I have had numerous conversations about resilience with clients recently and one of the first questions people ask is; what is it? Usually followed by; is this not just good risk management? And; aren’t we already doing this? Sadly, and in the majority of cases, the answer to the last question is; no I am afraid you aren’t.
We know that organisations are becoming increasingly vulnerable to change and uncertainty as they become more complex, virtual and interdependent with further pressures exerted by cost reduction programmes and aggressive streamlining. We also know that most leaders are acutely aware of their exposure to short term disruptions which have historically been the focus of many risk management activities. We are also aware from PwC research that resilience is at the top of the agenda for many CEOs. Yet often businesses lack the capabilities, tools, and approaches needed to make their investment in risk management effective. And very few understand or measure the factors that contribute to their long term resilience and sustainability.
So let me say up front. For me Enterprise Resilience is much more than what most organisations currently call resilience. It provides the ability to spot, react and recover from short term disruptive challenges and most importantly, adapt and evolve in response to more significant changes. You could dress this up with lots of fluffy management speak but essentially it’s about survival and evolution.
The problem I have is that the activities most people label as resilience are in fact a small part of what needs to be a much bigger picture. Let me use a fictitious discussion to help explain:
Imagine you are sitting on your company’s Board. You ask for the Heads of your Risk Management, Business Continuity, Incident Management, Information Security and IT Resilience teams in for a chat. Your conversation goes like this:
Board: So are you all doing a great job?
Function Leads: Of course, we are the best we can be; we are all specialists in our fields and care passionately about doing our jobs well.
Board: Do you work together?
Function Leads: Yes, we collaborate on a daily basis to ensure the company is well protected from the risks we face.
Board: Good, so we are resilient then?
Function Leads: Well, urm no, I cannot say for sure. You see, whilst we are good at what we do, we have no control over the decisions you make as a Board, we don’t decide on corporate strategy, we don’t know if you are hiring the right people or making the correct financial decisions.
So resilience is much more than the various functions that most organisations have to manage their risks. You can see from this rather flippant exchange that many CEOs are likely to be receiving false assurance on their resilience.
I believe that Enterprise Resilience is grounded in well-established risk management disciplines, like those referenced in the example above. These are, and always will be, very important to protect an organisation. However, what is missing in most organisations is a strategic focus on the less tangible indicators, let call it ‘stuff’, which helps to make an organisation resilient. For example, research tells us that shared corporate values will help prevent the emergence of bad behaviours (think rouge traders), social capital will improve relations with key stakeholders and customers giving them a greater capacity for forgiveness if something goes wrong and disciplined innovation ensures you invest in the right areas at the right time to stay ahead of competitors.
These indicators, and other like them, can be monitored and measured to give management valuable insights into levels of resilience and a chance to do something should they dip below acceptable levels.
Of course I believe that no company can ever claim to be 100% resilient. Even with the best controls in place you are never more than one bad decision from failure. However, I believe that by making risk management disciplines work much more closely together supported by a focus on the strategic indicators that give management a view of current levels of resilience, organisations can be better prepared to meet the challenges of the future and stay relevant in an ever competitive market.
Comments are moderated and will not appear until the author has approved them.
If you have a TypeKey or TypePad account, please sign in
