Enterprise Resilience
Modern theories of the firm remain focused on transaction costs, operational efficiency, employee motivation, leadership, strategy and other related factors. While any of these may support our success at various times, none of them alone will facilitate it in the long run. Even strategy, while vitally important, is set at a point in time and is vulnerable to change. The one factor that enables our company’s long-term viability is Enterprise Resilience which enables a company to adapt to a change.
Technological Upheaval
We are in an ever-shifting maelstrom of change. Climate change causes more frequent and intense natural disasters. Changing climate patterns could potentially wipe out whole island nations on one hand and create new trade routes and energy opportunities in the melting Arctic on the other. In the last 25 years alone we saw thirty-four new nations formed. Borders, political alliances, migration and trade patterns transform ever more swiftly. Technologies emerge or become redundant overnight, disturbing established industries and altering economic futures of entire countries. These or a host of other changes threaten to render our products or services obsolete, cause dramatic shifts in the market and change our customer base for better or worse.
Forget, for a moment, the Internet and the mobile revolution, or potential cryptocurrencies and blockchain revolutions. Just look at the example of desktop PCs. A mere decade ago, they perched in every workspace as the main computing platform. Now, sales of such devices have largely died, outside of a few remaining markets[1]. Their work today occurs on mobile devices, with back-end computing and data collection moving to the cloud and connected devices.
Or look at stand-alone GPS receivers. Not long ago, they were the pinnacle of navigation technology; today they are merely an incidental feature standard on the lowest entry model smartphones and IoT devices. Their makers, such as Garmin or TomTom, survived only by adapting to changes.
Others, like Kodak Co. or Nokia Corp, were not so lucky. These pioneers in film-based photography and digital mobile phones, respectively, failed to adapt to technological upheaval and lost their prominence. Kodak, for decades a corporate giant, was even forced into bankruptcy.
Adaptability is critical in today’s market. We have no all-knowing oracle to predict future developments. Change is on an ever-accelerating climb; a new or disruptive technology may emerge at any moment and upset all our carefully laid plans. Resilient enterprises can take greater risks and respond more quickly when unexpected change occurs. They can better cope when plans go awry. Organizations that have a greater risk tolerance have a distinct advantage over those that do not.
First-hand Observation
I was lucky in my career to experience companies on both ends of the spectrum. I saw both, those that used radical changes in their business environments to prosper, and those that failed to adapt and suffered.
I worked with IBM, Apple, Experian, Accenture, Toyota, Expedia, AXA and other regulars on the lists of most innovative companies. I observed how they used changes in their business environments to their advantage.
On the other hand, Kodak enlisted me in efforts to optimize and automate film processing in their futile attempt to reverse digital cameras’ dominance of store shelves. I promoted Nokia’s Symbian OS when iOS was already gaining ground. Other change-impaired clients included Motorola, Sun Microsystems, and European dotcom web technology darling Reef, on whose domain one can now buy sandals. No, correlation does not imply causation.
As I observed those business cycles first-hand, I was also building a background in technology risk, business continuity and disaster recovery. That pairing of backgrounds and interests moved me to jump at a chance to lead PwC Enterprise Resilience – a field that grew out of business continuity and related disciplines and now helps organizations survive, or even prosper, when faced with radical changes in their business environments.
Traditional Business Resilience
Business resilience, at its core, is an organization’s ability to adapt to disruptions and maintain, or quickly recover, continuous business operations, assets and brand equity.
Resilience typically contains four major capabilities[2]. The first is preparedness. Preparedness encompasses the tactical plans we will enact in case of a disaster or crisis. Preparedness must be implemented cross-functionally through all critical parts of our organization.
Secondly is protection. Protection hardens us against both identified and, where possible, unidentified threats. Protection also includes our contingency plans and the alternatives we will enact if we are completely disrupted.
The third is response. Response encompasses the steps we will take during and immediately after a crisis. It is essential to formulate our comprehensive response before a crisis begins. If we try to devise it in the middle of an emergency, we have already lost.
Lastly is recovery. Recovery describes the activities we will employ to bounce back quickly. We might mistake recovery for activating our Disaster Recovery (DR) plans. DR plans, however, focus on getting us back on our feet at only a basic level. That makes them more of a response function. Recovery has a distinctly tactical bent. It focuses on maintaining or recovering the level of business operations existent before the disruption.
Disciplines that have matured over recent decades to support the traditional approach to business resilience include Crisis Management, Emergency Management, Disaster Recovery, Incident Response, Operational Risk Management and Business Continuity Management.
Today’s Enterprise Resilience
For a somewhat different take on resilience, let’s consider these definitions: “Enterprise resilience is the capability of an organization to anticipate change and react to it, perhaps even to evolve, in order to survive”[3]. Enterprise Resilience enables us “to change before the case for change becomes desperately obvious”[4] and to “withstand systems discontinuities and adapt to new risk environments”[5]. British Standard, BS65000(2014) defines “organisational resilience” as “ability of an organization to anticipate, prepare for, and respond and adapt to incremental change and sudden disruptions in order to survive and prosper.”
In addition to the PwC and the British Standards Institution, many other organizations and academics increasingly view Enterprise Resilience as a more strategic capability, enabling organizations to respond to any kind of change, not only to maintain the level of business operations, but ideally to prosper from the changes.
The framework proposed by PwC gives an example of such a strategic approach. We see resilience defined as adaptive capacity, agility, coherence, relevance, trust, and reliability[6]. These aspects are segmented into two groups: an organization’s ability to respond to change, composed of adaptive capacity, agility and coherence; and an organization’s outside relationships, relevance, trust, and reliability. These areas are defined as follows:
Ability to respond to change
- Adaptive capacity – Ability to reorganize for change
- Agility – Ability to make decisions at required speed
- Coherence – Ability to make mutually beneficial decisions
Outside relationships
- Relevance – Consistently delivering on stakeholder needs
- Trust – Knowing how to create investment-worthy relationships
- Reliability – Consistently delivering to expected quality, on time
These two sets of definitions have somewhat different focus areas. They are not mutually exclusive. The mix of these factors, or even inclusion of others, will vary from one organization and situation to another.
In the new thinking about Enterprise Resilience, we still want to build an ability to return to approximately where we were before we entered the crisis. We may, however, have evolved along the way, grown stronger as we responded to crises. We want to capture and retain those benefits as well.
A concept related to enterprise resilience is antifragility. Antifragility was coined by Nassim Nicholas Taleb, who explains it as a step beyond resilience or robustness, “that category of things that not only gain from chaos but need it in order to survive and flourish,” or “Antifragility is a property of systems that increase in capability, resilience, or robustness as a result of stressors, shocks, volatility, noise, mistakes, faults, attacks, or failures.” For example, when we exercise, our muscles and our whole body and mind get stronger and more resilient. Furthermore, we get stronger in a healthier way when exercised in a wide variety of ways.
It is then a fortunate confluence of events that, just as the pace of change accelerates, we see disciplines that support business resilience mature and get adopted across enterprises. With this maturity come the practices, methodologies and standards that enable us to integrate these concepts into an organization. That brings us, who manage the larger body of enterprises, to a juncture where we can apply those concepts of Enterprise Resilience to a wide variety of changes and issues, and not just disasters. Adapting and adopting traditional business resilience disciplines and exercising them in a response to any change, positive or negative, is what will make us stronger and build up our enterprise immune system.
Enterprise Resilience is not a Magic Bullet
Lest we mistake Enterprise Resilience for some buzzword magic bullet management fad, let’s consider where these ideas originated. Enterprise Resilience grew out of traditional and by now well-established business resiliency disciplines and is a superset of most of them. While the individual capabilities are important, Enterprise Resilience is more than just reacting to crisis events as they happen. It is not even just about proactive crisis-proofing the organization. It is about embedding the capability to adapt to any change deeply throughout our organization and regularly exercising it.
The practices behind Enterprise Resilience require more commitment than just approving the idea in an executive meeting and walking away claiming to espouse them. These concepts require hard work to implement well, but, the good news is, Enterprise Resilience is not a new buzzword that would require organizations to adopt a whole new methodology. Even most moderately successful organizations have already built some of the foundations on which Enterprise Resilience can rest. Organizations now have to recognize the broader applicability of traditional business resilience disciplines and make an executive commitment to exercise them regularly.
Are we Resilient Enough?
Most organizations unfortunately still struggle to implement the basics of the various disciplines that support resiliency, let alone exercise them regularly.
Others embrace Enterprise Resilience and antifragility concepts and apply them to every aspect of their business. One such organization is Netflix. Netflix, in its cloud infrastructure, has implemented an internally developed tool called Chaos Monkey. Chaos Monkey simulates system failures by intentionally causing them – not simulated failures, but actual, randomly generated failures in their production systems. This drives an effort to create a system capable of withstanding serious problems without failing, while simultaneously exposing vulnerabilities so the entire environment can be fortified.
Most IT executives would view the idea of intentionally causing failures in production systems as terrifying, if not downright unthinkable. But ask yourself, when a real disaster strikes, which organization will have a better chance of survival? Such efforts can launch us toward a much stronger stance for resilience.
Wrap Up
The pace of technology drives the pace of change we see in the marketplace. Every passing day seemingly brings advances in existing technologies: faster networks, increasingly dense storage and faster and smaller processors. Additionally, we see new technologies emerge: self-driving vehicles, IoT, blockchain, hyper-efficient renewable energy and spaceflight technology driven by corporations and private companies. Technology innovations create immense opportunities, but also make organizations increasingly vulnerable as they become more complex, virtual and interdependent.
To fully understand the potential impact of evolving technologies, a technology background and baseline understanding are key. Technology management should thus drive Enterprise Resilience adoption within our organizations so we can use technological changes to our full advantage and to use technology to be more resilient to other changes in our environment. Building resilience is a prerequisite for taking risks. As Mark Zuckerberg once said “The biggest risk is not taking any risk. In a world that’s changing really quickly, the only strategy that is guaranteed to fail is not taking risks.”
References
1. Darrow B. PC Sales Are Worse Than You Think. In: Fortune [Internet]. 9 Jun 2016 [cited 15 Oct 2016]. Available: http://fortune.com/2016/06/09/pc-sales-are-worse-than-you-think/
2. Building a Resilient Nation: Enhancing Security, Ensuring a Strong Economy – PolicyArchive [Internet]. [cited 15 Oct 2016]. Available: http://www.policyarchive.org/handle/10207/9662
3. PricewaterhouseCoopers. Increase enterprise resilience. In: PwC [Internet]. [cited 15 Oct 2016]. Available: http://www.pwc.com/gx/en/services/advisory/consulting/risk/enterprise-resilience.html
4. The Quest for Resilience. In: Harvard Business Review [Internet]. 1 Sep 2003 [cited 15 Oct 2016]. Available: https://hbr.org/2003/09/the-quest-for-resilience
5. Randy Starr JN, Delurey M. Enterprise Resilience: Managing Risk in the Networked Economy. In: strategy+business [Internet]. [cited 15 Oct 2016]. Available: http://www.strategy-business.com/article/8375?gko=1c92d
6. PricewaterhouseCoopers. The emerging capability every business needs. In: PwC [Internet]. [cited 15 Oct 2016]. Available: http://www.pwc.com/gx/en/services/advisory/consulting/risk/resilience/publications/enterprise-resilience.html
7. Definition of RESILIENCE [Internet]. [cited 17 Oct 2016]. Available: http://www.merriam-webster.com/dictionary/resilience
8. Taleb NN. Antifragile: Things That Gain from Disorder [Internet]. Random House; 2012. Available: https://market.android.com/details?id=book-5fqbz_qGi0AC
For over 30 years, Marin Ivezic has been protecting people, critical infrastructure, enterprises, and the environment against cyber-caused physical damage. He brings together cybersecurity, cyber-physical systems security, operational resilience, and safety approaches to comprehensively address such cyber-kinetic risk.
Marin leads Industrial and IoT Security and 5G Security at PwC. Previously he held multiple interim CISO and technology leadership roles in Global 2000 companies. He advised over a dozen countries on national-level cybersecurity strategies.
