Moving from risk management to building resilience: the journey of 1 000 miles

Last month, I discussed two very important topics. I focused on how future forecasting for companies – while important – is an exercise that needs to be done with cautions as they can often be wrong. I also focused on how risk forecasting and risk management plays an important role in any business.

This is not where the challenge ends. Risk forecasting and risk management – while important – may leave executives running around trying to plug holes in a dam wall. Companies need to move on from risk management to building resilience within their companies.

I recently read a report from McKinsey which discusses this. The report focuses on the feedback from a survey that McKinsey held in association with the Federation of European Risk Management Associations (FERMA).

From risk management to a holistic resilience strategy

The McKinsey report points out that, like many crises, the pandemic revealed hidden vulnerabilities in organizations and weaknesses in their response capabilities. Executives had to respond quickly to a variety of arising challenges in operations, including workforce discontinuities and supply chain issues involving critical shortages and logistics barriers.

Decision makers learned to value timely and insightful data as they defined priorities and actions under stressed conditions. The FERMA–McKinsey survey revealed some good examples of resilient responses to the immediate pandemic-driven challenges:

• Operational and supply chain challenges. Many companies enabled digital solutions, including advanced analytics, to supply chain issues from the beginning of the crisis. A leading global consumer firm improved the reliability of its supply chain by moving toward predictive maintenance of its machinery; another global company applied next-generation AI technology to monitor and identify unusual ordering patterns and respond accordingly; an energy company applied a smart supply chain digitization plan to provide business continuity. As the crisis evolved, cargo demand surged and ports became congested. Some companies took bold measures in response: a beverage giant shifted some operations from their container shipping to bulk carriers; big-box retailers began leasing their own containers and chartering ships;
• Technological challenges. During the pandemic, cyberattackers have been taking advantage of security vulnerabilities created in the shift to work-from-home operations. In response, many organizations have strengthened defenses, closing potential gaps before hackers can compromise networks. Some companies have made significant investments in their capabilities, sometimes hiring experts; tech giants and other global firms have also acquired smaller cybersecurity companies;
• Organizational challenges. At the beginning of the crisis, remote-working arrangements needed to be scaled and implemented for office work, while on-site workers needed appropriate safety measures, including testing and protective equipment. The record for on-site work has been spotty, especially at the beginning of the pandemic, and many lessons should be incorporated into future plans. The switch from office to home, however, was handled with ready competence by many large companies. The remote workforce required a new cyberstrategy, extending the security shield into the remote endpoints in people’s homes. Leaders then explored avenues to prevent the fragmentation of organizational culture, maintain high performance, and support the health and well-being of the remote workforce; and
• Beyond these often well-executed responsive actions, however, few firms have adopted a comprehensive strategic perspective to meet the challenges of the next disruption over the horizon. Yet this is what organizations need to do if they are to pivot during crises and accelerate into the new crisis-defined environment. The needed orientation is proactive, based on a business perspective, and goes beyond a reactive, second-line-of-defense approach to uncertainty. To build resilience into their long-term strategic decision making, organizations need to develop certain cross-functional capabilities and strengthen resilience in a number of strategic areas.

Overarching capabilities and core resilience areas

The McKinsey report points out that the overarching capabilities include foresight skills and disruption and crisis response preparedness. To develop foresight capabilities, organizations gather and study the relevant data, develop pertinent scenarios to discover gaps in resilience, and use this method to anticipate and prepare for future crises.

Appropriate crisis response capabilities can then be pursued: those that can be developed and implemented in advance, to be applied quickly and effectively in case of disruptions. These capabilities—such as strengthened financials, better security (whether for IT and software or physical assets), market flexibility, and optionality—can by design create a competitive advantage that drives superior performance through the next industry cycle.

The core resilience areas can be grouped as follows:

• Financial resilience. Institutions must balance short- and longer-term financial aims. A solid capital position and sufficient liquidity enable organizations to weather rapid drops in revenue, increased cost, or credit issues. Resilient companies are able to achieve superior margins by increasing revenue more than controlling costs. But McKinsey research also suggests that tomorrow’s resilient firms are more likely to be those driving value-added growth while balancing optionality (retained earnings growth)—rather than those that focus most of their attention on maintaining operating margins at the expense of other proportionate measures;
• Operational resilience. Resilient organizations maintain robust production capacity that can pivot to meet changes in demand or remain stable in the face of operational disruption, all without sacrificing quality. They also fortify both their supply chains and delivery mechanisms to maintain operational capacity and the provision of goods and services to customers, even under stress of all forms ranging from failures of individual suppliers or distributors to natural catastrophes and geopolitical events;
• Technological resilience. Resilient firms invest in strong, secure, and flexible infrastructure to manage cyberthreats and avoid technology breakdowns. They maintain and make use of high-quality data in ways that respect privacy and avoid biases, compliant with all regulatory requirements. At the same time, they implement IT projects both large and small—at high quality, on time, in budget, and without breakdowns—to keep pace with customer needs, competitive demands, and regulatory requirements. If something does go wrong, they maintain robust business continuity and disaster recovery capability, avoiding service disruptions for customers and internal operations;
• Organizational resilience. Resilient firms are able to attract and develop talent in areas critical to their future growth; where many others fail, they find a way to secure sought-after people—with scarce analytics or cybersecurity skills, for example. Such organizations foster a diverse workforce where everyone feels included and can perform at their best. They deliberately recruit the best talent, develop that talent equitably, and upskill or reskill flexibly and fast. They implement strong people processes that are free of bias and maintain robust succession plans throughout the organization. Culture and desired behavior are mutually reinforcing, supported by thoughtful rules and standards that promote fast and agile decision making;
• Reputational resilience. Resilient institutions align values with actions and words. A wide range of stakeholders—employees, customers, regulators, investors, and society at large—are holding firms accountable for their actions, brand promise, and stance on environmental, social, and governance (ESG) issues. Resilience demands a strong mission, values, and purpose that guide actions. It also requires flexibility and openness in listening to and communicating with stakeholders, anticipating and addressing societal expectations, and genuinely responding to criticism of firm behavior; and
• Business-model resilience. Resilient organizations develop business models that can adapt to significant shifts in customer demand, the competitive landscape, technological changes, and the regulatory terrain. This involves maintaining an innovation portfolio and valuing entrepreneurship. Particularly during times of crises, resilient organizations are able to adapt business models to the dynamic and uncertain environment.

Resilience as a competitive advantage

The report adds that the holistic approach to building resilience advances the organization from a narrow focus on risk, controls, governance, and reporting to a longer-term strategic view of the total environment. Rather than hunting for blind spots in risk coverage within today’s business model, resilient organizations embrace the holistic view, in which resilience becomes a competitive advantage in times of disruption.

An important aspect of the holistic approach involves using crisis scenarios to test for resilience in a downturn. Accordingly, foresight capabilities are used to develop the scenarios; scenario-based modeling can then pressure-test strategies and business models through future volatile environments—such as those defined by economic downturns, rising geopolitical tensions, disruptions in the regulatory landscape, as well as technological disruptions. Such an approach enables leaders to move beyond resilience capability assessments to active strategic thinking to find new opportunities and shape new business models. Risk management needs to be done alongside building resilience.

I will focus on designing and implementing strategic resilience in my next thought leadership article.

Robin Nicholson is the Director of Corporate-911 and is a Senior Business Rescue Practitioner.