Topics:   Audit and Risk,Corporate Governance,Strategy

Topics:   Audit and Risk,Corporate Governance,Strategy

July 10, 2018

Resilience: Building an Essential Corporate Capacity

July 10, 2018

Editor’s Note: This is the first in a series exploring the board’s role in corporate resilience.

Resilient companies produce impressive results. They have shown positive earnings and sales growth during recessionary years, improved their corporate image by effective strategic responses to natural disasters, raised dividends for several consecutive decades, and won back market share against low cost and online competitors. They also invest wisely. By one estimate, “…for every dollar invested in resilience before a disaster, there is a four-dollar savings in the cost of recovery response in the wake of the crisis.”

The examples mentioned above support the claim that organizational resilience is an important concept for corporate boards and senior executives, but companies often don’t include it in executive planning exercises. Instead, many mistakenly categorize resilience as disaster recovery plans or business continuity plans, leaving the details to mid-level operations.

Others see resilience as a part of corporate succession planning, risk management, or other programs that are important. However, in today’s dynamic, disruptive operating environments, organizational resilience requires that companies integrate features that others’ plans and programs lack.

To succeed, leadership, supported by the board, must resource and incent resilience into the infrastructure and the culture of the company. Similar to other cultural paradigms like workplace safety, resilience matures and becomes integral to people, processes and technology. Suggestions for doing so follow.

What is resilience?

Most importantly, resilience involves strategy. It’s not just a plan. It includes two critical concepts: organizational capacity and the ability to “adapt and grow from a disruptive experience.”

Judith Rodin, former president of the Rockefeller Foundation, includes the following concepts in an excellent definition of resilience made in a speech from 2014:

“Resilience is the capacity of any entity—an individual, a community, an organization, or a natural system—to prepare for disruptions, to recover from shocks and stresses, and then to adapt and grow from a disruptive experience.”

In sum: Be prepared to bounce forward better.

Effective organizational resilience requires strategy that spans vertically and horizontally across the organization. “Resiliency requires alignment in all levels of management and all lines of business,” said Israel Martinez, CEO of Axon Global, where his team is charged with cyber risk and resilience strategy for the Japanese government and private sector leadership as they prepare for the Tokyo 2020 Summer Olympic Games. “It integrates risk; governance; policies; principles; partners such as supply chain; technology and most of all a culture.”

At maturity, resilience represents value as an organizational capacity—a core characteristic of the corporation. At this stage, it requires a continuous improvement process so that it remains effective as a core value. The distinguished venture capitalist Ray A. Rothrock notes that resilience needs to be treated as a “positive business asset” and resourced accordingly. Demonstrating effectiveness in a company’s resilience allows leadership to innovate confidently knowing that calculated risk mitigation strategies are in place. This impacts valuation and reputation, which are core to boardroom concerns.

The mantra “adapt and grow” requires actions that are different from yesterday’s. Many approaches to resilience focus on returning to the status quo ante, such as disaster recovery, but this isn’t enough. Today’s definition of organizational resilience is closer to Nassim  N. Taleb’s notion of being “antifragile.” Taleb, distinguished professor of risk engineering at New York University’s Polytechnic Institute, is the famous author who introduced us to antifragile resilience characteristics that insulate or even benefit from “black swan” risks in his 2014 book Antifragile: Things that Gain from Disorder (Incerto). His concept builds on principles such as “…things [that] benefit from shocks; they thrive and grow when exposed to volatility, randomness, disorder, and stressors and love adventure, risk, and uncertainty.” Resilience strategy should incorporate similar concepts and principles such as the ability to recognize disruptions, mitigate shocks, and adapt to accelerating change with agility.

Preparedness is the principal muscle that implements resilience. Unexercised, resilience’s value to the corporation diminishes. Over time, preparedness provides a higher return on investment (ROI) than reactive approaches, and its value is multiplied when it includes partners outside of the company. Therefore, to maximize outcomes in crises, the preparedness principle requires leadership to incentivize proactive and collective exercises with communities, governments, and stakeholders at all levels.

As former New York City Mayor Rudolph W. Giuliani notes in Leadership, it wasn’t the plan that helped New York recover after 9/11—it was the planning processes, and the pre-crisis exercising of the plans. Within this framework, preparedness drives the effectiveness of resilience. Resilience cannot be effective as a static concept. It requires practice with action. Preparedness exercises feed the continuous improvement process that must anticipate a dynamic environment, from accelerating technologies, to socio-cultural factors, to changing workforces, expanding cyberattack surfaces, and climate change.

As with other boardroom enterprise initiatives, resilience requires cultural considerations across the enterprise. Resilience depends on understanding growing interdependencies within and among societies—such as links among power, telecommunications, transportation, and water infrastructures. These will become more important as we build smarter, more connected cities and societies.

Getting to good

Enterprise Risk Management (ERM) integrates across core functions such as corporate succession planning, continuity of operations, supply chain management, and cybersecurity. But resilient corporations demand more. Daniel Newman of Broadsuite Media Group points out that companies must build both business resilience and cultural resilience. The former depends on technology and systems, while the latter is “the ability to maintain composure and an effective business image regardless of the situation.” In Rothrock’s words, “Resilience is about standing up to do business while effectively fighting back and winning.”

Figure 1. Conceptual diagram for measuring vulnerability and resilience (expanded from KANG Shian Chin, et. al. (2014); based on Richards, Ross, Shah, and Hastings, 2009. Click image to review original.)

As shown in Figure 1, components of resilience, such as acceptable performance and extent of degradation, can be assigned measures of effectiveness (MOEs) and tracked. Within the company there may be several such curves—for sales, cybersecurity, backlogs, etc. But leadership also must define an overall measure of corporate performance. Proctor & Gamble Co., for example, has defined total shareholder return as their “measure of value.”

Metrics will be explored in more detail in a future installment of this series, but there is no silver bullet solution. A resilient culture is built on a foundation of ethics, principles, and governance, as well as compliance—not blind adherence to checklists, but a structure that assesses damage and prioritizes meaningful responses when things go wrong. Collectively the measures must promote continuous improvement and use stresses and shocks to strengthen the organization against operational impacts from cyberattacks and other challenges. Beyond predictive analyses, strategic foresight and scenario planning are important.

Building the capacity for resilience: the board’s role

Successful corporate directors are keen to build resilience. Only senior leadership, supported by the board, has the breadth of vision and the experience to address these issues comprehensively. Far more important than compliance checklists, the board members’ strategic impact on business and cultural resilience can help leadership build valuation through quality control incentives and measurements like MOE.

NACD’s Robyn Bew explains in the 2017 Report of the NACD Blue Ribbon Commission on Culture as a Corporate Asset what a resilient company culture looks like and roles the board can play. These will be explored in the remaining parts of this series, which will examine:

  • Why does resilience matter now more than ever?
  • How is resilience different from conventional approaches to ERM?
  • How can companies build resilient capacity and integrate it into corporate culture and practices? What does “good” look like?
  • What should the board’s role be? What questions should boards be asking?