The adage, “the best defense is a good offense,” is attributed to many, including Machiavelli, Sun Tzu and George Washington. It has been applied as a reference in sports, board games and warfare. It means to take advantage of your opponent by being prepared, focusing on the basics, looking for opportunities and taking them.
Today, I’m applying this concept to operational resiliency, which is the ability for an organization to bounce back after a disruption – to bend but not break.
It’s important to define what organizations need to be resilient against. Generally, it’s disruptions or risks, and includes natural and manmade disasters, cyberattacks, economic downturns, supply chain interruptions, competitive threats, war or civil unrest, loss of public infrastructure, etc. Anything that could get in the way of your organization achieving its objectives is a disruption you need to be prepared to address.
The way to lessen the impact of such threats include new supply chain strategies; external and internal digital transformation; market expansion or retraction; financial strength; structural, strategic, and operating changes that build resiliency; or business and IT recovery plans.
McKinsey studied a group of publicly traded companies through economic downturns between 2007 and 2011 to see what set the leaders apart. The study broke down the companies into two groups: “resilients” and “non-resilients,” and evaluated financial performance between them.
As the graph shows, the resilients not only outpaced the non-resilients, but they outpaced the entire population that makes up the S&P 500. McKinsey said their analysis suggests that these companies succeeded because they moved further and faster before, during and after the crisis.
ISO 22316, the international standard for Organizational Resilience (OR), is defined as the ability for an organization to absorb and adapt in a changing environment to enable it to deliver its objectives and to survive and prosper. A synonymous term in the market is operational resilience. Organizational resilience addresses company culture, objectives and strategies, while operational resilience addresses the practical workings outside and inside of an organization to build resilient practices, processes and systems.
Contrast these terms with traditional business recovery, which is focused on recovery after the crisis and returning operations to "normal" after a disruption. Today, a shift is occurring: organizations, regulators and the business continuity industry are moving from business recovery to operational resiliency. This will not only help prepare organizations for disruptions but positions them to for growth.
Let’s outline five ways your organization can build operational resiliency:
1. Expect Disruption
It’s not a matter of “if,” but “when” a disruption will occur. Organizations are not accustomed to making this type of assumption. A critical step in maturing operational resilience is not only understanding what the organization’s most important external products, services and the internal processes and systems that support them, but what scenarios could impact them.
If the current health crisis has taught us anything, it’s that anything can happen at any time, and the impact could be felt for a long time. Looking ahead, another disruption will come, and your business needs to identify what it could be and think through that scenario now: What are the risks, the potential impacts and the likelihood across your entire business model.
You also need to think outside-of-the-box. One way to start is to look at the past to try to predict the future. Ways to do this include: identifying disruptions that have occurred to your organization or those around you; losses incurred; risks your company lists in its quarterly and annual financial statements; regulator opinions and more. There are many sources of information you should consider in determining what could go wrong and how it could impact your business. Learn from the past but know this doesn’t provide an exact blueprint for the future.
2. Focus on Your Objectives
During a disruption, organizations often pull back, become defensive and try to protect. The McKinsey study asserts that one of the reasons the “resilients” thrived is because they continued to focus on growth – even in a time of uncertainty. Before the recession, the “resilients” were a nose ahead of their competition because they were already doing some good things. Later in the recovery, this slight differentiation created a significant gap and fueled their growth. It’s all because they kept an eye on their goals.
Business objectives take many forms, such as market expansion, financial targets, efficiency measures, moving to the cloud, launching a new product and more. These objectives bring benefits and risks. The key is to continue to focus on business objectives and not abandon them during a crisis. In fact, your resiliency strategies need to be informed by and tied closely to your business objectives so they support them versus distract from them.
3. Create the Playbook BEFORE the Crisis
I can’t tell you how many times I’ve said, “I wish I’d known that before I (fill in the blank).” I’m sure you have too.
The scenario analysis I spoke of earlier must lead to action to address the outcomes. It means planning for the risks, the threats and the negative effects of what could go wrong. This can get very expensive, especially if you have scenarios that can significantly impact your organization. The process must include cost/benefit analysis and measures and metrics to ensure your actions are aimed at reducing the risk.
The objectives of building resiliency, reducing risks and hitting impact tolerances must be top-of-mind for executives and risk and resiliency teams. One way to do that is by maintaining visibility through self-assessment and continuous monitoring. This will help determine success and serve as guardrails against scope creep or wandering direction. Develop balanced scorecards that include elements like:
- Organizational objectives and strategies
- Defined resiliency objectives
- Risk Management
- Communication, coordination and cooperation
4. Practice Makes Perfect
I recently surveyed a group of resiliency experts. I asked if their organizations test resilience capabilities. Half said they use tabletop exercises. Tabletops are a common, and important, way to test business recovery plans, but don’t provide deep levels of assurance that the organization will be resilient in that scenario.
Encouragingly, 35% of respondents said they test their resilience plans using full-scale and comprehensive tests. This gives me hope! Now, a test is much different than a real event, but the goal of testing is to simulate the scenario as realistically as possible to show how your organization will react and what measures are in place beforehand to make the organization resilient against that scenario.
Periodic tests and reviews should be performed to ensure the organization’s resilience continues to meet expectations. Reviews should also consider:
- Changes in organizational vision, strategy or objectives
- Major structural or business model changes, including mergers, acquisitions and divestments
- New markets or territories that the organization has entered
- Newly introduced products and services
- Significant staff changes, including top management
- Effectiveness of improvements made since the previous review
5. Plan for the Long Run
The famed author L. Frank Baum said in his book, The Marvelous Land of Oz, “Everything has to come to an end, sometime.”
Crises come to an end, disruptions stop, organizations get back to normal. It means you’ve got to include in your assumptions and plans how to emerge from the scenario you’re planning for. How does your organization look past the horizon of the disruption (or disruptions) to the future while staying true to the strategies and business objectives you’ve developed?
Thus, this brings me back to the introduction of this blog post: The best defense is a good offense. The resiliency you develop today will enable your organization to not only come out of the disruption, but emerge more quickly, in better financial shape, more agile and ready to capitalize on opportunities that present themselves during and after a crisis.