Topics: Corporate Governance, Cybersecurity, Risk Management, Strategy

September 17, 2018

Identifying Strong Resilience Practices

Editor’s Note: This is the fourth in a series exploring the board’s role in corporate resilience.

Your company has worked hard to understand the complexities of risks and the volatility in the business environment, and it has convinced management and the rest of the board that resilience should be a strategic priority. How can it tell that changes in behaviors are making an impact?

As companies work toward developing resilience practices, certain metrics and indicators should be tracked as a way to gauge whether efforts are working.

Culture and business resilience are two parts of one whole

Resilience includes a mix of business and cultural elements, as described in parts one–three of this series. Technology and systems components may need to be adjusted quickly to maintain business resilience, but a healthy corporate culture will be needed to promote a resilient company over the long term.

A healthy corporate culture instills respect for ethics and compliance at all levels while promoting continuous improvement and adapting to an environment of accelerating change. Companies with such cultures will be less likely to get into a crisis in the first place, but when one occurs, the corporate structure and organizational competencies can help mitigate the trauma, rather than exacerbating it.

Part and parcel of oversight of culture is understanding what’s happening to the company from the inside and from an external perspective. Operations across most tiers of the company often do not get enough attention from boards. Chief information and information security officers (CIOs/CISOs) typically want dashboards that report the current status of specific operations, but these may not reflect latent malware in the supply chain, for instance. General counsels and boards may take comfort in having standards and regulations, but they may not be examining whether those policies are outdated, inconsistent, or ineffective. Leaders may promote security even as chief marketing officers and users throughout the company take poorly understood risks to achieve short-term results.

The board needs to understand what is really happening on the deck plates. It’s unacceptable if corporate reports indicate that everything’s fine until a reportable breach happens, only to find later that many at lower levels had known about the problem all along. Robust, diverse feedback loops are essential. So is first-hand observation.

What does success look like from the inside and out? The company recognizes that it is operating in complex environments, has built resilience as an organizational capacity, and has the ability to adapt and grow from a disruptive experience. This means that:

  • The corporate culture is based on ethics and compliance that promotes resilience at all levels—management, collective workforce, and individual.
  • Strategies incorporate foresight to anticipate accelerating technological, socio-cultural, and economic change.
  • Insights are converted into effective actions. Iterative approaches to complex problems are encouraged, while pushing for continuous improvement.
  • Leadership has insights into what’s going on at all levels. Effective feedback loops are in place with diverse opinions to recognize disruptions, mitigate shocks, and adapt—not just to restore the status quo.
  • The company at all levels recognizes that investments in preparedness and resilience have much higher payoffs than investments in recovery.
  • The workforce has been trained and exercised in both favorable and stressed environments.

Measuring resilience

Organizations like the Institute of Electrical and Electronics Engineers (IEEE) and universities are working on ways to assess resilience quantitatively. One model expands the resilience timeline graphed in this series’ first article by dividing a disturbance sequence into specific phases, such as the pre-crisis state, initial degradation, post-disturbance degraded state, and so on. Within each phase the rapidity of change and the duration can be measured. This allows different approaches to be tested against each other. Mathaios Panteli of the University of Manchester and his IEEE colleagues used this model to assess the resilience of power systems under different conditions with quantitative data (see especially slide 15 in the link).

The model can be applied to other infrastructures or processes, such as cybersecurity, transportation, and industrial production, among others. It also can be used with aggregate corporate metrics, such as Procter & Gamble Co.’s total shareholder return measurement, though the timeline for them may be longer.

Several aids can complement the model by highlighting system vulnerabilities and interdependencies.

The Department of Homeland Security’s Cyber Security Evaluation Tool provides an integrated look at cybersecurity readiness. Several products can calculate a company’s cyber risk score, similar to a personal credit score. This can be helpful, but directors should recognize the limits of single aggregate measures. Other tools can help directors understand how critical a particular system is to a particular process and evaluate its potential impact on the overall mission.

Insurance and re-insurance will be needed against threats for which there is little historical data, so forward-looking metrics will be valuable. As NACD pointed out in a 2017 Director Essentials report, these often will be non-financial since most financial metrics look backwards at prior quarters. Such non-financial leading indicators could include metrics for products and services, operations, talent, and sustainability. The cyber risk scores noted above may become valuable as cyber risk insurance grows more important. In the final analysis, however, there is no substitute for detailed, actionable information.

Help from the outside

Engagement outside the company can build the kinds of complex adaptive coalitions that are needed for true resilience. Potential partners include civil and military government agencies, academia (such as the new Community Resilience Lab at George Mason University), non-governmental organizations, and other third parties. The private sector can provide both public and private policy makers with valuable insights into what’s working and what isn’t in balancing domestic needs with a rapidly changing global economy.

Outside firms can offer specialized expertise, especially in technical areas like cyber and critical infrastructure interdependencies. One example of outside support is provided by Axon, which seeks to change the conversation from tech-level risk management to board-level risk. A key element includes cyber counterintelligence—who’s already out there doing bad things to the company and what have they learned? Other companies also have offerings, such as ProActive Risk Management.

Business Resilience, focused on technologies and systems, is supported by metrics, analyses of alternatives that include both optimistic and pessimistic scenarios, and a recognition of the growing interdependencies among infrastructures and processes. Outside advice, diverse views, and dissenting opinions are welcome.

In sum, the company can execute Ray Rothrock’s adage: “Resilience is about standing up to do business while effectively fighting back and winning.” Metrics and reflection can help your company identify whether it’s effectively living out Rothrock’s adage.