.
(v) To be better able to prepare for less expected, seldom, unexpected, unknown or even
unexampled – so-called “black swan” – events. For instance by focusing on the
chance/risk assessment of technical resilience capabilities.
(C) Seamless extensions of notions of reliability and maintainability. Important aims of resilience
engineering are
(vi) To seamlessly link to and to extend classical notions of reliability. For instance, by
understanding and investigating the level of resilient performance of technical systems in
case of major disruptions as an extension of the classical reliability of systems designed
to handle minor statistical and systematic failures.
(vii) To extend maintenance concepts to response and recovery approaches post major
disruptive events. For instance, by defining systems (e.g. part of European high-voltage
grid >380 kV) to be sufficiently large to be able to consider major disruptions (e.g. local
electricity grid failure) as smaller failures.
(viii) To use and improve on resilience indicators that are also relevant for the daily successes
of systems and vice versa. For instance, to define current reliability level of electricity
supply in case of a set of possible minor up to larger disruptions.
(D) Integration of physical security, technical safety and IT security approaches. Resilience
objectives cover all types of potentially disruptive events. Therefore main aims of resilience
engineering include:
(ix) To integrate physical security, safety, IT-security approaches. For instance to determine
and evaluate the chances and risks on resilience using approaches from all corresponding
disciplines and aggregating their analyses semi-quantitatively.
(x) To provide at least conceptual technical and engineering processes and methods that are
independent of the type of adverse or disruptive event considered. For instance, by
developing analytical resilience assessment approaches.
(E) High societal and organizational commitment. The notions of resilience engineering invite for
individual and collective participation as well as organizational involvement. For instance, by focusing
on technical capabilities of systems that can be defined in positive terms. More generally speaking
resilience engineering objectives include:
(xi) To achieve a high level of individual, organizational and societal commitment of all
actors: third party, decision-makers, developers, system designers, system assessment
personnel. For instance, by including highly unlikely events and their long-term
consequences within risk control.
(xii) To ask for the input and feedback of end-users and third parties. For instance, by
focusing on empowerment of actors when using technical resilient systems, by asking for
the level of local controllability of scenarios and the time duration of scenarios as well as
for taking account of perceived risks.

Generating resilience for (technical) systems and processes: Resilience development
framework options
This section indicates how within the Resilience Engineering approach resilience of systems is
generated. Feasible strategies to achieve the resilience engineering objectives listed in section 2
(a) To generate metrics and measures for the success of the resilience management phases (1) to
(5). For instance, to use qualitative, semi-quantitative up to quantitative approaches.
(b) To identify, specify and develop (technical) resilience capabilities (resilience functionalities,
services, or capacities) sufficient for all potential disruptive events. For instance, to require that
specific key functions of a technical system are also available in case of loss of the main energy
(c) To identify, operationalize and specify for systems (generic) resilience properties, attributes or
specifications which by themselves or in combination suffice for sufficient resilience. For
instance, redundancy or physical robustness.
(d) To extend classical risk management and assessment approaches with notions of resilience
analysis, management and enhancement (Häring, 2015; Linkov et al., 2014). For instance, to
conduct risk analysis and management taking account of response and recovery options.
It can be argued that developing technical resilience capabilities is the most viable approach when
focusing on technical systems. Technical resilience capabilities can be defined as any technical
capability, function or functionality. Therefore, reliability functions (standard, comfort functions) of a
technical system can be supplemented with resilience functions and capabilities. This is very similar
to adding functional safety functions for controlling risks in safety relevant or critical systems to
reliability functions of systems (Siebold, Larisch, & Häring, 2010).
Furthermore, technical resilience functions can be defined very flexibly in terms of their qualitative
and quantitative requirements. In addition, they can be realized independently, mixed with existing
functions or completely being part of existing functions.
Such technical resilience capabilities should include (Finger, Häring, Siebold, & Hasenstein, 2016)
(Häring, Ebenhöch et al., 2016):
1. Sensing and observation, for generating situation awareness,
2. Modelling and simulation for situation representation,
3. Inference and decision-making for selection of response options (if any),
4. Action and response for implementation of response options and
5. Adaptation and change, for improving overall capabilities according to (1) to (4).
Metrics, criteria, indicators for quantifying successful Resilience Engineering
This section shows that by now a variety of approaches and methods have been developed or
proposed to quantify resilience. Four main strands can be identified (Häring, Ebenhöch et al., 2016)
(Häring, Scheidereiter, et al. 2016):
(A) Analytical resilience quantification, which is based on the nested combination of (semi-)
quantitative resilience dimensional assessments, e.g. using as outer cycle the resilience
management cycle or risk management cycle. A possible starting point is to focus on chances for

resilience objectives for each resilience management phase (1) to (5) by asking for a systems
technical resilience capabilities according to 1. To 5. (Finger et al., 2016) (Baumann, Häring,
Siebold, & Finger, 2014) (Schoppe, Häring, & Siebold, 2014) (Schoppe et al., 2015) (Siebold,
Hasenstein, Finger, & Häring, 2015);
(B) Resilience expansions with respect to resilience dimensions, e.g. number of events, resilience
phases affected, etc. For instance, the assessment may focus on the immediate response in case
of double physical cyber events.
(C) Resilience trajectory propagation, mainly for using or combining probabilistic-statistical and
standardized engineering-simulative approaches. This approach focuses on the consideration of
multiple possible events and their forward and backward propagation. Propagation is
understood as mapping event descriptions.
For instance, in case of forward propagation earthquake threat is mapped on/propagated to
well-defined seismic events, to regional loadings, to local loadings, to building loading, to physical
building damage, to physical person loading, to personnel damage quantification, to building
damage evaluation, to personnel damage evaluation, and finally to overall damage evaluation.
Examples are: (Fischer, Siebold, Vogelbacher, Häring, & Riedel, 2014) (Fischer, Häring, Riedel,
Vogelbacher, & Hiermaier, 2016) (Riedel et al., 2014) (Voss, Häring, Fischer, Riedel, & Siebold,
2012) (Esmiller et al., 2013) (Salhab, Häring, & Radtke, 2011a) (Salhab, Häring, & Radtke, 2011b)
(Häring, Schönherr, & Richter, 2009);
(D) Based on socio-technical cyber-physical system simulations (Renger, Siebold, Kaufmann, &
Häring, 2015). For instance, recovery times of airport checkpoints after security-induced
disruptions can be determined from simulations.
Such Resilience Engineering quantities can be used for formulating overall resilience optimization
objectives, for instance (Häring, Ebenhöch et al., 2016)
I. to optimize the probability of an acceptable overall total resilience of a system,
II. to minimize the probability of non-acceptable overall total resilience of a system,
III. to optimize the total chance for fulfilling resilience objectives,
IV. to minimize the total risks on resilience objectives.
Summary and outlook
In summary, Resilience Engineering strongly supports to meet a prerequisite for sustainable and
efficient systems: to sufficiently benignly respond to adverse events, i.e. to be resilient (section 1). By
that, Resilience Engineering meets several of the most challenging technical objectives of modern
system development and overall risk control (section 2). By now, a variety of approaches and
frameworks exist how to design resilience in development and improvement of systems (section 3).
It is argued that the identification, design and development of technical resilience capabilities is most
viable. Resilience can be quantified using fast analytical (table-top) approaches up to complex sociotechnical
system simulations for generating time-dependent resilience indicators (section 4).
A Generic Framework for Resilience AssessmentHans Rudolf Heinimann1
A Generic Framework for Resilience Assessmenti
Hans Rudolf Heinimann1
1Future Resilient Systems at Singapore-ETH Centre, Singapore, and ETH Risk Center, ETH Zurich,
Keywords: Resilience framework, resilience functions, post-event strategy, socio-technical systems
From pre-event to (pre+post)-event strategies
Quantitative risk assessment emerged in the 1950s, characterizing risks as a frequency distribution
over the consequences. Modelling the tail of those distributions, extreme value theory has been the
dominating approach to predict low-probability – high-consequence events, thus answering the
questions "what can go wrong? What are the consequences?" In this case, risk assessment is a preevent
strategy, based on the precautionary principle. The ongoing urbanization led to increasing
coupling strength and decreasing heterogeneity, both within and between systems. Those trends are
pushing many socio-technical systems to critical states, at which they are moving into a behavioural
domain that we did not observe in the past, and which is providing ‘outliers’ (Black Swans, Dragon
Kings) in the tail of distribution, making reliable predictions of extreme events challenging or even
impossible. This calls for novel approaches, among which resilience assessment and management –
a post-event strategy - is a first importance to boost system’s recovery, reconfiguration and
A resilience framework based on eight generic functions
In the last decade, the resilience concept gained much attraction, and policymakers, practitioners
and academics have been using it widely and enthusiastically (McAslan, 2010). It has been around for
quite some time (Jackson, 2015), having its origin in the engineering of materials, emerging later in
the area of psychology, and becoming an important paradigm in ecology. In its essence, resilience is
the "capacity of a system to absorb disturbances and to reorganize so as to retain essentially the
same structure, function and feedback loops" (Walker & Salt, 2012). The resilience and policy
committees of the National Academy of Sciences (NAS) defined resilience as the ability of the system
"to prepare and plan for, absorb, recover from, or more successfully adapt to actual or potential
adverse events" (Cutter et al., 2012, Cutter et al. 2013). The two definitions are embracing two
fundamental properties that are interacting symbiotically, systems’ resistance and systems’
resilience. The traditional engineering approach has been to design systems for resistance such that
i This paper is part of the IRGC Resource Guide on Resilience, available at:
resilience/. Please cite like a book chapter including the following information: IRGC (2016).
Resource Guide on Resilience. Lausanne: EPFL International Risk Governance Center. v29-07-2016

they can withstand characteristic exogenous and endogenous actions. Going back to the Latin word
resilire, resilience on the other hand means to spring and rebound.
Figure 1: Resilience concept based on eight generic functions: attentiveness, robustness, resistance, re-stabilization,
rebuilding, reconfiguration, remembering, adaptation
We propose a resilience framework (figure 1) that is based on eight generic system functions:
attentiveness, robustness, resistance, re-stabilization, rebuilding, reconfiguration, remembering, and
adaptiveness, which we characterize with the AR6A acronym. We measure systems performance
(MOPs), represented as the y-axis.
• Robustness refers to that range of performance – defined by an upper and lower limit – that
guarantees a continually expected flow of services.
• Resistance is the ultimate limit of a system to withstand actions that are straining it during its
lifecycle. Structural engineering resistance often equals the elasticity limit, beyond which
non-recoverable deformations will occur. If a disruption is straining a system, its
performance will decrease down to a minimum (Pmin), which can become zero in a worstcase.
Resilience stems on resistance.
• The recovery phase consists of the two functions, re-stabilize and rebuild, aiming to reestablish
critical systems functions up to a range that enables survivability, to rebuild all the
functions and to re-establish normalcy, respectively. We have to emphasize that system
recovery is an active concept that is mobilizing additional resources, which differs from a
‘laissez-faire’ approach.
• Reconfiguration means to adapt and change systemic properties by introducing or deleting
interdependencies, or introducing or deleting components. Our experience shows that
reconfiguration rarely happens with man-made systems. It also requires to change or
enhance the system boundaries to address the key issue "how should we adapt the topology
of the system" to make it more resistant and more resilient.
• Adaptation means to continue to enhance a system's abilities to improve the fitness to cope
with disruptions and to increase survivability.
• Attentiveness and remembering are two ‘cognitive’ functions, encapsulating the ability to
anticipate, and to detect endogenous and exogenous disruptions, and to memorize and learn
from earlier disruptions, enabling a system to respond more rapidly and more effectively to
future disruptions.
Time t
System Performance MOP
• Attentiveness
• Robustness
• Resistance
• Re-stabilize
• Rebuild
• Reconfigure
• Remember
• Adapt
tpre tpost
Remember Adapt
Re-stabilize Rebuild

Scholars have been using sets of functions and attributes to operationalize the resilience concept
(Bruneau et al., 2003; Cimellaro et al., 2010: Ganin et al., 2016; Linkov et al., 2014; Madni &
Jackson, 2009; Planz & Levis, 2015; Tierney & Bruneau, 2007). The earthquake engineering
community usually relies on four attributes - robustness, resourcefulness, redundancy, and rapidity -
while the NAS resilience and policy committees proposed six functions (Cutter et al., 2012, 2013) that
are quite different, which demonstrates that resilience assessment is still emerging. All of the
proposed approaches are stemming on the resistance function, characterizing it with attributes such
as the capability to absorb, or to provide redundancy. They are additionally characterizing the
capability to recover with attributes, such as rapidity, resourcefulness, response, or recovery. The
NAS definition additionally considers awareness and adaptation. Our approach brings in two
‘cognitive’ functions – awareness and remembering –, which we borrowed from the biological
immune systems, which are a model for business resilience (PWC, 2015). It additionally splits the
recovery function into re-stabilizing and rebuilding, which are typical phases in the wound healing
process. Since our eight-function concept is generic, it should be easily transferable to any kind of
system. Our experience with stakeholders shows that they can easily understand the eight functions,
whereas it is difficult for them to understand the resilience concept based on a specific definition.
Transferring the resilience concept into socio-technical systems
Infrastructure systems are a compound of engineered, organizational and user subsystems, at which
we have to look as a whole. Considering that social components triggered many system failures, the
implementation of a resilience framework has to address the human factors within a system first.
The first step consists of raising awareness and of developing a new mindset how to combine preevent
and post-event strategies to cope with future disruptions. In a second step, key people have to
walk systematically through the eight generic system functions. The restabilising, rebuilding and
reconfiguring functions need special attention because they often happen under a ‘laissez-faire’
regime, while tool-supported, active intervention can make them much more effective, supporting
systems to recover much faster. Resilience is a dynamic phenomenon that we can only observe if
there is a reliable body of time series data, which is unfortunately often missing. A third step should
consist to develop a ‘sensing concept’ to capture key system performance indicators that will allow
us to quantitatively characterize and assess resilience in the future.
Assessing and Measuring Resilience
The quantification of resilience stems from work done in the earthquake engineering community
(Bruneau et al., 2003; Cimellaro et al., 2010; Tierney & Bruneau, 2007). It looks at how systems'
performance is falling down after a disruption and how it is recovering afterwards, mapping the
resistance and the recovery functions on some metrics. The term robustness is used mostly instead
of resistance, which we are convinced is more appropriate because it is the essential concept in the
engineering standards, requiring a system to resist against a set of actions. Scholars have been using
this "bathtub" resilience metrics, but there is still a demand for a more comprehensive approach.
Looking at our eight resilience functions, we are striving for an index, into which five functions -
resistance, robustness, recovery (restabilize, rebuild), and reconfigurability - are going in. We assume
that plotting such an index as a time series will be a representation of the adaptability in a longer

run. Additionally, there is a need for an assessment of the "cognitive" resilience functions –
awareness and remembering.
Managing Extraordinary Risks: Proactive and Reactive StrategiesPatrick Helm1
Managing Extraordinary Risks: Proactive and Reactive Strategiesi
Patrick Helm1,2
1 Department of the Prime Minister and Cabinet, Wellington, New Zealand
2 Risk Frontiers, Macquarie University, Sydney, Australia
Keywords: Complex systems, Risk management, Resilience, Adaptation, Disasters, Uncertainty,
Planning for the Unknown
Risk management techniques have contributed greatly to improving reliability and safety in society.
But they have been less effective in dealing with some complex risks with substantial consequences
for social, economic and physical systems.
Paradoxically, for some of the most critical societal risks they can do more harm than good unless
applied carefully. In the case of challenges to national security or natural disasters, for example,
classical structured methodologies can engender false confidence around matters that are inherently
unknowable. Analytical methodologies with proven value in managing recurring risks, even in
complex environments, have been less effective with multi-dimensional risks or societal systems that
have been stressed beyond normal.
There is a wide-spread perception that the risk landscape is changing rapidly. To the extent that this
is true it is only partly because of new and ill-defined threats, hazards, accidents, and other sources
of harm. A bigger factor by far is the ever-growing complexity in society that makes it nearly
impossible to anticipate and contain their potential consequences. Unusual circumstances have
been triggering disproportionate, wide-ranging, and unexpected effects, largely because ever more
complex systems fail to cope with increasing concentrations of people and wealth.
New vulnerabilities are arising for many well-known reasons: global interconnectedness,
demographic changes, modern business practices, new systemic risks, and reliance on closelycoupled
infrastructure systems among others. These can create conditions that allow problems to
spread rapidly, cascade unpredictably, and manifest in novel ways. Such situations inevitably
damage the foundations of social planning, such as assumptions about order, cause and effect,
rational choice, and intentional capability.
This escalating uncertainty in the propagation of harm obliges risk practitioners to adopt more
comprehensive methods of limiting the effects in their policies, strategies, and practices.
i This paper is part of the IRGC Resource Guide on Resilience, available at:
resilience/. Please cite like a book chapter including the following information: IRGC (2016).
Resource Guide on Resilience. Lausanne: EPFL International Risk Governance Center. v29-07-2016

Risk management has traditionally been oriented to pre-emptive control. Over time it has evolved
from mitigation at source to addressing vulnerabilities, managing adverse consequences, and
transferring potential costs. But, while effective for familiar risks, the widening concepts of risk and
its management have been carrying increasing baggage; limitations have been exposed for growing
classes of risk, especially those involving complex dynamic systems.
For one thing, such approaches require prior knowledge that the risks exist – through analysis,
historical experience, or evidence of specific threats and hazards. Successful management requires
understanding not just of the risk sources (nature, scale, likelihood, potential effects, etc.), but of the
pathways by which harm might propagate. The potential combined consequences are largely shaped
by many unpredictable ‘system’ factors such as societal vulnerabilities, community culture, and the
dynamics of social and organisational networks.
Integrating Proaction and Reaction
Because they are, by definition, least familiar, critical issues need greater allowances for uncertainty,
ambiguity, and complexity. Probabilistic assessments on their own cannot be expected to contribute
meaningfully; major events usually occur too infrequently to be of much influence in normal planning
timescales for businesses and governments.
Such situations need to be managed with a different balance of reactive and proactive strategies.
Comprehensive planning that is based on a mix of specific risk controls (where justified on costbenefit
grounds) and that also fosters strong resilience in sub-systems and throughout organisational
processes usually provides a more pragmatic means of addressing unfamiliar threats or hazards.
Having such an orientation to resilience and adaptation will usually be more effective for
extraordinary multifarious risks, large-scale societal issues, emerging problems, or threats with high
Resilience has some way to evolve as both a formal discipline and an operational paradigm. Despite
its conceptual simplicity, there is no universally accepted definition and there are semantic
differences to be resolved. It is usually characterised as a behavioural property of a system as it
responds to and recovers from shock. It differs from risk management in its focus on interrelationships
between system elements. It depends on the functioning of physical systems, the
availability and quality of information, and the way that the different elements operate individually
and collectively.
In the context of governance arrangements, risk management and resilience can have a degree of
overlap or complementarity in both concept and definition. The two, however, are fundamentally
and distinctively separate, notwithstanding views held in some quarters about one being a subset or
outcome of the other.
To the greatest extent possible the governance arrangements for both risk management and
resilience building should be established within a single integrated framework. While the detail will
depend on how responsibilities are shared, this is an important principle at all levels of government
and business. A single integrated framework can have a number of advantages by:
• encouraging systems planning and holistic management;
• improving the chances of exposing rogue conditions;

• identifying effective control measures;
• strengthening coordination and balanced management;
• revealing trade-offs and management efficiencies;
• providing a knowledge base for potential adaptive management.
In overall effect this brings about a shift of focus from problems to resolution – improving the
situation, not eliminating the problem. At the same time, investments in resilience, including
adaptive capacity, can have wider long-term utility for governments and businesses. Generic
resilience-building that concentrates on core needs can be especially cost-effective for the
innumerable rare risks that are possible or plausible, but that cannot individually be foreseen and
Layered Risk Governance
Methods of resilience and risk management have to be employed with care to avoid wasted effort.
The framework is especially important. Governance needs to be framed in the context of social
objectives, such as public safety, community functioning, organisational stability, or business
continuity, rather than through the lens of individual events, hazards, threats, or vectors of harm.
In a community, for instance, resilience will only be effective if there is clarity about the ways that
various elements in social systems might interact, and, in particular, an agreed view on what might
accelerate recovery and what might retard it. Any interventions must take into account not only
questions of feasibility, efficacy and cost-benefit utility, but societal expectations such as public
acceptability, trust, accountability, legality, and long-term sustainability.
Thus, a comprehensive system for risk governance will be one in which there is layered effort on
several fronts such that:
• known sources of peril are assessed, repelled, attenuated, avoided, or deflected in ways that
are practical and cost-effective, and appropriate for those potentially at risk;
• exposure and susceptibility are reduced in vulnerable elements, including stakeholders,
organisations, infrastructure, and assets;
• generic resilience is enhanced to attenuate unexpected forms of harm and absorb
disturbances so that those threatened can respond quickly, improvise and adapt as
appropriate, and evolve to a stronger state following a disruption.
Because complex failure routes are intrinsically unpredictable, the effects must be brought under
control as quickly as possible. Much will depend on the governance arrangements in place, including
provisions for helpful features such as: early detection, fast sense-making, speed of response, quick
control of evolving problems, generic preparations, availability of resources, pre-planned decisionmaking,
devolved and flexible management, adaptive capacity, rapid experimentation with ‘safe-tofail’
interventions, real-time modelling of the effects of multiple interventions, rapid learning, and
heuristic decision-making.

Because it is oriented to outcomes rather than inputs, and tends to be an emergent feature of a
system in action, resilience is not easily quantified a priori. It represents the overall reaction to
shocks rather than any pre-determinable metric in static terms. It is not just a measure of the
controls in place, but a characterisation of how the whole system behaves and adapts to internal or
external stresses. Ultimately it is a reflection of the success of the risk governance in place for the
combined ‘Source-&-Society system’ in dynamic mode.
To a limited extent it is possible to develop measures of effectiveness in respect of managing familiar
risks such as in personal safety, medicine, agriculture, manufacturing, and emergency management.
More complex situations or large-scale events need to be approached through modelling and
predictive simulation. Good practice usually involves the use of proxies and indirect indicators of
governance such as situational awareness, quality of planning, capacity for adaptation, ability to
learn from experience, and so forth.
The experience of systems thinking in the engineering world has much to offer for resilience
governance. Engineering systems have evolved over centuries to maximise their overall fitness to
handle disruption from accidents, natural hazards, human failings, deliberate attacks, technical
weaknesses, and other sources of harm. Achieving those ends requires deep knowledge of the
system in a suitably wide context, an understanding of the environment in which the system sits, and
confidence that all control elements are fit for purpose. The essential attributes of a ‘healthy’ system
have been described in the following terms:
• Completeness - all necessary elements are present
• Balance – weight given to each element is appropriate for purpose
• Cohesion – connections and interactions are present and suitable
• Consistency – elements consistent with each other and overall purpose
• Clarity – no ambiguity about elements or connections.
The arguments set out here suggest that a general management strategy for extraordinary risks of all
kinds should be based on four integrated phases of governance:
1. System: manage the system coherently
Analyse the system continuously to try to understand its main features – i.e. investigate
essential elements of the organisation, business, network, or nation to identify the parts
and relationships, roles and responsibilities, strengths and weaknesses, and other factors;
2. Risks: mitigate discrete risks
Undertake risk analysis and management for distinct hazards and threats, potential
vectors of harm, and system vulnerabilities, in order to examine options for mitigation or
for modification of potential consequences on the basis of cost-benefit analysis;
3. Resilience: enhance generic resilience
Build generic resilience throughout the system for diverse scenarios on the assumption
that there could be significant unknowns in both the sources of harm and the pathways,
and in the reactions of those threatened;

4. Adaptation: pre-plan flexible management in response
Put in place arrangements and capacity for high-level governance and adaptive
management to enable a rapid and flexible response if exceptional shocks should occur or
systems are overwhelmed.
This layered strategy can be applied to the management of most forms of risk. The balance of
investments in each of the four steps depends critically on factors such as the nature of the risk, its
potential significance for the organisation or business, and the quality of knowledge.
Three broad categories may be described:
• It is not usually cost effective to mitigate for very rare threats or hazards (e.g. meteorites)
given that there can be so many that are plausible but individually unlikely; any occurrences
are best covered by response services and fast flexible management.
• With regularly occurring risks, experience helps to define the range of uncertainties and put
adequate arrangements in place as part of normal professional practices. Examples include
urban fires, storms, individual medical interventions, industrial failures, hazardous materials
spills, supply chain interruptions, criminal activities, and highway accidents, among many.
• High-end risks, such as major natural disasters, warfare, para-military operations, global
warming, challenges to sovereignty, financial crises, and trans-national threats, where there
is little relevant experience and high stakes, require more comprehensive strategies based on
appropriate risk governance, scenario testing, generic resilience, and adaptation.
Notes on operationalising the four steps in this strategy are provided at Annex.
The future of governance for dealing with extraordinary risks will increasingly need to be based on
community attributes such as social capital, informal communication networks, and organisational
culture. It will inevitably require a different balance of proactive and reactive management, and
changes to risk governance. Above all, it will require a re-orientation of purpose: with the prime
focus being on achieving stability, safety, and security, rather than managing threats and hazards.
In particular, experience of major disasters suggests that the changes will need to concentrate on a
better balance of proactive and reactive practice. Such an approach must involve some or all of the
following: better decision-making under uncertainty; less reliance on risk avoidance and simple
precautionary policies; greater use of probabilistic techniques where relevant; recognition that many
risks have deep uncertainties or are inherently stochastic in nature; planning based on principles and
guidelines, rather than rules or standard operating procedures; decentralisation, subsidiarity, and
devolution of responsibilities; more openness to ideas when confronting unfamiliar crises; instinctual
decision-making rather than simple deductive logic; empowerment to encourage bottom-up as well
as top-down management; frameworks that facilitate action rather than prescriptive plans;
acceptance of self-organising-structures and evolving behaviour in dealing with crises; and trial-anderror
experimentation to investigate options for response and recovery.
A Business Continuity Perspective on Organisational ResilienceDr Brahim Herbane1
A Business Continuity Perspective on Organisational Resiliencei
Dr Brahim Herbane1
1 Leicester Business School, De Montfort University, Leicester, United Kingdom
Keywords: Resilience, Business continuity management, Crisis management
Resilience – Providing a Vision for Business Continuity Management
Contemporary thinking about the role and value of Business Continuity Management (BCM) is
underpinned by the goal of achieving organisational resilience. Although BCM originated in planning
and responses to Informational Technology disasters, it has evolved over the past 40 years to
become an embedded, organisation-wide process with a strategic orientation. BCM comprises of
processes, structures, roles, and resources that evaluate an organisation’s exposure to internal and
external threats and to provide effective prevention and recovery for the organisation, whilst
maintaining competitive advantage and value system integrity. Within BCM, risks are considered to
be threats to the organisation’s activities, objectives and responsibilities. Central to a business case
for BCM is the ability to enhance resilience through the effective implementation of business
continuity management methodologies and systems (which may include standards such as ISO22301
and NFPA1600 among others). From a BCM perspective, resilience is an ability that is related but
distinct since BCM is a set of organisational processes and other resources that are integrated into a
management system that provides continuance of an organisation’s activities following a disruption.
Disruption is avoided or minimised because of preventative measures in place. Such a perspective
aligns with the recent Guidance on Organizational Resilience (BS65000: 2014) from the British
Standards Institute in which organizational resilience is both a goal and “the ability of an organization
to anticipate, prepare for, and respond and adapt to everything from minor everyday events to acute
shocks and chronic or incremental changes”.
Although business continuity professionals and best practice standards increasingly consider
resilience to be a goal of effective business continuity management, BCM is one of several supporting
activities to support resilience. Indeed, Enterprise Resilience Programs incorporate BCM with risk
management, IT disaster recovery, risk management and crisis management in order to undertake a
comprehensive pursuit of resilience (see Figure below). There is no single best way to configure an
enterprise resilience programme given the unique historical, financial and resource attributes of each
organisation. Furthermore, although the lack of consensus on a single ‘definition’ of resilience is
often presented as an ontological difficulty, BCM professionals tend to characterise resilience as the
aspiration or aim of business continuity management systems, much as a chief strategy officer would
i This paper is part of the IRGC Resource Guide on Resilience, available at:
resilience/. Please cite like a book chapter including the following information: IRGC (2016).
Resource Guide on Resilience. Lausanne: EPFL International Risk Governance Center. v29-07-2016

refer to the corporate vision as the articulation of the future state of organisation following
achievement of its corporate strategy.
Figure 1: A business continuity perspective
Business Continuity Management as an Articulation of Resilience
The conceptual and practical alignment of resilience and business continuity goes beyond their
means-end relationship. An engineering /recovery resilience approach (i.e. response to specific
disruptions) is achieved through the development of business continuity strategies designed to deal
with specific scenarios such as power loss, denial of access to buildings, IT failure, fire, flooding,
transportation failure, industrial action, supply chain disruption, contagious disease outbreak, etc.
Ecosystem/precursor resilience (i.e. the organisation’s ability to emasculate shocks and persist
through periods of disruptive change) is achieved by implementing business continuity as a
continuous management set of responsibilities, structures and activities. ISO22301 and its
predecessor BS25999 are structured around a ‘plan-do-check-act cycle’ in which the changing needs
and expectations of stakeholders and changing requirements of the organisation drive the
development of plans that are in turn implemented, operated, monitored and reviewed. These
guidance standards are derived from well-established good practices for business continuity in which
the BCM process begins with the initiation of formal structures, roles, budgets, senior management
commitment and objectives. Once these operational conditions for BCM are established, attention
then turns to formal planning in which critical activities and functions are identified through a
number of formal analyses, including Business Impact Analysis and Risk Assessment (including risk
appetite). From this, business continuity strategies/plans are developed which should then be
exposed to exercising and testing to rehearse and refine the organisation’s responses to hazards that
could disrupt operational activities.

Although BCM may be thought of as an alternative or substitute for risk management, risk
management principles are central to BCM. Since BCM focusses on preparedness for the recovery,
resumption and restoration of critical activities and functions following a disruptive event, such an
endeavour serves to lower organisational vulnerability and their interaction to known hazards – the
essence of managing risk. Where resilience and BCM may differ from risk management is in the role
of creativity. Within an organisation, creativity may be present, absent, latent, nurtured, central or
peripheral to what the organisation does and how well it does it. As art may rely on improvisation
and bricolage, so too might organisations facing a major disruption. Driven by creativity (which
combines skills and techniques along with an appreciation of resources that are found nearby)
organisations should seek not to be bound by the rigidities of assumptions of plans for generic
scenarios (for instance by using internal assassins to identify vulnerabilities during planning, and red
versus blue teams and injects during exercises).
A narrow view of BCM is that it is a toolbox. Without, however, people and other resources
(including relationships), the BCM toolbox lacks the methods from which resilience may be
fashioned. Indeed, the human dimension is at the heart of business continuity management. The
commitment of the C-Suite to initiate and sustain BCM is necessary to build a supportive culture
within an organisation in which knowledge of vulnerabilities are shared, ideas flow freely and
responsibility promotes, rather than stifles, problem-solving and continuous improvements.
BCM – A Part but not the Whole
As noted above, BCM is one element of an organisation’s path towards greater reliance. In
operational terms good financial management, information security policies and practice, health and
safety management, succession planning and retention policies, staff capabilities, staff training and
flexibility, corporate social responsibility policies and practices, supply chain management, quality
management, and brand and marketing management are among the key processes that can
underpin an organisational insight into operational risks and mitigate/remove their impact. In terms
of international guidance standards to support resilience, the following are salient:
• IS028000 Security Management Systems for the Supply Chain
• ISO22301 Societal Security - Business Continuity Management Systems - Requirements
• ISO22313 Societal Security - Business Continuity Management Systems - Guidance
• ISO27001 Information Security
• ISO31000 Risk Management
• NFPA1600 Standard on Disaster/Emergency Management and Business
Continuity/Continuity of Operations
(This list is indicative rather than exhaustive.)
The wide range of underpinning activities and guidance standards reinforce the important (but not
exclusive) roles of BCM and Risk Management in developing organisational resilience. In a national
context, governments (local and national) and business support agencies may provide guidance on
BCM and resilience and local guidance and standards may exist. For example, in the United Kingdom,
the Cabinet Office publishes guidance on emergency planning, business continuity and resilience for
a wide variety of organisations, and British Standards BS11200 (Crisis Management) and BS65000

(Guidance on Organizational Resilience) originate from the UK standards body BSI. BS65000 identifies
the high level principles/actions and operational disciplines that are necessary to develop
organisational resilience. The high level principles and actions are situational awareness, setting a
clear vision and purpose, ensuring coherence of activities that contribute to resilience, developing
adaptive capability (innovation, flexibility and agility), strengthening and developing the organisation,
and providing validation and review for organisational development. The guidance identifies 21
operational disciplines that underpin and embed resilience processes, including risk, business
continuity, crisis and ICT disaster recovery continuity management.
Assessing the Value of Continuity
The proactive and preventative nature of BCM means that evaluating BCM using approaches such as
Return on Investment (ROI) is akin to calculating the ROI of an insurance policy. To pursue an
objective assessment of ROI is nigh on impossible. Elements of its value can be known and put
together to provide a case for new/continued investment. Deriving this casual path is therefore
problematic and may result in simplifications and assumptions about certainty (event X will happen
with Y frequency and with Z degree of loss) set against alternative levels of investments and their
impact on levels of frequency and impact of known forms of disruption.
Nevertheless, the inability to accurately measure ROI does not mean that it does not add value
because Business Impact Analyses for activities within the scope of BCM will show the operational,
contractual, financial and reputational impacts of the inability to fulfil those activities in the event of
a disruptive incident. All of these impacts will have recognisable levels (that is – we may not be able
to measure them precisely but we would have a clear indication of their severity, ranging from trivial
to strategically important). Regardless of the challenges of assessing the value of BCM, in many
economic sectors BCM is no longer an option but a requirement.
Resilience Engineering and Indicators of ResilienceIvonne Herrera1
Resilience Engineering and Indicators of Resiliencei
Ivonne Herrera1
1Department of Industrial Economics and Technology Management, Norwegian University of Science
and Technology
Keywords: Resilience Engineering, Adaptive Capacity, Graceful extensibility, ETTO, Complex-socio
technical systems, Everyday operations, Critical infrastructures
The concept of ‘resilience’ has emerged in a variety of fields and the concept’s proliferation has
resulted in many interpretations and perceptions. A recent worldwide systematic literature review
identified more than 300 definitions of resilience (DARWIN, D1.1). Within Resilience Engineering,
resilience is more precisely defined as “the intrinsic ability of a system or organization to adjust its
functioning prior to, during, or following changes, disturbances, and opportunities so that it can
sustain required operations under both expected and unexpected conditions” (Hollnagel, 2014).
Since its inception, the development of resilience engineering (RE) as a concept and a field of practice
has made it clear that the scope of safety management must be expanded from being concerned
with failure to include everyday functioning of a system or an organization. (Hollnagel, 2015; Nemeth
& Herrera, 2015).
Traditionally, most of the safety and risk indicators are reactive related to malfunctions, failures or
‘after the fact’ information. Thanks to the consistent use of methods based on after the fact
information, major accidents are extremely rare in ultra-safe systems (Amalberti, 2001). Therefore, in
the everyday performance of most of the safety-critical industries, nothing goes wrong and positive
outcomes are the norm. In this context, it is a questionable strategy to focus exclusively on potential
risks and to look only for failures and malfunctions because effective everyday management cannot
be based on something that is infrequent or unpredictable. Proactive indicators based on RE check
the ‘vital signs’ of the system and identify areas for continuous improvement of the core business
process. These indicators are intended to complement traditional approaches supporting the ability
to monitor current performance influenced by the context and to assess how well the systems and
organizations are prepared to handle potential challenges, opportunities and continue operations.
Looking forward in addition to looking backwards will contribute to an improvement of the overall
i This paper is part of the IRGC Resource Guide on Resilience, available at:
resilience/. Please cite like a book chapter including the following information: IRGC (2016).
Resource Guide on Resilience. Lausanne: EPFL International Risk Governance Center. v29-07-2016

Resilience engineering basic terms
In the literature resilience terms are found to be common across several domains e.g. nuclear,
transportation, electricity and health-care. This section presents a selection of the most commonly
used resilience engineering terms:
Adaptive Capacity: The ability or potential to adjust activities, resources, tactics, and strategies in the
face of kinds of events, variations, demands, and uncertainty to regulate processes relative to targets
and constraints. This is a simple extension of an old definition for skill and expertise, the ability to
adapt behavior in changing circumstances to pursue goals (Woods lecture on Resilience Engineering,
Brittleness describes how rapidly a system's performance declines when it nears and reaches its
boundary conditions (Woods, 2015).
Graceful extensibility is a positive capability to stretch near and beyond boundaries when surprise
occurs. Systems and organizations need graceful extensibility as a separate kind of capacity to our
everyday performances when the system is far from the boundary conditions (Woods, 2015).
ETTO Principle - Efficiency-Thoroughness Trade-Off: people (and organisations) have to make a tradeoff
between the resources they spend on preparing to do something and the resources they spend
on doing it. The trade-off may favor thoroughness over efficiency if safety and quality are the
dominant concerns, and efficiency over thoroughness if throughput and output are the dominant
concerns (Hollnagel, 2009a).
A resilient system or organization is characterized by dependent abilities (introduced as cornerstones
Hollnagel, 2009b, 2015):
• The ability to learn addresses the use of experience, “dealing with the factual”. It includes
what went well as well as what went badly. It is not only about information available in
databases. This includes how the system learns and share stories e.g. what makes the system
• The ability to anticipate relates to the understanding of how the situation at hand develops,
whether into single events, or through parts interacting and affecting each other.
Anticipation relates to threats and challenges, as well as opportunities. It “addresses the
potential” looking for possible future events, conditions, or changes that might affect the
system positively or negatively.
• The ability to monitor relates to actively looking for signs of what might happen in the near
future in terms of opportunities and threats. It “addresses the critical” looking into system´s
own performance and external conditions focusing on what is essential to continue
• The ability to respond corresponds to be prepared to respond, having resources and capacity
to respond to regular, irregular variability, disturbances and opportunities in a flexible
manner. It addresses “dealing with the actual” event (which can be expected or unexpected).
Sustained adaptability offers new ways to manage interdependencies across scales. It refers to the
ability to manage adaptive capacities of systems (organizations) that are part of a layered network.

Today´s systems and organizations adapt and function to demands in rapidly changing environments
under different degrees of uncertainty. Thus, the question is to assess the ability of a system to
remain resilient, how well systems and organizations cope with expected and unexpected changes.
Hence, the overall objective of this chapter is to present methods and tools to identify and use
resilience indicators developed within Resilience Engineering. These indicators support early
identification and response to potential opportunities and problems ahead to meet demands,
constraints and changes in a specific context of operations.
How to improve the ability of a system to remain resilient
Resilience refers to a quality, to something that the system does rather than to something that the
system has; so it is highly unlikely that it can be represented by a single or simple measurement.
Systems and organizations operate constrained by their design envelope. Resilience is required when
systems or organizations are challenged due to conditions that were not imagined during design or
when they operate outside, or at the boundaries of the design envelope. Thus, systems and
organizations are required to enhance their adaptive capacity. Indicators of resilient performance are
related to how the system anticipates and adapts to different kinds of disturbances (expected and
unexpected). Woods (2009) argues that it is not possible to measure resilience per se, but the
potential for resilience. These indicators are not derived from experience of resilience, but indicate
potential to remain resilient when challenging events occur (these indicators are more related to
feed forward and leading indicators). The following are examples of approaches and tools that have
been proposed to identify and use indicators of resilience potential:
The Resilience Analysis Grid (RAG) (Hollnagel, 2011) includes a set of questions to provide a measure
of a resilience profile in relation to resilience abilities (monitor, anticipate, respond and learn). The
“RAG profile for an ability” shows how well a system does on each of the four abilities. There is also a
RAG profile for the four abilities summarizing the balance among these abilities. Consequently, it can
be used to determine improvements in relation to a specific ability or to re-establish a proper
balance. The RAG is proposed as a process measure since it provides information about the actual
situation. Hence, this measure should be updated on a regular basis.
In the energy sector, indicators using the stress-strain analogy are proposed to identify how well the
system copes with different kinds of demands. It plots the adaptive capacity of the system by looking
at general situations and selected unexpected situations (Lay, 2011).
Weak signals occur every day because they reflect the adjustments of the people working in
complex systems (e.g. air traffic controllers ‘they get the work done’). Indicators that are related to
weak signals draw data from the performance variability of humans (e.g. overload reports, quality of
communications), technology (degraded system modes) and the organization (Leonhardt & Licu,
The concept of Margin of Manoeuvre is derived from the theories about complex adaptive systems.
For organizations and systems to maintain control in the face of changing situations, they have to
actively create and maintain an adequate margin of manoeuvre internally and in coordination with
other systems and organizations - a cushion of potential actions and additional resources that allows
the system to continue functioning despite unexpected demands. When this margin shrinks, or is

lost, so is the ability to control the system when unexpected disrupting events begin to occur.
Systems and organizations that fail to manage and maintain sufficient margin of manoeuvre fall into
maladaptive traps that lead to systems failures (Hofmann et al., 2011; Woods et al., 2011).
The Functional Analysis Method (FRAM, Hollnagel, 2012) aims to capture the dynamics of complex
socio-technical systems by modelling the non-linear dependencies and variability which the functions
experience. A FRAM analysis assesses the potential variability of each function, defines the functional
resonance based on possible dependencies amongst functions and potential for functional variability.
The method has been applied to real-world problems (e.g. transportation, healthcare). The method
provides qualitative results e.g. proposal for increasing wanted variability or damping unwanted
variability, ways of monitoring variability.
Q4-Balance framework (Balancing Economy-Safety Trade-offs) proposes visual and conceptual basis
to support effective decision-making by developing and utilizing a balanced portfolio of indicators.
Performance indicators fall into a space defined by two dimensions: reactive-proactive and economysafety.
The structure reveals an emergent pattern where indicators can be grouped into four classes -
- economy-reactive, economy-proactive, safety-reactive, safety-proactive. The Q4-balance
framework is associated with the notion of safety energy. This notion aims at qualifying efforts and
resources the organization is devoting and at assessing its capability to be proactive in safety
management. The notion emphasizes the fact that such resources are necessarily finite and that they
are consumed by a variety of conflicting tasks (Woods et al., 2013).
SCALES Framework combines principles from Enterprise Architecture and Resilience Engineering
proposing a tool prototype with a set of generic guidelines showing how resilience related indicators
could be identified using different viewpoints. This prototype is developed as a semantic wiki to
further support the analysis of the system from different views considering organizational, human
and technological aspects. It includes a new resilience viewpoint integrated into the modelling
prototype connecting resilience theoretical concepts into practical application. It combines resilience
abilities to monitor, anticipate, respond and learn from changes, as well as to more concrete
resilience engineering themes such as flexibility, cross-scale and cascades. This represents
advancements on practical representations for resilience analysis. The web-tool includes the
application of the SCALES Framework to four cases (delivered open source to promote its use,
Herrera et al., 2016, SCALES, D1.3 and D1.4).
Saurin (2015) argues for the concept of slack as important for resilience engineering (RE). His
argument, is that slack can be seen as a source for dealing with both expected and unexpected
varying conditions. This concept is described as the pool of resources in an organization that is in
excess of the minimum necessary to produce a given level of organizational output. It relates to
means available spare resources, of any sort, which can be called on in times of need. A distinction
between slack-as-imagined (SAI) and slack-as-done (SAD) to identify indicators is proposed as a
parallel with the distinction between work-as-imagined as work-as-done, proposed by Hollnagel
(2012). Both the imagined and actual slack should be checked against expected and actual deployed,
respectively. This may help to identify effective ways to manage resources.

Indicators for resilience potential
Resilience indicators can be related to essential abilities to anticipate, monitor, respond and learn.
The following terms are associated with resilience indicators across the resilience engineering
literature: graceful extensibility and sustained adaptability, margin of manoeuvre, buffering capacity
including redundancy and resourcefulness, flexibility, cross–scale interactions, communication,
coordination, timing and synchronization (Mendonça et al., 2015).
The examples above illustrate ongoing efforts to develop approaches and tools for revealing,
assessing and managing resilience when facing expected and unexpected challenging conditions.
Resilience Engineering addresses the need for better tools for forecasting, change and crisis
management and collective action within and across different systems and organizations at different
stages before, during and after everyday operation and crisis. The approaches and tools mentioned
above are still in an early phase and further developments are needed and expected in particular
concerning their practical use.
Formalizing Resilience Concepts for Critical InfrastructureHynes, W.M., Purcell, S.M., Walsh, S.D. Ehimen, E.1
Formalizing Resilience Concepts for Critical Infrastructurei
Hynes, W.M.1, Purcell, S.M.1, Walsh, S.D.1, Ehimen, E.1
1Future Analytics Consulting Limited
Keywords: Resilience, Critical infrastructure, Risk management, Crisis
In an era that has seen a multitude of high impact disasters ranging from natural events such as
earthquakes, floods, tsunami’s, volcanic disruptions to man-made acts of terrorism and cyberattacks,
there is a pressing need to assess the resilience of modern societies to withstand and recover from
unexpected adverse events, with a particular focus on critical infrastructure (CI) (as defined by
Council Directive 2008/114/EC. Unsurprisingly, against the backdrop outlined above concepts of
resilience which offer all-encompassing, integrated approaches to planning for, responding to and
recovering from all manner of man-made and natural disasters have dominated recent discourse on
disaster and crisis reduction and management. In this regard, the frequency and severity of impacts
of disaster and crises events have channelled attention to vulnerable physical assets,). The removal
or suspension of critical infrastructure assets from normal service would significantly affect public
safety, security, economic activity or environmental quality (Clarke et al., 2015).
Resilience building in cities has grown in importance with a number of global programmes which
have promoted the importance of urban resilience. A notable example is the Rockefeller
Foundation’s “100 Resilient Cities Campaign” (100RC), which provides economic grants for
international cities to improve their resilience, as well as producing some more generic guidance
on the topic. Interestingly, and in contrast to some of the more technical approaches seen
elsewhere, 100RC identifies the enhancement of resilience as more of an organisational challenge.
Following extensive academic, policy and practice literature reviews pertaining to the topic of
resilience, three typologies or qualities of resilient systems have been identified by 100RC: assetbased
characteristics (e.g., hazard proofed infrastructure); practices or process-based characteristics
(e.g., community involvement in planning) and attributes (e.g., flexibility and adaptability); these are
assessed against eight qualities that underpin these typologies across the urban system:
• Acceptance - of uncertainty with foresight incorporated in system design
• Reflective - evidence of learning from previous events
• Adaptive - tacit and corporate knowledge used
• Robust - systems can withstand loss of functionality
i This paper is part of the IRGC Resource Guide on Resilience, available at:
resilience/. Please cite like a book chapter including the following information: IRGC (2016).
Resource Guide on Resilience. Lausanne: EPFL International Risk Governance Center. v29-07-2016

• Resourceful - spare capacity is available when systems fail
• Integrated - information is shared across sectors
• Diverse - assets are distributed across the city to ensure that risk is not
• Inclusive - marginalised communities are included in resilience vulnerability
measurements and plans.
The approach demonstrated above is indicative of the transition which is occurring in the
understanding of resilience as the measure, metric and indicators that we employ to evaluate our CI
systems become more nuanced and multifaceted. Vugrin et al. (2010) recognises the need for the
expansion of resilience considerations to transcend the quantitative and there is now a concerted
move within by practitioners to move toward more holistic means of CI resilience evaluation.
The greatest strength of the concept of resilience is its multidisciplinary origin, as outlined succinctly
in Clarke et al. (2015). It is the origin of the concept of resilience that hints at the manner in which is
best advanced as an important discipline in the management of adverse events which strike CI
works, that is an adaptive synthesis of quantitative and qualitative understanding of the impacts of an
adverse event on CI networks and the society that they serve. In terms of resilience vs. risk
management as outlined in Clarke et al. (2015), the advantage of resilience as a concept and through
its application in comparison of the narrow confines of risk management thought and theory is the
scale at which resilience-focused methodologies can conceive of and react to adverse events. Clarke
“The widening of the resilience metaphor and its application within a broader policy arena fits
with the complexity and interrelated nature of truly ‘global’ or ‘globally significant’ events that
combined exogenous and endogenous forces (such as climate change/environmental disasters)
and influence anthropogenic systems and infrastructures at a variety of spatial scales.
Events during the early part of the 21st century such as Hurricane Katrina in 2005, the global
economic recession and credit crunch between 2008 and 2013, and the 2011 Tohuku
earthquake demonstrate a need for responses which are multi-agency (vertical and horizontal
integration) and multi-scalar (global-national-regional-local) where the initial shock poses a
threat to integrated ‘systems’, and often illuminate more persistent stresses at a local and
regional scale” [p 14].
The reasoning advanced above truly conceives of the need for an expansive concept of resilience
which truly engages with the vast potential impact of adverse events on CI as opposed to
quantitatively defined and narrowly focused risk management strategies.
Instruments for Resilience Management
Enhancing the rresilience of communities and infrastructures requires an understanding of how the
activities of crisis planning and planning are carried out. Gaining this understanding is an aim of the
Realising European ReSILiencE for Critical INfraStructure (RESILENS) project in order to create a userfriendly,
citizen centric European Resilience Management Guideline which is founded in the principles

of risk management and vulnerability reduction. To this end the research will include an analysis of
the various activities involved in maintaining the safety and security of people and property, including
the analysis of emergency response plans, systems and procedures in order to establish the nature of
the various elements that go into the planning and organisation of crisis and emergency response,
crisis prevention and resilience assurance. The research will result in the development of a detailed
‘Concept of Operations’ (CONOPS) model (Future Analytics Consulting, 2015), which is a description of
a system or system of systems based on a number of critical elements. These include:
• Actors: looking at the human factor in resilience including the role of individuals and
organisations; citizens and planners, operational emergency response personnel and crisis
managers; service providers and their operational and management staff;
• Roles: (defined in terms of the distinct activities involved in everyday resilience as well as
crisis management, with their own distinct objectives);
• Interdependencies and relationships: in terms of the extent to which there is a division of
labour between different actors, examining the points of intersection between actors in the
various systems we will be examining;
• Organisation: referring to the structure, horizontal and vertical, within agencies and also
between agencies;
• Resources: This is primarily concerned about information and human resources (but all
resources that are relevant to crisis management are considered).
• Coordination and communication: mechanisms used primarily by civil protection, but also
those used by citizens in response to major emergency and crisis events.
• Conflicts and contradictions: examining for areas where the activities of personnel and
organisations may not be harmonious, where there are potential conflicts in terms of legal
and regulatory issues, resources limitations, suitability of education and training, etc.
This type of analysis will facilitate the development of quantitative and qualitative metrics formed
and influenced by the characteristics out the above, by which resilience-enhancing outputs can be
measured and assessed in practice by expert practitioners maintaining and managing the upkeep of
Assessing the performance of the deliverables against the needs identified by the above elements will
be key in terms of ensuring that the approach to CI resilience is effective in safeguarding societal
processes before during and after times of crisis. In addition, illustrating the expansiveness of
resilience and the comparatively narrower remit of risk management, this section will review two
different approaches to the protection of CI. It should be noted that ISO/TC 292 Security and
resilience is in the process of examining international standards relating to the application of
resilience through the lens of standardisation. The existence and work of this committee is a step
toward the remediation of resilience centric gaps in existing ISO standards, such as ISO31000-Risk
Management-Principles and guidelines”.
“ISO31000-Risk Management-Principles and guidelines” illustrates effectively the rationale and
approach of a risk management focused methodology which intersects with considerations relating to

resilience. The principles and guidelines are flexible in terms of the manner in which it can be applied.
The manner in which ISO31000 functions is succinctly described in Clarke et al. (2015) which states,
“ISO31000 begins by ‘establishing the context’, including factors such as local and
national policy, and using this as a baseline for assessment and management. The next stage is
‘risk assessment’, which also includes ‘risk identification’, ‘risk analysis’ and ‘risk
evaluation’, and often involves a variety of quantitative approaches. This can then be
translated into physical or organisational methods through ‘risk treatment’, whilst the final
stages of the approach are ‘monitoring and overview’ and ‘communication and consultation”
[p 35].
For a particular piece of infrastructure, this approach is rational and effective. It determines a risk,
assesses it, develops responses on the part of the CI operator which may contain or remediate that
risk and monitors the results. The scalability of this approach and its predominantly quantitative
nature, however, does constrain its ability to engage with qualitative markers at a higher spatial scale,
where the complexities of the end users of CI intersect with the systems themselves.
In terms of the optimal selection of indicators for the monitoring of resilience in practice, these can
be defined in a variety of manners. One of the more effective and comprehensive approaches to
deriving resilience indicators is the work that was undertaken by Argonne National Laboratory (ANL)
in the US in 2013. This is just one mechanism for the quantification of resilience related metrics.
There are others such as the UNISDR scorecard which are equally valid in terms of quantifying the
characteristics of resilience associated with critical infrastructure. Figure 1 below illustrates the
framework of the Resilience Measurement Index that ANL derived.
Figure 1: Resilience Management Index (Argonne, 2013)
Organizational Resilience - How Do You Know If Your Organization Is Resilient or NotLeena Ilmola1
Organizational Resilience – How Do You Know If Your Organization Is
Resilient or Not?i
Leena Ilmola1
1International Institute for Applied Systems Analysis (IIASA), The Global X-Networkii
Keywords: Resilience, Organizational resilience, Trust, Vulnerability, Resilience profile
There are two principle ways to approach resilience measurement; either to try to collect information
about as many functions as possible in an organization or to use an indicator that will reflect how an
organization is going to manage an unexpected event. I will describe both approaches and make a
recommendation of their applicability to different situations.
Emerging uncertainties of global systems present a challenge to decision making. Two features that
have a great impact on the nature of dealing with uncertainty are still mostly missing from the
resilience studies (Rockefeller 100 Resilient Cities, Resilience Alliance, Lee et al. 2013). First, the
models are frequently missing the main source of uncertainty: a reaction of a social system to a
disruptive event or a shock. The feedback of the social system is often pushing our well-planned
operations out of their trajectories and generates surprises. The second challenge of decision making
– often an outcome of the surprises generated by the social system - is how to know what is needed
for the situation in which we do not know what we do not know (ontological uncertainty). We will
present a decision-support application to meet both of these challenges.
The global social environment is so complex that it would be unrealistic to hope that we will ever
have sufficient information to reduce uncertainty (Anderson 1999, Courtney 2003). Within our
research community (Global X-Network) we are dedicating our research to the study of uncertainties
and the development of decision-making tools that are needed.
The framework used in this chapter (Ilmola et. al 2013) defines resilience by introducing four A’s:
awareness, adaptation, agility and active learning. For us resilience is not ‘bouncing back’, but
bouncing actively forward.
i This paper is part of the IRGC Resource Guide on Resilience, available at:
resilience/. Please cite like a book chapter including the following information: IRGC (2016).
Resource Guide on Resilience. Lausanne: EPFL International Risk Governance Center. v29-07-2016
ii The Global X-Network “GXN” is a self-organized network of Asian, European and North-American researchers
that are studying uncertainty and surprise. Resilience development is one of the strategies (the other strategy
is to invest in anticipation of changes) that can be applied to uncertainty. The network has studied resilience in
national, regional and organizational levels. (

Figure 1: Resilience measured by performance over time.
Trust Indicator - Social systems and surprises
Risk analysis is dedicated to deal with the “known unknowns” (epistemological uncertainty). Outside
of this are “unknown unknowns” (ontological uncertainty), the reactions of social systems define the
level of performance (in picture 1) of our organization. To understand the resilience of the social
system, we need a brief description of some of the principles of the dynamics of social systems.
The main purpose of the social system is to distinguish itself from the other systems (Berger and
Luckmann 1966) and from its environment. For this purpose, the social system is building,
maintaining and defending its identity (Luhmann 1995). Part of the identity is the perception of
values, rules and procedures. The shared perception of the environment outside (market) is
necessary for predictability and efficient actions. The need for stabilization is so strong that the
process will continue until the organization is so stable (=rigid) that even a small disruption will shake
the system and even collapse it.
Surprises emerge from situations where the existing perceptions of reality are challenged, and we
feel that we do not have enough information about the situation. When the existing procedures are
not applicable anymore, people have to decide what to do; to optimize for their benefit or to
improvise to maintain the organization’s goals. In this situation, we use our identity as guidance, in
the best of the cases we are guided by our identity, such as “in this company, we will never leave our
customer in trouble” instead of maximizing our benefit.
According to research about the resilience of social systems (Ilmola and Casti 2013, Ikonen 2013,
Kouvo 2014, Mayer, Davis and Schoorman, 1995, Sztompka 1999), it seems that the social systems
that have strong trust are less prone to a selfish or even disruptive mass behavior. Trust can be
defined as the willingness of a party to be vulnerable to the actions of another party based on the
expectation that the other will perform a particular action important to the trustor, irrespective of
the ability to monitor or control that other party (Mayer et al. 1995 p. 712). This trust can be a trust
of peers, superiors or institutions (Kouvo 2014, Zhang and Wang 2010).

We claimed at the beginning of this chapter that we can prepare even for unknown unknowns and
reached even one step further by saying that we can measure the capability to improvise when the
situation is shaped by unknowns. Our recommendation is to focus on trust measurement.
The method is simple: we present to members of an organization a set of pictures (see Figure 2) ask
them to define which picture is best describing their perception about the future of their
organization and then to describe with a couple of sentences why they choose the picture. The
explanations are analyzed with a simple text mining tool, and results will reveal
positiveness/negativeness of trust on future.
Figure 2: We are using an indirect way to reveal what people feel. First, a respondent chooses the picture that tells about
today and the future, and then we ask him to tell us why this picture was the best one. Images themselves are not
important, but the 2-3 sentences reveal a lot. The method is called semiotic image wall.
In our studies, we have found out that in those organizations where planning procedures are
participative, the trust on the organization and its future is higher. When the Trust Indicator decribed
above shows low results, it is time to invest in participatory strategy processes, or even to train
extreme events together.
Resilience Profile - Vulnerabilities and sources of resilience
The systematic development of resilience as a capability requires an in-depth understanding of
organizations' vulnerabilities and current sources of resilience. A single indicator cannot provide
developers enough insight needed for well-justified resilience investments. The Resilience Profile
approach is a step towards the deeper understanding of gaps between requirements and reality.
The Resilience Profile measurement system presented below is based on an analysis of resilience
with several scopes; national (Ilmola and Casti 2012), regional (Ilmola and Rovenskaya 2016) and
organizational .The aim of the approach is to identify and measure those features that build generic

resilience. The research has been case-driven, and exploratory. The choice was necessary because
the theoretical frameworks available, such as Complex Adaptive Systems (CAS) theory (Anderson
1999) and ecosystems resilience literature (Folke 2006) are very generic.
The data needed for analysis is collected from people in an organization. A data collection methods
suite consists of different methods such as surveys, systems mapping, structured participatory
analysis, stories about previous shock incidents and Robust Portfolio Modeling (Liesio and Salo 2012).
The Resilience Profile consists of four main resilience dimensions (see Figure 3 below); operations,
structure, planning, and resources. Each dimension is divided into 3-4 factors.
• 'Operations' consists of culture, the speed of reaction, trust, and experience (or exercises) of
disruptive incidents.
• 'Structure' consists of structure, infrastructure and layers
• 'Planning/strategy' consists of an organization’s perception of the environment, the
vulnerability of key strategies, and the width of the focus (vision/mission) of the
• The 'Resources' of the organization are described with four factors. These are a mix of
competencies, redundancy, diversity, and mobility.
Figure 3: The Resilience Profile is divided into 14 specific features of four dimensions: O=operations, S=structure,
P=perception, and R=resources. This figure illustrates and compares the profile of two cities.
The resilience analysis described above produces a report of an organization’s resilience profile,
comparison to another similar organizations and description of sources of resilience and key
I have presented above two resilience measurement frameworks, a 'fast-to-apply' indicator (the
Trust Indicator) and a more detailed framework for identification of Resilience Profile. The Trust
Indicator is recommended to use when uncertainties are typically “unknown unknowns” and

organization cannot invest a lot in resilience analysis. The Resilience Profile analysis is justified when
resilience is an essential means of competition and the organization will systematically invest in
resilience development.
Principles for Resilient Design - A Guide for Undestanding and ImplementationScott Jackson1
Principles for Resilient Design - A Guide for Understanding and
Scott Jackson1, 2
1Burnham Systems Consulting – Greater Los Angeles Area
2University of South Australia
Keywords: Resilience, Principles, Design, Processes, Heuristics, Measurement, Adversity, Capability
In the context of engineered design, according to the International Council on Systems Engineering
(2015) resilience is “the ability to provide required capability in the face of adversity”. Resilience is
somewhat different from risk. While risk pertains to the loss of value due to uncertain future events,
resilience has to do with designing a system to maintain a pre-designated level of capability following
a disturbance. A key consideration of resilience is the concept of satisficing as described by Adams et
al. (2014, p. 118). Satisficing means that the desirable end state of a system is an acceptable level of
functionality and that full recovery is not necessarily required.
Resilience Perspectives
Within the study of resilience there are two perspectives: reactive and proactive. Traditionally
resilience has been considered to be a reactive concept, that is, the study of the effect on a system
following an encounter with a disturbance. Psychology, materials science, and ecology have adopted
this perspective. Even some work in engineering has also adopted this perspective, for example,
Haimes (2009, pp. 498-501). On the other hand, the study of resilience in an engineering context has
adopted the proactive perspective, that is, it considers events prior to the encounter with the threat.
Foremost among these sources, the book by Hollnagel et al. (2006, p.36).
Resilience Principles for an Engineered Design
If a current design is not resilient, these are the features that need to be added to the system to
make it resilient. There are two types of principles, physical and process principles. In addition, all
principles are abstract. As described in Table 1, physical redundancy, for example, is an abstract
physical principle. All it says is that the system should consist of two identical branches with equal
functionality. A communications system, for example, is a concrete system; a communications
i This paper is part of the IRGC Resource Guide on Resilience, available at:
resilience/. Please cite like a book chapter including the following information: IRGC (2016).
Resource Guide on Resilience. Lausanne: EPFL International Risk Governance Center. v29-07-2016

system with two identical and independent branches is a concrete example of a system with physical
redundancy. Also described in Table 1, loose coupling is an example of an abstract process principle.
Electrical power systems are typical concrete systems that incorporate this principle.
• Support Principles
1. Absorption – The system should be capable of withstanding the design level disruption.
Hollnagel et al. (2006)
• Margin – The design level should be increased to allow for an increase in the disruption.
Hollnagel et al. (2006)
• Hardening – The system should be resistant to deformation. Richards (2009)
• Context spanning – The system should be designed for both the maximum disruption level
and the most likely disruption. Madni (2008)
• Limit degradation – The absorption capability should not be allowed to degrade due to
aging or poor maintenance. Derived; Jackson and Ferris (2013)
2. Restructuring – The system should be capable of restructuring itself. Hollnagel et al. (2006)
• Authority escalation – Authority to manage crises should escalate in accordance with the
severity of the crisis. Maxwell et al. (2009)
• Regroup - The system should restructure itself after an encounter with a threat. Raveh
3. Reparability – The system should be capable of repairing itself. Richards (2009)
4. Drift correction – When approaching the boundary of resilience, the system should be able to
avoid or perform corrective action; action can be taken against either real-time or latent threats..
Hollnagel et al. (2006)
• Detection – The system should be capable of detecting an approaching threat. Derived:
Jackson and Ferris (2013)
• Corrective action – The system should be capable of performing a corrective action
following a detection. Derived: Jackson and Ferris (2013)
• Independent review – The system should be capable of detecting faults that may result in a
disruption at a later time. Derived, Haddon-Cave (2009)
5. Cross-scale interaction – Every node of a system should be capable of communicating,
cooperating, and collaborating with every other node. Hollnagel et al.
• Knowledge between nodes – All nodes of the system should be capable of knowing what
all the other nodes are doing. Billings (1997)
• Human monitoring – Automated systems should understand the intent of the human
operator. Billings (1997)
• Automated system monitoring - The human should understand the intent of the
automated system. Billings (1997)
• Intent awareness – All the nodes of a system should understand the intent of the other
• Source: Billings (1997)
• Informed operator - The human should be informed as to all aspects of an automated
system. Billings (1997)

• Internode impediment – There should be no administrative or technical obstacle to the
interactions among elements of a system. Derived from case studies
6. Complexity Avoidance – The system should not be more complex than necessary. Madni (2009),
derived from Perrow (1999)
• Reduce Variability – The relationship between the elements of the system should be as
stable as possible. Marczyk (2012)
7. Functional redundancy – There should be two or more independent and physically different
ways to perform a critical task. Leveson (1995), Madni (2009); Leveson uses the term “design
8. Physical redundancy – The system should possess two or more independent and identical legs to
perform critical tasks. Leveson (1995); Leveson uses the term “design redundancy”
9. Defence in depth – The system should be capable of having two or more ways to address a
single vulnerability. Derived from Reason (1997)
10. Human in the loop - There should always be human in the system when there is a need for
human cognition. Madni (2009)
• Automated function – It is preferable for humans to perform a function rather than
automated systems when conditions are acceptable. Billings (1997)
• Reduce Human Error – Standard strategies should be used to reduce human error. Derived
from Billings (1997) and Reason (1990)
• Human in Control – Humans should have final decision-making authority unless conditions
preclude it. Billings (1997)
11. Loose Coupling – The system should have the capability of limiting cascading failures by
intentional delays at the nodes. Perrow (1999)
• Containment – The system will assure that failures cannot propagate from node to node.
Derived; Jackson and Ferris (2013)
12. Modularity. Madni (2009), Perrow (2011) the functionality of a system should be distributed
through various nodes of that system so that if a single node is damaged or destroyed, the
remaining nodes will continue to function.
13. Neutral State – Human agents should delay in taking action to make a more reasoned
judgement as to what the best action might be. Madni (2009)
14. Reduce Hidden Interactions – Potentially harmful interactions between elements of the system
should be reduced. Derived from Leveson (1995) and Perrow (1999)
Table 1: Resilience principles and sources
Most of the principles are in reality heuristics rather than scientifically accepted principles meaning
that they are practices adopted by experts in the various domains based on their experience. As
heuristics the designer can be confident that they will be effective most of the time but not all of the
time. Hence each principle can be expected to exhibit a vulnerability meaning that its incorporation
may actually lead to occasional failures. This fact leads to the incorporation of one of the most
important principles, the principle of defence in depth, meaning that second and third principles may
be required to compensate for the vulnerabilities of the primary principle.
Jackson and Ferris (2013, pp. 152-164) have identified the principles that include both architectural
physical and process principles. This paper also identifies those principles that would most likely be
used as backup principles. They are called dependent principle. Among these there are 14 primary

principles and 20 support principles. The primary principles are applicable across the broadest range
of domains and scenarios. The support principles are a subset of the primary principles, that is, they
apply to a defined limited set of conditions. The following paragraphs discuss two of the most
important principles: absorption and restructuring. The reader is referred to the Jackson and Ferris
paper for a more exhaustive discussion of the principles and the support principles. Table 1 presents
the complete set of primary and support principles.
Regarding the absorption principle, in very few cases can the system absorb all possible threat levels.
That is when the defence in depth principle come into play. A good example is the US Airways Flight
1549, also known as the Miracle on the Hudson case described by Pariès (2011, pp. 9-27). In this case
the aircraft was unable to absorb the flock of geese that it had struck (the absorption principle), so it
was forced to employ the functional redundancy principle (alternative sources of power and control)
and the human in the loop principle (the pilot). The result was an example of satisficing in which the
aircraft was lost while the humans were saved.
The best example of the use of the restructuring principle is when the authorities in New York were
able to deploy a spontaneous power system after the World Trade Centre attacks to restore power
within five hours as described by Mendoça and Wallace (2006, pp. 209-219).
Finally, after having identified all the possible principles, how does the analyst decide which ones
constitute a solution for a resilient system for a specific case? The answer to that question requires a
little more analysis. The reader is referred to the paper by Jackson, Cook and Ferris (2015). This paper
describes the path of a system from a nominal operational state to a final acceptable and satisficing
state. This path is called a state-transition analysis. It defines seven possible states in which the
system can exist and 28 possible transitions from state to state. Each transition will require the
employment of one or more principles. In reality the number of practical principles will be very small,
at least it is hoped. In short these principles will constitute the candidate principles for a final
solution and will be the inputs to a simulation to determine the most appropriate one for a given
Measurement of Resilience
The measurement of resilience is dependent on what information is available and when is it
available. This section defines four stages and the level of measure that may be possible in each
Stage 1 – A system exists and no improvements have been made. Its vulnerability is well known
from events in the past. For example, prior to the San Francisco Earthquake and Fires in 1906 the city
lacked a redundant water system. The events of 1906 left the city without water with which to
extinguish the fires. In agreement with Haimes (2009), measurement of resilience in this phase would
be very difficult since the characteristics of the system are unknown.
Stage 2 – In this phase resilience principles have been invoked to improve the resilience of the
system. The most useful metrics are the principles that result from the recommendations of experts
in each domain. In short a compilation of these recommendations and their frequency would
constitute a valid and useful metric.
Stage 3 - At this point specific designs will have been defined with the appropriate principles
incorporated in them. These characteristics will have been incorporated into a computer model to
simulate the encounter with the threat and the resulting condition of the system being defined. In

addition, threat and the encounter of the threat will also be in the model. This is the stage at which
the highest quality metrics would be possible. Ganin et al. (2016) have proposed metrics which can
be quantified and evaluated during this phase.
Stage 4 - At this point the system will have been built and it will have encountered the predicted
threat. It will be possible to determine what actually happened and how much of the system
including humans survived. Unfortunately there are very few cases like this. In short, it cannot be
expected that many good metrics will come out of this phase.
Use of Indicators for Assessing Resilience of Smart Critical InfrastructuresA.S. Jovanovic, N. Schmid, P. Klimek, A. Choudhary1
Use of Indicators for Assessing Resilience of Smart Critical
A. S. Jovanovic1,2, N. Schmid2, P. Klimek2,3, R. Egloff4
1EU-VRi, Germany, 2Steinbeis Advanced Risk Technologies, Germany, 3Medical University Vienna,
Austria, 4SwissRe, Switzerland
Keywords: Resilience, Smart infrastructures, Open data, Big data, Resilience indicators
Resilience of modern societies is largely determined by and dependent on resilience of their critical
infrastructures such as energy grids, transportation systems, governmental bodies or water supply.
This is clearly recognized by the European Union in its policies and research agenda, such as the DRS
actions and projects (DRS: Disaster-Resilience: Safeguarding and securing society, including adapting
to climate change). In this context, the issue of “measuring resilience” has an important place and it
can be tackled by means of resilience indicators, what was in the focus of the DRS-14 line of calls [1]
emphasizing the need for “… better understanding of critical infrastructure (and)… for defining
measures to achieve a better resilience against threats in an integrated manner including natural and
human threats/events (e.g. due to human errors or terrorist/criminal attacks)…”. The need for
guidelines and frameworks for resilience is particularly important in the areas of IT security and
related critical infrastructures, e.g. “smart infrastructures”. While the information technology
provides more and more possibilities to make critical infrastructures “smarter”, this may also create
new risks and vulnerabilities [2], [3]. In other words, although making an infrastructure “smarter” in
normal operations and use, it has to be checked if such a smart critical infrastructure will behave
equally “smartly” and be “smartly resilient” also when exposed to extreme threats, such as extreme
weather disasters or, e.g., terrorist attacks. Assuming that the resilience of an infrastructure is
defined as “the ability to anticipate, prepare for, and adapt to changing conditions and withstand,
respond to, and recover rapidly from disruptions [4] the current research effort tries to support the
quantitative assessment of the resilience by combining the “conventional” resilience indicators (e.g.
those from the standards) with the indicators possibly derivable from other sources [5].
The “Resilience Cube”: From conventional indicators, over Big Data to “one indicator”
The “conventional” resilience indicators are defined in various standards and guidelines (e.g. those of
organizations and institutions such as OECD, ISO, GRI, API, HSE, IAEA, or ANL) and these are normally
specifically envisaged as resilience indicators, possibly already accepted and applied in related areas,
i This paper is part of the IRGC Resource Guide on Resilience, available at:
resilience/. Please cite like a book chapter including the following information: IRGC (2016).
Resource Guide on Resilience. Lausanne: EPFL International Risk Governance Center. v29-07-2016

such as risk, safety, security, business continuity, sustainability. An overview done in the
SmartResilience project [6], lists over 400 of such indicators from different institutional and literature
sources. Many of these indicators, however, suffer from (1) the lack of data (needed to quantify an
indicator), (2) inconsistency among the indicators and (3) lack of specific agreed indicators needed
for the specific threat-vulnerability scenarios in a given infrastructure.
The situation results in the need to have an indicator-based methodology for resilience assessment
that will allow to include and consider:
1. New situation/scenario-specific resilience indicators proposed by experts (ad hoc, if
needed), as an addition to the indicators proposed in standards/guidelines, and
2. New resilience indicators derivable out of Big Data and Open Data
Obviously, the first extension helps solving the need to treat specific threat-vulnerability scenarios (of
a particular importance for new types of threats and new types of critical infrastructures, e.g. the
smart infrastructures), whereas the second extension helps solving the issue of data – big and open
data are abundantly and increasingly available nowadays.
The methodology under development ([2][6]) proposes to assign the relevance of all three categories
of indicators (“conventional”, situation-specific ones and the big/open data based ones) to 5 × 5
resilience matrix covering main phases of the resilience cycle (Understand risks, Anticipate / prepare,
Absorb / withstand, Respond / recover, and Adapt / learn) and different dimensions of the resilience
(System / physical, Information / data, Organizational / business, Societal / political and Cognitive /
decision-making). As for practical purposes too many indicators may become a burden, especially in
the case when the resilience of different infrastructures should be compared, the methodology
foresees to assign relevance of single indicators to different cells of the resilience matrix, i.e. one
indicator may be relevant for more than one phase or more than one dimension.
In practice, the indicators cannot be considered neither independent, nor standardized. Ideally, in
such a case, one would prefer dealing with one resilience indicator only. One indicator might be good
for comparison, but it can hardly represent the complexity of practical situations (e.g. complex
scenarios, unknown responses, uncertainties). The indicators from big/open data can be considered
“smart” in the sense that they (1) may involve data processing with sensing, actuating and
communication, (2) may include data from the knowledge bases of smart systems on infrastructures,
making them proactive/leading (what separates them conventional indicators which are primarily
reactive/lagging), (3) can be used to deal with, describe and, possibly, analyze complex situations,
and be used for predictions and autonomous decisions. These resilience indicators are of a particular
importance for “smart infrastructures”, i.e. infrastructures relying on smart systems in their
operation and functionality.
The methodology shown in Figure 1, combines the advantages of “one resilience indicator”
(convenient for use, but not transparent) with the advantages of many indicators (transparent, but
cumbersome). The methodology looks first at the threats and the characteristics of a given
infrastructure (primarily its vulnerabilities and risks). Based on this, it defines the scenario(s) leading
to the exposure of the infrastructure to the adverse event(s). The indicators are then grouped along
three main axes: conventional indicators, big data based ones and the resilience matrix based ones.
Other combinations of axes (e.g. the 2D resilience matrix vs “smartness” as the 3rd dimension)can be

considered, too. The result might be then visualized as the “resilience cube”. The point in the cube is
the “Compound Resilience Indicator” which can conveniently be compared or benchmarked among
different infrastructure/scenarios, but can be equally well decomposed (aggregated) to the single
indicators or groups of indicators included.
Adverse events
Smart city
Increasing LEVEL of
resilience indicators
(Level 1, Level 2, …)
towards BIG &
Increasing the number of
Figure 1: The SmartResilience project methodology: From indicators (SCIs and threats) to benchmarking and
identification of the “hot spots” (deficits, issues, problems) [2]
The “Resilience Cube”: Practical application
Once the set of indicators is considered/accepted as representative, the dynamic/”smart” resilience
assessment “check-list” can be created and used for the assessment of the respective SCI (e.g. water,
energy, smart city). One of the most pressing challenges in this context is to find trends and patterns
in the large and high-dimensional datasets that can be captured in intuitive indicators of high
practical use. Many infrastructures lend themselves exceptionally well to be analyzed from a complex
network perspective [7]. Many real-world networks (such as communication networks, metabolic
networks, or social networks) have a surprisingly high degree of robustness with respect to random
errors or perturbation. However, this robustness comes at the high price of extreme vulnerability to
targeted attacks. Network science methods have resulted in actionable information on network
vulnerabilities in response to disruptive events in the context of transportation [8], power [9], and
communications [10]. An additional challenge in the design of resilient infrastructures is that multiple
interdependencies between mutually dependent networks induce an additional component of
fragility [10]. The Compound Resilience Indicator (CRI) measures the combined resilience based on
the indicators coming from different sources. The Compound Resilience Indicator can be
represented, e.g., as the normalized sum of weighted sub-indicators (e.g. on a scale from 0 (no
resilience) to 1 (perfect resilience)). The result of the calculation of these indicator sets is the
resilience cube for a specific critical infrastructure. In real life, the Compound Resilience Indicator

would be a result of the combination of different functions for different critical infrastructures, which
theoretically differ in slope of the resilience reduction over time and starting value.
The proposed assessment method for resilience of Smart Critical Infrastructure will be practically
implemented in the SmartResilience project. If successful, it will allow to measure resilience
performance of different infrastructures and compare their performance over time, before, during
and after an adverse event. This would allow policy-makers to take decisions based on a coherent
and reliable assessment tool over time. As a consequence, comparability of resilience performance
could be enhanced. To sum up, while other resilience measurement approaches (such as the
Infrastructure Report Card 2013 [11]) compare different scales of resilience at a point in time the
proposed method would allow to better understand the result of a resilience assessment(since index
building is transparent and enables analysis of single indicators), better trace results of resilience
assessments in real time and better exploit indicators which can be derived from big and open data.
The approach proposed should allow to better understand and quantify the results of a resilience
assessment, make the process of the indicator building more transparent and enable analysis of
comparison along a freely definable sets of indicators. It should also improve the possibilities to trace
results of resilient assessments in real time better, and, thus, exploit the advantages offered by the
use big and open data indicators.
The paper is based on the Grant Agreement No. 700621 supporting the work on the SmartResilience
project provided by the Research Executive Agency (REA) ('the Agency'), under the power delegated
by the European Commission. This support is gladly acknowledged here, as well as the collaboration
of all the partners and persons involved.
Risk and Resilience Management in Social-Economic SystemsTatyana Kovalenko, Didier Sornette1
Risk and Resilience Management in Social-Economic Systemsi
Tatyana Kovalenko1 and Didier Sornette1
1ETH Zurich, Department of Management, Technology and Economics
Keywords: Resilience, risk, stress, uncertainty, predictability, dynamics, exogenous, endogenous,
adaptive management, black swan, dragon-king
Risk and Resilience as complementary measures of stress
We propose a definition of resilience as an important complement to risk. Both concepts describe
stress within a socio-economic system from two different angles, and together allow for a
comprehensive approach to governance and management. Stress is an internal response of a system
to a perturbation called stressor or stress-factor (Kovalenko & Sornette, 2013). Here, we think of
stress as a variable that characterizes the current (or potential) state of a system on a continuum
scale ranging from its normal functioning state (e.g. low average level of stress with bursts below
certain amplitude and time thresholds) to an unsustainable dynamics leading to a change of regime
(e.g. high average stress level with strong upward trend).ii In natural sciences, stress can be directly
quantified from its observable effects, for instance in the form of physical deformation of a stressed
body in engineering or a set of common non-specific physiological changes in living biological
organisms. In contrast, stress is hard to quantify in socio-economic systems. As in natural sciences,
socio-economic systems are complex and multi-scaled, subjected to a large number of exogenous
and endogenous factors, with feedback loops and coupling mechanisms. However, clearly
differentiating responses to exogenous from responses to endogenous stressors is made harder by
the existence of learning, anticipation and self-fulfilling prophecies, where beliefs govern actions with
feedbacks on processes. As an alternative, an indirect approach to measure stress was developed,
based on:
1) Risk (as the triplet of (i) probability/uncertainty, (ii) potential loss and (iii) mitigation
techniques, i.e. counter-measures to reduce vulnerability of a system) characterizes
possible environment- and system-specific stressors. By analogy with the Newton's third
law, risk is a proxy for a potential internal stress response of a system to these threats;
2) Resilience (as the four-level hierarchy of (i) local ‘engineering resilience’, (ii) non-local
‘ecological resilience’, (iii) ‘viability’ enriched with managerial impact and (iv) adaptation
and transformation mechanisms) embodies the inner capacity of a system to cope with
stressors of any nature (Kovalenko & Sornette, 2013). It characterizes the maximum
i This paper is part of the IRGC Resource Guide on Resilience, available at:
resilience/. Please cite like a book chapter including the following information: IRGC (2016).
Resource Guide on Resilience. Lausanne: EPFL International Risk Governance Center. v29-07-2016
ii In the present paper, we do not investigate long-term effects of different levels of stress on ability of a system
to respond to stressors. Prolonged extreme levels of stress may result in adverse changes of adaptive capacity of
under- or overstimulated system, resembling “poverty trap” and “rigidity trap” resp. (Carpenter & Brock, 2008).

amount of stress a system can bear without a functional disruption, the system dynamics
following a perturbation such as the speed of recovery of a traditional functionality, the
achieved level of performance or its transformation to a completely different state.
Adding value and filling gaps with resilience
First, as their definitions deriving from their common genesis – stress – attest, resilience and risk are
closely interconnected:
• The vulnerability of a system, being one of the constituents of risk, bridges it to
resilience: indeed, the susceptibility of a system to risks and its ability to sustain stress
intersect greatly and may be affected by the same managerial actions (mitigation
• When trying to balance costly universal resilience and profitable but stripping
optimization, risk measures can be important indicators of a required level of resilience.
Second, resilience and risk measures are complementary:
• Focusing on the components of risk and resilience that can be expressed in the same
units (e.g. risk exposure vs. maximum loss that a system can withstand), comparison of
their relative values is useful to choose an appropriate response to a stressor. ‘Normal’
stress, when risks are significantly smaller than the system resilience, induces a ‘fight’
response with negative feedbacks and return to an equilibrium state. When the risk
level becomes comparable to the resilience level, a ‘fly’ response is often initiated by
employing risk-avoidance or environment-adaptation strategies. ‘Extreme’ stress, when
resilience is insufficient, requires a major transformation of the system via positive
feedback mechanisms;
• Resilience plays a distinct and crucial role in uncertain environments (which resonates
with the IRGC view), when standard risk management techniques fail to adequately
quantify or even detect existing hazards. This category includes exposure to:
a) extreme risks, which are characterized by heavy/fat-tailed distributions with
undefined mean and/or variance (e.g. existing models for operational risk are
often considered to be unrealistic in capturing the peril of human failure or a
cyber security breach),
b) slow-moving risks, which are difficult to identify and monitor,
c) surprise factors associated with Knightian uncertainty of unknown unknowns
(popularized under “black swans” (Taleb, 2007));
• Finally, complex socio-economic systems, with nontrivial micro-macro relations, may
d) unsustainable dynamics and gradual maturation towards an instability leading to
a bifurcation and potentially large impact events (captured under the concept of
“dragon-kings” (Sornette D. , 2009), (Sornette & Ouillon, 2012)).
In any context, resilience serves as a ‘safety buffer’, i.e. an all-purpose resource to withstand a nonspecific
stress response of a system to any demand.

Instruments for resilience management
As risk and resilience are interconnected and complementary concepts, their governance and
management structures may be similar, but specialized accordingly. We emphasize the following
systemic elements for resilience build-up:
• clear statement of (measurable, multidimensional) goals to resolve conflicts of interests
between time-scales (short- vs. long-term) and beneficiaries (individual vs. community);
• development - via investment, education and regulation - of fundamental values, right
incentives and fair remuneration;
• strengthening of institutions for contract enforcement; implementation of transparency
and accountability mechanisms;
• diversification and fostering of heterogeneity, as a reservoir of adaptive capacity;
• decoupling of key components to decrease systemic risk and susceptibility to cascade
Active (biological and socio-economic) systems put stress to use as a driving force of their evolution
towards better fitness to changing environments. In particular, stochastic or deliberate stressors are
useful for the
• identification and characterization of stress via the system response to perturbations;
• measurement of stress, e.g. via risks and resilience;
• catalysis of learning, which promotes adaptation through feedback mechanisms, and
selection of specific favorable features;
• excitation of the system’s readiness, maintaining an attentive and engaged state.
Depending on (i) the level of stress induced by environmental demands or endogenous processes
and (ii) the degree of uncertainty/predictability of a system, we suggest four risk and resilience
management regimes, with their corresponding response mechanisms and management
instruments (figure 1), which can be grouped into two subgroups according to the stress elevation,
‘normal’ to ‘extreme’.
‘Normal’ stress, when addressed timely, usually does not endanger the very existence of a system.
Negative feedbacks are appropriate and adaptation (co-evolution) of a system to (with) stressors
• “Ad hoc management” can be applied to cope with ‘normal’ stress for unpredictable
complex systems in a highly uncertain environment. This regime is characterized by
self-organization, decentralization of management functions and delegation of
• “Adaptive management” (Allen & Garmestani, 2015) operates an iterative learning
methodology to reduce high management uncertainty in systems with low-tointermediate
spatial and temporal variability. Within this approach, reversible
repetitive interventions are preferable, which produce visible effects on a timescale of
iii As an interesting illustration, the development of advantageous attributes of human society such as
cooperation and exaggerated risk taking by males have been shown to be driven by its co-evolution with external
and internal stressors, such as competition between groups (Hetzer & Sornette, 2013), (Hetzer & Sornette, 2013)
or individual males (Favre & Sornette, 2012), (Baumeister, 2010).

months to years rather than decades. Inclusiveness of stakeholders, strong leadership
and community involvement enable this regime.
Extreme stressors truly determine the environmental landscape and the evolution of the system.
Thus, positive feedbacks should be employed for the radical transformations needed to adapt to the
new conditions.iv Centralization, focus on key functionality and mobilization of resources are
required. The outstanding importance of extreme events is reflected in the choice of memorable
names (Black swans and Dragon-kings) personifying the following regimes.
• The “Black swan” regime requires a management approach that deals with
unpredictable exogenous disturbances of a large impact. Quantitative estimation is
problematic. Critical areas should be identified and accounted for in a contingency
plan; strategies to avoid most adverse trajectories must be implemented. The
resilience of a system, its ability to react fast and transform when needed is essential.
• The “Dragon-king” regime, in contrast, suggests that certain types of extreme events are
predictable. These events are the outcome of the system dynamics progressively
approaching an instability leading to a transition to another mode. Monitoring and
early warning signals should be a part of management practice; interventions are timesensitive
and include preparations to a possible change of course.
Figure 1: The four quadrants of risk and resilience management regimes corresponding to the system’s degree of
uncertainty/predictability and stress level within it.
iv For example, cardinal political and economic changes are often associated with extreme shocks and generic Jcurve
dynamics (Challet, Solomon, & Yaari, 2009), (Yaari, Nowak, Rakocy, & Solomon, 2008). This type of
transitions is characterized by an initial phase of significant recession followed by a recovery, when the renewed
system can outperform its preexisting level due to its better evolved fitness.

In all regimes, the resilient evolution of a socio-economic system towards a desired state requires a
combination of (i) structured and strict evidence-based assessment and decision-making processes
and (ii) flexibility and diversity in the considered alternative policies. The essential ingredients of
management success are scientific rigor of implementation and high quality of data. (Chernov &
Sornette, 2016) analyses numerous case studies and provides recommendations to facilitate
knowledge acquisition and transparent communication in order to prevent distortion and the
scourge of information concealment.
Metrics of resilience
Development of a complex system resilience calls for a multidimensional measurement approach,
corresponding to multiple goals, risk factors and time scales. It includes the following steps.
1) Identification of stressors, their classification (exo-/endo-factors). E.g. specific dynamical
patterns observed before or after extreme events were shown to be characteristic of
the (exo-/endo-) nature of the triggering factors. This is relevant to many complex
systems (Sornette & Helmstetter, 2003), (Sornette D. , 2005), and have been applied to
financial shocks (Sornette, Malevergne, & Muzy, 2003), commercial sales (Sornette,
Deschatres, Gilbert, & Ageon, 2004), and YouTube videos views (Crane & Sornette,
2) Quantification of dependencies between risk factors, with increased attention to
extreme risks (Malevergne & Sornette, 2006);
3) Integration of both probabilistic measures of stress: (a) risks (observation of event
probabilities, losses, vulnerability of the system) and (b) resilience (“exploration” of the
stability landscape, e.g. characterized by its latitude, resistance, precariousness and
panarchy (Walker, Holling, Carpenter, & Kinzig, 2004));
4) Development of direct measures of stress. E.g. for financial system, the “crash hazard
rate” can be interpreted as a direct measure of the level of stress through its theoretical
link to the excess bubble price (Johansen, Sornette, & Ledoit, 1999), (Johansen, Ledoit, &
Sornette, 2000), (Yan, Woodard, & Sornette, 2012).
5) Quantitative measurement and characterization of the dynamics. E.g. different levels of
resilience hierarchy can be used for a different time scales.
The following quantitative metrics pertain to each of the four risk and resilience management
• “Ad hoc management”. While the system is here characterized by low predictability and
its stressors are stochastic, the high frequency and low severity of the latter allow for
standard risk measures, such as quantile-based approaches (e.g. value-at-risk or
conditional value-at-risk, i.e. expected shortfall), based on historical records, to
determine adequate passive defense measures: margin levels, reserves, capital buffers,
provisions, and so on.
• “Black swan”. The intrinsic uncertainty and the significant impact of these extreme
events call for imaginative ‘what-if’ scenario analysis, and prudent stress-testing.
Option and other derivative strategies are typically put forwards for passive defense.
However, these countermeasures involve risk-taking (and at the extreme gullible)

• “Adaptive management”. Carefully designed and controlled management experiments
are iteratively maintained to determine effective, and – importantly – scalable, costefficient
policies. The methodology emphasizes:
o incorporation of knowledge about different aspects of the system from a broad
range of stakeholders,
o model development and formulation of alternative testable hypotheses,
o carefully monitored and controlled experimentation to test and falsify the working
o analysis and evaluation of the obtained data, adjustments of the models and
management practices.
• “Dragon-king”. The system dynamics close to a change of regime contains early
warning signals, allowing for the probabilistic estimation of the time and severity of
the incoming transition. The theoretical underpinning of this predictability stems from
bifurcation theory applied to dynamical systems: the fundamental reduction theorem
states that, close to a change of regime, a system can transit from one state to another
one only in a small number of ways, with a collapse from high to low dimensionality of
the relevant variables and control parameters. These transitional “normal forms” have
been systematically classified (Thom, 1989), (Guckenheimer & Holmes, 1983), (Manoel
& Stewart, 2000), (Kuznetsov, 2004). The identification of the relevant control
parameter(s) and the characterization of the reduced system dynamics towards a
tipping point is of key importance to predict and thus prepare against extreme events
in out-of-equilibrium socio-economic systems.
Implementation and Measurement of Strategies for the Unpredictable: Imprivsation and Revising the Blame GameP. H. Longstaff1
Implementation and Measurement of Strategies for the
Unpredictable: Improvisation and Revising the Blame Gamei
P. H. Longstaff1,ii
Syracuse University
Keywords: Deep Uncertainty, Improvisation, Blame, Strategic Risk Management
I have always resisted the idea that resilience can be measured in any system. That is because of my
firm belief that resilience is most useful as a strategy for dealing with risks you cannot prevent or
predict. But I can’t deny the need that many people feel to measure it, and to some extent, I
understand the need. It is very human to want to control (or at least minimize) the bad things that
can happen. Nobody wants to be at the helm of an organization when something unpredicted (and
bad) happens because the first thing people will do is claim that it was predictable and preventable.
The Blame Game happens.
The world is getting so interconnected and complex that unpredicted (and unpredictable) things
happen more often. Scott Snook (U.S. Army, ret.) of the Harvard Business School has taken an indepth
look at a tragic accident in the immediate aftermath of the Persian Gulf War in which two U.S.
fighter planes shot down a U.S. helicopter. He asks why nobody predicted the problems that led to
this accident before it happened, and concludes:
Part of the answer lies in our inherent limitations as information processors. Part of the
answer lies in our linear deterministic approach to causality. Part of the answer lies in the
inherent unpredictability of events in complex organizations.
And yet, many organizations want a formula that will prescribe how they will respond in lock-step to
all challenges. We would like it to be inexpensive, easy to implement, and compatible with our
current operations. Something we can just bolt on to our current systems, tick a box, and move on.
Every year we can measure some things and pronounce ourselves resilient. If that is your goal, there
are many fine consultants who will sell it to you. And it works pretty well for risks you can predict and
measure the potential impact. The insurance industry has gotten pretty good at this type of
i This paper is part of the IRGC Resource Guide on Resilience, available at:
resilience/. Please cite like a book chapter including the following information: IRGC (2016).
Resource Guide on Resilience. Lausanne: EPFL International Risk Governance Center. v29-07-2016
ii Longstaff is an analyst and educator currently specializing in managing and regulating systems with high
uncertainty. Her most recent work is a multidisciplinary analysis of the concept of “resilience” and its
implications for business planning and public policy planning for environments with high uncertainty. She
received funding from the National Science Foundation to lead a cross-disciplinary study of resilience. She
pursued this work further as a Senior Visiting Scholar at Oxford University in 2010-11. She has published
extensively on topics related to resilience and security. She has been invited to speak on these topics to groups
all over the world.

measurement over the last several hundred years. But the recent interest in the concept of resilience
stems in part, I believe, from an often unarticulated belief that Professor Snook is right: some things
are just not predictable, and we need to get ready for them.
I think the concept of resilience is a lot like the concept of safety’. We don’t measure safety, we
measure the things we think will make something safe. Let’s take airplanes for example. Safety is
ultimately measured by the number of flights everyone walks away from. For dangers that we can
predict it is possible to devise things we can count: the tensile strength of the bolts that hold things
together, the fuel it will take to overcome headwinds, the redundancy of all critical systems, the
training hours of pilots and crew. All these things make the flight safer in cases of challenges we
know are likely or possible. For challenges nobody predicted, few veterans of the airline industry will
deny that flexibility and the ability to improvise have saved many lives.
For unpredicted challenges, the things that may be the most important are the most difficult to
measure. But they can become part of a resilience plan and measurement will use slightly different
tools. I will concentrate on two interrelated resilience strategies for unpredictable challenges:
improvisation and revising the Blame Game. Both are mentioned in the IRGC Guidelines for Emerging
Risk Governance. I will suggest that they can be measured by testing.
Improvisation is a resilience strategy for dealing with unanticipated challenges NOW by taking
resources that are immediately available and reorganizing them in new ways in order to continue an
important function. It is generally employed when plan A is not working, and even Plan B (e.g., the
Emergency Plan) is not effective for the unexpected challenge. It is, in effect, Plan C. Good
improvisation needs accurate, real-time information about what the various parts of the system are
doing. It requires predetermined rules that grant permission to ignore the Plan A rules and Plan B
rules and reallocated resources temporarily when certain things happen. It requires a clear
understanding of what is the most important goal (e.g., human safety, avoiding damage to critical
assets, etc.). Carefully implemented improvisation rules are thus a resilience strategy that allows an
organization to bounce back from an unpredicted challenge.
Sometimes flexibility and improvisation are not cherished as strategic assets for dealing with high
uncertainty. Instead, they are punished as failure to follow Standard Operating Procedure –
particularly if the improvised solution does not work. And sometimes people should be punished if
they did not follow the prearranged constraints on improvisation or if they pursued the wrong goal,
such as corruption or self-enrichment.
The blame game
Thus, improvisation requires that an organization changes how it allocates blame when bad things
happen. Eric Hollnagel has studied reliability in many critical technical and human systems. He has
written extensively on the role that blame plays in these systems. He suggests a balance between
accountability and learning. He admits that setting out all unacceptable behavior in advance
(particularly in systems with high uncertainty) is not possible and so there must be a mechanism that
is perceived as relevant and fair for making these decisions. He suggests building a “Just Culture” that

balances concerns for fairness with organizational cohesion, loyalty, and safety. This balance will be
different in each organization, and the balance will probably have to be re-examined periodically. In
many organizations, it will make sense for the specifics of this new culture to emerge over time as it
adapts to changing uncertainties. Imposing something from the top down that does not allow for
adaptability will only make the organization more brittle and liable to things like failures that cascade
throughout the system.
So, how would you measure the effectiveness of improvisation and revising the Blame Game? Since
both require changes in how things get done, some organizational learning (including the dreaded
training meetings) for resetting and fine-tuning corporate culture is probably in order and the
acceptance of these changes can be measured with surveys. But training and surveys need to be
backed up by clear examples of organizational commitment to the changes – deeds, not just words.
For example, someone who has improvised but was unsuccessful is celebrated for a good try.
In addition, the ability of the organization (and the people in it) to implement these two strategies
can be tested by conducting simulations of scenarios that nobody thinks will happen. It must be a
situation where Plan A and Plan B will not get them to the most important goal. Success can be
measured by the ability of participants to communicate accurate, real-time information and to
suggest new ways to put resources together. Did they know what the most important goal is? Did
they know what resources are available?
Success should NEVER be measured by whether the improvised solution actually worked. These are
often risky situations where no one has ever gone before, and any form of Blame Game will make
improvisation in a real challenge much less likely. Both a simulation and an actual unanticipated
challenge are opportunities to learn, and anything that stops the flow of information about what
really happened is a tragic loss of important information.
But the measurement of these two strategies will be pointless unless there is a change in the
organization’s attitude toward uncertainty. People who believe that things will happen just like they
always have are more likely to lay blame when there are unexpected bad outcomes. They believe
these outcomes must have been caused by a failure to get the right data and apply the right rules.
Their response to a bad surprise is often to impose more constraints (more rules) on the system, thus
ironically, making it more complex and adding uncertainty. If you can get everyone comfortable with
the fact that new dangers (and opportunities!) are likely, you can devise strategies that help people
feel confident that they can deal with them. And the more you test the strategies and reinforce good
tries, the more confident and resilient the organization will become.
A Tiered Approach to Resilience AssessmentIgor Linkov & Cate Fox-Lent1
A Tiered Approach to Resilience Assessmenti,ii
Igor Linkov1 & Cate Fox-Lent1
1US Army Corps of Engineers, Engineer Research & Development Cente
Keywords: Resilience, Resilience assemssement, Tiered approach
The concept of resilience has become prevalent among scientists, engineers, and policymakers in a
range of disciplines in various socio-ecological fields (e.g. ecology, urban planning, flood protection,
drought management) and across public domains (e.g. city managers, state, regional, and federal
officials). Key stakeholders within industry, government, and society-at-large consider its application
to problems such as disruption from climate change or the challenge of ecosystem management,
among others (United Nations, 2015; Walker et al. 2004). In this paper, we view resilience as a
focusing concept to aid decisions centered on maintaining critical functions and services before,
during, and in the aftermath of a disruptive event (NAS 2012). Given the need for resilience
assessment in many sectors and the multiple scales over which such an assessment is necessary,
agencies operating within a regulatory environment may benefit from guidance in the selection of
the appropriate tools and methods for resilience assessment.
The proposed resilience management approach is not intended to supplant more conventional
approaches of risk management or the many existing efforts of resilience quantification method
development, but instead provides a guide to select tools that are appropriate for the given analytic
need. We recommend that the tiered approach integrate work from the many agencies,
organizations, and researchers who have built resilience indices, visualization tools, and modeling
methods on the subject for various resilience-driven applications.
Instruments for resilience management
Regulatory agencies have long adopted a three-tier structure for risk assessment and risk
management. We build on this structure by proposing a tiered approach for resilience assessment
i This paper is part of the IRGC Resource Guide on Resilience, available at:
resilience/. Please cite like a book chapter including the following information: IRGC (2016).
Resource Guide on Resilience. Lausanne: EPFL International Risk Governance Center. v29-07-2016
ii This is summary of paper resulting from Aspen 2015 workshop on Risk and Resilience. Other co-authors of the
full paper include Laura Read, Craig R. Allen, James C. Arnott, Emanuele Bellini, Jon Coaffee, Marie-Valentine
Florine, Kirk Hatfield, William Hynes, Aleksandar Jovanovic, Roger Kasperson, John Katzenberger, Patrick W.
Keys, James H. Lambert, Richard Moss, Peter S. Murdoch, Jose Palma-Oliveira, Roger S. Pulwarty, Dale Sands,
Jeffrey Taylor, Edward A. Thomas, Mari R. Tye, David Woods.

that can be integrated in the existing regulatory processes. Comprehensive approaches to assess
resilience at appropriate and operational scales, reconciling analytical complexity as needed with
stakeholder needs and resources available, and ultimately creating actionable recommendations to
enhance resilience are still lacking. Our proposed structure consists of tiers by which analysts can
scale a resilience assessment and associated management actions relative to the scope and urgency
of the risk and the capacity of resource managers to improve system resilience.
We view resilience management through a framework for making decisions with respect to how to
maintain critical functions and services during and after a disruptive event- something that a tiered
approach to resilience management must directly account for. Each tier of the approach manages
uncertainty with increasing levels of precision (Figure 1). These include:
i. by identifying tools that do simple ranking at a screening-concept level (Tier I),
ii. to those that quantify based on metrics and performance in a systems model (Tier II),
iii. and finally methods to represent uncertainty probabilistically (Tier III).
The benefits of the approach are that each tier has a set of actionable items, but users can also move
incrementally between the tiers as more detailed analysis is needed. Users can assess their system at
each level, incorporate available data and stakeholder input, and then determine if the model
employed is sufficiently accurate to describe the system and scenario. The tiered approach enables
users to extract a range of responses from basic but practical, to sophisticated and predictive, in an
effort to quantify the tactical steps needed to enhance resilience. Groups that seek an integrated
strategy for assessing and communicating resilience, one that incorporates science into decisionmaking
while working with limited funding, data, and timelines, may find this tiered approach yields
a practical means of addressing pressing issues in a changing climate.
The goal of Tier I is to quickly and inexpensively identify the broad functions that a system provides
to human society or the environment as well as the general pathways of system failure and change in
performance over time following a disruptive event. Analytically, this framing and characterization
analysis makes use of existing data, expert judgment, and conceptual models. Tier I considers type,
frequency and intensity of shock events to define possible vulnerabilities and seeks to identify the
major social-ecological-technological properties of the system. The decision of how to proceed is
based on a conceptual model of the system with the following characteristics: simple system
representation, easy consensus on major criteria from stakeholders, retrospective in considering
historical records, and conservative in assumptions about the future.
The goal in Tier II is to describe the system or systems with more detail using a fundamental—but
often still deterministic— model and observational data. Such a model can be used to compare
resilience management alternatives that are not mutually exclusive to obtain the best outcome
across the system. The conceptual model developed in this phase has increased fidelity in terms of
representing infrastructure systems, ecosystems, and social institutions. Of course, introducing a
more realistic model can also raise issues regarding how these components are represented; thus a
comparative analysis is needed to illustrate tradeoffs between different representations. In this tier,
we start to explicitly quantify model parameters and assess these tradeoffs.

The primary objective of Tier III is to develop a detailed model for the sub-systems that support those
critical functions that are most sensitive to the threats of concern. The approach should consider
interactions in ecological and technological components of the system along with an analysis of the
impact of management decisions on affected social institutions and vulnerable populations. In this
tier, stakeholders are central to framing the criteria, weighting of parameters and validating the
model. Here a full range of scenarios can be tested to better understand system performance in an
uncertain future, as the model only requires the mode of failure, not the cause. Tier III has internal
feedbacks, it can be prospective in predicting how resilience may change given different system
configurations under chronic and episodic shocks.
Figure 1: Overview of tiered approach to resilience assessment
The benefits of the approach are that each tier has a set of actionable items so that users can move
incrementally between the tiers as needed. Users can assess their system at each level, incorporate
available data and stakeholder input, and ultimately determine if the model employed is sufficiently
accurate to describe the particular system and scenario at hand. The tiered approach enables users
to extract a range of responses from basic but practical, to sophisticated and predictive, in an effort
to quantify the tactical steps needed to enhance resilience. Overall, stakeholders that seek an
integrated strategy to assess and communicate resilience may find this tiered approach yields a
practical means of addressing pressing issues in a changing climate.
Advancing Resilience through LawGary E. Marchant1
Advancing Resilience through Lawi
Gary E. Marchant1
1Center for Law, Science & Innovation, Arizona State University
Keywords: Resilience, Law, Regulation, Risk, Procedure, Substantive
Resilience is the capacity of a system to “bounce back” from an adverse outcome. It is the
complement to traditional risk management – which seeks to avoid or minimize the occurrence of
adverse events. But when risk avoidance fails and an adverse event does occur, resilience is the
strategy that seeks to limit the scope and duration of the resulting damage, and to restore the
system to a favourable (even if different) state.
Resilience vs Risk
A rational risk governance system would include elements of both risk avoidance and resilience. They
are both essential, although traditionally our efforts and attention have focused primarily on the risk
management/avoidance side. But as the world and its technologies gets more complex, and in
response to a series of natural and human disasters (e.g., Hurricanes Katrina and Sandy, the
Deepwater Horizon oil spill, and Fukushima), greater attention is now being given to the resilience
side of the ledger.
The appropriate mix of emphasis on risk avoidance and resilience will vary depending on the nature
of the problem. For risks that are well-characterized and can be effectively controlled, the priority
should be on risk avoidance through traditional risk assessment and risk management strategies. But
where risks are unknown or cannot be easily calculated or controlled, as is the case with many
emerging technologies such as nanotechnology or synthetic biology, more emphasis should be put in
ensuring effective resilience measures are in place to quickly mitigate and control any unanticipated
problems that cannot be or are not prevented by traditional risk assessment and risk management.
Law and Resilience
To date, resilience has primarily been instituted as a management or voluntary professional
undertaking by experts in fields such as engineering, environmental management, disaster planning
i This paper is part of the IRGC Resource Guide on Resilience, available at:
resilience/. Please cite like a book chapter including the following information: IRGC (2016).
Resource Guide on Resilience. Lausanne: EPFL International Risk Governance Center. v29-07-2016

and response, healthcare planning, and public utilities. Law has historically provided little
incorporation, guidance, or requirements for resilience (Ruhl, 2011). Law, especially regulatory law,
has been mostly ex ante – addressing potential risks in a “one and done” front-end approach that
involves a single rulemaking that seeks to put in place rules to prevent potential problems before
they happen (Shapiro & Glicksman, 2004). This pre-emptive approach is not equipped to address
unanticipated consequences or problems that arise after enactment of the governing statute or
regulation (Odom Green et al., 2015).
A more adaptive management approach is needed in which applicable rules and statutes can be
modified to address unanticipated outcomes and problems. Unfortunately, the administrative law
requirements in most countries, under which regulatory agencies operate, are not conducive to more
adaptive and reflexive approaches, as they tend to require time-consuming and burdensome
processes every time an agency changes course. While some proposals have been published for
making regulatory systems more adaptive and responsive (e.g., Craig & Ruhl, 2014), such proposals
have generally not been implemented to date.
Nevertheless, there are useful examples in existing regulatory structures that do implement a
resilience strategy, even if implicitly rather than explicitly applying the concept of resilience
(Marchant & Stevens, 2016). These existing examples point the way to a more comprehensive legal
incorporation of resilience. There are two major categories of legal resilience measures – procedural
and substantive (Marchant & Stevens, 2016). Procedural resilience measures put in place a process
for early detection and amelioration of problems or harm. Substantive resilience measures put in
place harm reduction and adaption measures ex ante to be better prepared to deal with harm if and
when it occurs. Some examples of procedural and substantive legal resilience tools are described
Procedural Resilience Legal Tools
Procedural legal resilience tools give a regulatory agency authority to periodically review the
effectiveness of its regulatory program, and perhaps take quick action to remedy any gaps or flaws in
the program. Such tools essentially allow agencies to take an adaptive management approach, which
is usually inconsistent with most national administrative law frameworks. For example, under the
U.S. Clean Air Act, the Environmental Protection Agency is required to re-assess the scientific
evidence and protectiveness of its air quality standards for criteria pollutants such as ozone and
particulate matter, and to revise those standards if they are not adequately protective.
Requiring regulatory agencies to produce and update action plans for dealing with an ongoing
problem is another way to institutionalize procedural reliance measures. In the U.S., President
Obama issued Executive Order 13,653 on November 1, 2013, which required each federal agency to
create and update periodically a climate change Adaption Plan that includes “a description of
programs, policies, and plans the agency has already put in place, as well as additional actions the
agency will take, to manage climate risks in the near term and build resilience in the short and long
Another procedural resilience approach is to authorize agencies to depart from their statutory
requirements if and when something goes wrong and unanticipated adverse effects occur. Again,
traditional administrative law requirements are an impediment to such changes in direction, as

agencies are generally precluded from over-riding or departing from legislative dictates. There has
nevertheless been a growing use and support for the principle of “administrative forbearance” that
allows agencies to put a hold on statutory provisions and programs when, for example, they are
creating a problem that needs to be stopped and reversed, an important resilience capability.
Substantive Resilience Legal Tools
The other set of legal resilience tools involve regulatory requirements that substantively provide for
more resilient systems. A threshold challenge for such approaches is that it is difficult to put in place
substantive measures to remedy unanticipated harms that might occur in the future. If you cannot
anticipate specific harms ex ante, it becomes problematic to design applicable remedies for that
harm. One generic strategy is to require that companies engaging with a particular activity or
technology to carry appropriate liability insurance or post a bond to ensure adequate resources are
available to mitigate any harms that result. For example, such requirements have been put in place
for hazardous waste treatment, storage and disposal facilities (TSDFs) under U.S. hazardous waste
Another substantive legal resilience approach is to put in place secondary back-up systems for when
the primary regulatory approach fails to achieve its intended objective. For example, under the Clean
Air Act (CAA) and Clean Water Act (CWA) in the United States, non-attainment provisions
automatically kick in if the primary regulatory approach (state implementation plans under the CAA
and category- specific effluent limitations under the CWA) fails to achieve safe pre-determined levels
of air or water quality.
Another important substantive resilience tool is the power to be able to recall or inactivate a
technology or product that is found to be causing unanticipated harms. For example, a “kill switch”
might be engineered into a synthetic biology or nanotechnology product so the product can be
quickly inactivated if it is found to be causing unanticipated harms.
While law has been a late arrival at the resilience table, it has an important role to play in putting
into place both procedural and substantive regulatory provisions for ensuring more resilient systems.
The Quest for Enterprise Resilience: Navigating Complex Systems to Survive and ThriveCharley Newnham, James Crask1
The Quest for Enterprise Resilience: Navigating Complex Systems to
Survive and Thrivei
Charley Newnham1 and James Crask1
Keywords: Organizational resilience, Enterprise resilience, Complex systems, Continuity,
What is Organizational resilience and why does it matter?
The concept of ‘Organizational’ resilience is not new. Academic research goes back a long way,
though many modern researchers point towards pivotal articles such as Hamel and Valikangas’ The
Quest for Resilience (2003) as ‘game changers’.
British Standard 65000, guidance for Organizational Resilience (BSI, 2014) intends to deliver a
practical approach to creating suitably resilient organisations which may be, according to Hamel
(2012), “the most fundamental business challenge of our time”. It defines Organizational resilience
as the “ability of an organization to anticipate, prepare for, and respond and adapt to incremental
change and sudden disruptions in order to survive and prosper” (BSI, 2014). This definition captures
some essential resilience components that can be missing from less complex definitions, that is,
those that simply talk about the ability to ‘bounce back from adversity’. The Standard’s definition
acknowledges while organisations have to be able to deal with sudden shocks they also have to be
able to adapt over time to survive and thrive.
That more resilient organisations require the ability to evolve substantially over time (Morel &
Ramanujam, 1999) is not new information for leaders. It is common sense that companies must
remain relevant to remain viable, as well as being able to respond to sudden disruptions – and
opportunities. In 2015, PwC researchers found that “25% of respondents believed that their
organisations would always deliver the same core services”, while only 38% were sure that their
organisations would be able to evolve to remain relevant. Further, 42% believed their organisations
would definitely continue to exist for decades to come and only 22% believed their organisation was
equipped to survive disruptions and major incidents (PwC & London First, 2016).
So what is the role of governance in resilience? Carmelli & Markham (2011) remind us that from the
Christian church to the Roman Empire to modern day business, research shows that great
governance is “essential for resilience”. The question is: how can we leverage our approach to
governance today to achieve appropriate resilience to ensure our organisations stand the test of
i This paper is part of the IRGC Resource Guide on Resilience, available at:
resilience/. Please cite like a book chapter including the following information: IRGC (2016).
Resource Guide on Resilience. Lausanne: EPFL International Risk Governance Center. v29-07-2016

Is managing resilience really any different to managing risk?
Risk leaders often ask whether “organizational resilience” is just a new spin on risk management. We
suggest that risk and opportunity management are two sides of the same coin, but they are
facilitated by resilience where resilience is the sum of the factors that support the identification and
management of risk and opportunity throughout every activity in the business.
In this sense potential resilience contributors and detractors include functions and processes
primarily designed to offer Organizational protection, such as risk management, business continuity,
and security, but also include less tangible elements such as an organisation’s strategies, culture,
approach to innovation, social capital, capability and capacity, reserves, and its potential to adapt
and evolve over time. In our opinion this broader view does not replace the requirement to manage
risk but simply highlights the need to consider, understand and invest appropriately in all the factors
that provide the organisation’s ability to survive and thrive. Risk and opportunity may be two sides
of the same coin, but resilience completes the trinity required to understand and manage ‘corporate
In addition, talking about resilience presents an opportunity to recognise that operating
environments, people, suppliers, divisions, functions and other factors that create organizational
structures are complex systems within complex systems – which are difficult to understand and to
manage, and marked by uncertainties and unexpected changes. Traditional approaches to risk
management (as a discipline rather than an activity) calls for the simplification of risk to a point
where they can be quantified and recorded: this will always be a vital management tool. However,
resilience provides an opportunity for us to acknowledge that the things contributing to success and
failure are both complex and dynamic. This implies we either need to apply systems theory concepts
to Organizational resilience, or find ways to cut through the systems to create an indicative view of
how adequate our resilience might be, without losing sight of its complex, dynamic nature.
Where should resilience builders start?
Most organisations have already begun their resilience journey. Most have a degree of risk
management, business continuity, security and the other disciplines and processes that exist to
protect the organisation and its key stakeholders. These are sometimes referred to collectively as
‘operational resilience disciplines’. In 2015 a survey showed that 90% of leaders believe that
resilience is greater when the activity of these disciplines is appropriately joined up, but only 37%
believe that it is (PwC & London First, 2016). Taking the issue of disjointedness further, many
organisations suffer from unhelpful disconnections and gaps between entities, areas of the business,
processes and assets. Some of these are vulnerabilities that can lead to severe disruption or
unclaimed opportunities.
Therefore, the first instruments for managing resilience on many leaders’ list may be to:
• Ensure that operational disciplines are effective and appropriately joined up
• Remove unhelpful silos that create vulnerability or reduce opportunity, and test critical
processes and systems from end-to-end
Leaders then need to consider how to see and manage the less tangible aspects of their
organisation’s resilience. While systems theory might be the utopia of understanding and managing

resilience, creating and keeping up with the volumes of information that could be generated
presents practical challenges. Therefore, researchers have focussed their endeavours to create
insights into the key indicators that identify an organisation’s state of resilience: “a set of
generalizable insights for building social, economic, technical and business systems that anticipate
disruption, heal themselves when breached, and have the ability to reorganize themselves to
maintain their core purpose, even under radically changed circumstances.” (Zolli & Healy, 2012)
Resilience indicators
Though the field of Organizational resilience is relatively new in terms of being practically applied
within business, there are many resources (including those in the attached Bibliography) to guide
leaders in identifying the key resilience indicators for their organisation to provide insight into the
state of their resilience. These indicators, when combined with their current knowledge of the
business, including risk, sales and financial data – have the advantage appreciating an organisation as
a complex system, operating within a wider, more complex set of systems. The insights the
indicators provide give leaders new ways to consider where they might amend their resilience. No
longer limited to traditional risk management methods, their approach can be complemented with
an ability to look at different, often more strategic and almost always less silo-based ways to mitigate
risk and create the optimal conditions for creating and seizing opportunity.
As Zolli & Healey (2012) identified there is an increasing consensus on some key indicators. For
example, the resilience research institute ResOrgs cites headline indicators of situational awareness,
innovation and creativity, proactive posture, stress tested strategies, unity of purpose, broken silos,
leveraged knowledge, understanding of internal resources, effective partnership, decision making
and staff engagement (ResOrgs, 2011). Meanwhile, professional services organisations such as PwC
find innovative ways to visually display their indicators. The ‘periodic table’ is one example and
houses key indicators – including those cited by ResOrgs – expanding to include others informed by
research and experience. It includes indicators such as lived values, situational understanding, social
capital, understanding of networks, leadership and decision making and capability and capacity (PwC,

Figure 1: PwC ‘Periodic Table of Resilience Indicators’
When thinking about the practical implementation of resilience, research tends to map indicators to
“resilience outcomes” that leaders recognise as features of a more resilient organisation. These can
help bring the resilience of the organisation to life. For example, PwC, uses 6 resilience outcome
states to talk about resilience with top leaders: cohesiveness, adaptive capacity, reliability, relevance,
agility and trust (PwC, 2015), while Airmic focuses on six verbs: predict, prevent, prepare, respond,
recover, review (Cranfield School of Management, 2014).
The anticipated International Standard for Organizational Resilience, ISO 22316, intends to offer
universal insights into how key indicators might be assessed. In the interim each model tends to use
its own approach and, in most cases, anticipate the need to customise the indicators, the weightings
of the measurements and the resulting insight to fit an organisation’s individual features and
Two Applications of Resilience Concepts and Methods: Offshore Installations and Critical InfrastructuresKnut Øien1
Two Applications of Resilience Concepts and Methods: Offshore
Installations and Critical Infrastructuresi
Knut Øien1
1Senior Scientist, SINTEF, Norway
Keywords: Resilience, Indicators, Major accidents, Early warnings
Resilience development strategies
The main strategy for developing resilience in socio-technical systems, whether this is offshore
installations, critical infrastructures, or some other systems, is to demonstrate practical usefulness of
resilience approaches for the relevant stakeholders, starting with simple concepts, models and
methods. After all, all definitions, concepts and models are simplified representations of reality, no
matter the complexity of the representation. It is recommended not to make the starting-point too
Thus, the strategies used in the two applications presented in this paper have been to develop
pragmatic, practical and easy to understand/communicate approaches. The approaches are further
tailored to the relevant stakeholders, and they are participatory approaches where the stakeholders
take an active part in defining the issues that are important for each resilience dimension, and in
defining the indicators measuring the issues.
The resilience dimensions provide a fixed frame, whereas the issues important for each dimension
and the indicators to measure these issues are provisional (candidates). They will be reviewed and
evaluated by stakeholders (e.g. users and domain experts), and may be adjusted and new issues and
indicators added.
Indicators and measurements
Both applications utilize indicators, either as early warnings for potential events or as measures of
resilience. The first application focuses on trends in the indicator values, which may indicate a drift
towards potential events, whereas the second application uses indicators as a means to measure
Measurement of resilience using indicators provides status on the various phases/dimensions in a
semi-quantitative manner expressed as a level on a scale. It is not about millimetre precision, but an
indication of the level at which resilience is obtained in each phase. It is an indirect measure of
resilience that does not require actual event data (which is often rare and hard to obtain, especially
since we also need to cope with surprises). The indicators do not provide an exact measurement of
i This paper is part of the IRGC Resource Guide on Resilience, available at:
resilience/. Please cite like a book chapter including the following information: IRGC (2016).
Resource Guide on Resilience. Lausanne: EPFL International Risk Governance Center. v29-07-2016

e.g. the shape of the functionality curve (cf. Figure 2). The functionality curve itself is only used as a
conceptual model, not as an operational model.
A word of caution when it comes to indicators: An indicator is "a measurable/operational variable
that can be used to describe the condition of a broader phenomenon or aspect of reality" (Øien,
Utne & Herrera, 2011). This aspect of reality – also termed the theoretical variable – may be risk
factors, resilience issues, etc. We cannot measure these directly; instead, we need an operational
definition of the factor/issue that represents the theoretical variable. This operational variable is
what we denote an indicator. The indicator will typically be described as a number, ratio, score on
some scale, or similar. Without this type of specification/operationalization, we are left with just a
theoretical factor or issue. Unfortunately, what is often referred to as indicators, also in the resilience
literature, are just factors or issues. They are not made operational, which means that they are not
indicators, even if they are presented as such.
Two applications – different definitions and concepts
The first application is a methodology for the establishment of early warning indicators for offshore
oil and gas installations, which was evaluated/demonstrated against the Deepwater Horizon drilling
rig accident in the Gulf of Mexico in 2010. The second application is a preliminary approach for
resilience assessment of critical infrastructures.
The two definitions used are:
Definition 1: Resilience refers to the capacity of recognizing, adapting to, and coping with the
unexpected (Woods, 2006).
Definition 2: Resilience of an infrastructure is the ability to anticipate, prepare for, and adapt to
changing conditions and withstand, respond to, and recover rapidly from disruption.ii
It may be questioned to what extent the definition in itself is important, since definitions by nature
comprise condensed and thereby limited amount of information. In the first application, a concept of
resilience was developed that only partly reflected the definition. It was the concept, and the
methodology developed based on this concept, that was important for this application. The two
applications are described below, focusing on the concepts of resilience used.
Application 1 – Evaluation of methodology for early warning indicators using the Deepwater
Horizon accident
The methodology, termed Resilience-based Early Warning Indicators (REWI) method, is described in
Øien, Massaiu and Tinmannsvik (2012), and the evaluation using the Deepwater Horizon accident is
described in Øien and Nielsen (2012).
The fundamental attributes/dimensions of resilience covered by the REWI method are called
contributing success factors (CSFs) and are risk understanding, anticipation, attention, response,
robustness, resourcefulness/rapidity, decision support and redundancy. For each CSF, the REWI
method defines a set of general issues contributing to the fulfilment of the goals of the CSF.
Measurable indicators are developed for the issues.
ii This is an adaptation of a definition proposed by the National Academy of Sciences (2012): the ability to prepare and plan for, absorb,
recover from, and more successfully adapt to adverse events.

The CSFs are based on key literature sources (e.g., Woods, 2006; Woods & Wreathall, 2003; Tierney,
2003), and was tested in an empirical study on the successful recovery of high-risk incidents
(Størseth, Tinmannsvik, & Øien, 2009). The empirical study supported the selected set of CSFs, which
are shown in Figure 1. The CSFs represent an operationalization of the concept of resilience. Figure 1
also includes questions to enhance the understanding of the CSFs.
Figure 1: The concept of resilience based on Contributing Success Factors (CSFs)
The REWI method was applied to analyse the causes and factors that led to the DWH accident. The
mapping of the predefined REWI issues to the DWH accident causes showed that relevant early
warnings could have been provided, and the accident might have been prevented, if the respective
issues had been followed-up by the use of relevant indicators. This depends of course not only on
relevant early warnings, but also on adequate response to the signals given. Details of the evaluation
are found in Øien and Nielsen (2012).
Application 2 – Resilience assessment of critical infrastructures
Resilience assessment of critical infrastructures is included in the scope of the EU H2020 project
SmartResilience (Smart Resilience Indicators for Smart Critical Infrastructures)iii. It uses the critical
infrastructure system functionality curve (Linkov et al., 2014) as a starting point, but adds additional
resilience dimensions as phases, as shown in the timeline in Figure 2.
iii will provide results and deliverables from the project (in 2016-2019).
(of response)
(incl. improvisation)
CSF 2:
Decision support Redundancy
(for support) Risk under- Anticipation Attention
CSF 1:
CSF 3:
Make sure that
risk awareness is
maintained (avoid
underestimation of risk)
Be able to provide necessary
capasity to respond, given a
deviation or incident
Be able to support decisions
(remedy of goal-conflicts) in order
to maintain critical functions
Understand – anticipate – and monitor Respond – completely – and timely Give support – and ensure support
1.1 1.2 1.3 2.1 2.2 2.3 3.1 3.2
How do we achieve
knowledge and experience
about risk/hazards?
What can we expect? What should we look for? What must we do? How can we ensure
completion of the response
(without suffering damage)?
How can we ensure
timely and sufficient
How do we support the
trade-off between safety
and production?
How do we compensate
for degradation to uphold/
maintain critical functions?

Figure 2: Preliminary concept of resilience based on the system functionality curve
The curve itself could be studied in detail, e.g. determining the slope of the absorption curve and the
speed of recovery; however, the main approach in SmartResilience is to assess the resilience
dimensions indirectly using indicators. Similarly as in the REWI method, there will be a layer of
"issues" between the resilience dimensions and the indicators.
A special feature of the SmartResilience project is the focus on increased functionality enabled by
smart technology providing smart critical infrastructure. This gain in functionality also represents an
emerging threat, since the smart technology may increase the vulnerability of the critical
The resilience dimensions manifested as phases in the functionality-time curve is sequential; whereas
the resilience dimensions manifested as contributing success factors in the REWI method is nonsequential,
(e.g. decision support is provided at several stages). Thus, the concepts are different and
adapted to the specific applications. However, notice that risk understanding (risk picture/landscape)
is the starting phase in both applications, linking risk and resilience.
A common feature of both applications is the use of indicators – resilience indicators: in the first
application to provide early warnings and in the second application to provide a measure of
resilience (for each issue, each phase/dimension, and each critical infrastructure).
The main differences foreseen in the SmartResilience approach to resilience assessment of critical
infrastructures, compared with previous and on-going approaches, are the level of issues between
the resilience dimensions and the indicators, and the stakeholder participation in defining and
adjusting the (candidate) issues and indicators.
Threats Smart Cities
Smart Functionality
Critical Infrastructures
Conventional Functionality
Accident /
Gain due to smart technology
Absorb Be aware/ Respond Recover Adapt
Understand Anticipate

Resilience purpose and preference
Quite a lot of effort goes into justifying resilience or resilience management as an additional strategy
to risk management, but mainly on a conceptual level (e.g. Linkov et al., 2014). Here, the purpose of
resilience is discussed for the two specific applications: early warnings and assessment of resilience.
Different types of indicators (e.g. resilience-based, risk-based, performance-based, and incidentbased)
have different pros and cons (Øien, 2013). The purpose of using resilience-based indicators,
instead of risk-based indicators, for early warnings is that development of resilience-based indicators
is e.g. more relevant as early warnings (cover issues early in the casual chain), less resource intensive,
and has generally a broader coverage. They may also focus on positive signs and signals. A drawback
is that it is less easy to determine risk relevance/importance of resilience-based indicators.
The purpose of assessing resilience, not instead of, but in addition to risk, is that some of the phases
are less emphasised in traditional risk analysis/assessment/management, e.g. the recovery and
adaptation phases, whereas in our resilience assessment all phases (dimensions) are assessed.
In the two applications: early warnings and assessment of phases in critical infrastructure protection,
a resilience approach is considered as better suited compared to traditional risk management, since
it better covers all the phases.
Modern Resilience: Moving Without MovementJosé Manuel Palma-Oliveira, Benjamin D. Trump1
Modern Resilience: Moving Without Movementi
José Manuel Palma-Oliveira1 & Benjamin D. Trump1
1Faculdade de Psicologia, Universidade de Lisboa
Keywords: Systems-driven Resilience, Neutrality of resilience, Temporal dynamics, Management of
desirable states
Since the first scientific use of the term in the 17th Century, resilience has been used by various
disciplines to describe how targeted systems respond to shocks and stresses that threaten to alter
their original design (Alexander, 2013). This has brought the term into the everyday lexicon in various
professions and disciplines in the modern day, yet also complicates matters due to the multitudes of
differing perspectives regarding how resilience should be defined. Currently, the study of resilience
suffers from limited shared understanding as these different disciplines seek to discuss what
resilience means for their line of work – a definition that may not be congruent with the
understanding of the term in other disciplines. While such differing perspectives are likely to
continue in the foreseeable future, this paper seeks to propose a more common baseline
understanding of resilience as well as a systems-driven approach applicable for resilience analysis
across the multitude of interested disciplines.
In a general sense, resilience has been used as a metaphor that seeks to describe how systems
absorb threats and maintain their inherent structure and behaviour. More specifically, resilience is
used as a global state of preparedness, where targeted systems can absorb unexpected and
potentially high consequence shocks and stresses (Larkin et al., 2015)
Common usage of resilience causes scholars to infer several principles of what resilience actually
means. The first such principle includes the positivity of resilience, or the notion that resilience is an
inherently beneficial goal to achieve. The second includes the measurement of resilience by
characteristics believed to apply to a given system – effectively driving an inductive approach to
resilience thinking (Béné et al., 2012). Lastly, resilience thinking is often viewed in a context-agnostic
framework, where principles of resilience can be applied to various situations and cases
However, we argue that this metaphorical approach to resilience has inherent weaknesses that must
be addressed in order to better understand and apply resilience thinking to various projects.
i This paper is part of the IRGC Resource Guide on Resilience, available at:
resilience/. Please cite like a book chapter including the following information: IRGC (2016).
Resource Guide on Resilience. Lausanne: EPFL International Risk Governance Center. v29-07-2016

Matching point-by-point based upon discussion above, we argue that a more technical
understanding of resilience must:
1) Be theoretically neutral. Resilience can refer to the reinforcement of beneficial or harmful
activities or outcomes – making it so that it is not always beneficial to develop resilience for a
system (Zellmer & Gunderson, 2009). Nevertheless, stakeholders can place normative value
upon reinforcing the resilience of systems with beneficial outcomes and/or reducing the
resilience of systems that maintain negative outcomes.
2) Foster and apply systems theory. We argue that resilience is the study of systems, where it is
incumbent on the researcher to understand the interaction effects between systems and
their relevant sub-systems. This may be described as system panarchy, where, not only a
system can move through different phases as well change in one sub-system can have a
cascade effect that alters all others. Understanding the consequences and magnitude of such
cascade effects is crucial to identify areas where systems may be brittle or resilient
(Gunderson & Holling, 2002; Holling, 2001).
3) Adopt a context-driven approach to a targeted system (see Cutter et al., 2008 as a good
attempt). Given the review of system interactions from Step 2, a vital element to better
understand the interactions of systems and the potential for panarchic effects includes the
need to (i) gain a greater understanding of the system’s historical behaviour and actions, and
(ii) identify the various cultural, psychological, and physical characteristics that can enforce or
prevent the institution of resilience. Such context is case-specific, and cannot be derived
from a global, context-agnostic review or resilience characteristics.
4) Given the context and drivers of resilience noted above, apply existing ecological,
psychological, socio-cultural, and physical (and others depending of the systems at stake)
scientific theories to enable the identification and measurement of panarchic effects and
determine which sub-systems are resilient, which are brittle, and whether the built-in
feedback loops and self-reinforcing factors produce inherently ideal or harmful states of
existence. Such discussion must inherently consider the interaction effects of such systems
over time, rather than as an instantaneous snapshot.
5) By separating the metaphoric use of resilience from the more technical application of the
term, it is possible to clarify the often ambiguous role of stakeholders in defining and
informing the inputs and implications of a system’s resilience. In the metaphoric usage of
the term, stakeholders are requested to do almost everything from defining system risks to
make estimations about the weaknesses and the strategy. In the latter, however,
stakeholders should be asked to participate in defining the problems and weighting of
strategic paths. A central concern here includes the high degree of uncertainty and
complexity facing stakeholders in such exercises, where the defining of risks and
consideration of resilience strategy is a complicated effort even for subject experts.
The Purpose of Resilience
We define resilience as the capability of a system to recover in the midst of shocks or stresses over
time. Recovery implicates multiple interactions between factors, and across scales and sub-systems
that are usually unexpected and complex in nature. Given such concerns, resilience differs from
traditional methodological approaches of protecting against risk, where these uncertain and complex

shocks and stresses that affect targeted systems are inherently outside of the design of the system’s
intended purpose. As such, preparation for such events contains only limited available guidance, and
promoting traditional risk approaches such as bolstering system hardness is prohibitively difficult and
excessively expensive. Resilience allows us to take on these concerns within a framework of resource
constraints and the need to protect against low probability, high consequence events more recently
described as ‘black swans.’ In other words, resilience is preferred to traditional risk management
strategies where a systems-theory of protecting against risk is required, and where the potential risks
in question are highly unlikely yet potentially catastrophic in nature.
Some theoretical and empirical implications of the above definition of resilience that have to be
taken in consideration, and they seldom are, include:
1. The dimension of “time” is not only important to shorten the recovery phase (Linkov et
al., 2014), as an indicator of resilience, but also implies the understanding how the
system cope with previous stress and what were the dynamics of those changes.
2. Since a system is dynamic (it changes over time), system stresses can occur throughout
the system’s development. As such, individual strategies can both augment an individual
system’s resilience to certain stresses while also increasing the system’s brittleness in the
face of certain shocks. Given this idea, it is essential to understand that strategies to
promote resilience may also make the system brittle or susceptible to collapse.
3. Basic rules of systems theory have to pertain to the basic analysis of the system like
feedback loops, interaction effects, panarchy, etc.
Thus, a proper application of the resilience methodology is always conceived as the understating of
the specific adaptive cycle of that particular system or systems.
Instruments for Resilience Management
A key component of developing resilience is to understand the inherent function and components of
the system in question. As such, no universal or ‘one-size-fits-all’ approach can adequately cover the
complexity and uncertainties facing specific systems – at least not without a thorough consideration
of the various subsystems and nested components that are changed in the midst of a shock or stress.
Given this consideration, resilience can only be developed where (i) a context-rich understanding of
the targeted system and its relevant sub-systems is established, and the interaction effects that
cause one sub-system to influence others noted, and (ii) each sub-system is defined based upon the
scientific properties and theories provided by psychology, engineering, biology, and other fields. In
simpler terms, resilience can only be developed within systems when a full and scientifically-driven
understanding of a system’s panarchy is fully described. Without such knowledge of interaction
effects and context-driven assessment, it is impossible to gain a full understanding of the different
factors and scientific principles that drive a specific system’s resilience.
That means that the complexity of a certain system can be defined by a specific and limited number
of system rules and dynamics, which are respectively comprised of a small set of variables and
processes. The complexity is given by those processes operating at different scales in space and time
(Simon, 1974; Holling, 2001).

Taking these points into account, the targeted systems are dynamic, follow a set of partially
predicted phases and simple rules, and interact with multiple systems and subsystems with different
variables. Such a scale is characterized not only by its non-linearity and complex interaction effects,
but also by the complete absence of pre-defined top-down approach.
From the above, one can list the characteristics that shape operationalization and measurement of
the resilience analysis:
a) Often within engineering applications, resilience is based upon a determination of a system
in a utilitarian perspective by identifying the most critical function(s) of the targeted system.
That is an insufficient heuristic since one has to determine not only the function but also the
systems(s) scale, its spatial considerations (geographical domain), and how such
considerations shift and alter over time. This is central consideration to shape resilience
management because, through such considerations, it is possible to isolate both the
interconnections with the other systems of the same scale and, more importantly, the subsystems.
b) The idea of adaptive cycle implies that, as underlined, a given system operates within in a
specific moment of its cycle. As such, efforts to bolster system resilience must account for
current and future developments related to how such a system may change over time (Allen
et al., 2014).
c) All systems are inherently comprised of social and ecological drivers. As such, the essential
proprieties of a given system like feedback loops, adaptive cycles, etc. cannot be defined
without the mobilization of different variables from ecology, economy and human behaviour.
d) The description of the system, both in terms of its proprieties and in terms of processes
connected with the specific disciplinary relevant frameworks, has to be repeated in each
studied subsystem. Scholarly literature reinforces the aspect of global preparedness that a
system has to acquire in order to be resilient pointing to the component of surprise. Surprise
also arrives from the work of the different systems and of the effects that certain variables of
a certain system have in the functioning of the others.
e) The system functioning is generally multi-factorial. The scale of those variables and theories
are the only system elements that will change in order to be adapted to the scale and pace of
the systems at stake.
f) Resilience is always an emergent property of a system but never determined solely by the
system. Even in psychological resilience, where one would think that resilience is a propriety
of the individual system, the more promising avenues of research stress the fact that the
major predictors of the individual resilience are the contextual factors (i.e., social networks,
family, housing conditions, etc.) (Ungar, 2012).
Metrics and Criteria for Resilience Management
Normally, the current metrics for resilience management are based upon a diverse set of
assumptions and proposals. Resilience as operationalized as a Resilience Index (i.e., checklist of
items) is a growing trend in the field, and is driven by the desire to compartmentalize each step of
the risk management process (Orencio & Fujii, 2013; Todini, 2000; Sempier et al., 2010; Cutter, 2016)
. However as described, the application of these methods are of limited value in the abstract.
Specifically, this is due not only to difficulties in defining and contextualizing targeted systems and

sub-systems but also due to a lack of specific guidance in the way the variables interact in the
system. Furthermore, the connection between the evaluated factors and the final resilience score is
often tautological.
These indexes are normally based upon representativeness heuristic (i.e., if a concept represents the
metaphorical uses of resilience then it is a god index for it) (Tversky & Kahneman, 1975) and not
upon the proprieties of the specific system. For instance, making a system more robust and resilient
to certain circumstances can also increase the system’s brittleness in the face of other shocks and
We can measure resilience with criteria that can apply to all systems (cognitive, physical, informative,
etc.). In spite of the fact that these criteria are an attempt to be free of the representative heuristics,
however, they are not free of shortcomings. Specifically, such efforts are often reductionist in nature
due to an attempt to operationalize a system into a small number of criteria – the result of which
often promotes limited context by which resilience analysts may understand the complexity and
interaction effects of the system and its embedded sub-systems (Davoudi, 2012). Furthermore, they
are focused in the normal “resilience cycle” that serves as an extension of the normal “continuous
improvement cycles” and, more precisely, in the so-called recovery phase. The shortening of the
recovery phase is a consequence of the resilient functioning and should not be the sole focus of the
In the last 100 years, systemic frameworks have been frequently discussed and promoted by various
fields in science and technology development. Such efforts have generally fallen short of a functional
definition due to an adherence to the truism ‘everything is related with everything’ – making it
functionally impossible to scientifically characterize the properties of a system. Resilience is at risk of
becoming another such failed effort due to a lack of focus on defining and measuring the interaction
effects between systems and sub-systems – which otherwise would leave resilience as nothing more
than a metaphor for more modern risk management.
To overcome such an obstacle, we advocate for a method of resilience management that adopts a
theoretically neutral, context-driven, temporally-derived, and systems-driven approach to apply the
method to various disciplines and resilience-building activities worldwide.
Ecological & Social-ecological Resilience - Assessing and Managing Change in Complex SystemsAllyson Quinlan, Lance Gunderson1
Ecological & Social-ecological Resilience - Assessing and Managing
Change in Complex Systemsi
Allyson Quinlan1 and Lance Gunderson1,2
1Resilience Alliance, 2Emory University
Keywords: Social-ecological systems, Resilience assessment, Resilience principles, Metrics
Humans are changing the dynamics of ecosystems in ways that are increasing risk and driving change
from local to global scales. The concept of ecological resilience was introduced by C.S. Holling to
characterize abrupt, non-linear and surprising change in ecosystems (Holling, 1973). This concept
posited multiple configurations of ecosystems—that ecosystems could exist in qualitatively different
forms; each characterized by different structures and feedbacks. Ecological resilience was defined as
an emergent system property that mediated the transition among different ecosystem
configurations or regimes. Over time, scholars have shown that such quasi or meta-stable states
exist across all types of ecosystems, from marine to aquatic to wetlands to drylands (Folke, et al.,
2004). Walker and colleagues also refined components of resilience as a) resistance to change and b)
latitude in capacity to avoid a regime shift c) precariousness and d) panarchy (Walker, Holling,
Carpenter, & Kinzig, 2004). Multiple regimes, with transitions among them, have also been described
in social-ecological systems due to complex human-environment interactions both within and across
scales of space and time. SES resilience is defined in three parts as i) the capacity of linked socialecological
systems to absorb disturbances while retaining essential structures, processes and
feedbacks, ii) the capacity for learning and adaptation, and iii) the degree to which the system is
capable of self-organizing (Carpenter, Walker, Anderies, & Abel, 2001).
Resilience objectives
The types of change suggested by resilience theory and observed in social-ecological systems imply
different responses or practical strategies, because of the types of uncertainties associated with each
model of change. Many case histories demonstrate that SES’s undergo at least three different
trajectories of change: system development toward a planned and relatively stable regime, resilience
dynamics when the system flips from one regime to another, and transformation to an entirely new
regime of the social-ecological system (Gunderson & Holling, 2002). The first category of change
focuses on attempts to control ecosystems to secure steady and reliable ecosystem goods and
i This paper is part of the IRGC Resource Guide on Resilience, available at:
resilience/. Please cite like a book chapter including the following information: IRGC (2016).
Resource Guide on Resilience. Lausanne: EPFL International Risk Governance Center. v29-07-2016

services, for example, managing forests for continued wood supply. Such management approaches
remove competition through thinning and attempt to control outbreaks of destructive agents such as
fire or forest pests. All of these actions are aimed at optimizing and sustaining production of wood
for lumber, fiber or fuel. The second category of change relates to resilience management that
usually involves inherent and unresolvable uncertainties, which are generally approached through
adaptive management (Walters, 1986). Managing under conditions of high uncertainty requires
hypothesis testing and learning. For example, experimenting to determine how mechanisms such as
functional diversity in fish communities can help prevent a regime shift to a degraded coral reef.
Adaptive management confronts system uncertainties by applying policies and practices structured
to iteratively test and evaluate a system’s state and trajectory. Transformative change, the third
category, involves new social and ecological components, rules, regulations, institutions, and
configurations, suggesting strategies of adaptive management and adaptive governance (Gunderson
& Holling, 2002). For example, when Chile moved to a democracy small fishers and scientists worked
together to develop voluntary agreements that, in combination with reforms and new laws, have
begun to chart a more sustainable future for Chilean fisheries.
Resilience assessment
Resilience assessment attempts to better understand change dynamics. The practitioner’s guide to
resilience assessment developed by the Resilience Alliance (RA) provides an iterative approach to
understanding how resilience as a property of social-ecological systems is created, maintained or
eroded over time (Resilience Alliance, 2010). The approach described in the practitioner’s guide was
informed by several decades of theoretical and applied research in ecology, natural resource
management, complex adaptive systems and integrated social-ecological systems. Developed by RA
researchers, the guide is structured around core concepts that include: defining system boundaries
and key issues relevant to stakeholders, identifying potential thresholds and tipping points,
describing adaptive cycles of change, exploring cross-scale interactions, and evaluating attributes of
adaptive governance. As new understanding and knowledge about the system become available
through a set of questions and activities, models are refined, and specific information about the
system is updated. The assessment process can be adapted to a particular context, including the
degree to which it is participatory vs. expert-driven, the use of primary and secondary data, and in
relation to the overall purpose of the assessment. Assessments produced with the guide have been
used to develop regional plans, to identify funding priorities, to probe ‘wicked problems’, to reveal
leverage points, and to influence governance systems.
Comprehensive applications of resilience assessment offer practical examples of how a resilience
perspective differs from traditional approaches to natural resource management and have informed
the RA’s assessment guide (Walker, Abel, Anderies, & Ryan, 2009). Engaging multiple stakeholders in
the process is key, particularly when the aim is to act on assessment outcomes. A recent assessment
framework combining resilience, adaptation, and transformation, further advances the integral role
of stakeholder participation and importantly, the development of tailored and more generic
indicators (O'Connell, Walker, Abel, & Grigg, 2015). Growing interest in resilience metrics
underscores the need for approaches and frameworks that seek to deepen understanding of system
dynamics and focus evaluation on key resilience properties (Quinlan, Berbés-Blázquez, Haider, &
Peterson, 2015).

Resilience management – adaptive management & governance
A common objective of resilience management involves identifying both the risks and opportunities
associated with current management paradigms and governance regimes. Folke, Hahn, Olsson, and
Norberg (2005) stress the need for adaptive governance with a focus on the social aspects of
governance as a means to gain acceptance of adaptive management and to assure the organizational
learning and ability to navigate competing values and interests that are necessary for its
implementation. The authors include in their criteria: social capital including trust, common rules,
leadership, and experience; networks and bridging organizations within a polycentric governance
structure, and a devolution of management rights and power sharing that promotes participation.
The reflexive nature of adaptive governance emphasizes the need to regularly revisit and question
underlying assumptions. Schultz and colleagues also point out that adaptive governance structures
are flexible and thus may be best suited to contexts that leave enough space for innovation and
bottom-up initiatives (Schultz, Folke, Österblom, & Olsson, 2015). The authors further suggest that
continuous and accelerated change will challenge all forms of governance and attempts to manage
social-ecological systems, reinforcing the need for on-going learning and trust-building toward
collaborative stewardship.
Inclusive Resilience: A New Approach to Risk GovernanceOrtwin Renn1
Inclusive Resilience: A New Approach to Risk Governancei
Ortwin Renn1
1 Institute for Advanced Sustainability Studies (IASS), Potsdam
Keywords: Inclusive, Complexity, Uncertainty, Ambiguity, Governance
The concept of resilience has been used in many disciplines for different notions of being able to
respond adequately when the system is under stress. It has been widely applied in ecological
research and denotes the resistance of natural ecosystems to cope with stressors (Holling, 1973;
Walker et al., 2004). Resilience is focused on the ability and capacity of systems to resist shocks and
to have the capability to deal and recover from threatening events (Carpenter et al., 2001; Rose,
2007). This idea of resistance and recovery can also be applied to social systems (Review in Norris et
al., 2007; Adger et al., 2005; Renn & Klinke 2014).
The main emphasis here is on organizational learning and institutional preparedness to cope with
stress and disaster. The US Department of Homeland Security (DHS) uses this definition: “Resilience
is the ability of systems, infrastructures, government, business, and citizenry to resist, absorb, and
recover from or adapt to an adverse occurrence that may cause harm, destruction, or loss [that is] of
national significance” (cited after Longstaff et al., 2010: 19). Hutter (2011) added to this analysis the
ability of systems to respond flexibly and effectively when a system is under high stress from an
unexpected crisis. Pulling from an interdisciplinary body of theoretical and policy-oriented literature,
Longstaff et al. (2010) regard resilience as a function of resource robustness and adaptive capacity.
The governance framework suggested by the International Risk Governance Council (IRGC, 2005)
depicts resilience as a normative goal for risk management systems to deal with highly uncertain
events or processes (surprises). It is seen as a property of risk-absorbing systems to withstand stress
(objective resilience) but also the confidence of risk management actors to be able to master crisis
situations (subjective resilience).
In this paper, I explain the connection between inclusiveness of risk governance based on the
involvement of multiple stakeholders, and the need to enhance resilience, understood here as the
capability of a socio-technical system to cope with events that are uncertain and ambiguous (Klinke &
Renn, 2012). This approach has been inspired by Lorenz (2010), who distinguishes adaptive, coping
and participative aspects of resilience. I will use this classification to discern between three
management styles which correspond to these three aspects of resilience. I have called them: riski
This paper is part of the IRGC Resource Guide on Resilience, available at:
resilience/. Please cite like a book chapter including the following information: IRGC (2016).
Resource Guide on Resilience. Lausanne: EPFL International Risk Governance Center. v29-07-2016

informed (corresponding to adaptive capability); precaution-based (corresponding to coping
capability) and discourse-based (corresponding to participative capability).
Complexity, uncertainty and ambiguity in risk governance
Understanding and managing risks are confronted with three major challenges: complexity,
uncertainty and ambiguity (Renn & Klinke, 2016; Rosa et al., 2014: 130ff). Complexity refers to the
difficulty of identifying and quantifying causal links between a multitude of potential candidates and
specific adverse effects. Uncertainty denotes the inability to provide accurate and precise
quantitative assessments between a causing agent and an effect. Finally, ambiguity denotes either
the variability of (legitimate) interpretations based on identical observations or data assessments or
the variability of normative implications for risk evaluation (judgment on tolerability or acceptability
of a given risk).
In a case where scientific complexity is high and uncertainty and ambiguity are low, the challenge is
to invite experts to deliberate with risk managers to understand complexity. Understanding the risks
of oil platforms may be a good example of this. Although the technology is highly complex and many
interacting devices lead to multiple accident scenarios most possible pathways to a major accident
can be modelled well in advance. The major challenge is to determine the limit to which one is
willing to invest in resilience.
The second route concerns risk problems that are characterized by high uncertainty but low
ambiguity. Expanded knowledge acquisition may help to reduce uncertainty. If, however,
uncertainty cannot be reduced (or only reduced in the long run) by additional knowledge, a
“precaution-based risk management” is required. Precaution-based risk management explores a
variety of options: containment, diversification, monitoring, and substitution. The focal point here is
to find an adequate and fair balance between over cautiousness and insufficient caution. This argues
for a reflective process involving stakeholders to ponder concerns, economic budgeting, and social
For risk problems that are highly ambiguous (regardless of whether they are low or high on
uncertainty and complexity), route 3 recommends a “discourse-based management.” Discourse
management requires a participatory process involving stakeholders, especially the affected public.
The aim of such a process is to produce a collective understanding among all stakeholders and the
affected public about how to interpret the situation and how to design procedures for collectively
justifying binding decisions on acceptability and tolerability that are considered legitimate. In such
situations, the task of risk managers is to create a condition where those who believe that the risk is
worth taking and those who believe otherwise are willing to respect each other’s views and to
construct and create strategies acceptable to the various stakeholders and interests.
In essence: The effectiveness and legitimacy of the risk governance process depend on the capability
of management agencies to resolve complexity, characterize uncertainty and handle ambiguity by
means of communication and deliberation.

Instrumental processing involving governmental actors
Dealing with linear risk issues, which are associated with low scores for complexity, scientific
uncertainty and socio-political ambiguity, requires hardly any changes to conventional public policymaking.
The data and information regarding such linear (routine) risk problems are provided by
statistical analysis; law or statutory requirements determine the general and specific objectives; and
the role of public policy is to ensure that all necessary safety and control measures are implemented
and enforced (Klinke & Renn, 2012). Traditional cost-benefit analyses, including effectiveness and
efficiency criteria, are the instruments of political choice for finding the right balance between underand
over-regulation of risk-related activities and goods. In addition, monitoring the area is important
to help prevent unexpected consequences. For this reason, linear risk issues can well be handled by
departmental and agency staff and enforcement personnel of state-run governance institutions. The
aim is to find the most cost-effective method for the desired regulation level. If necessary,
stakeholders may be included in the deliberations as they have information and know-how that may
help to make the measures more efficient.
Epistemic processing involving experts
Resolving complex risk problems requires dialogue and deliberation among experts. The main goal is
to scan and review existing knowledge about the causal connections between an agent and potential
consequences, to characterize the uncertainty of this relationship and to explore the evidence that
supports these inferences. Involving members of various epistemic communities which demonstrate
expertise and competence is the most promising step for producing more reliable and valid
judgments about the complex nature of a given risk. Epistemic discourse is the instrument for
discussing the conclusiveness and validity of cause-effect chains relying on available probative facts,
uncertain knowledge and experience that can be tested for empirical traceability and consistency.
The objective of such a deliberation is to find the most cogent description and explanation of the
phenomenological complexity in question as well as a clarification of dissenting views (for example,
by addressing the question which environmental and socio-economic impacts are to be expected, in
which areas and in what time frame). The deliberation among experts might generate a profile of the
complexity of the given risk issue on selected inter-subjectively chosen criteria. The deliberation may
also reveal that there is more uncertainty and ambiguity hidden in the case than the initial appraisers
had anticipated (Birkmann, 2011; Bovenkerk, 2012). It is advisable to include natural as well as social
scientists in the epistemic discourse so that potential problems with risk perception and risk frames
can be anticipated. Controversies would then be less of a surprise than is currently the case. Such
epistemic discourse is meant to lead to adaptive management procedures that monitor the state of
knowledge and proficiency in the field and adjust management responses according to the various
levels of knowledge available at each time period (Wiering & Arts, 2006; Klinke & Renn, 2012).
Reflective processing involving stakeholders
Characterizing and evaluating risks as well as developing and selecting appropriate management
options for risk reduction and control in situations of high uncertainty poses particular challenges.
How can risk managers characterize and evaluate the severity of a risk problem when the potential
damage and its probability are unknown or highly uncertain? Scientific input is, therefore, only the

first step in a series of steps constituting a more sophisticated evaluation process. It is crucial to
compile the relevant data and information about the different types of uncertainties to inform the
process of risk characterization. The outcome of the risk characterization process provides the
foundation for a broader deliberative arena, in which not only policymakers and scientists, but also
directly affected stakeholders and public interest groups ought to be involved in order to discuss and
ponder the ‘right’ balances and trade-offs between over- and under-protection (Renn & Schweizer,
2009). This reflective involvement of stakeholders and interest groups pursues the purpose of finding
a consensus on the extra margin of safety that potential victims would be willing to tolerate and
potential beneficiaries of the risk would be willing to invest in to avoid potentially critical and
catastrophic consequences. If too much precaution is applied, innovations may be impeded or even
eliminated; if too little precaution is applied, society may experience the occurrence of undesired
consequences. The crucial question here is how much uncertainty and ignorance the main
stakeholders and public interest groups are willing to accept or tolerate in exchange for some
potential benefit.
This issue has direct implications for resilience. As this concept reflects the confidence of all actors to
deal with even uncertain outcomes, it provides a mental guideline for the negotiations between
beneficiaries and potential victims of risks (IRGC, 2005). Furthermore, it includes a discourse about
coping capacity and compensation schemes if the worst were to happen. The boundary between
subjective and objective resilience is, however, fuzzy under the condition of effect uncertainty
(Brown & Kulig, 1996/97; Norris et al., 2007). In cases of known risks past experience can
demonstrate whether the degree of self-confidence was accurate and justified. Over long time spans
one would expect an emerging congruence between objective and subjective resilience (learning by
trial and error). However, for extremely rare events or highly uncertain outcomes, one necessarily
relies on models of anticipation and expectations that will widely vary among different stakeholder
groups, in particular those who benefit and those who will bear the risks (Berkes, 2007).
Furthermore, there will be lots of debates about the potential distribution of effects over time and
space. The degree of coping capacity that is regarded as sufficient or justified for approving a new
risk agent or a disaster management plan to become enacted depends therefore on a discourse
between the directly affected groups of the population. Such a reflective involvement of
policymakers, scientists, stakeholders and public interest groups can be accomplished through a
spectrum of different procedures such as negotiated rule-making, mediation, round-table or open
forums, advisory committees, and others (see Beierle & Cayford, 2002; Klinke, 2006; Rowe & Frewer,
2000; Stoll-Kleemann & Welp, 2006).
Participative processing involving the wider public
If risk problems are associated with high ambiguity, it is not enough to demonstrate that risk
regulation addresses the public concerns of those directly affected by the impacts of the risk source.
In these cases, the process of evaluation and management needs to be open to public input and new
forms of deliberation. This corresponds with the participative aspect of resilience (Lorenz, 2010).
Such discursive activities should start with revisiting the question of proper framing. Is the issue
really a risk problem or is it an issue of lifestyle or future vision? Often the benefits are contested as
well as the risks. The debate about ‘designer babies’ may illustrate the point that observers may be
concerned not only about the social risks of intervening in the genetic code of humans but also about

the acceptability of the desired goal to improve the performance of individuals (Hudson, 2006). Thus,
the controversy is often much broader than dealing with the direct risks only. The aim here is to find
an overlapping consensus on the dimensions of ambiguity that need to be addressed in comparing
risks and benefits, and balancing pros and cons. High ambiguity would require the most inclusive
strategy for involvement because not only directly affected groups but also those indirectly affected
should have an opportunity to contribute to this debate.
Resolving ambiguities in risk debates necessitates the participatory involvement of the public to
openly discuss competing arguments, beliefs and values. Participatory involvement offers
opportunities to resolve conflicting expectations through a process of identifying overarching
common values, and to define options that will allow a desirable lifestyle without compromising the
vision of others. Critical to success here is the establishment of equitable and just distribution rules
when it comes to common resources and a common understanding of the scope, size and range of
the problem, as well as the options for dealing with the problem (Renn & Schweizer, 2009). Unless
there is some agreement on the boundaries of what is included, there is hardly any chance for a
common solution. Such a common agreement will touch upon the coping capacity of systems to deal
with different frames of risks and not only with the physical impacts of risks. There are various social
constructions of resilience that the participants associate with the management options. The set of
possible procedures for involving the public includes citizen panels or juries, citizen forums,
consensus conferences, public advisory committees and similar approaches (see Rowe & Frewer,
2000; Beierle & Cayford, 2002; Hagendijk & Irwin, 2006; Klinke, 2006; Abels, 2007; Renn, 2008:
The goal of this paper has been to illustrate the significance of resilience for risk governance,
including all stages from pre-assessment to management and communication. For this purpose, the
resilience concept by Lorenz was applied to link risk governance strategies with the three major
aspects of resilience: adaptive management capacity, coping capacity, and participative capacity. The
three risk characteristics –complexity, uncertainty and ambiguity– were linked to these three aspects
of resilience. Furthermore, the three aspects were used to develop four major risk management and
discourse strategies; beginning with simple risk management in which none of these characteristics
and capacity requirements were involved, to discourse-based management in which all three
characteristics and capacity requirements were combined.
Whereas the analysis of simple and –to some degree– complex problems is better served by relying
on the physical understanding of experienced resilience, uncertain and ambiguous problems demand
the integration of social constructions and mental models of resilience, operationalized as confidence
in one’s coping capacity, for both understanding and managing these problems. The distinction of
risks according to risk characteristics not only highlights deficits in our knowledge concerning a risk
issue, but also points the way forward for the selection of the appropriate management options.
Thus, the risk governance framework attributes an important function to public and stakeholder
participation, as well as risk communication, in the risk governance process. The framework suggests
efficient and adequate public or stakeholder participation procedures. The concerns of stakeholders
and/or the public are integrated into the risk appraisal phase via concern assessment. Furthermore,
stakeholder and public participation are an established part of risk management. The optimum

participation method depends on the characteristics of the risk issue. In this respect, the three
aspects of resilience are gradually included into the various discourses. The need for finding an
agreement on what constitutes an adaptive, coping and participative response to ensuring resilience
underlines the necessity to understand and comprehend the objective and subjective nature of
Creating Value Through ResiliencePaul E. Roege1
Creating Value Through Resiliencei
Paul E. Roege, P.E.1
1Creative Erg, LLC
Keywords: Community, Resilience, Learning, Adaptation, Value, Social capital
Promoting relevance
State and federal protection programs in the United States (US) focus on critical infrastructure and
centrally-managed response/restoration of essential services. Resilience is an alternative risk
management protocol that better addresses uncertainty, but requires redirection of metrics and
management processes toward constant learning and adaptation, and a reversal in posture from loss
minimization to value creation in the face of change. Useful concepts and techniques are available,
especially from the military and social resilience communities of practice.
Presidential Policy Directive 21 (PPD-21), (2013) defines resilience as “the ability to prepare for and
adapt to changing conditions and withstand and recover rapidly from disruptions. Resilience includes
the ability to withstand and recover from deliberate attacks, accidents, or naturally occurring threats
or incidents”. Recent military guidance addresses “energy resilience” (Office of the Assistant
Secretary of Defense for Energy, Installations, and Environment) and “personal resilience” (Army
Resiliency Directorate), calling respectively for sustained energy services and Soldier readiness.
Except for incidental mention of “changing conditions” in PPD-21, the consistent emphasis is on
significant, often stipulated events (e.g., hostile attack or flood). Conversely, researchers have
presented resilience as a means to assure community welfare in the face of generic change and
uncertainty. Holling (1996) distinguishes “ecological resilience” and “engineering resilience.” The
former asserts holistic survival and sustainment through (for example) learning, healing,
reproduction and evolution; the latter applying analogous principles to synthetic systems toward
narrower goals of continued functionality and “graceful degradation.”
Although not naming resilience per se, Brafman (2008) describes organizations that thrive by learning
and adapting on an ongoing basis, typically embracing decentralization and simple guidelines rather
than extensive structure. Taleb (2014) observes that change is inevitable and frequent, and insists
that the goal must be greater than simply surviving or mitigating losses. “Antifragility” directly
contradicts structured and dependent systems and calls for portfolio solutions to hedge losses while
maximizing gains; resulting in aggregated net benefit.
i This paper is part of the IRGC Resource Guide on Resilience, available at:
resilience/. Please cite like a book chapter including the following information: IRGC (2016).
Resource Guide on Resilience. Lausanne: EPFL International Risk Governance Center. v29-07-2016

Crowdsourcing and the potential for ‘everyday’ impact
National Planning Frameworks (Department of Homeland Security, 2014) describe a structured,
government-led approach for prevention, protection, mitigation and response to disasters,
essentially ignoring ‘normal’ change. Recent federal government shutdowns due to severe weather
threats in Washington, DC (, 2016), illustrate the problem of binary thinking.
Fortunately, publicity about such impacts has encouraged adoption of resilience-promoting practices
such as telecommuting (Hughes, 2014); a “bottoms-up” capability that also provides value in nonemergencies.
Latency in adoption highlights the impact of cultural issues – in this case, trust and
comfort level with virtual interaction (Brown, Smith, Arduengo, & Taylor, 2016), not lack of
institutional direction. To supplant “all-or-nothing” attitudes and promote proactive learning,
Thomas and Kerner (2010) advocate adaptive management, emphasizing active sensing, crossdomain
management, and change incentivisation.
In constrast to presumed government primacy in resilience-building, recent events such as Hurricane
Sandy and the 2010 Haiti earthquake expose the importance of private citizen initiative before,
during, and in the wake of emergencies. An Associated Press poll (2013) indicated that two-thirds of
Hurricane Sandy victims in New Jersey drew needed assistance from neighbors and first responders,
not government or insurance providers. When a few Tufts University students heard about the dire
post-earthquake situation in Haiti, they organized an ad-hoc system of SMS (texting) and
georeferenced databases, and recruited a global network of volunteer translators to collect, process
and deliver status information to institutional responders (Morrow, Mock, Papendieck, & Kocmich,
2011). Substantial literature reports the power of virtual communities and social media as enablers
for resilience (Meier, 2012).
Capabilities as a foundation for resilience
Driven by diverse missions and uncertain environment, US military services define their operational
requirements around defined force capabilities rather than specific system designs or operational
procedures (Charman of the Joint Chiefs of Staff Instruction, 2015). Following this example, the
National Preparedness Goal (Department of Homeland Security, 2015) prescribes 32 core
capabilities, grouped under five mission areas: prevention, protection, mitigation, response, and
recovery. Each capability includes an action-based description which, although directed toward
disruptive events, could also contribute value more generally.
Military analytical processes could be useful in advancing resilience capabilities. To illustrate, the
Army’s “functional concept” for Mission Command (US Army Training and Doctrine Command)
outlines concepts and capabilities that underlie Army doctrine, organization, training, materiel,
leadership, personnel, facilities, and policies (DOTMLPF-P) associated with the Mission Command
“warfighting function.” Subordinate “warfighting challenges,” such as “provide security force
assistance,” resemble preparedness capabilities (above). Required military capabilities, such as
“globally networked teams” are more fundamental and inspire more powerful solutions across the
range of DOTMLPF-P than do the specific task-based challenges they address. Roege, Hope and
Delaney (2014) suggest an adaptation of the military capability development process to community

Both FEMA and military constructs require insight elicitation from experts and stakeholders,
translation into logical models, and decision processes. Mental models represent individual and
collective beliefs, perceptions and attitudes which in turn drive behaviors, and provide useful bases
for education, policy development and decision analysis (Morgan, Fischhoff, Bostrom, & Atman,
2002). Interviews, workshops, scenario-based exercises or more specifically structured processes as
described by Grenier and Dudzinska-Przesmitzki (2015) may be used to expose and support synthesis
of model taxonomies and criteria. Multi-Criteria Decision Analysis offers useful techniques to
reconcile inevitably diverse and potentially divergent values and goals; it has been applied to
similarly complex environmental decision-making (Linkov & Moberg, 2011).
Criteria supporting an abundance paradigm
The National Academies (Disaster Resilience: a national imperative, 2012) compiled an extensive list
of generalized resilience measurement models and criteria from various works. Norris, Stevens,
Pfefferbaum, Wyche, and Pfefferbaum (2008) is cited for its broadly relevant measures based upon
four key resources and their interactions: economic resources, social capital, information and
communication, and community competence. The Rockefeller Foundation’s Resilience Framework
(2014) emphasizes individual and social components through such qualities as “reflective,”
“resourceful,” and “inclusive.” Collectively, these top-level measures composite diverse component
metrics that importantly address the full range of situations, community (not just government)
capabilities and capacity, and a value perspective that allows for a net gain.
Measuring Economic Resilience to Disasters: An OverviewAdam Rose1
Measuring Economic Resilience to Disasters: An Overviewi
Adam Rose1
¹University of Southern California
Keywords: Economic theory, Static and dynamic resilience, Inherent and adaptive resilience,
Operational metrics
Researchers and decision-makers in the disaster field are evenly split on the definition of resilience.
One group utilizes the concept to refer to any action taken to reduce disaster losses. This group, with
a large representation by engineers, focuses primarily on mitigation with an eye to reducing the
frequency and magnitude of disasters and strengthening property to prevent damage (see, e.g.,
Bruneau et al., 2003). The broader definition has also been adopted and applied more evenly by
major panels assessing resilience research and practice, such as the National Research Council, which
defines resilience as: “The ability to prepare and plan for, absorb, recover from, or more successfully
adapt to actual or potential adverse events” (NRC, 2012; p. 16).
Another group, with a large representation by social scientists, focuses primarily on actions
implemented after the disaster strikes (Tierney, 2007; Rose, 2007; Cutter, 2016). This group takes the
meaning of resilience more literally, referring to its Greek language root, whose definition is “to
rebound.” They also acknowledge that resilience is a process, whereby steps can be taken before the
disaster to build resilience capacity, but resilient actions do not take place until afterward. Examples
would include emergency drills, purchase of back-up electricity generators, and lining up alternative
suppliers of critical inputs. Here the focus is not on property damage, which has already taken place,
but rather the reduction in the loss of the flow of goods and services emanating from property, or
capital stock. The former is often measured in terms of gross domestic product (GDP) and
employment, and is typically referred to as business interruption, or BI (Tierney, 1997). BI just begins
at the point when the disaster strikes, but continues until the system has recovered or reached a
“new normal”, which is typically coming to be considered a sustainable level of activity. Measuring BI
is thus much more complicated, because it involves matters of the duration and time-path of
recovery, both of which are strongly affected by the behavioral responses of public and private
decision-makers (Rose, 2004).
This chapter focuses on the measurement of economic resilience. Economic resilience is more
focused than community resilience (e.g., Norris et al., 2008), but on par with resilience in other
disciplines (e.g., organizational behavior, planning, engineering, ecology), with which it shares more
i This paper is part of the IRGC Resource Guide on Resilience, available at:
resilience/. Please cite like a book chapter including the following information: IRGC (2016).
Resource Guide on Resilience. Lausanne: EPFL International Risk Governance Center. v29-07-2016

commonalities than differences (Rose, 2007). It is closely related to the literature on business
continuity (Sheffi, 2005; Herbane, 2010), as both foci on the continued functioning of individual firms
and their recovery from disaster. The latter has a strong focus on cyber/information technology
considerations, and on that score is far ahead of the literature on economic resilience, with a few
exceptions (see, e.g., Rose, 2015).
Defining Economic Resilience
There are many definitions of resilience, but Rose (2007) and others have found more commonalities
than differences. We offer the following general definitions of resilience, which capture the essence
of the concept, and then follow them up with definitions that capture the essence of economic
considerations. Following Rose (2004, 2007), and paralleling two seminal approaches to resilience in
the literature on ecology, we distinguish two major categories of resilience:
In general, Static Resilience refers to the ability of the system to maintain a high level of functioning
when shocked (Holling, 1973). Static Economic Resilience is the efficient use of remaining resources
at a given point in time. It refers to the core economic concept of coping with resource scarcity,
which is exacerbated under disaster conditions.
In general, Dynamic Resilience refers to the ability and speed of the system to recover (Pimm, 1984).
Dynamic Economic Resilience is the efficient use of resources over time for investment in repair and
reconstruction. Investment is a time-related phenomenon—the act of setting aside resources that
could potentially be used for current consumption in order to re-establish productivity in the future.
Static Economic Resilience does not completely restore damaged capacity and is therefore not likely
to lead to complete recovery.
Note that economic resilience can take place at three levels of analysis:
• Microeconomic (operation of individual businesses, households, government agencies, e.g.,
conservation of or substitution for critical inputs, use of inventories or excess capacity,
relocation, production rescheduling)
• Mesoeconomic (operation of industries and markets, e.g., the resource allocating mechanism
of the price system)
• Macroeconomic (operation of the economy, e.g., supply-chain adjustments, importation of
critical inputs, fiscal and monetary policy)
A key asset in analyzing economic resilience is that it can be done in the context of well-established
theory relating to the behavior of producers/consumers/government agencies, markets, and entire
economies. Formal derivations of resilience relationships have demonstrated their usefulness (see,
e.g., Rose and Liao, 2005).
Another important delineation in economic resilience, and resilience in general, is the distinction
between inherent and adaptive resilience (Tierney, 2007; Cutter, 2016). Inherent resilience refers to
resilience capacity already built into the system, such as the ability to utilize more than one fuel in an
electricity generating unit, the workings of the market system in offering price signals to identify
scarcity and value, and established government policy levers. Adaptive resilience is exemplified by
undertaking conservation that was not previously thought possible, changing technology, devising

market mechanisms where they might not previously exist (e.g., reliability premiums for electricity or
water delivery), or devising new government post-disaster assistance programs. It is important to
realize that a good amount of resilience is already embodied in the economy at various levels, and
that policies should be designed to capitalize rather than obstruct or duplicate this capacity. At the
same time, policy should also be geared to rewarding both types of resilience.
An Operational Metric and Initial Measurement
The next step is to translate these definitions into something we can measure. For static resilience,
this can be done in terms of the amount of BI prevented by the implementation of a given resilience
tactic or set of tactics comprising a resilience strategy. For dynamic resilience, the metric would be
the reduction in recovery time in addition to the reduction in BI, though obviously the former
influences the latter. In both cases one needs a reference point or baseline to perform the
measurement. For static resilience this would be the maximum potential BI loss in the absence of the
resilience tactic, while for dynamic resilience it would be the duration and time-path of economic
activity in the absence of resilience in relation to investment in repair and reconstruction.
Several studies have measured resilience using this and related metrics. Rose et al. (2009) found that
potential BI losses were reduced by 72% by the rapid relocation of businesses following the
September 11, 2001 terrorist attacks on the World Trade Center. Rose and Wei (2013) found that a
reduction in potential BI from a nine-month closure of a major US seaport could be as high as 66%
from the implementation of several types of resilience, most notably ship rerouting, use of
inventories, and production rescheduling. Xie et al. (2016) estimated that BI losses could have been
reduced by 30% and recovery time by one year with an increase in investment funds and
acceleration of their timing in the aftermath of the Wenchuan earthquake in China.
Other studies have found the extensive potential of economic resilience. Kajitani and Tatano (2009)
found extensive resilience possibilities among Japanese manufacturing firms in response to utility
lifelines disruptions caused by disasters. Other specialized studies have developed methodologies for
examining the potential of specific resilience strategies, such as the use of inventories (Barker and
Santos, 2008). Moreover, resilience capabilities have been built into major hazard loss estimation
models and software such as the HAZUS Direct Economic Loss Module and Indirect Economic Loss
Module (2016) and the Economic Consequence Analysis Tool (E-CAT) (Rose et al., 2016).
Future Research in Resilience Measurement
In addition, measures of resilience effectiveness can serve as weights in compiling a resilience index,
used as part of formal decision-making tools (Larkin et al., 2105). Today, practically every such index,
economic or otherwise, has assumed equal weight across individual indicator components. Another
advantage of the approach discussed above is that resilience is aligned with actionable variables,
which are most applicable to economic recovery (Rose and Krausmann, 2013). Many resilience
indices still conceive of resilience as the flip side of vulnerability, and are heavily dominated by
background variables (e.g., unemployment rates, literacy rates, percent minorities) that cannot be
changed in the short run.

For risk management purposes, it is important to know not only the effectiveness of resilience tactics
but also their costs. Work is only beginning in this area, but we have some general indications of the
values of this metric. For example, conservation typically means producing a given amount with
fewer inputs, and thus can be cost-saving. Substitution of critical inputs can often be accomplished at
a minimal cost, as can importing these goods from other countries or regions. The cost of inventories
is not the value of the goods and services, but simply their carrying cost. At higher levels of analysis,
the workings of the price system offers costless signals as to the value of factors of production that
can assist resource reallocation decisions. At the same time, resilience tactics have the advantage
over mitigation, because they need only be applied if the disaster has actually struck, while
mitigation requires advance expenditures for a disaster that may never materialize. On the other
hand, most mitigation tactics, once put in place, can protect against many types of disasters over a
number of years, while most resilience tactics are a one-shot expenditure and benefit.
The combination of effectiveness and cost measures can be transformed into cost-effectiveness
metrics that can be used to identify the greatest return on investment expenditures. If effectiveness
can be translated into dollar terms, rather than just percentage reductions, one can then obtain an
estimate of benefits for a more comprehensive benefit-cost analysis to allocate resources across a
range resilience tactics and threats (Rose, 2016).
Research is currently under way to measure both static and dynamic economic resilience through
surveys of businesses. This research emanates from the economic theory foundations mentioned
above and the crafting and administering of surveys in the aftermath of SuperStorm Sandy, which
affected the New York City Metropolitan region in 2011.2
2 This research is being carried out by the author, Noah Dormady, Kathleen Tierney, Liesel Ritchie and
Charles Huyck, and is being sponsored by the US National Science Foundation and by the US
Department of Homeland Security Critical Infrastructure Resilience Institute (CIRI). The author wishes
to thank these organizations for their funding support of this article.
Engineeering Resilience in Critical InfrastructuresProf. Dr. Giovanni Sansavini1
Engineering Resilience in Critical Infrastructuresi
Prof. Dr. Giovanni Sansavini1
1Reliability & Risk Engineering Laboratory, Institute of Energy Technology, Dep. of Mechanical and
Process Eng., ETH Zurich
Keywords: Critical infrastructures, Cascading failures, Self-healing, Adaptation, Recovery,
Restoration, Robust optimization
Defining Resilience
Resilience has emerged in the last decade as a concept for better understanding the performance of
infrastructures, especially their behaviour during and after the occurrence of disturbances, e.g.
natural hazards or technical failures. Recently, resilience has grown as a proactive approach to
enhance the ability of infrastructures to prevent damage before disturbance events, mitigate losses
during the events and improve the recovery capability after the events, beyond the concept of pure
prevention and hardening (Woods, Four concepts for resilience and the implications for the future of
resilience engineering, 2015).
The concept of resilience is still evolving and has been developing in various fields (Hosseini, Barker,
& Ramirez-Marquez, 2016). The first definition described resilience as “a measure of the persistence
of systems and of their ability to absorb change and disturbance and still maintain the same
relationships between populations or state variables” (Holling, 1973). Several domain-specific
resilience definitions have been proposed (Ouyang, Dueñas-Osorio, & Min, A three-stage resilience
analysis framework for urban infrastructure systems, 2012) (Adger, 2000) (Pant, Barker, & Zobel,
2014) (Francis & Bekera, 2014). Further developments of this concept should include endogenous
and exogenous events and recovery efforts. To include these factors, resilience is broadly defined as
“the ability of a system to resist the effects of disruptive forces and to reduce performance
deviations” (Nan, Sansavini, & Kröger, 2016).
Assessing and engineering systems resilience is emerging as a fundamental concern in risk research
(Woods & Hollnagel, Resilience Engineering: Concepts and Precepts, 2006) (Haimes, 2009)
(McCarthy, et al., 2007) (McDaniels, Chang, Cole, Mikawoz, & Longstaff, 2008). Resilience adds a
dynamical and proactive perspective into risk governance by focusing (i) on the evolution of system
performance during undesired system conditions, and (ii) on surprises (“known unknowns” or
“unknown unknowns”), i.e. disruptive events and operating regimes which were not considered likely
design conditions. Resilience encompasses the concept of vulnerability (Johansson & Hassel, 2010)
(Kröger & Zio, 2011) as a strategy to strengthen the system response and foster graceful degradation
i This paper is part of the IRGC Resource Guide on Resilience, available at:
resilience/. Please cite like a book chapter including the following information: IRGC (2016).
Resource Guide on Resilience. Lausanne: EPFL International Risk Governance Center. v29-07-2016

against a wide spectrum of known and unknown hazards. Moreover, it expands vulnerability in the
direction of system reaction/adaptation and capability of recovering an adequate level of
performance following the performance transient.
Need for Resilience in Critical Interdependent Infrastructures
Resilience calls for developing a strategy rather than performing an assessment. If on the one hand it
is important to quantify and measure resilience in the context of risk management, it is even more
important that the quantification effort enables the engineering of resilience into critical
infrastructures. Especially for emerging, not-well-understood hazards and “surprises” (Paté-Cornell,
2012), resilience integrates very smoothly into risk management, and expediently focuses the
perspective on the ex-ante system design process. Following this perspective, risk thinking becomes
increasingly embedded into the system design process.
The application of resilience-building strategies look particularly promising for critical interdependent
infrastructures, also called systems-of-systems, because of its dynamical perspective in which the
system responds to the shock event, adapting and self-healing, and eventually recovers to a suitable
level of performance. Such perspective well suits the characteristics of these complex systems, i.e. i)
the coexistence of multiple time scales, from infrastructure evolution to real-time contingencies; ii)
multiple levels of interdependencies and lack of fixed boundaries, i.e. they are made of multiple
layers (management, information & control, energy, physical infrastructure); iii) broad spectrum of
hazards and threats; iv) different types of physical flows, i.e. mass, information, power, vehicles; v)
presence of organizational and human factors, which play a major role in severe accidents,
highlighting the importance of assessing the performance of the social system together with the
technical systems.
As a key system of interdependent infrastructures, the energy infrastructure is well suited to
resilience engineering. In the context of security of supply and security of the operations, resilience
encompasses the concept of flexibility in energy systems. Flexibility providers, i.e. hydro and gas-fired
plants, cross-border exchanges, storage technologies, demand management, decentralized
generation, ensure enough coping capacity, redundancy and diversity during supply shortages,
uncertain fluctuating operating conditions and unforeseen contingencies (Roege, Collier, Mancillas,
McDonagh, & Linkov, 2014) (Skea, et al., 2011).
Building Resilience in Critical Infrastructures
In the context of critical infrastructures, resilience can be developed by focusing on the different
phases of the transient performance following a disturbance (also called resilience curve), and
devising strategies and improvements which strengthen the system response.
Focusing mainly on the technical aspects, these strategies can be summarized as:
- Planning ahead during the design phase: robust or stochastic optimization against
uncertain future scenarios, i.e. attacks or uncertain future demand in the energy
infrastructure, can be used in the system planning or expansion process; uncertain
scenarios provide the basis to design resilient systems.

- Self-healing, adaptation and control, i.e. graceful degradation: the system cannot be
design with respect to every uncertain scenario, therefore a resilient design should
consider how to prevent the disturbance from spreading across the whole system,
creating systemic contagion and system-wide collapse. In this respect, cascading failures
analysis, and engineering network systems to be robust against outbreak of outages and
propagations of cascading failures across their elements are key strategies. Control
engineering can provide strategies to create robust feedback loops capable of enabling
infrastructures to absorb shocks and avoid instabilities. Designing structures and
topologies which prevent failure propagation, and devising flexible topologies by
switching elements which allow graceful degradation of system performances after
disruptions are also valuable resilience-enhancing techniques.
- Recovering quickly from the minimum performance level: robust or stochastic
optimization of the recovery and restoration process in the face of uncertainties in the
repair process or in the disruption scenarios.
- Effective system restoration: through the combination of restoration strategies, e.g.
repairing the failed elements and building new elements, the infrastructure can achieve a
higher performance with respect to the pre-disruption conditions.
- Exploiting interdependencies among infrastructures: interdependencies and couplings in
systems operations can foster the propagations of failure across coupled system; on the
other hands, interdependencies might also provide additional flexibility in disrupted
conditions and additional resources that can facilitate achieving stable conditions of the
coupled system.
Quantifying Resilience
Resilience is defined and measured based on system performance. The selection of the appropriate
MOP depends on the specific service provided by the system under analysis.
The resilience definition can be further interpreted as the ability of the system to withstand a change
or a disruptive event by reducing the initial negative impacts (absorptive capability), by adapting
itself to them (adaptive capability) and by recovering from them (restorative capability). Enhancing
any of these features will enhance system resilience. It is important to understand and quantify these
capabilities that contribute to the characterization of system resilience (Fiksel, 2003). Absorptive
capability refers to an endogenous ability of the system to reduce the negative impacts caused by
disruptive events and minimize consequences. In order to quantify this capability, robustness can be
used, which is defined as the strength of the system to resist disruption. This capability can be
enhanced by improving system redundancy, which provides an alternative way for the system to
operate. Adaptive capability refers to an endogenous ability of the system to adapt to disruptive
events through self-organization in order to minimize consequences. Emergency systems can be used
to enhance adaptive capability. Restorative capability refers to an ability of the system to be
repaired. The effects of adaptive and restorative capacities overlap and therefore, their combined
effects on the system performance are quantified by rapidity and performance loss.

Figure 1: The “resilience curve”, i.e. the performance transient after disturbance, and its phases.
Resilience can be quantified through computational experiments in which disruptions are triggered,
the system performance is analyzed (Figure 1), and integrated resilience metrics are computed (Nan,
Sansavini, & Kröger, 2016). By repeating this process, different system design solutions can be ranked
with respect to resilience. By the same token, resilience against various disruptions can be assessed,
and resilience-improving strategies compared.
During the last decade, researchers have proposed different methods for quantifying resilience. In
2003, the first conceptual framework was proposed to measure the seismic resilience of a
community (Bruneau, et al., 2003), by introducing the concept of Resilience Loss, later also referred
to as “resilience triangle”.
In recent years, the importance of improving the resilience of interdependent critical infrastructures
has been recognised, and research works have developed. Historically, knowledge-based approaches
have been applied to improve the understanding of infrastructures resilience (McDaniels, Chang,
Cole, Mikawoz, & Longstaff, 2008). Lately, model-based approaches have been developed to
overcome the limitations of data-driven approaches, such as System Dynamics (Bueno, 2012),
Complex Network Theory (Gao, Barzel, & Barabási, 2016), and hybrid approaches (Nan, Sansavini, &
Kröger, 2016).
Approaches to quantify system resilience should be able to
- Capture the complex behaviour of interdependent infrastructures
- Cover all phases of the transient performance following the disruption, and to include all
resilience capabilities
- Clarify the overlap with other concepts such as robustness, vulnerability and fragility.
Resilience quantification of interdependent infrastructures is still at an early stage. Currently, a
comprehensive method aiming at improving our understanding of the system resilience and at
analysing the resilience by performing in-depth experiments is still missing.
Towards a Cross-disciplinary Understanding and Operationalisation of Resilience for Environmental DevelopmentJochen Schanze1
Towards a Cross-disciplinary Understanding and Operationalisation of
Resilience for Environmental Developmenti
Jochen Schanze1
1Technische Universität Dresden and Leibniz Institute of Ecological Urban and Regional Development
Keywords: Resilience, Cross-disciplinary, Environmental development, Risk management
Challenges of using resilience for environmental development
Increase of human pressure on the natural environment with resulting environmental change on the
one hand and increase of human exposure and vulnerability triggered by societal change on the
other hand lead to rising impacts and risks worldwide (e.g. IPCC, 2014; CRED, 2016). Thus, humanenvironment
interrelations are getting more complex with accelerating dynamics and uncertainties
and declining predictability. Limitations of analysing and controlling those interrelations max out “socalled
precautionary principles” as far as they are based on detailed cause-effect calculations (cf. De
Bruijne et al., 2010). Thereby, the meaning of the receptors of environmental threats such as for
instance people or properties exposed to weather extremes is growing. Particularly, characteristics
and performance of elements or systems at risk with their management and governance come to the
Resilience can be seen as one key concept referring to the performance of subjects, objects and
systems under changing boundary conditions as their “environment” in a broader sense. It has
already a history in a few science disciplines, mainly in physics, psychology and ecology, and today is
gaining interest in numerous fields from their specific views. Environmental development as one
comprehensive great challenge of the presence involves some of these fields and hence needs to
tackle with a variety of resilience concepts. Moreover, it uses resilience in relation to other concepts
such as resistance, adaptability and transformability, which requires differentiation.
Cross-disciplinary conceptualisation of resilience
To conceptualise resilience, the element or system under consideration (and its external stress) has
to be determined. For environmental development elements and systems may be structured as
follows to represent their scope and characteristics:
i This paper is part of the IRGC Resource Guide on Resilience, available at:
resilience/. Please cite like a book chapter including the following information: IRGC (2016).
Resource Guide on Resilience. Lausanne: EPFL International Risk Governance Center. v29-07-2016

• Element
. Subject (e.g. human being)
. Organism (e.g. plant)
. Object (e.g. brick)
• (Sub-)System
. Social system (e.g. organisation)
. Ecological system (e.g. lake ecosystem)
. Technical system (e.g. building)
• Systems’ complex
. Social systems’ complex (e.g. municipality)
. Ecological systems’ complex (e.g. stream network)
. Technical systems’ complex (e.g. infrastructure network)
. Human-environment systems’ complex (e.g. landscape)
Governing these elements and (sub-)systems may also be considered from a resilience perspective,
although it regards more to a process (management) embedded in a regime (governance):
• Management and governance
. Management of actors with their strategy
. Governance with institutional setting and stakeholders with their networks
Each (sub-)category involves particular disciplines with their resilience concepts. However,
interdependencies between these (sub-)categories in the context of environmental development ask
for the conceptualisation of resilience in a way that allows for a common basic meaning and – as far
as possible – linking to disciplinary specifications. Therefore, the following core definition of
resilience is proposed for environmental development based on a systematic literature review: ability
of an element or (sub-)system (as well as management strategy and governance regime) to regain
characteristic features (maybe undergoing reorganisation; cf. Walker et al., 2006) and to continue
development after disturbance (sudden) or change (creeping) of boundary conditions (cf. e.g. Nelson
et al., 2007). In other words, resilience can be comprehended as elasticity in accomplishing impacts
from (a maximum) external stress with a certain degree of recovery and required time, resources and
patterns. The proposed core definition is neither restricted to one of the (sub-)categories nor bound
to a discipline and serves as a boundary object for disciplinary specification (cf. Hutter, 2013). It is
also focused enough to minimise overlap with related concepts (see below).
Resilience in the proposed understanding is descriptive. Evaluation additionally needs goals and
targets. In the context of risk as the interference of hazard (or climatic stress) and vulnerability
depending on exposure (cf. UNISDR, 2009), it can be seen as one aspect of vulnerability.
Vulnerability, in this case, is determined by value or function, susceptibility and coping capacity
(Blanco-Vogt & Schanze, 2014). Coping capacity may be considered as the ability to regain the initial
state after external stress and hence largely fits the proposed conceptualisation of resilience.
The above definition also enables differentiation from concepts such as resistance, adaptability and
transformability. Resistance may be understood as the strength of an element or (sub-)system to
withstand external stress and suits the aforementioned meaning of susceptibility. In contrast,
adaptability in a narrow sense can be recognised as the ability of a (sub-)system to (autonomously or
consciously) alter its characteristic features (efficiently and fast) to changing circumstances in a sense

of (co-)evolution (e.g. Smit & Wandel, 2006). Transformability just as describes the capacity to create
a fundamentally new system when boundary conditions make the existing element or (sub-)system
untenable (Walker et al., 2006).
Risk management and risk governance in the context of environmental development allow for two
additional perspectives on resilience: first, governing the resilience of elements and (sub-)systems at
risk, second, the resilience of a management strategy or governance regime (e.g. De Bruijne et al.,
2010). In the latter case, resilience may be about the ability to deal with unexpected disturbance or
change in addition to the anticipation of the future in the management strategy or the capacity of
the governance regime (e.g. Wildavsky, 1991).
Measures and instruments for fostering resilience
Influencing and especially fostering resilience according to the proposed core definition can make
use of a wide spectrum of measures and instruments. The measure here is understood as
intervention causing effects directly and instrument as intervention triggering mechanisms that lead
to effects indirectly. In principle, respective activities in the context of resilience aim at optimising
the elasticity of the element and system at risk. They differ from activities dedicated to strengthening
or altering the element or system to reduce susceptibility (resistance) or exposure and vulnerability
(adaptability, transformability). Added value of resilience is the focus on recovery (and its dynamics).
It complements linear strategies of anticipating and strengthening against external stress.
Operationalisation of resilience – Examples proving the cross-disciplinary relevance of
the proposed core concept
Empirical description of resilience bears on a wide range of disciplinary methods likewise to the
variety of conceptualisations. The demand for using resilience with a common core concept in
environmental development similarly requests for linking or adapting disciplinary methods to this
common understanding. As follows, two examples from completely different (sub-)categories of
elements and systems at risk are briefly explained. To highlight interdependency, both examples
refer to flood disaster risks.
Although already known in civil engineering, the meaning of the resilience concept for flood risk
reduction is still in its infancy. It is used in the context of (wet-)proofing of constructions such as
buildings. In this case, resilience describes the ability of construction to dry or to be dried after it has
been inundated and wetted. Operationalisation is based on refurbishment needs for recovering from
flood impacts and little remaining damage is considered as an indication of maximum resilience.
Therefore, the performance of so-called flood resilience technologies is investigated in water
laboratories. Findings are included in water depth-damage functions and simulated in damage
models (cf. Golz et al., 2015). Resilience from this view may be distinguished from the resistance of a
building, which means the strength to withstand flooding without any impact and recovery.
For risk management strategies resilience has no conventional meaning. A recent study on interorganisational
flood risk management strategies provides a set of resilience aspects with further
elaborated indicators (Atanga, 2016). Hereby, resilience is understood as capacity (ability) of key
stakeholders to respond to the unexpected course of flood disasters in addition to the expected
features of flood risk (ibid.). Operationalisation bears on the following resilience aspects:

omnivorousness, homoeostasis, buffer capacity, response process and structure, response resources
and response rate. These resilience aspects according to Wildavsky (1991) are complemented by
anticipation aspects, which may be considered as a means of resistance in the aforementioned
The two examples show that there is the possibility of using the proposed core concept of resilience
and specifying and operationalising it in a disciplinary context. Basic consistency may contribute to
tackling with interdependencies across (sub-)categories and disciplines. Moreover, the examples
support the intention of differentiating resilience from related concepts.
A Multidimensional Review of Resilience: Resources, Process, and OutcomesMarcus L. Snell, Daniel A. Eisenberg, Thomas P. Seager, Susan Spierre Clark, Young Joon Oh, John E. Thomas, Lauren R. McBurnett1
A Multidimensional Review of Resilience: Resources, Processes, and
Marcus L. Snell1, Daniel A. Eisenberg1, Thomas P. Seager1, Susan Spierre Clark1, Young Joon Oh2, John
E. Thomas1, and Lauren R. McBurnett1
1School of Sustainable Engineering and the Built Environment, Arizona State University, Tempe, AZ,
2Center for Behavior, Institutions and the Environment, Arizona State University, Tempe, AZ, USA
Keywords: Resilience, Resilience metrics, Resilience process
While advocates for resilient infrastructure systems typically emphasize improving risk analysis and
management (PPD-21, 2013; NRC, 2012; Hubbard, 2009), the necessity that risk places upon
knowledge of the hazard means it is unequipped to deal with the emergent behavior of surprise
(Anderson, 1999; Rinaldi, 2001; Mitleton-Kelly, 2003; Bekebrede, 2010; Hollnagel et al., 2011; Seager
et al., 2011; Clark et al., 2016). Recent policy shifts have emphasized the development of resilience
analysis as a complement to risk to prepare infrastructure systems for unforeseen, cascading, and
complex failures that can cause catastrophic losses (Park et al., 2013; Clark & Seager, 2015).
Nonetheless, there is disagreement among experts on what resilience means and how to measure
resilience in engineered infrastructure systems. This paper reviews a sampling of resilience literature
from a variety of disciplines and identifies at least three dimensions of resilience: resources,
processes, and outcome priorities (Seager et al., 2008; Adger, 2009; Mathias et al., 2016; Christensen,
The first dimension measures resilience in system resources as material buffers, system
redundancies, or internal capabilities (Linkov et al., 2013a; Linkov et al., 2013b; Eisenberg et al.,
2014). For example, within an energy distribution system some resilient resources can be the
inventory of emergency fuel or water stockpiles, number of backup generators, redundant power
lines, workers, key replacement equipment, energy feedstock, or material composition available
(Willis & Loa, 2015). Measuring resilience as a system or component property within an
infrastructure system is one approach to understanding preparedness. For example, it may be
important to know how many miles of oil spill containment boom are available to respond to a
surprise spill in the same way that it is important to know how many life jackets are available on a
boat. This dimension dominates the Department of Homeland Security’s National Infrastructure
Protection Plan (NIPP) (NIPP 2013), and discussions of resilience that rely on dynamic systems
i This paper is part of the IRGC Resource Guide on Resilience, available at:
resilience/. Please cite like a book chapter including the following information: IRGC (2016).
Resource Guide on Resilience. Lausanne: EPFL International Risk Governance Center. v29-07-2016

modeling (Han 2010), network theory and agent-based modeling (Baggio, 2011), and whole life cycle
costing (Viavattene, 2012).
Nonetheless, it should be clear that resources alone are useless without a set of processes to deploy
them effectively. In the process dimension, resilience is measured in actions, rather than system
properties (Hollnagel et al., 2011; Park et al., 2013; Seager 2014; Seager 2016). Process-based
resilience is an emergent behavior of a complex system (Holling, 1996; Rinaldi, 2001; Park et al.,
2013) stemming from cross domain, technical-social-ecological interactions and connections that
influence adaptive capacity. In this manner, resilience is measured by what the system does, such as
the way a system senses, anticipates, adapts, learns, or functions at all times and specifically in
response to stressors. For example, the observe-orient-decide-act (OODA) loop is utilized by the
military for rapid risk assessment in a flexible environment (Willi, 2003). The Functional Resonance
Analysis Method is a methodological approach to understanding the couplings and resonance of
system functions resulting in emergent behavior (Hollnagel, 2012). Thus, process-based resilience
emphasizes the capability of people to adapt infrastructure to manage surprise. Additionally, the
implications of a process-based perspective are not merely technical, they are also ethical (Adger,
2009). Whereas risk-based decision-making often relegates failure to matters of chance and
mitigates their consequences by socializing risks (e.g., insurance), adaptive response places
additional burdens on decision-makers to consider the adverse consequences of failures on different
impacted populations.
An outcomes-based perspective emphasizes the necessity of understanding competing resilience
outcome priorities – such as determining when the system has begun to stabilize after an event and
restore damaged resources (Seager et al, 2007; McDaniels, 2008). A National Institute of Standards
and Technology funded project outlines resilience through the PEOPLES Framework (Renschler,
2010). This framework suggests community scale resilience can be evaluated in seven dimensions:
population and demographics, environmental/ecosystem, organized governmental services, physical
infrastructure, lifestyle and community competence, economic development, and social-cultural
capital. These dimensions highlight areas within the technical, social, and ecological systems of
communities whose functionality can be affected through stressors. Resilience is then characterized
by measuring the retrospective performance of the infrastructure system from the time of initial loss
of system functionality to the time it takes for the system to recover.
Although current resilience research often emphasizes one dimension at the expense of others, we
argue that each of these three perspectives are critical in understanding a system’s resilient response
to an event. Unfortunately, the relationships between resources, processes, and outcomes are rarely
explicit – especially in times of crisis – and the relationship between management intent and
consequences is clouded by system complexity. Nonetheless, to achieve resilience policy goals, the
influences and interactions between multiple resilience perspectives must be examined in greater
detail. Comprehensive guidance regarding the types of resources, processes, and priorities that are
supportive of resilient infrastructure systems, with consideration of ethical principles, for
safeguarding the public under conditions of component failure must be developed.
Natural Hazard Disaster Risk Reduction as an Element of Resilience: Considerations about Insurance and LitigationEdward A. Thomas1
Natural Hazard Disaster Risk Reduction as an Element of Resilience:
Considerations about Insurance and Litigationi
Edward A. Thomas, Esq.1
1Natural Hazard Mitigation Association; American Bar Association Committee on Disaster Response
and Preparedness
Keywords: Disaster risk reduction, Resilience, Insurance, Litigation
"Disaster risk reduction is not a luxury. It's an essential insurance policy for a more disasterprone
world, and one of the smartest, most cost-effective investments we can make in our
common future. The benefits of this investment will be calculated not only in dollars saved,
but most importantly, in saved lives."
Jan Egeland, Former U.N. Under-Secretary General for Humanitarian Affairs and Emergency
Relief Coordinator
As a Society, may never have had a greater opportunity to seriously consider how to reduce the
mounting toll which follows foreseeable natural events. The passion and energy of those who believe
in the reality of climate change brings an entire new breath of oxygen into conversations about what
sort of future we will build for the next generations. This energy should be linked with those of us
who care about Disaster Risk Reduction with those concerned that we as a World are on a path of
vast economic damage to our economy due to a mounting toll of disasters.
Worldwide, we are building the future every day: one cubic yard of fill at a time, one building at a
time, and one road at a time. We have a choice: we can build safely and properly so as to not
exacerbate our enormous existing problems caused by improper construction and development; or
we can continue to do business as usual and build an unsustainable future of misery, waste and
needless destruction. Right now we are clearly on the path of mounting losses from foreseeable
natural events.
Basic thought: Fundamentally, we all must take responsibility for our actions.
i This paper is part of the IRGC Resource Guide on Resilience, available at:
resilience/. Please cite like a book chapter including the following information: IRGC (2016).
Resource Guide on Resilience. Lausanne: EPFL International Risk Governance Center. v29-07-2016

When disaster strikes, who pays for the damage incurred?
When Mother Nature’s natural processes cause harm to property, an individual who suffers damage
can pay for the reconstruction of his property in three ways:
A) Self-Help. The injured party might choose to rebuild on her own by using savings, borrowed
money, assistance from national and local charities, and the help of friends and neighbors.
This type of rebuilding was once common throughout the World. Today, this tradition
survives in such communal situations as helping a neighbor rebuild a barn destroyed by
B) Insurance. Casualty insurance can provide an efficient mechanism for recovery, whether the
insurance is purchased by the damaged party or made available through a special
legislatively created mechanism, as is the case for Workers’ Compensation Insurance. State
and federal disaster relief grants are another form of special, legislatively established social
insurance for disaster victims.
C) Litigation. Beyond self-help and insurance, litigation is the only remaining alternative for
recovery when a person suffers damage. Successful litigation requires demonstrating that a
person, corporation, or agency caused, or somehow is legally culpable for the damage that
has taken place.
Sometimes recovery mechanisms can be linked together. For example, disaster assistance in the
United States is typically a combination of self-help (via disaster loans) and insurance (via special
legislation that both authorizes and subsidizes such loans). Each of these three mechanisms has
distinct advantages and disadvantages, as well as widely varying degrees of efficiency, depending on
the particular circumstance.
• Self-help worked well in the past and still does, in specific situations. For optimal use of this
mechanism, the community must be committed to helping each other in times of difficulty.
This form of recovery cannot work well if most of the helpers are themselves suffering
• Insurance can be an extremely efficient mechanism for distributing funds, provided the
individuals damaged possess a sufficient amount of insurance or have been provided such
insurance by operation of law. The downside of insurance is that a person must generally
purchase a policy prior to damage. Experience has shown that people will generally not
purchase insurance for infrequent events such as earthquakes and floods absent a
government requirement. Even when the government does require insurance, compliance is
an issue.
• Litigation is inefficient. Not only does it take many years, but litigation has huge costs that go
not to the damaged party but to attorneys, courts, expert witnesses, court recorders, and
others. Litigation is also uncertain. The damaged party may not be able to obtain counsel or
find a culpable entity. Sometimes a plaintiff will not recover damages because the defendant
can hire clever expert witnesses and/or attorneys. For all of these reasons, litigation is the
least reliable of the three methods discussed.
A fourth, vastly preferred alternative exists! The safe and proper design of buildings and
infrastructure is another option, which should come before insurance and litigation. This alternative

is featured in the Disaster Risk Reduction Curriculum being developed by the Natural Hazard
Mitigation Association (NHMA, 2015).
Multiple paths to change behaviour: Using legal concerns as a path of education,
messaging, and persuasion
The Law
The law, in theory if not always in practice, strongly encourages responsible behaviour. That
responsible behaviour is based on a standard of care as exercised by the individual or corporation
taking action. Professionals, such as engineers or architects, are typically held to a higher standard of
care than the ordinary person.
We are increasingly seeing evidence of movement in the law to hold folks responsible for what they
do and do not do when they had a duty to take action. Typically, when someone breaches a duty of
care and others suffer harm, civil litigation is the way our system of law resolves the controversy.
I believe that recent litigation supports and enforces a view that based on ancient principles of law,
morality and equity; folks do not possess the right to harm their neighbours. Actions which harm
others have consequences beyond karmic payback, to include both civil and even in some situations,
criminal penalties. Today, it is much easier to show causation through forensic sciences such as
forensic hydrology, forensic chemistry, and forensic hydraulics. Today, we can much more easily
answer the question posed by Jimmy Cagney in the wonderful old movie, Mr. Roberts: "All right, who
did it; I want to know: who did it?"
Some Examples of Recent Litigation
A) Civil Litigation
1.) We as a society increasingly struggle to balance the need to feed an ever increasing population
while preserving the quality and quantity of potable water supplies for that population. There can be
a particularly important conflict when farming practices consume potable water desired by city
dwellers or cause that water to be undrinkable. A good illustration of this conflict is an especially
important lawsuit brought by the City of Des Moines Water Works against upstream farming
counties over nitrates in the water supply (New York Times, 2015).
Some additional recent cases which illustrate this concept of civil liability for money damages:
2) Background: For over thirty years lenders and the companies who read FEMA Flood Insurance
Maps have escaped liability when they read a map incorrectly. These companies escaped liability
even when the plaintiff is not required to purchase Flood Insurance, as the law requires, and then
suffers an uninsured loss.
Then: in the case of Paul v. Landsafe Flood Determination, Inc., No. 07-60652 (5th Cir. Dec. 5, 2008),
the plaintiff was allowed to sue to recover from a flood determination allegedly containing an error.

The court noted that a Flood Zone Determination was the kind of Professional Opinion for which it is
foreseeable that “justifiable and detrimental reliance by a reasonable person would be induced.”
3) More recently we have seen the St Bernard Parish case (2014) and the Arkansas Game and Fish
case (2015). The St. Bernard Parish decision and case exhibits really emphasize the importance of
science and engineering in determining foreseeability, standard of care and consequent legal liability
concerning what was done and not done with respect to the MR-GO portion of the failed New
Orleans levees. I believe that such a legal analysis is directly on point to current concerns about
Climate Change, including climate migrants or refugees. Both these cases demonstrate a remarkable
change in how the courts are treating action which causes harm, even when the Agencies involved
had previously escaped liability for conduct found to be outrageous by courts based on the concept
of Sovereign Immunity (Thomas, 2014; Adams-Schoen, 2015).
B) Criminal Cases
If someone does not deliberately intend to cause harm, yet carries out an activity, particularly an
activity which leads to loss of life, in a manner so reckless as to the consequences, criminal action can
be considered under a theory of "depraved indifference" or "common law murder." Such was the
case in 2006, on the island of Kawai, Hawai'i, when the operator of the Ka Loko was indicted for
common law murder for his actions taken before that reservoir breached killing several people. The
operator was not alleged to have intended to murder anyone. However his actions were allegedly so
reckless as to provide the requisite intent.
Litigation may be one path we can take so as to begin to solve our serious problems of moral hazard,
including dissuading activities which exacerbate climate change, whereby one person or group
externalizes the true cost of an activity to others. We know that way too often the folks most harmed
by that externalization of costs are the most vulnerable and underrepresented folks much as
described in the excellent NAACP publication: Equity in Building Resilience in Adaptation Planning, by
Jacki Patterson. I would also mention the really excellent publication: Bounce Forward, by Island
Press, funded by the Kresge Foundation, as containing some truly excellent material relating to thus
discussion, Both Building Resilience and Bounce Forward are on the Natural Hazard Mitigation
Association website at:
In part, the solutions to today’s problems involve our nation and the world following the wisdom of
the First Nations; redeveloping a sense of stewardship of the earth; and following of the ancient
maxim of law: sic utere tuo ut alienum non laedas, (use your property so as not to harm others). The
great moralist Mohandas Gandhi described sic utere tuo ut alienum non laedas as "a grand doctrine
of life and the basis of ahimsa (peaceful relations between neighbors). This maxim of law has also
been called inarguable and universally accepted.
Litigation may well help us begin to solve our serious problems of moral hazard, including dissuading
activities which exacerbate climate change, whereby one person or group externalizes the true cost
of an activity to others. We know that way too often the folks most harmed by that externalization of
costs are the most vulnerable and underrepresented populations, much as described in the excellent
NAACP publication, Equity in Building Resilience in Adaptation Planning, by Jacki Patterson; and also
the brilliant and insightful publication by Island Press, funded by the Kresge Foundation and written
by Laurie Mazur: Bounce Forward: Urban Resilience in an Era of Climate Change.

In 2007, I wrote an article for the Environmental Law Institute which posed a question in its title:
Recovery Following Hurricane Katrina: Will Litigation and Uncertainty Today Make for an Improved
Tomorrow? [National Wetlands Newsletter, vol. 29, no. 5.]. In that article I expressed the hope that
the Katrina Litigation would prod society to do a better job of at providing a safer, more just and
resilient future for our Nation. The article went on to urge: “As Katrina so clearly demonstrated, we
must do a better job of providing for the rebuilding of shattered lives following a catastrophe. At the
same time, our land use and building decisions must improve dramatically. Otherwise, the problems
we currently face in hazard management will only get worse.”
Criteria or indicators for resilience
We must change our foundation of building codes to include cost effective damage reduction and
post event operability in order to achieve resilience.
At the 2016 Building Innovation Conference and Expo, sponsored by the National Institute of Building
Sciences, Dr. Keith Porter from the University of Colorado suggested that if the goal of building codes
were to be resilience, costs would increase about 1%; the savings in areas prone to earthquakes
would be many multiples of the extra costs. In following the earthquake example in the above
paragraph, earthquake codes could be modified as Dr. Porter suggests from current standards to a
more holistic one: “Ordinary buildings in earthquakes will: ‘Avoid serious injury and life loss due to
structural collapse, substantial damage to non-structural components and systems, and release of
hazardous materials, and be largely habitable or functional.”’ [Emphasis added]. The codes should be
modified for other foreseeable natural hazards as well to incorporate resilient standards into our
development practices and avoid the costly scenario of losses and future retrofits.
The idea of including Disaster Risk Reduction in any scheme of Resilience parallels to the origins the
United States systems of dealing with the reduction of urban fire risk. As indicated in the FEMA
Publication: America at Risk America Burning Recommissioned (FA-223/June 2002) when discussing
fire loss in urban portions of the United States: “Today, the threat of fires is still with us. But we have
done a lot to address the risk, minimize the incidence and severity of losses, and prevent fires from
spreading. Our states and localities have an improving system of codes and standards; most of us are
aware of the risks; we have accomplished a lot, but we have much more to do.”
As the report (FA-223/June 2002) very clearly indicates, the success of America’s fire services over
the past 100 years is instructive for the strength and sustainability of America’s communities for the
next 100 years as well. Today, we must not only continue and reinvigorate our successes, but also
expand them to include the natural and man-made threats that each of our counties, cities, towns
and villages face every day – floods, earthquakes, hurricanes, hazardous material spills, highway
accidents, acts of terrorism, and so much more.” [Emphasis added]
In a similar manner, the FEMA National Flood Insurance Program (NFIP) Community Rating System
(CRS), has also successfully provided incentives for communities to exceed floodplain standards. The
lessons drawn from the establishment and enhancement of CRS is to first identify the most
important and meaningful activities that earn incentives. These activities are systematically verified
and tested best practices which will result in measurable Disaster Risk Reduction as well as
protection of the local economy and environment. Such a systematic approach to measuring

capability to reduce risk is not theoretical; it is being done worldwide in Fire Insurance Risk Rating
Schedules. This objective and focused approach to rating local ability to deal with fires is working, we
need to expand this system to all hazards. The Federal Emergency Management has noted:
“…the success of America’s fire services over the past 100 years is instructive for the strength
and sustainability of America’s communities for the next 100 years as well. Today, we must not
only continue and reinvigorate our successes, but also expand them to include the natural and
man-made threats that each of our counties, cities, towns and villages face every day – floods,
earthquakes, hurricanes, hazardous material spills, highway accidents, acts of terrorism, and so
much more.” (Emphasis added) [America at Risk America Burning Recommissioned
(FA-223/June 2002)
More complete Resilience-based Disaster Risk Reduction solutions can only come from first making a
holistic examination of the issues with the systems we have both for development and the systems
we have for providing disaster relief throughout the world.; and then developing a system of
economic rewards and disincentives for individual, community or business actions taken which either
reduce future risks or exacerbate them.
We need to devise a multidisciplinary "Whole Community" approaches to a series of problems. Use
of ancient concepts of law and morality can help to achieve those solutions. An article in the
Washington Post recently pointed out: the word moral may be a “magic word” when it comes to
convincing folks. “The magic word this researcher says can get people to agree with you”
(Washington Post, 2016).
Other folks may be convinced of the need to change our community development practices so as to
reduce disaster losses by the reality of the threat posed by litigation; others by economic or
environmental arguments; still others can be convinced by concerns for taxpayer expenditures;
others by concern for future generations and the stewardship of the Earth; still others by concerns
for the suffering and potential death of disaster victims. However when we reach decision-makers
we must reach them so as to promote Resilience and Disaster Risk Reduction.
Resilience Analytics for Systems of Systems: Literature and Resource GuideHeimir Thorisson, James H. Lambert1
Resilience Analytics for Systems of Systems: Literature and Resource
Heimir Thorisson1 & James H. Lambert1
1Department of Systems & Information Engineering, University of Virginia
Keywords: Resilience analytics, Strategic plans, Systems of systems, Scheduling, Risk analysis, Priority
setting, Systems engineering
This paper identifies literature and other resources for resilience analytics, in particular when the
emphasis is the disruption of preferences by alternative system perspectives. It recognizes that
multiple, possibly conflicting, perspectives of politics, economics, demographics, technology,
environment, etc., are an inherent part of decision-making and plans and processes need to be
resilient to emergent and future conditions that might bring one or more perspectives closer to the
The literature of resilience reflects an interest in the separation of a system from its as-planned or asexpected
functionality over time (Connelly & Lambert, 2016; Ganin et al., 2016; Hamilton et al., 2016;
Thorisson et al., 2016; Linkov et al., 2014). The National Academy of Science describes the resilience
of a system as its ability “to plan and prepare for, absorb, respond to, and recover from disasters and
adapt to new conditions” (National Research Council, 2012). A quantification of this definition is
proposed by Ganin et al. (2016) by evaluating temporal recovery of the critical functionality of the
system when subjected to stressors.
Connelly & Lambert (2016), Hamilton et al. (2016) and Thorisson et al. (2016) describe an approach
where resilience of systems of systems, such as hierarchical and interconnected arrangements of
infrastructure, health care, manufacturing, economics and environment, can be characterized by
separations of time-based priorities or proposed schedules, in particular when a single system comes
to the front. Each system has an associated set of factors and conditions, also known as scenarios,
which might prompt a reevaluation of priorities (Karvetski et al., 2011a; Karvetski et al., 2011b;
Martinez, 2011). The priorities of an agency are for projects, existing assets, policies, geographic
locations, organizational units, and other entities, known as initiatives. A prioritization of initiatives
can be viewed as a timeline of implementation or execution, and thus resilience can be characterized
in terms of separation of the timeline or milestones of plans from an ideal.
i This paper is part of the IRGC Resource Guide on Resilience, available at:
resilience/. Please cite like a book chapter including the following information: IRGC (2016).
Resource Guide on Resilience. Lausanne: EPFL International Risk Governance Center. v29-07-2016

A conceptual illustration of the timeline view is given in Figures 1a-c. Figure 1a shows the as-planned
system in the space of a timeline or milestones. Figure 1b-c then illustrate separations from the asplanned
system when subjected to various factors, alone or in combination. In Figure 1b the system
recovers and achieves the originally planned end state while in the Figure 1c it adjusts to a new end
state. Interpreting Figures 1b-c, the resilience of the system of systems to stress on particular
systems is the closeness of the disrupted trajectories to the as-planned trajectory.
Figure 1: Resilience as the disruption of a timeline of priorities. The resilience of the system is characterized by the
separation of the timeline from an as-planned timeline when systems (alternatively recognized as scenarios) influence the
higher level system.
Resilience analytics as described below focuses on methods for identifying the systems (or particular
scenarios related to the systems), that, alone and in combination, are most in need of investigation,
including risk analysis, simulation, experimentation, data collection and analysis, etc. (Karvetski et al.,
2009; Teng et al., 2012). Risk analysis often relies on being able to assess likelihood and
consequences of scenarios, while resilience analytics can proceed without that assessment
(Thorisson et al., 2016).
Resilience analytics identifies the systems that have the greatest potential to separate the schedule
or priorities from an ideal. This allows system owners and operators to focus on mitigating the
separative influence of identified systems or build flexibility of milestones into strategic plans.
Resilience analytics should be considered in the context of negotiations (Thekdi & Lambert, 2014) or
development of terms for design and operations of systems of systems (Lambert et al., 2012), as
follows. By quantifying how various stressors might affect a timeline of priorities the analysis
quantifies which systems have the most potential to cause a change of mind about the priorities of a
strategic plan within organizations and among stakeholders, which can also be interpreted as
scenarios that might prompt renegotiations. Thus, resilience is achieved by anticipating and
accounting for these vulnerabilities by including elements that specifically address the systems that

are identified to have the greatest potential to have cascading effects on the overall timeline of
The resilience of the design and operation of a system of systems can be quantified, in part, as the
separation of a disrupted timeline of implementation from the as-planned timeline, by attention to a
system within the system of systems. The closer the timelines, the more resilient is the system of
systems to the scenario of any particular system within it. In the case where elements of the system
are ordered in terms of their relative priority or time of implementation, a precondition for
quantifying resilience is establishing this order for the as-planned system as well as alternative orders
that account for different circumstances (scenarios) where emergent and future conditions bring one
or another system to the front.
In the cited references, resilience (as a separation from an initial set of priorities for a system of
systems) is represented graphically (Lambert et al., 2013), or quantified as the absolute value of
change in prioritization (Connelly et al., 2016; Parlak et al., 2012)), the sum of squares of ordering
change (Connelly et al., 2015; Hamilton et al., 2012), Spearman rank correlation coefficient
(Thorisson et al., 2016), Kendall tau rank correlation (Hamilton et al., 2015; You et al., 2014a; You et
al., 2014b).
Critical Infrastructure ResilienceEric D. Vugrin1
Critical Infrastructure Resiliencei
Eric D. Vugrin1
1Sandia National Laboratories
Keywords: Resilience, Infrastructure, Analysis, Metrics
Historically, U.S. government policy toward critical infrastructure security has focused on physical
protection. However, following the terrorist attacks of September 11, 2001; the devastation from
Hurricane Katrina in 2005; and a series of other disasters in the early 2000s, the infrastructure
security community in the United States and globally recognized that it was simply not possible to
prevent all threats to all assets at all times. Consequently, critical infrastructure resilience emerged
as a complementary goal to prevention-focused activities. Whereas critical infrastructure security
policies primarily focused on prevention of terrorism, accidents, and other disruptions, critical
infrastructure resilience activities emphasize the infrastructure’s ability to continue providing goods
and services even in the event of disruptions. Together, critical infrastructure security and resilience
strategies provide a more comprehensive set of activities for ensuring that critical infrastructure
systems are prepared to operate in an uncertain, multi-hazard environment.
Though C.S. Hollings is credited with introducing resilience to the ecological and complex systems
communities more than four decades ago (Holling, 1973), no universally accepted definition of
resilience exists for critical infrastructure. Still, commonalities exist across the dozens of proposed
definitions. The most prevalent theme across all definitions is that the infrastructure system is coping
with changes that have the potential to affect its operation. Many definitions propose mechanisms
by which the infrastructure respond to the changes, and the most commonly listed mechanisms are:
• The ability to absorb or withstand the impact of the change
• The ability to adapt in response to the change
• The ability to recover and restore system functionality rapidly
The efficiency or amount of resources required to successfully respond to a disruption is a less
frequently, but important, consideration. In times of crisis, manpower, equipment, and other critical
resources for response and recovery operations are in high demand. Hence, a system’s ability to
perform through disruptive events with less resource consumption than other systems would be a
desirable feature and make it more resilient than systems requiring more resources.
i This paper is part of the IRGC Resource Guide on Resilience, available at:
resilience/. Please cite like a book chapter including the following information: IRGC (2016).
Resource Guide on Resilience. Lausanne: EPFL International Risk Governance Center. v29-07-2016

Objective & Purpose of Resilience
Risk management has long been used in critical infrastructure planning activities. While it remains a
valuable tool, resilience analysis and planning can provide additional benefits. These benefits derive,
in part, from fundamental differences between the objectives for risk and resilience analysis.
In the context of infrastructure systems, risk analysis frequently aims to identify the hazards to
infrastructure operations and the potential consequences if those hazards are realized. Risk
management further aims to decrease either the chance that the hazard will be realized or to
decrease the negative consequences that might occur under that realization. Resilience analysis
provides a fundamentally different mindset that results in different methodological approaches.
Whereas risk analysis and management constructs generally begin with an identifiable (or relatively
probable) set of hazards, resilience analysis methods frequently accept that it is not always possible
to identify potential hazards and quantify their likelihood of occurrence. Even in the event when this
is possible, it may not be possible to reduce the chance that the hazard will occur. Risk analysis
methods often include static methods, whereas the temporal dynamics of adaptation, response, and
recovery are viewed as essential to resilience. A common, implicit goal of risk analysis is maintaining
or returning the system and its structure to the status quo. Resilience objectives focus less on the
status quo and more on determining how to achieve a necessary level of infrastructure performance
and delivering essential goods or services. Fundamental changes to system structure and operations
are viewed as viable, and sometimes preferred, options to maintaining the status quo.
Instruments for Resilience Management
A number of different approaches, methods, and tools exist to support resilience management, but
they can generally be grouped into one of two categories: attribute-based and performance-based
methods. Attribute-based methods generally try to answer the question “What makes my system
more/less resilient?” Thus, they typically include categories of system properties that are generally
accepted as being beneficial to resilience. Examples of these categories might include robustness,
resourcefulness, adaptability, recoverability, etc. Application of these methods typically requires that
analysts follow a process to review their system and determine the degree to which the properties
are present within the system. The benefit of these approaches is that their applications tend to be
less time and resource intensive and result in either qualitative or semi-quantitative estimates of
resilience. However, they do not provide any estimation or confidence in how well the system will
operate in the event of a disruption or the effectiveness of potential resilience enhancements and
investments. The Supply Chain Resilience Assessment and Management (SCRAMTM ) tool (Petit,
Fiksel, & Croxton, 2010) and Argonne National Laboratory’s Resilience Index (Fisher & Norman, 2010)
are two examples of attribute-based methods.
Performance-based methods are generally quantitative methods that try to answer the question
“How resilient is my system?” These methods are used to interpret quantitative data that describe
infrastructure outputs in the event of specified disruptions and formulate metrics of infrastructure
resilience. The required data can be gathered from historical events, subject matter estimates, or
computational infrastructure models. These methods tend to rely less on subjective or qualitative
evaluations and, thus, facilitate comparative analyses. Because the metrics can often be used to
measure the potential benefits and costs associated with proposed resilience enhancements and
investments, performance-based methods are often ideal for cost-benefit and planning analyses. A

limitation of performance-based methods is that, alone, they generally do not explain why a system
is more or less resilient than another. These methods also often use computational models to
generate the necessary data, and those models may require significant time and resources to
develop. Consequently, performance-based methods can be rather complex. When deciding which
methods to use, the analyst should determine their analysis objectives, evaluate their resources for
performing the analysis, and assess their comfort with the varying levels of complexity. The
Multidisciplinary Center for Earthquake Engineering Research (MCEER) (Bruneau, et al., 2003) and
Rose (Rose, 2007) have developed examples of performance-based methods.
Metrics, Criteria, Indicator for Resilience
Many resilience metrics, attributes, and indicators have been proposed. The Infrastructure Resilience
Analysis Methodology (IRAM) provides a comprehensive framework for analysing and managing
critical infrastructure resilience (Biringer, Vugrin, & Warren, 2013). The IRAM is a hybrid
methodology that includes performance-based metrics to quantify resilience and resilience attributes
to inform analysis and improvement.
The IRAM quantifies resilience with two primary sets of metrics: systemic impact (SI) and total
recovery effort (TRE). For a specified disruptive event, SI measures the cumulative impact of the
disruption on the infrastructure’s ability to provide goods and services. TRE measures the cumulative
value of the resources expended during response and recovery activities. Together, these metrics
quantify the consequences associated with an infrastructure system for a specified disruption. These
metrics can be used for deterministic analyses and probabilistic analyses that quantify uncertainties
in resilience estimates.
The IRAM contains three resilience capacities, and each capacity contains a collection of resilienceenhancing
features. These capacities can be used to identify resilience-limiting infrastructure
properties or provide the basis for resilient design activities. The absorptive capacity consists of
infrastructure attributes that help the infrastructure withstand or absorb the effects of a disruption.
These attributes consist of relatively low effort options, such as redundancy or excess inventory that
represent the preferred, go-to options. The adaptive capacity includes system properties that enable
the infrastructure to reorganize and change the manner in which it operates in order to overcome
the effects of the disruption. Substitution and re-routing are two examples of adaptive, resilienceenhancing
features. The restorative capacity is the third capacity and includes system properties that
facilitate system repairs and recovery. Examples of restorative resilience-enhancing features include
pre-positioning supplies and reciprocal aid agreements.
The last component of the IRAM is a six-step process that formalizes the application of the IRAM. The
process guides the analyst in applying the IRAM for the analyst’s specific needs. This process has
been successfully used to perform resilience analyses for transportation (Vugrin, Turnquist, & Brown,
Optimal Recovery Sequencing for Enhanced Resilience and Service Restoration in Transportation
Networks, 2014), chemical manufacturing (Vugrin, Warren, & Ehlen, 2011), public health (Vugrin, et
al., 2015), energy (Vugrin, Baca, Mitchell, & Stamber, 2014), and other infrastructure systems for a
variety of resilience activities.
Enhancing Community Resilience: Practical Resources in Addressing the Collaboration GapStephen Diarmuid Walsh MIPI AIED, Martina Madden, Stephen M. Purcell1
Enhancing Community Resilience: Practical Resources in Addressing
the Collaboration Gapi
Stephen Diarmuid Walsh MIPI AIED1, Martina Madden1, Stephen M. Purcell1
1Future Analytics Consulting (FAC) Limited
Keywords: Community, Collaboration gap, Natural/manmade disaster relief, Community resilience
This paper examines Community Resilience (CR), with particular reference to the “collaboration gap”
and the manner in which it impedes the unification of communities and responding professionals in
terms of reacting to the effects of an adverse event (disaster relief). The purpose of this paper is to
highlight the impact of the “collaboration gap” and to then present resources which may enable
communities and responding professionals to react together in order to mitigate and recover from
the effects of an adverse event, thereby enhancing the resilience of communities.
CR has been defined by different authors depending on the particular resilience domain to which the
author is engaging with (see CARRI, 2013 for details). The RAND Corporation’s definition of CR, which
is “a measure of the sustained ability of a community to utilise available resources to respond to,
withstand, and recover from adverse situations”ii is comparable to the definition advanced by the
United Kingdom’s (UK) Cabinet’s Office in its UK Civil Protection Lexicon which was published in 2013.
Therein, CR is defined as “Communities and individuals harnessing local resources and expertise to
help themselves in an emergency, in a way that complements the response of the emergency
services”iii. These definitions emphasise the proactive roles that communities may play in the postdisaster
response and recovery environment.
A collaboration gap appears when critical parties in a cooperative effort are not collaborating in the
most effective way. In the worst case, there is no collaboration at all, or parties are left out of the
main recovery effort (Neef, van Dongen, & Rijken, 2013). The reasons for the emergence of a
collaboration gap are nuanced and multifaceted, of course. However, common causes include a lack
of communications between relief organisations and local communities, a lack of information sharing
between organisations, incompatible work practices, and misalignment between needs and recovery
i This paper is part of the IRGC Resource Guide on Resilience, available at:
resilience/. Please cite like a book chapter including the following information: IRGC (2016).
Resource Guide on Resilience. Lausanne: EPFL International Risk Governance Center. v29-07-2016
v29 July 2016
ii RAND Corporation, 2016
iii United Kingdom Cabinet Office, 2013

actions. Counteracting the issues which give rise to collaboration gaps and the ultimate achievement
of effective CR by communities and responding professionals is an acknowledged issue (NRC, 2011).
Collaborative CR, when applied, has the capacity to greatly influence the manner in which a response
is marshalled to an adverse event. Work undertaken by Boin and McConnell (2007) illustrates the
point that contingency planning for disaster or adverse events is best carried out when communities
are involved and play an active role in the manner in which a response is coordinated. In the same
work, Boin and McConnell also outline the key barriers which exist to the enhancement of CR. Efforts
to overcome these barriers may be captured by metrics/indicators, some of which are posited in
tables 1-6 below. These barriers are:
• Individual defence mechanisms [the “it won’t happen here” sense]. People’s responses to
potential future threats typically encompass a range of dysfunctions (e.g. denial,
downgrading threat importance, impotence).
• Organisational beliefs and rationalisations. Most organisations (public agencies, political
decision-making authorities, NGOs and private companies) are imbued with cultural values
that predominate over matters of resilience.
• Institutional designs for crisis management. Most organisations are not designed to cope
with critical breakdowns.
• Costs of preparation. Robust contingency planning for breakdowns is not a ‘mission
impossible’ but it is certainly very difficult (McConnell and Drennan, 2006). Promoting
resilient systems requires:
o (i) investing time and resources in plans that may never need to be activated
o (ii) cooperating in a ‘joined-up’ way with multiple stakeholders, who have their own
mandates, priorities, legal status, decision-making cycles, communications systems,
information capacities and cultures; and
o (iii) simulations, exercises and training. All this takes time and money, with no visible
outputs (an ‘avoided crisis’ does not show up in the books).
• Governance frameworks. During times of crisis and breakdown, leaders would be expected to
lead. Preparations are not complete without a plan that guarantees the working of a
command and control model.
• Socio-economic frameworks. It is hard to expect communities to be resilient when many of
them are already in disarray. The modern mega-city houses the most vulnerable people:
poor, homeless, criminals, mentally ill, addicts, the sick, immigrants - in short the people who
have the least resilience.
Boin and McConnell, (2007, p. 56)
Instruments for Resilience Management
Two resources/instruments for the development of community resilience are briefly outlined below.
The first example relates to efforts to address and counteract the conditions which contribute to the
formation of collaboration gaps at an interdepartmental and administrative level within government

and the public service. The second instrument relates to the bridging of gaps among communities
and responding professionals in a live post-disaster environment.
1. Strategic National Framework on Community Resilience, developed by the United Kingdom
Cabinet Office in 2011; and,
2. COmmunity-BAsed COmprehensive Recovery, a European Commission funded 7th Framework
Project (Grant no. 313308).
The Strategic National Framework on Community Resilience “explores the role and resilience of
individuals and communities before, during and after an emergency. Local emergency responders will
always have to prioritise those in greatest need during an emergency, focusing their efforts where life
is in danger. The framework is intended to engage interest and facilitate discussion between central
government departments and agencies, devolved administrations, emergency services, local
authorities, relevant voluntary sector bodies, private sector bodies, elected members and community
and faith groups” (United Kingdom Cabinet Office, 2011). It is a top-down initiative and, while
laudable in terms of its ambition, the manner in which it can actively bridge the collaboration gap at
the community level in post-disaster environments is somewhat constrained. Notwithstanding the
above, in tandem with developed community level instruments, this type of initiative assists in
building momentum behind the development of community resilience response into government
In terms of criteria for the measurement of community resilience, the work of Cutter et al. (2013)
essentially characterises the manner in which community resilience and effectiveness may be
determined. Tables 1-6 below outlines this set of indicators for community resilience, underpinning
theoretical framework for CR. For full reference and further details on the tables below, see Cutter,
S., Emrich, T. & Burton, C.: “Baseline Indicators for Disaster Resilient Communities” and Hazards and
Vulnerability Research Institute in the Annotated Bibliography.
Variable Source Effect on Resilience
Political fragmentation (# local
governments and special districts)
Norris et al. 2008 negative
Previous disaster experience (PDD, yes or
Cutter et al. 2008 positive
Social connectivity (VOADs yes or no) Morrow 2008; Norris et al.
Dependency ratio (debt/revenue) Cutter et al. 2003 negative
International migration (%) Morrow 2008 negative

Sense of place (% born in state and still
live here)
Vale & Campanella 2005 positive
Social capital (churches/capita) Morrow 2008; Tierney
Social capital (% registered voters
voting in 2004 election)
Cutter et al. 2003 positive
Internal migration (% outmigration) Vale and Campanella
Table 1: Community Resilience Indicators: Community Competence
Variable Source Effect on Resilience
Mobile homes (%) Cutter et al. 2003 negative
Shelter capacity (% rental vacancy) Tierney 2009 positive
Medical capacity (hospital beds/10,000) Auf der Heide and Scanlon
Building permits for new construction (#) NRC 2006 negative
Evacuation potential (arterial miles/mi2) NRC 2006 positive
Evacuation potential (# highway bridges) General knowledge negative
Housing age (% built 1970-1994) Mileti 1999 negative
Table 2: Community Resilience Indicators: Infrastructure
Variable Source Effect on Resilience
Recent hazard mitigation plan (yes/no) Burby et al. 2000; Godshalk
NFIP policies (per occupied housing unit) Tierney et al . 2001 positive
Storm Ready participation (yes/no) Multi-hazard Mitigation Council
2005; Tierney et al. 2001
Municipal expenditures (fire, police,
emergency services as a %)
Sylves 2007 positive
Table 3: Community Resilience Indicators: Institutional

Variable Source Effect on Resilience
Housing capital ( difference % white
homeowner and % black homeowner)
Norris et al. 2008 negative
Homeowners (%) Norris et al. 2008; Cutter
et al. 2008
Employment (%) Mileti 1999 positive
Median household income Norris et al. 2008; Cutter
et al. 2008
Poverty (%) Norris et al. 2008; Morrow
2008; Enarson 2007
Single sector employment (% primary sector +
Berke & Campanella 2006 negative
Female labor force participation (%) NRC 2006 positive
Business size (% large >100 employees) Norris et al. 2008 positive
Table 4: Community Resilience Indicators: Economic
Variable Source Effect on Resilience
Racial/ethnic inequality (Abs. value of
difference in % black & % white)
Norris et al. 2008; Cutter et al
Educational inequality (Abs. value of difference
less than 9th grade & college)
Norris et al. 2008; Morrow
Physicians/10,000 (health access) Norris et al. 2008 positive
Elderly (%) Morrow 2008 negative
Social vulnerability index (SoVI) Morrow 2008; Cutter et al.
2008; Tierney 2009
Transport challenged (% no vehicle) Tierney 2009 negative
Communication challenged (% no phone) Colten et al. 2008 negative
Language competency (% ESL) Morrow 2008 negative

Crime rate (per 10,000) Colten et al. 2008 negative
Special needs (% pop with disabilities) Heinz Center 2002 negative
Health coverage (% pop with coverage) Heinz Center 2002 positive
Population wellness (% black infant mortality
Norris et al. 2002, 2008 negative
Table 5: Community Resilience Indicators: Social
Variable Source Effect on Resilience
% Land area in 100-year flood plain Cutter et al. 2008 negative
% Land area subject to SLR Cutter et al. 2008 negative
% Soil erosion Cutter et al. 2008 negative
% Green space/undisturbed land Cutter et al. 2008 positive
% Urban (access variable) Cutter et al. 2008 positive
% Forested land cover (wildfire potential) Cutter et al. 2008 negative
% Land with hydric soils (liquefaction) Cutter et al. 2008 negative
% Wetland loss (ecosystem services) Gunderson 2009 negative
Table 6: Community Resilience Indicators: Ecological
UN City Disaster Resilience ScorecardPeter Williams, Dale Sand1
UN City Disaster Resilience Scorecardi
Peter Williams1, Dale Sands2
Keywords: Cities, Disaster Resilience, Mitigation, Adaptation, Emergency Response
Increasing population growth and urbanization, combined with climate change, are placing more
people and economic activity potentially in harm’s way. We therefore need to think through how we
can improve cities’ resilience to the various harms that might befall them. This paper describes the
contribution that the City Disaster Resilience Scorecard (Williams et al., 2015) (“the Scorecard”) can
make to this endeavor. The Scorecard was written pro-bono by IBM and AECOMii for the United
Nations Office for Disaster Risk Reduction (UNISDR)iii.
What do we mean by disaster resilience? Unfortunately, the term “resilience” is in some danger of
becoming a meaningless portmanteau comprising - variously – disaster, economic, social,
environmental and cultural resilience, to name a few. Most recently the generalized term “climate
resilience” has also started to be used. One way to sort through these definitions, borrowing from
the work of Fiksel (2015) is to think of a spectrum ranging from chronic to acute stress, where:
• Disaster resilience is the ability to respond to acute stresses, whether climate, seismically or
otherwise induced, and revert back to some acceptable position afterwards (note – not
necessarily the same position). Manmade disasters can be included in this definition too, if
• Chronic stresses are the background or ongoing pressures associated with the
environmental, economic or social fabric of a community. Chronic environmental stress in
this context refers to gradual trends such as sea-level rise, pollution, ground-water over-use
and soil erosion that threaten community sustainability.
• Chronic and acute stresses interact, as for example where deforestation around the
headwaters of a river may increase the risk of flash flooding in a city down the river; or
where chronic stress on the social fabric undermines the ability to respond to an acute stress
event such as a heatwave (Klinenberg, 2013).
i This paper is part of the IRGC Resource Guide on Resilience, available at:
resilience/. Please cite like a book chapter including the following information: IRGC (2016).
Resource Guide on Resilience. Lausanne: EPFL International Risk Governance Center. v29-07-2016

It will be evident that if risk is defined as “probability x impact”, improving disaster resilience as
defined here may require reducing probability through mitigation actions; and will definitely require
reducing impact, again through mitigation but also through improved planning and response. Said
differently, using the insurance industry definition of risk, improving disaster resilience may involve
addressing hazards (especially if manmade disasters are included), but it will definitely require
addressing exposure and vulnerability. Further if, as may well be the case for any given city, risk
cannot be removed entirely, disaster resilience may require acceptance of that risk and the
improvement of “rebound” capacity, such that cities and their societies and economies can “reboot”
after a disaster as rapidly and as smoothly as they can while dealing with the financial impact.
Objectives of the Scorecard
For cities to become resilient, they first need to be able to measure where they are, and to gauge
whether they are becoming more or less resilient over time. The first objective of the Scorecard is
therefore to enable cities to understand, across the entire spectrum of issues associated with
disaster resilience, their resilience baseline: where they are strong, and where they need to devote
time and attention to address weaknesses that may be identified. The intent is that the city’s scores
are then revisited periodically, to see whether the city has become more resilient as a result of its
efforts - or perhaps less, where for example population may have grown in a relatively unsafe area or
the climate may have changed.
The second objective of the Scorecard is to encourage cities to begin to think about disaster
resilience where they have not done so; or where they have, to encourage them to address blindspots
that may hitherto have existed. For this reason, the Scorecard is in the public domain and may
be used entirely free of charge.
The third objective is a little less tangible, and that is to act simply as an agenda for discussions that
need to happen. To varying degrees, all cities are functionally fragmented across different
departments and agencies; and all are dependent on neighboring cities, other tiers of governments,
private sector entities such as utilities or phone companies (or simply large employers or economic
actors), and on civil society organizations and NGOs. All of these organizations need to be operating
on shared assumptions and expectations – ‘one version of the truth’. The Scorecard has proven its
value on multiple occasions in facilitating the necessary discussions.
It is worth pointing out two objectives that the Scorecard does NOT have:
• Like all such instruments, it focuses on the ‘what’ – as in what needs to be addressed. It does
not directly attempt to prescribe the ‘how’ - as in how each weakness should be addressed.
This is because, while in some cases the required remediation may be obvious, in many other
cases it may require specialist input (for example engineering, or social marketing) to
determine. However, it is quite possible to complete the Scorecard as ‘step 1’ in a 2 step
exercise where ‘step 2’ consists of brainstorming and researching what the remediation
strategy needs to include.
• The Scorecard is not intended to enable direct city-to-city comparisons. This is for several
reasons. Because of the complexity of cities, and thus of resilience as a subject, such
comparisons could be highly misleading; and a poor outcome could lead to a city suffering

increased insurance premiums or capital costs, the risk of which might act as a disincentive to
complete the Scorecard in the first place.
The Scorecard Instrument
So what is the Scorecard? Let’s begin with the proposition that disaster resilience is a “system-ofsystems”
issue: it affects multiple physical and social systems in the city, and therefore needs to be
addressed in each of these systems. Recognizing the breadth of the issue, the UN has defined the
“Ten Essentials” of disaster risk reduction, as shown in Figure 1 below:
Figure 1: The “Ten Essentials” – Figure taken from the Scorecard (op cit)
Together the “Ten Essentials” have the merit of providing a holistic coverage of the disaster
resilience field. As noted, the focus is on disaster resilience and not - at least not directly - on the
wider definitions of resilience (social, environmental, cultural). The Ten Essentials do however
include those other factors where they affect disaster resilience. It is worth keeping in mind that:
• While the focus of UNISDR is on natural disasters, there is no intrinsic reason why manmade
disasters or acts of terrorism could not also be included, among the scenarios (Essential 2)
for which the city is planning.
• While some cities may face an immediate one or more obvious hazards such as an
earthquake risk or a hurricane-prone coastline, in others, the hazards may be harder to
identify and may in fact come from smaller events perhaps acting in combination.

The Scorecard then takes the “Ten Essentials” and breaks them down into a set of individual
measurements (in total about 90), each scored 0 through 5, where 0 means zero preparation and 5
means perfection. Guidance is provided on how to allocate scores. A sample of the Scorecard is
shown in Figure 2 below:
Figure 2: Sample of UN City Disaster Resilience Scorecard
As written all assessments in the Scorecard count the same. In practice, assessments (or indeed even
entire Essentials) may be weighted as required.
There are two modes of completing the Scorecard. The first is through a detailed investigation of a
city’s total resilience posture, which may take some weeks or months, depending on the size of the
city and how many separate entities - public, private and social - are involved in making it resilient. In
concept this is somewhat like a consulting engagement. The second is to use the Scorecard as the
basis for a one or two day workshop (with or without a questionnaire) to gather data in advance. In
such a workshop, one might seek to allocate scores to each of the 90 separate assessments, or one
might simply allocate one score for each Essential, while using the individual measurements as
“attention getters” to make sure each Essential has been considered fully. The majority of the
implementations to date have been via workshops, although having set the scene, so to speak, with
their workshops, we know that a number of cities now plan to follow up with the detailed

Metrics and the Scorecard
The Scorecard is in effect a set of metrics, and these can be read from the text itself. Two additional
metrics however may be of interest.
• The Scorecard was awarded the Notre Dame Global Adaptation Index (ND-GAIN) Corporate
Adaptation Prize for 2015iv, in recognition of its effectiveness, and of its exemplification of
public-private cooperation.
• While we cannot be sure, we believe that about 30 cities, distributed across every continent,
have now used the Scorecard in some form. We are aware of plans for approximately
another 15-20 at the time of writing.
Measuring the Resilience of Infrastructure SystemsHenry H. Willis1
Measuring the Resilience of Infrastructure Systemsi
Henry H. Willis1
1RAND Corporation
Keywords: Infrastructure, Resilience, Metrics
The U.S. economy depends on effective, reliable, and affordable infrastructure that delivers energy
and information to support productivity, water to meet basic needs, manufacturing to produce raw
and finished materials, and transportation to connect communities. However, infrastructure is
vulnerable to many threats and hazards that threaten the services it provides. Several events over
the past few years highlight the range of challenges that infrastructure systems must address and
illustrate how communities are responding to some of them.
In 2012, Superstorm Sandy left more than 8.5 million customers without power, with outages
persisting more than one week (U.S. Department of Energy, 2012). While communities recovered,
residents faced shortages of gasoline that persisted during the same period (National Association of
Convenience Stores, 2013). In 2015, multiple airlines suffered computer failures where even delays
of a few hours cancel dozens of flights, delay hundreds of others, and strand thousands of passengers
(see for example LA Times, 2015 and The Guardian, 2015). Finally, in 2016 the Louisiana Coastal
Restoration and Planning Authority released its 2017 Annual Plan, which documented the state’s
current efforts towards implementation of its master plan to achieve long-term sustainability given
threats from hurricanes, coastal erosion, and sea-level rise (LACPRA, 2016).
To improve the resilience of infrastructure in contexts like these it is critical to understand how
resilience can be measured. This requires defining resilience – meaning both what it is and what
aspects of the system must be measured –and understanding why resilience is being measured.
Defining Resilience for Infrastructure Systems
Resilience has been defined in many ways. A few recent definitions define resilience as the ability:
Of the system to withstand a major disruption within acceptable degradation
parameters and to recover within an acceptable time and composite costs
and risks. (Haimes, 2009)
i This paper is part of the IRGC Resource Guide on Resilience, available at:
resilience/. Please cite like a book chapter including the following information: IRGC (2016).
Resource Guide on Resilience. Lausanne: EPFL International Risk Governance Center. v29-07-2016

To prepare for and adapt to changing conditions and withstand and recover
rapidly from disruptions. . . . [It] includes the ability to withstand and recover
from deliberate attacks, accidents, or naturally occurring threats or
incidents. (White House, 2013)
To prepare and plan for, absorb, recover from, and more successfully adapt
to adverse events. (Committee on Increasing National Resilience to Hazards
and Disasters; Committee on Science, Engineering, and Public Policy; and The
National Academies, 2012)
These definitions, while each different, reveal four aspects of the system being addressed. These
aspects are described in detail in a Framework for Measuring Energy System Resilience, proposed by
the Rand Corporation (Willis & Loa, 2015).
First, resilience describes the state of service being provided by a system in response to a disruption.
When assessing resilience, key questions would be whether the service has been degraded, how
much of the service has been degraded, how quickly the service has been restored, and how
completely the service has been restored. Therefore, resilience does not describe a dichotomous
state of whether or not a disruption has occurred. Rather, resilience describes the degree of
disruption across multiple dimensions, which could include type, quality, time, and geography of
service provision.
Second, the state of a system depends on how it was designed and how it is operated. These choices
influence whether and how service is degraded during a disruption, how quickly it recovers, and how
completely it recovers. For example, an electricity grid system that is designed with more
redundancy, operated with more contingencies for backup, and designed with recovery in mind
might experience a lesser and briefer disruption and, if so, would be more resilient than a system
that has less redundancy, has fewer backups, and is more difficult to rebuild.
Third, different responses will lead to different resilience at different costs. For example, it may be
possible to redesign a supply chain information system after a glitch with more effective knowledge
management, and as a result, the quality of service provided after recovery exceeds the original level
of service provided.
Finally, resilience of a system also depends on the timescale. If repair of a flood protection system
replaces levies where they were and how they were originally designed, over a period of years, the
system may experience repeated disruptions if climate change leads to greater frequency of intense
flooding. If the system is continually maintained and upgraded, the protection could improve, but at
a cost.
Aligning Resilience Metrics to Decision-making
We track metrics to be able to keep score, to tell whether goals have been met or whether success
has been achieved. We track metrics to improve quality, to tell where improvements are possible
and whether progress is being made. We also track metrics simply to account for resources, to tell
whether budgets are met and to know where assets reside.

Metrics of resilience are used for many purposes and at many levels. Some of the reasons for metrics
are more relevant to a national perspective and others to a local or facility perspective. For example,
at a national or regional level, it may be important to know how resilience affects economic output
or economic damage stemming from disasters. For a refinery operator, it may be more important to
know how many spare parts are in stock and what options exist for backup power generation.
These different purposes for measurement have an important implication for resilience metrics.
There is no single set of metrics that supports all decision-making needs. Instead, each purpose may
demand a unique set of metrics, yet organized in a consistent way across purposes.
Logic models provide a consistent framework for organizing metrics in the fields of program
evaluation and quality improvement (Rogers et al., 2000; Greenfield, Williams, & Eiseman, 2006;
Willis & Loa, 2015). From an operational perspective, a logic model explains how activities, budgets,
and people (i.e., inputs) ultimately contribute to desired outcomes. From a strategic perspective, a
logic model explains which inputs are needed to support strategy. From either perspective, a
hierarchy of metrics exists to connect inputs to outcomes and improve understanding about how to
achieve outcomes more effectively and efficiently (Figure 1).
The building blocks of resilience are inputs, which define what is available to support resilience. As an
example, in the context of power systems, inputs include budgets, equipment, spare parts, and
personnel to support recovery operations. On their own, these inputs do not provide resilience
unless they are organized to support functions or tasks.
Figure 1: Metrics Can Serve both Operational and Strategic Decision-making

In a logic model framework, the ways in which inputs are organized to support resilience are called
capacities. Examples of capacities for power systems include response teams capable of repairing
equipment, recovery plans that can be implemented following a disaster, or advanced technologies
that can be used to reroute power and reconstitute portions of a grid during disruptions. Having
these capacities in place is not the same thing as being able to use them, however.
Capability metrics reflect how well capacities can serve a system when they are needed. Ultimately,
capability metrics describe how proficiently tasks can be performed. For some responsible for
managing infrastructure, some capability metrics address the provision of services and thus measure
resilience itself. Others measure capabilities that support resilience. Continuing with the case of
energy infrastructure, examples include the ability to detect leaks or outages, to repair damaged
power lines or pipelines, or to restore power outages.
Capabilities are ultimately desired because they improve system performance. Performance metrics
describe what is produced by an engineered system. In the context of energy systems, examples of
metrics include the amount of energy delivered (i.e. a service) or operating characteristics of the
system (i.e. characteristics of that service that support resilience), such as efficiency, reliability, fault
tolerance, sustainability, or robustness.
In the end, the performance of infrastructure depends on how the systems generate the outcomes
that society is seeking to achieve. Resilience of infrastructure can be measured by many outcomes,
such as reduced damage or deaths and injuries from disasters or increased economic activity.
As communities and infrastructure owners and operators continue towards improving the
effectiveness, reliability, and affordability of infrastructure services, these principals for
measurement can help them track whether they are achieving desired effects on improving the
resilience of their infrastructure.
Resilience as Graceful Extensibility to Overcome BrittlenessDavid D. Woods1
Resilience as Graceful Extensibility to Overcome Brittlenessi
David D. Woods1
1Department of Integrated Systems Engineering, The Ohio State University
Keywords: Resilience engineering, Brittleness, Saturation, Graceful extensibility
Resilience as Graceful Extensibility
The label “resilience” is used in many ways, as this guide illustrates. For example, some use the label
to refer to the ability to rebound from challenges, and others use the label to refer to building more
robust systems that absorb a greater range of disrupting events (Woods, 2015). In Resilience
Engineering (Hollnagel et al., 2006) the label “resilience” is used to refer to a different kind of
adaptive capacity that allow systems to continue to function when challenged by surprises.
In my work, resilience is the opposite of brittleness (Woods, 2006). Brittleness, descriptively, is a
rapid fall off or collapse of performance that occurs when events push a system beyond its
boundaries for handling changing disturbances and variations. Since the word resilience is used in
many different ways, a new term was needed to refer to system characteristics that overcome the
risk of brittleness-induced failures — Graceful Extensibility.
Graceful Extensibility is the ability of a system to extend its capacity to adapt when surprise events
challenge its boundaries (Woods, 2015). All systems have an envelope of performance, or a range of
adaptive behavior, due to finite resources and the inherent variability of its environment. Thus, there
is a transition zone where systems shift regimes of performance when events push the system to
edge of its envelope (e.g., how materials under stress can experience brittle failure; see Baker et al.,
1999 and Woods et al. 2008 for analyses of brittleness for complex systems drawing on material
Boundary refers to this transition zone where systems shift regimes of performance. This boundary
area can be more crisp or blurred, more stable or dynamic, well-modeled or misunderstood.
Brittleness and graceful extensibility refer to the behavior of the system as it transitions across this
boundary area. Graceful extensibility and brittleness are opposites. The latter is characterized by
rapid performance fall off or collapse when events push the system past the boundary of its
envelope. The former, graceful extensibility, refers to system’s ability to adapt how it works to
extend performance past the boundary area into a new regime of performance invoking new
resources, responses, relationships, and priorities (for example see Wears et al., 2008 for description
i This paper is part of the IRGC Resource Guide on Resilience, available at:
resilience/. Please cite like a book chapter including the following information: IRGC (2016).
Resource Guide on Resilience. Lausanne: EPFL International Risk Governance Center. v29-07-2016

of how emergency rooms adapt to changing patient loads, in the extreme case following a mass
casualty event).
With low graceful extensibility, systems exhaust their ability to respond as challenges grow and
cascade. As the ability to continue to respond declines in the face of growing demands, systems with
low graceful extensibility risk a sudden collapse in performance. With high graceful extensibility,
systems have capabilities to anticipate bottlenecks ahead, to learn about the changing shape of
disturbances/challenges prior to acute events, and possess the readiness-to-respond to meet new
challenges. As a result, systems with high graceful extensibility are able to continue to meet critical
goals and even recognize and seize new opportunities to meet pressing goals. Resilience
management builds, sustains, and adjusts graceful extensibility to forestall brittleness-induced
Systems with finite resources in changing environments are always experiencing and stretching to
accommodate events that challenge boundaries. No system can escape the constraints of finite
resources and changing conditions. All systems, however successful, have boundaries and experience
events that fall outside these boundaries. Boundary challenging events are a form of model surprise,
not simply a matter of expected frequency or probability. Studies of graceful extensibility then ask:
“What do systems draw on to stretch to handle surprises?” The properties that contribute to or
break down graceful extensibility have emerged from multiple studies of how people in various roles
adapt to surprises (e.g., Cook, 2006; Wears et al., 2008; Finkel, 2011; Stephens et al., 2015).
Risk Governance as Control of Brittleness-Induced Failures
From the perspective of graceful extensibility, risk governance addresses how system performance
changes when events challenge the limits or boundaries of that system’s normal range of adaptive
behavior. The location of the boundary of a system’s normal range of adaptive behavior is dynamic
and uncertain, yet stakeholders’ estimate of its performance boundaries easily becomes misplaced
and overconfident. In general, systems as designed and operated are more brittle than stakeholders
realize (Woods, 2006). However, responsible people in various roles throughout organizations,
compensate by anticipating potential bottlenecks and adapting to fill the gaps in order to stretch
system performance in the face of smaller and larger surprise events (e.g., Cook, 2006). As a result, it
is easy for other perspectives to miss the need for graceful extensibility and, inadvertently, to
undercut the resources that produce graceful extensibility when that system adapts to meet
production pressures (Woods, 2006).
There are three ways that graceful extensibility breaks down to produce brittle systems:
Decompensation, Working at Cross-purposes, and Getting Stuck in Outdated Approaches (Woods
and Branlat, 2011). Decompensation occurs when a system exhausts its capacity to deploy and
mobilize responses as disturbances cascade. The risk is that the organization’s adaptations are too
slow and stale to keep pace with the tempo of events. Skill at anticipation offsets this risk.
Working at Cross-purposes is the inability to coordinate different groups at different echelons as
goals conflict (Dietz et al., 2003). As a result of miscoordination, the groups work at cross-purposes.
Each group works hard to achieve their local goals for their scope of responsibility, but these
activities make it more difficult for other groups to meet the responsibilities of their roles or
undermine the global goals that all groups recognize. In other words, the different roles act in ways

that are locally adaptive, but globally maladaptive (see Stephens et al., 2015 for a case in hospitals).
Skill at synchronizing over multiple roles and levels offsets this risk.
Getting Stuck in Outdated Approaches refers to a breakdown in how systems learn to revise models,
strategies, and tactics as changes occur and new evidence arrives. The key is the ability to revise
models as new evidence accumulates before experiencing collapse or failure events—proactive
learning. However, organizations can rationalize away evidence that contradicts current models and
plans especially in complex systems under production/resource pressures. As a result, previous
approaches can become rigid even as information builds that the world is changing and that the
usual approaches are not producing desired results. The Columbia Space Shuttle accident is a vivid
example of discounting evidence under productions pressure even though the indicators showed the
system was operating well outside of its boundaries (e.g., Woods, 2005). Skill at proactive learning
offsets this risk.
Instruments for Resilience Management
The key evidence about the difference between resilient and brittle systems comes from studies of
cases where graceful extensibility developed to compensate for increasing brittleness and from
studies of cases where graceful extensibility was reduced, undermined, or exhausted leading to
failures (Cook, 2006; Finkel, 2011; Stephen et al., 2015). The empirical base of cases is growing and
provides information for organizations to enhance their Resilience Management approaches.
Techniques to build the resilience of critical digital infrastructure have emerged (e.g., Allspaw, 2012;
Robbins et al., 2012). These organizations, against conventional wisdom, ‘embrace’ small failures —
even during important periods of operations — because they recognize that edge of the envelope
events will continue to arise regardless of efforts to better plan ahead and utilize more automation.
These events at the edge provide crucial information and learning opportunities. These events reveal
and highlight what skills and tools provide graceful extensibility: the abilities to recognize anomalies,
coordinate across roles, intervene to block potential cascades, decide which infrastructure functions
are key to preserve, and prepare to recover operations, all quickly. Plus, shortly after the anomaly is
resolved, extensive blameless post-mortem learning methods are used to revise how infrastructure is
managed. The learning process develops general skills needed for future anomalies, because the
organization knows the next anomaly they experience is likely to be quite different from the last
anomaly they faced.
Measurements and Indicators of Graceful Extensibility
All systems have boundaries, or a range of adaptive behavior, whose location is uncertain and
continually changing. All systems face surprises that challenge their boundaries and create the risk of
brittleness-induced failures. Saturation occurs when the system is no longer able to respond to keep
pace with changing demands, disturbances, and challenges (e.g., Cook, 2006). Saturation is
dangerous, for example, the risk of the decompensation rises as the response capability of the
system becomes saturated (hence, why avoiding saturation is a basic goal in control engineering
This means that all systems need mechanisms that can come into play to provide sufficient graceful

extensibility to control the risk of saturation. The risk of saturation provides a general control
parameter to manage the risk of failures due to brittleness (Fariadian et al., 2016). No matter what is
to be controlled or managed, and no matter how well that is controlled or managed, things can and
will change. When that change or new challenge occurs, some capacity has to be there to draw on to
adjust to the change or challenge — otherwise the system is too brittle and the risk of collapse in
performance on an important dimension is too high.
This quick overview of the basics of the emerging Theory of Graceful Extensibility highlights what is
the fundamental capacity to be measured. It is the risk of saturating that system’s capacity to
maneuver as new events occur. Saturation refers to how much of the system’s capacity to maneuver
has been used up to handle ongoing events which then reduces what remains available to handle
future events. As a system nears saturation, it has exhausted its ability to handle upcoming events —
it is at the brittle breaking point (Woods & Branlat, 2011).
Understanding what capabilities and resources produce graceful extensibility leads to new
descriptions of critical measurable and actionable concepts. Examples include:
Saturation: When responses to current demands exhaust a unit’s range of adaptive behavior
or capacity for maneuver.
Risk of saturation: Contrast of remaining range of adaptive behavior or capacity for
maneuver to what is needed to handle ongoing and upcoming demands.
Brittleness: Insufficient graceful extensibility to manage the risk of saturation (as a new more
actionable operational definition).
These and related concepts are leading to new control engineering approaches to measuring and
managing the risk of failures due to brittleness for complex systems (e.g., Doyle and Csete, 2011;
Fariadian et al., 2016).
On Resilience-based Risk GovernanceJianhua Xu, Lan Xue1
On Resilience-based Risk Governancei
Jianhua Xu1 and Lan Xue2
1College of Environmental Sciences and Engineering, Peking University, P. R. China
2School of Public Policy and Management, Tsinghua University, P. R. China
Keywords: Risk governance, Risk assessment, Resilience, adaptation
Resilience is a frequently-used but loosely-defined term. It has its hidden attributes, though, which
lead people to reach their conclusion on the resilience of a system. If we say a system is resilient, we
mean that it cannot be easily impacted and/or it can be easily recovered once impacted. In existing
literature, resilience is defined in various forms in different disciplines. For instance, in ecology,
resilience is defined as the ability of a system to absorb changes and still persist (Holling, 1973); in
psychology, resilience is defined as the capacity for positive adaptation (Luthar et al., 2000); in
human geography, resilience is defined as the ability of groups or communities to cope with external
stresses and disturbances (Adger, 2000). Nevertheless, the essence of these definitions is no
difference from ours, which is the resistance to damage and the ability to recover once damaged.
Risk governance, as a management mechanism, deals with issues which concern multiple actors or
affect the interests of multiple actors in a system or organization. In a world where population and
technologies explode, the risks confronting a system or organization have become more and more
complicated, and the plausible consequences associated with the risks could be wide-ranging and
devastating. Abundant examples manifested this. The subprime mortgage crisis around 2008,
triggered by a large decline in housing prices after the collapse of the housing bubble, resulted in
massive defaults and hence caused severe harm to the whole banking system. The Fukushima
nuclear disaster, initiated by the tsunami induced by an offshore earthquake, resulted in the
equipment failures and finally the release of radioactive material. To prevent disastrous outcomes, it
is necessary to enhance the resilience of both the system and the people involved. Of course, this is
likely constrained by the availability of resources.
Objective & purpose of resilience
The difference between traditional risk governance and resilience-based risk governance can easily
be comprehended by borrowing the terms of mitigation and adaptation in the climate change
sphere. Mitigation there refers to reductions in emissions associated with each unit of output
i This paper is part of the IRGC Resource Guide on Resilience, available at:
resilience/. Please cite like a book chapter including the following information: IRGC (2016).
Resource Guide on Resilience. Lausanne: EPFL International Risk Governance Center. v29-07-2016

achieved by technological change and substitution; adaptation is focused primarily on increasing the
resilience of human and nature towards the actual or expected outcomes. The traditional risk
governance bears a resemblance to mitigation, and resilience-based risk governance bears a
resemblance to adaptation. Traditional risk governance puts more efforts on the causes of the risks;
resilience-based risk governance is consequence-centred.
Thus, resilience-based risk governance is most wanted when we don’t have much leverage on the
causes of the risks and the foci of efforts can largely be exerted on coping with consequences. By
examining the causes of risks, it was found that there are situations where the causes are known but
uncontrollable (at least to the current generation), and there are also situations where the causes are
multiple and intertwined and the causal mechanisms are to be unravelled. An example of the former
situation is natural disasters; an example of the latter situation is risks associated with climate
change. It is worthy of mentioning that resilience-based risk governance is not a panacea for these
situations, and only works when the consequences are foreseeable.
Instruments for resilience management
The philosophy of management is no difference in traditional risk governance and resilience-based
risk governance, e.g., by making rules to spread the risks, by taking engineering measures to build or
reinforce the infrastructure systems, by incentivizing people to change their behaviours, with
coercive laws to make people refrain certain actions, by reforming the structure of organizations to
improve its robustness, and by educating people to raise their awareness. Thus, the policy
instruments for resilience management can be directly chosen from the arsenal of management
instruments, for instance, to provide insurance to those living in flood-prone or earthquake-prone
areas, to construct levee on the seashore along low-lying coastal lines to cope with the rising sea
level as a result of climate change, and to build redundant fibre cables for providing robust
backbones for the internet.
But, resilience management centres on the consequences, instead of the causes of risks. Being
resilient means resistance to damage and the ability to recover; management instruments should
then be chosen with the goals of enhancing the ability to resist damage and/or to recover from
damage. To cope with specific risks requires specific measures. As we are not discussing specific risks,
we propose a procedure to help to come up with management alternatives in a general sense.
Within a system or organization, the prerequisite for developing resilience-based management
strategies is that the risk managers have an awareness of the risks they have to deal with. Then,
serious risk assessment can be conducted, with a focus on assessing the damages or consequences.
These include identifying who are the impacted, and what are the consequences, and how severe are
these consequences. Centring on the assessment results, generation and evaluation of coping
alternatives can then be conducted.
Risk governance requires the active involvement of the multiple actors through informal or formal
approaches in coping with risks. In generating resilience-based coping strategies, it is necessary to
identify these relevant actors first. For instance, to cope with a nationwide risk, governmental
agencies, enterprises, and the general public all can play a role. Then, centring on alleviating
consequences, the instruments available to each category of actors can be identified by fully

considering the resources and roles of these actors in the system or organization. These alternatives
can then be evaluated based on the basic criteria of cost, benefit, and equity, etc.
Metrics, criteria, indicators for resilience
Resilience is easy to comprehend, but is quite elusive to measure. We define a system or
organization as having good resilience when it is not easily damaged and/or it is easy to recover once
damaged. Thus, developing indicators for resilience centres on these two aspects.
By ‘not easily damaged’, we mean it is difficult to make a system or organization to deviate from its
status quo. The assumption is that the status quo is preferred than the status of being impacted.
Since we are talking about risk governance and thus the impact is by default negative, this
assumption is valid. The degree of deviation from status quo given the level of external shock can be
an indicator of resilience, and the difference between the status after being impacted by the
maximum possible external shock and the status quo as expressed by the percentage of deviation
can be used to measure this indicator. The smaller the difference is, the better the resilience is. The
status quo of a system or organization needs to be assessed, and the expected damage to the system
or organization by the maximum possible external shock needs to be assessed as well. In practice,
things are often more complicated. A system or organization may have many components, and the
degree of the expected damage to the different components could vary greatly. In evaluating the
resilience of the system or organization as a whole, how to weigh the resilience of the different
components is itself a difficult task. We can assign weight to the components, we can just make a
judgement based on the component with the poorest resilience, or we can turn to other courses.
This is both a science and an art.
By ‘easy to recover once damaged’, we mean it is easy for the system or organization to recover to its
original status or to a comparable status, after being impacted. Comparing with measuring ‘not easily
damaged’, it is more difficult to measure the easiness to recover. It is related to the resources
needed and the resources available to recover the system after being damaged to the original status
or to a comparable status. By assuming that the original status and the comparable status are
equivalent, we then can design and measure the indicator of easiness to recover. This indicator can
be defined either as the difference between the resources needed and the resources available to
recover the system to its original status from the status of being damaged, or the difference between
the original status of the system and its status after recovery from damage given the resources
available. The smaller the difference is, the better the resilience is. Of course, the first challenge is to
estimate the resources needed and the resources available to recover the system once it is damaged.
The second challenge is to estimate the level of recovery with the resource available. These are again
Finally, integrating the indicators of the two aspects above to measure the resilience of a system is a
daunting task as could be imagined. For specific system or organization, details are required to
quantify these indicators, and the discussion in this section should be able to serve as guidance.
Aligning Different Schools of Thought on Resilience of Complex Systems and NetworkDavid J. Yu, P. Suresh C. Rao, Christopher J. Klinkhamer, Elisabeth H. Krueger, Nikhil Sangwan, Kyungmin Sung1
Aligning Different Schools of Thought on Resilience of Complex
Systems and Networksi
David J. Yu1,*, P. Suresh C. Rao1,*, Christopher J. Klinkhamer1, Elisabeth H. Krueger1,2, Nikhil Sangwan1,
Kyungmin Sung1
1Purdue University, 2Helmholtz Centre for Environmental Research - UFZ Germany
Keywords: Resilience, Robustness, Adaptability, Transformability, General resilience
Resilience Thinking, Robust Control, Resilience Engineering, and Spatial Resilience
Multiple schools of thought have emerged on how complex systems persist or reorganize in response
to change. A first step towards resilience management should be clarifying how these different
schools of thought fit together. With this aim, we synthesize the following four concepts: resilience
thinking as developed in the fields of ecology and social-ecological systems (SESs) research, resilience
engineering as developed in the safety management research of engineered systems, robust control
as developed in control theory of feedback systems, and spatial resilience as developed in the fields
of geomorphology, landscape ecology, or complex network studies.
Resilience thinking is a cluster of concepts that has been expanded to represent how complex selforganized
systems persist or reorganize among multiple regimes of reinforcing processes (or multiple
stable attractors or basins of attraction). It focuses on three emergent system-level features:
resilience as persistence, adaptability, and transformability (Walker et al., 2004; Folke et al., 2010).
• Resilience is the ability to respond to external (or internal) disturbances while
undergoing change so as to still preserve essentially the same functions of the current
regime. Resilience can be further classified into specified and general resilience. Specified
resilience is specific about "resilience of what to what" (Carpenter et al., 2001). It refers
to the capacity of a system to maintain a specific set of functions in relation to a welldefined
set of disturbances. General resilience, in contrast, relates to the capacity of a
system to deal with all kinds of disturbances, both expected and unexpected ones (Folke
et al., 2010). Many resilience studies focus on the aspects of self-organization that
generate multiple regimes, thresholds that form the boundaries of these regimes, and
how a system may suddenly flip between such regimes from a seemingly small change in
a condition (regime shift). Finally, resilience by itself does not address normative
considerations; a resilient regime can be either good or bad to human welfare.
• Adaptability is the ability of a system to learn and adjust its responses to changing
conditions and continue operating within the current regime. Hence, adaptability
i This paper is part of the IRGC Resource Guide on Resilience, available at:
resilience/. Please cite like a book chapter including the following information: IRGC (2016).
Resource Guide on Resilience. Lausanne: EPFL International Risk Governance Center. v29-07-2016

enhances resilience. Adaptability is aided by structural and functional diversity and
redundancy of components, connections, and processes. Loss of such features, either
through natural or anthropogenic changes, contributes to decreased adaptability and
thus resilience loss.
• Transformability is the ability to create a fundamentally new system when the existing
system becomes untenable because of great change. In a complex system with nested or
multi-level hierarchy (e.g., households make up neighbourhoods, neighbourhoods
comprise districts, districts make up a city, etc.), transformability at a lower level can
help the resilience at a higher level. For example, periodic district-level water supply
failures and the resulting rehabilitation of pipes in these districts can make the whole city
resilient to a major water supply failure. Therefore, it is crucial to understand that multilevel
interactions drive the interplay among resilience, adaptability, and transformability.
Adaptive cycle and panarchy of nested adaptive cycles are useful heuristics about how
such interplays unfold across multiple levels (Allen et al., 2014).
In the field of robust control, robustness relates to the sensitivity of a designed system’s
performance to a well-defined set of disturbances (Csete & Doyle, 2002). Unlike resilience, aspects of
multiple regimes are not explicitly covered by robustness. Robustness represents a degree of
resistance relative to a particular set of disturbances with known and anticipated (with some
probability) frequency and intensity that are identified through risk analysis. Hence, robustness and
specified resilience are analogous when the focus of analysis is on system dynamics in the vicinity of
a regime’s steady-state. When the focus of analysis is expanded to cover potential regime shifts,
robustness and specified resilience mean different things. Further, a fundamental property of all
feedback systems is that designed features that confer robustness to certain kinds of disturbances
necessarily lead to hidden fragilities to some other set of disturbances (Carlson & Doyle, 2002). This
so-called robustness-fragility trade-off has been observed in SESs (Janssen & Anderies, 2007). In
coupled engineered-social systems, this debate is focused on balancing fail-safe designs (robustnessbased)
with safe-fail (resilience-based) design paradigms; that is, there is a need for an integration of
both risk and resilience approaches for design and operations of coupled systems (Park et al., 2013).
Safety management engineers have traditionally focused on robustness through risk analysis. They
have begun to embrace resilience ideas (Fiksel, 2003), and termed their approach as “resilience
engineering.” They define resilience as "the intrinsic ability of a system to adjust its functioning prior
to, during, or following changes and disturbances, so that it can sustain required operations under
both expected and unexpected conditions" (Hollnagel, 2014). This definition is essentially the same
as that of general resilience. Hollnagel (2014) outlines four main traits of resilience engineering: the
ability to respond to various kinds of disturbances (both familiar and unfamiliar ones), the ability to
monitor system states, the ability to learn from the consequences of past decision-making, and the
ability to anticipate and proactively adapt to changing conditions. Engineered complex systems, such
as urban infrastructure networks, indeed are designed to monitor system state and performance,
and re-rout flows of traffic or water, etc. when necessary. Yet, these systems are not inherently
resilient, because they do not have the ability to adapt or transform structure and functions through
self-organization, as do ecological and social systems/networks. Further, when engineered systems
fail, either through long-term erosion of physical structures or suddenly from major shocks, they do
not re-emerge or re-organize by themselves; rather, it is the urban communities that use and depend
on them that actively invest to repair and rehabilitate the failed infrastructure.

Resilience characterization of a complex system needs to incorporate processes and feedbacks, not
only over different time scales but also across the spatial domains of the system. It is important to
observe and model changes in spatial heterogeneity (statistical spatial moments), spatial structure
and patterns (geo-statistical analyses), flows (of matter, energy, etc.) across gradients and interfaces,
connectivity (network topological metrics) among spatial elements, and dispersal (diffusion of
matter, information, organisms, etc.). Such spatiotemporal attributes respond dynamically to both
internal and external forcing, whether deterministic or stochastic, to maintain local (specific) or
overall (general) resilience. Just as cumulative adverse impacts of sequences of internal and external
disturbances can lead to either gradual erosion of system functions (performance) over time or
experience a sudden collapse, so too do spatial cascades of losses of diversity, patterns, connectivity,
and flows lead to propagation of regime shifts across space. Thus, spatial resilience can be
understood as the ability to maintain the appropriate combination of spatial attributes required to
enable emergence of asymmetries, heterogeneity, patterns, connectivity, flows, and feedbacks (Allen
et al., 2016). Spatial resilience is linked to the "preservation of a system's structure", which does not
necessarily refer to the spatial layout of a system, but rather the "functional map" and topology of
the system. Such functional mapping of urban infrastructure networks has been suggested by several
authors (Porta et al., 2006; Masucci et al., 2014).
Strategies for Resilience Improvement
How do these schools of thought fit together? How can we use them in concert as instruments for
resilience management of coupled complex systems? It is important to realize that resilience and
robustness are not conflicting concepts as shown in Figure 1. When the time scale of analysis is in the
units of decades or longer, resilience may be more fitting because it incorporates aspects such as
adaptability and transformability that begin to matter in such longer time scales (Anderies et al.,
2013). When the time scale is shorter (i.e., in the units of few hours or days) and system boundaries
are more narrowly defined, robustness (resistance) may be more fitting because it explicitly deals
with the sensitivity of a system output to a well-defined set of disturbances. In a similar manner,
when specificity or predictability of key outputs and system dynamics is high, risk analysis can still be
useful and planned adaptation or deliberate transformation can be possible. When the opposite is
true, learning-by-doing may be necessary and unplanned adaptation or forced transformation is
more likely. Hence, resilience and robustness are complementary concepts—the choice between the
two concepts ultimately depends on the nature of the spatial boundary, time-scale, and specificity or
predictability of key variables that one is considering. However, continuously applying robustness as
the sole basis for ensuring persistent performance is dangerous: It can lead to catastrophic failures
when another type of hazard co-occurs, as illustrated by the examples of Park et al. (2013) and the
notion of robustness-fragility trade-offs.

Figure 1: Relevance of the resilience-related concepts discussed along four analytical dimensions (time scale, spatial
boundary, specificity of key variables, and predictability).
In the short term, robustness can be achieved by deciding which disturbances will be controlled and
which ones will be tolerated at a particular point in time. Robustness ideas facilitate this process by
forcing analysts to consider a precise system boundary and output measure and potential
robustness-fragility trade-offs associated with design choices. When predictability is low and the time
scale is longer, general resilience can be achieved by taking short-term and local robustness to the
global scale with dynamically changing conditions and disturbances. This requires moving from the
idea of protecting the system from failure ("fail-safe"), which is achievable only to expected risks, to
embracing the potential of failure and creating a "safe-fail" environment in the event of unknown or
unexpected shocks (Park et al., 2013). Implementation of this dynamic adjustment requires learningby-
doing, i.e., an iterative cycle of experimentation, monitoring, learning, and adaptation (Hollnagel,
2014; Yu et al., 2016). Similarly, resilience engineering scholars suggest that resilience ideas do not
replace the conventional risk-based engineering approach. The basic idea is that risk analysis alone is
insufficient for dealing with irreducible uncertainties associated with complex systems and thus
should be accompanied by improved adaptability. Hence, practitioners should use robustness
(through risk analysis) and general resilience (through learning-by-doing and dynamic adaptation) in
concert to operationalize resilience management.
Quantifying Resilience
Quantifying resilience has received increasing attention in recent years, both from systems and
networks modeling and composite indicators construction perspectives (Angeler & Allen, 2016), and
is moving beyond earlier work defining terminology, concepts, and conceptual frameworks (Park et
al., 2013; Ayyub, 2014). More recent attempts at quantifying resilience of technological systems were

based on performance recovery from a single shock, or used an aggregate measure (average level of
service provision) computed from system responses to multiple events over multiple years (Ganin et
al., 2016).
New modeling approaches are based on either systems analyses perspectives or complex network
analyses based on graph theory and acknowledge increasing vulnerability to unexpected shocks, or
combinations of series of chronic, low-intensity and infrequent acute shocks (Moore et al., 2015;
Klammler et al., 2016). Two key state variables of interest, aggregated at the system or network level,
are: (1) the "system performance” ("functions", e.g., ecological or infrastructure or social services)
and (2) “adaptive capacity”, which defines the ability of the system to cope with disturbances,
recover from losses, learn from, and improve the process. While it is easy to monitor system
performance, it has been much more challenging to quantify and monitor “adaptive capacity”; this
gap remains the focus of current and future research efforts.
Klammler et al. (2016) developed a model to quantify resilience using multiple metrics of coupled
systems performance under a stochastic disturbance regime. Here, resilience is modeled as a
dynamic and emergent property of the coupled system with respect to regime shifts between a
desirable regime (full service) and limited service conditions or complete system collapse. They also
showed that resilience is a non-stationary (i.e., memory- or path-dependent) and emergent
phenomenon under stresses, contingent on initial conditions, and the nature of the stochastic
disturbance regime. However, lack of required long-term data for engineering system (infrastructure)
performance under a series of stochastic shock (i.e., disturbances of varying frequency and intensity),
and how to measure and monitor the dynamics of social system’s “adaptive capacity” remains a
major obstacle to model testing and applications
Representation of the systems of interest as interdependent networks has also been examined.
Examples include engineered and natural networks (e.g., river) and engineered networks (e.g., roads,
pipes, power) and social networks (e.g., communities) in urban settings. Recent work (Newman,
2006; Barzel & Barabasi, 2013) has shown that many engineered and natural networks have
topological similarities in that they all exhibit distinct features of functional self-similarity and scaleindependence.
Such networks have few well-connected critical nodes (hubs) and a large number
poorly connected (terminal) nodes. Such networks are known to be vulnerable to structural
fragmentation, and functional disruptions with the loss of only a few hubs, but robust to the loss of
other less-connected nodes (Barabasi, 2016). Interdependent networks generally tend to be less
robust, and more likely to be vulnerable to cascading failures initiated in other networks. Several
quantitative measures of network topology, interconnectedness, and resilience have been recently
proposed (Gao et al., 2016).
Despite continued advances in understanding and quantifying resilience, accurately measuring
resilience remains an ongoing challenge, often only possible after system failure has already occurred
and the recovery is underway. As a result, the design and management of engineered systems follow
fail-safe strategies rooted in robustness and risk analysis. These strategies, however, often fail to
recognize the importance of people, i.e., social capacity in imbuing resilience within an engineering
system that is otherwise designed, built and operated on robustness, resistance, and redundancy,

but does not inherently has resilience (as in adaptation and transformation) (Klammler et al., 2016).
Recognizing the community’s contributions to adaptive capacity should be a principal component of
any future quantitative measure of coupled systems resilience.
Flood ResilienceChris Zevenbergen1
Flood Resiliencei
Chris Zevenbergen1
Keywords: Flood risk management, Engineering resilience, Socio-ecological resilience
Resilience is widely used in flood risk management policies, but still largely conceptually. Despite
notable advances in social-ecological sciences and numerous attempts to make it operational, there
is still a limited number of empirical and quantitative case studies to demonstrate the practical
relevance in flood risk management. Nevertheless, the concept of resilience (as opposed to
resistanceii) represents a new way of thinking about flood disaster mitigation embracing the
philosophy that, as a society, we should learn to live with floods and to manage flood risk and not
seek to avoid it. Resilient flood risk strategies aim at reducing flood risk through a combination of
protection, prevention and preparedness spanning a wide range of flood probabilities (from regular
to rare flood events).
Flood resilience is applied in at least two different ways. In the first, more traditional definition and
applied in engineering, resilience is conceptualized as an outcome. It is defined as the ability of a
system to resist or absorb disturbances (such as storm surges and cloudbursts) and to remain
functioning under a wide range of flood wave or rainfall intensities. In this definition, continued
functioning implies either withstanding the flood wave (resistance) or quick recovery with limited
impact after being exposed to flood water (e.g. due to failure of the flood defense system) (e.g. De
Bruijn, 2004; Gersonius et al., 2010) with the ultimate aim to avoid impacts from which recovery is
extremely difficult (e.g. Mens et al., 2011). Here resilience depends on properties such as robustness,
or the capacity to withstand a disturbance without functional degradation, redundancy or the extent
to which system components are substitutable, and rapidity or the capacity to restore the system in
a timely manner (Bruneau et al., 2003; Liao, 2012). Engineering resilience is increasingly being
applied in the domain of architecture and building technology involving the deployment of flood
resilient design and technologies to adapt or construct buildings that remain undamaged or
unaffected by flood water (e.g. Garvin, 2012). It is also being used in the domain of disaster reduction
aiming at recovering from shocks and preserving the status quo (Mayunga, 2007).
Building on the paradigm of multi-equilibria (or non-equilibrium) in ecology (Holling, 1973), in the
i This paper is part of the IRGC Resource Guide on Resilience, available at:
resilience/. Please cite like a book chapter including the following information: IRGC (2016).
Resource Guide on Resilience. Lausanne: EPFL International Risk Governance Center. v29-07-2016
ii Resistance in this context is often defined as the ability of the system to prevent floods

second definition, resilience has evolved into a broader concept of socio-ecological resilience and is
typically defined from a holistic system’s perspective. It is being used as an approach for
understanding the dynamics of social–ecological systems. In this emerging concept resilience is
observed as a process, where the post-disruption state can be different than the pre-disruption state,
but the whole recovery process is resilient (Folke, 2006; Wardekker et al., 2010; Linkov et al., 2014).
This resilience approach recognizes non-linear dynamics, thresholds, uncertainty and surprise, how
periods of gradual change interplay with periods of rapid change and how such dynamics interact
across temporal and spatial scales (e.g. Folke, 2006; Gersonius et al., 2010). In this context resilience
is defined as “the capacity of linked social-ecological systems to absorb recurrent disturbances such
as floods so as to retain essential structures, processes and feedbacks” (Folke, 2006). In addition,
resilience also reflects the degree to which complex adaptive systems are capable of selforganization
and to which these systems can build capacity for learning and adaptation (e.g. Folke,
2006; Cutter et al., 2010). This broader concept of resilience has been adopted in the domain of
climate change adaptation as a way to deal with both gradual, disturbing changes and shocks
(resulting from climate change and variability, resp.) (Wardekker et al., 2010; Bahadur et al., 2010;
Linkov et al., 2014).
response stress aim/strategy
Resistance Ability to withstand
disturbance without
shock stability (preserve status quo)
flood protection
Ability to bounce
back and recover
from disturbance
shock constancy (efficiency of function,
preserve status quo)
Fail-safe design
This definition is appropriate for
engineering components and systems
Capacity to absorb
disturbance, recover
and re-organize
(adapt) while
undergoing change
gradual/shock persistency (existence of function)
learning, adaptive capacity,
Table 1: Definitions and features of resilience used in flood risk management
Objectives and instruments
In many parts of the world flood risk management has focused primarily on the implementation of
structural engineering solutions, favoring large-scale infrastructure systems, such as flood
embankments and channelization (Brown & Damery, 2002; Ashley & Brown, 2009). These traditional
approaches have not been designed for failure and as a consequence impacts of extreme flood

events may be catastrophic. In the recent past, major flood disasters have indeed acted as catalysts
for changing flood risk management approaches. Currently, there is a growing recognition that flood
risk management systems are complex systems. They bring together human, ecological and technical
components. Contemporary thinking about the behavior of these systems has led to a paradigm shift
in managing those systems (see Table 2). The broader concept of socio-ecological resilience has
provided guidance for building more resilient FRM systems involving (e.g. Sayers et al., 2002; Dawson
et al., 2011; Huntjens et al., 2011; Zevenbergen et al., 2013): (i) accepting that knowledge will never
be perfect and that changes are uncertain and hence that there is no ‘optimal’ or ‘best’ solution, (ii)
nurturing the capacity to adapt and allowing to learn from the outcomes of experimentation, (iii)
taking into account all of the potential interventions that may alter flood risks and (iv) facilitating
participation and collective action. These resilient approaches aim to establish a balance between
flood protection, prevention and preparedness, both now and into the future (e.g. Zevenbergen et
al., 2008; Gersonius et al., 2010; Aerts et al., 2014).
Traditional (flood risk-based)
Flood resilient approach
Problem perception Changes in system are
Changes in system are
Key objective Control changes, stability
Persistence, enhance capacity
to adapt to uncertainties
Governance perspective Sequential process of
Top-down strategy making
Focus on flood probability
reduction (protection)
Systems of static norms and
Continuous alignment of
content and process with
Bottom-up initiatives
Balance between protection,
prevention and preparedness
System of strategic
alternatives (e.g. adaptation
Table 2: Features of the traditional flood risk-based approach and the flood resilient approach
Most of the frameworks to measure flood resilience focus on the relationship between probability
and (direct) impact of flooding (engineering resilience), and factors that attribute to resilience such
as economic resources, assets and skills, information and knowledge, support and supportive
networks, and access to services (socio-ecological resilience). The factors are being used to select
resilience surrogates as they relate to a particular component or notion of flood resilience. Flood
models are being used to assess probabilities and consequences of flooding and the effectiveness of

management interventions. Attempts to quantify flood resilience are based on indicators which
relate system response to flood waves (see Figure 1) (e.g. Termes et al., 1999; Klijn & Marchand,
2000; De Bruijn, 2004; Mens et al., 2011). For instance, De Bruijn (2004) provided an analysis of what
makes river basins flood resilient and how resilience can be enhanced. She quantified resilience using
three indicators that reflect the different aspects of the reaction. Gersonius (2008) has further
extended this framework comprising the following indicators: the reaction threshold, amplitude,
graduality, and recovery rate. The reaction threshold involves the recurrence time of the maximum
load the system can withstand such as the maximum river discharge or rainfall intensity which is not
expected to cause floods. The amplitude of the reaction indicates the severity of the expected
(direct) damage resulting from a certain peak discharge or extreme rainfall event. The graduality
reflects the extent to which the damage increases with increasing disturbances caused by flood
waves.The recovery rate describes how fast a system will recover from the reaction to a disturbance.
The resilience of a system can only be assessed by considering the whole set of indicators as each
indicator reflects only one aspect of the reaction of a system to flood waves. Although these resilient
indicators reveal relevant information on the system’s performance, they cannot be aggregated and
expressed in one numerical value (Zevenbergen, 2007).
Figure 1: Theoretic response curve, showing system response as a function of disturbance magnitude (e.g. magnitude of
flood wave), indicating resistance and resilience (adapted from Mens et al., 2011)
Annotated bibliography of flood resilience studies
Aerts, J. C. J. H., Botzen, W. J. W., Emanuel, K., Lin, N., Moel, H. de & Michel-Kerjan, E. O.
(2014). Evaluating Flood Resilience Strategies for Coastal Megacities. Science, 344(6183), 473-
475. doi: 10.1126/science.1248222
The study described in this paper is a nice example that uses a combination model for storms
and floods, damages and protections, to evaluate flood resilience planning and investments for

coastal cities using New York City as a case study.
De Bruijn, K. M. (2004). Resilience and flood risk management. Water Policy 6(1): 53-66.
Gersonius, B., Ashley, R., Pathirana, A., & Zevenbergen, C. (2010). Managing the flooding system's
resiliency to climate change. Proceedings of the ICE-Engineering Sustainability 163(1): 15-23.
Zevenbergen, C., Veerbeek, W, Gersonius, B., & van Herk, S. (2008). Challenges in urban flood
management: travelling across spatial and temporal scales. Journal of Flood Risk Management
1(2): 81–88.
To enable the evaluation of resilience and resistance strategies under different conditions, the
concepts of resilience and resistance must first be sufficiently understood. The abovementioned
papers discuss the meaning of resilience and resistance and apply the concepts to
flood risk management systems.
Concluding Remarks to the IRGC Resource Guide on ResilienceMarie-Valenting Florin, Igor LinkovConcluding Remarks to the IRGC Resource Guide on Resiliencei
By Marie-Valentine Florin and Igor Linkov
The papers assembled in this resource guide collectively demonstrate the richness of the field of resilience. Each piece represents the independent views of the respective authors, including methodological and theoretical considerations of resilience from the perspective of various disciplines. The structure of this collection inherently allows for a comparison of perspectives on resilience analysis and theory, such as by Craig Allen and Allison Quinlan in the social-ecological sector, by Ivonne Herrera in the field of resilience engineering, by Henry Willis for infrastructure, or by David Woods and David Yu across systems and organisations. Other authors such as with Marcus Snell and Thomas Seager provide a multi-dimensional review of resilience. Finally, a number of papers illustrate resilience as it is currently applied, such as with the IBM scorecard or the 100 Resilience Cities programme.
This resource guide also aims to stimulate thinking about how and to what extent further work to structure the field of resilience would be necessary and helpful. At this stage, IRGC does not have an answer. However, we believe that the points raised below are important for consideration for the field of resilience as it continues to mature and develop:

Resilience-building is a process that requires a multi-disciplinary perspective and the involvement of all actors potentially affected by a risk. Since it applies to systems, a system approach is generally required.

Building resilience is important for systems potentially affected by uncertain yet potentially consequential shocks. Such shocks may be quite disastrous and affect the capacity of the system to deliver the critical services that humans need from it.

Even though there are multiple schools of resilience applied in varying domains, there are common themes and features of resilience that include the necessity to focus on critical functions of the system, to assess degradation of these systems in time after disruptive event, to consider recovery, and finally the ability of the system to change or adjust based on experiences with dealing with emergencies

Resilience quantification tools range from simple metrics up to advanced probabilistic tools and network science applications. There is a clear need to identify situations and application needs where one or another approaches may be useful. The tiered structure of resilience proposed by Linkov et al may be a good starting point to construct a taxonomy of resilience methods and applications

There is substantial variance regarding scholarly views on the relationship between resilience and risk assessment. Approaches for consideration of risk as a part of resilience, resilience as a part of risk, and independent views on risk and resilience have all been proposed in individual papers and schools of resilience.

i This conclusion is part of the IRGC Resource Guide on Resilience, available at:­
governance/resilience/. Please cite like a book chapter including the following information: IRGC (2016). Resource Guide on Resilience. Lausanne: EPFL International Risk Governance Center. v29-07-2016
• It is clear that resilience is a necessary and complementary component in and to risk management. Depending on the field, the approach could either start from (a) the need to build resilience, e.g. in a community that is affected by low-probability high-severity risk such as disaster risk from extreme weather or climate events, or (b) the outcome of a risk assessment, e.g. when the conclusion is that routine risk reduction strategies will not be sufficient, when strategies to avoid the risk are not possible or, when building robustness or resistance in the system is not sufficient.
Style Switcher

NOTE: Vertical headers will not work on pages that have the naked header enabled