‘Resilience’ has a good claim to be the word of the year in government and business circles.
Last December the UK Government published its national Resilience Framework, which uses the word no fewer than 556 times.1 The UK National Risk Register, itself published earlier last year, includes 61 references to the need for resilience.2 The first Pentagon US Industrial Strategy has 21 resilience references, highlighting the urgent need to restore supply chain resilience.
The new European Defence Industrial Strategy emphasises the importance of maintaining resilience, along with defence readiness and security, as an explicit strategic objective under future relevant EU programmes. The European Council has also emphasised the need to strengthen the European defence technological and industrial base (EDTIB) to make it innovative, competitive and resilient to contribute positively to global and transatlantic security and to complement NATO as the foundation of collective defence for its members. NATO itself is committed to a coordinated approach to strengthening resilience among its members, including the development of National Resilience Plans (NRP).3
The reasons for all this attention to improving resilience are not hard to see.
On the back of the experience of Covid-19, the Russian attack on Ukraine, global supply chain disruptions, conflicts in the Middle East, extreme weather events around the world driven by changes to the climate, and the pace of disruptive technology, the lesson is sinking in that we must expect more frequent, and deeper, crises over the coming decade. How well public and private sector organisations, and households, will be able to cope with such external shocks and disruptions is now a major policy concern.
As part of this increased attention to crisis survival we see an important extension of what can today usefully be covered by the term ‘resilience’. Resilience remains at heart a borrowing from engineering and the science of materials. In plain words it is a measure of ‘bouncebackability’: the ability of a material to absorb energy when it is subjected to an external force and then to release that energy after the impact. Too much energy transferred into the material means the impact will have damaged and deformed it. In materials science therefore the concept measures the maximum energy that can be absorbed per unit volume without creating a permanent distortion.
It is not hard to see how this thinking can be applied to a network or complex system – up to and including an industrial enterprise or sector of critical infrastructure – that suffers a severe disruption. We want the system to keep functioning because of its resilient design, or at least resume functioning after a short period of emergency readjustment. The 2022 US National Defense Strategy defines resilience therefore as the ability to withstand, fight through, and recover quickly from disruption. The disruption could be physical, such as a major interruption in a key supply chain, from a major industrial accident, or from sabotage, or it could be digital in origin such as might result from a ransomware attack.
In materials theory, a measure of resilience would be the area under the curve relating the size of the disruption (the stress the system is put under) and the resulting deformation (the strain showing in the system). But in practice, absolute measures of the overall resilience of a complex organisation or system are not available. In some cases, for example for cyber insurance purposes, a proxy measure might be used, such as the extent to which the organisation meets acknowledged cyber security standards.
And it is not hard to identify changes that organisations might make to improve their resilience, for example instituting regular business continuity exercises, keeping stocks to smooth out disruptions in supply, having the capacity to manufacture locally, including by 3D printing, and maintaining dormant capacity that can quickly be brought into use when needed. But it is hard, verging on impossible in most cases, to quantify how far such individual steps add to a measure of overall resilience, and thus to present meaningful, costed, organisation-wide business cases that let Boards consider what might be the appropriate level of investment in ‘corporate resilience’ against the unknown threats and hazards of the future.
Such considerations need to extend well beyond individual organisations. The Chief Executive of Nammo, a Norwegian armaments producer, recently complained that he could not expand his factory to meet the urgent needs of Ukraine since TikTok was using up all the spare power capacity in the area, commenting that ‘it can’t be that we lose the war because we store too many cat videos’.4
The emphasis in resilience planning today is on anticipating different generic kinds of possible disruption and then identifying specific vulnerabilities and gaps that could be closed. The UK definition of resilience therefore covers the ability to anticipate, assess, prevent and mitigate upstream, as well as the ability to respond to and recover from crisis. Anticipation is a useful word to add. It involves more than identifying possible risks.
Anticipation requires an act of imagination to feel what it would really be like if a particular crisis beset the organisation, and how well people and systems would cope in those circumstances. Better still if this is done through a contingency planning exercise that brings together all those who would have a part to play advising on the situation, from inside and outside the organisation, so that they can get a flavour of what it would really be like in a crisis. It is highly unlikely that such an exercise would not reveal important practical steps that ought to be taken to close obvious gaps in resilience against a range of possible disruptions. Remembering, of course, that even unlikely events do sometimes happen.
Most organisations have risk registers that provide a starting point for identifying ways of improving the ability of the organisation to bounce back from misfortune. Hedging strategies against adverse exchange rate movements, and insurance against fire, theft and weather damage are traditional prudential steps. These days, shoring up potentially fragile supply chains vulnerable to external events would be sensible.
Even if ‘onshoring’ of components is a step too far, reducing reliance on single sources of supply located at the end of vulnerable logistic chains may be justified. The risk of cyberattacks, or key IT failures, whether malign or just malfunction, is becoming much better understood, along with their costs. Witness the havoc wrought by well-publicised malware attacks such as SolarWinds, WannaCry, and NotPetya (the last of which is estimated to have cost the affected businesses – including some household names – around $10 billion to recover from). But managing the cyber risk is not just about being prepared to bring in the cyber security experts to help recover lost data or get compromised networks functioning again.
A resilient organisation will have practised how in an emergency it would continue to communicate with customers, investors and suppliers, and of course its own staff and the public at large (even when corporate IT is disabled), so as to maintain confidence despite the disruption to normal business. One of the characteristics of resilient organisations is that they are better at managing reputational risk when a major problem arises.
With Western nations facing an increasingly complex risk landscape, Boards and executive committees need to spend longer thinking about how their organisations may be impacted and whether they are best positioned to take advantage of the opportunities as well as downside risks that always accompany crisis. Three different kinds of discussion are needed.
First, examination of how vulnerable the organisation would be to exogenous risks arising outside its control. Obvious examples include financial turbulence and political upheaval in key markets, interruptions to the supply of key components, cyberattacks on corporate networks, or any of the other sources of disruption arising from external circumstances. The published UK Risk Register lists 89 distinct acute risks, ranging from flooding to pandemics, that should prompt questioning of the potential exposure of the organisation and the state of contingency planning for provision of communications, legal, technical, market, and other professional advice including at weekends and out of hours. A well-tuned organisation, where it is clear who will be responsible for what in an emergency, will be able to improvise around such contingency planning even in the face of very unexpected contingencies.5
A second category of risks that deserve rather different treatment relates to the risks that are endemic to different types of business. Mitigation will mostly be about examination of the adequacy of the audit and reporting systems for financial control, and for assurance that delegated limits on authority to make deals and incur liabilities are being used appropriately. Trends in share ownership, liabilities, financial fraud, product faults, accidents and health and safety at work, specialist staff turnover, cyber security incidents, shrinkage in retail and other areas may well be the leading indicators of growing ‘slow burn’ problems that could go critical if the organisation is placed under pressure.
The third category of potential stresses, worth careful examination, comprises those imposed on the organisation by its own leadership, in mergers and acquisitions, entering new markets overseas, launching ambitious new products, embarking on long-term research, opening (or closing) major establishments, and of course any decision to introduce new information and technology systems across the organisation. These are all examples of management initiatives that carry considerable risk as well as intended reward. In some cases, they may carry existential risk for the organisation. Examination of how, and how regularly, progress is reported, and whether problems appear to be surfaced early enough to be dealt with, is likely to expose any working and cultural practices that might prove real resilience weaknesses when crisis comes.
A too common example is a culture of keeping back disappointing news in the hope that local management can solve the problems themselves before senior levels get to know, but which too often leads to situations getting out of control before they can be pulled back using the greater authority over resources possessed by the C-suite. Resilient organisations consciously shun blame cultures so as to learn from ‘near-misses’, and do not have the boss surrounded by staff who apply rose tinted filters to the bad news. Resilient organisations recognise problems early and mobilise resource to mitigate or even head off their worst effects. But business schools and schools of government have plenty of case studies where the people at the top resisted too long, allowing the crisis to deepen, before accepting the reality that the world was not behaving as they would like or in the ways upon which their ambitious growth plans depended.
There is a useful distinction to be made here between emergencies, crises and disasters. Emergencies happen all the time in business and resilient organisations cope with them, uncomfortable as the situation may be. Being in crisis is different. In a crisis events are hitting the organisation at a scale and pace such that customary emergency responses do not appear to be coping.
The situation is out of control, at least for a while.
Those who are used to being in command and having discretion over how they devote their time as an executive may find it deeply unsettling to be in charge of a deteriorating situation to which, if they are honest, they do not know the solution. Slow-burn crises are the hardest in that respect, since the situation will have worsened through failure to spot the problem or, as can happen, because senior management did not heed the warning signs. Organisations with underlying resilience will be able quickly to mobilise resource to create ways through the situation, acknowledging the reality of what has to be faced, but inspiring the efforts necessary to prevail. Good leaders in crisis also enable all those involved to learn as they go along, in what has been called adaptive resilience, so that lessons for the future are learned and the organisation emerges from the experience stronger and wiser.
These ways of thinking about resilience can and should be taken to the national level to ensure that as far as practicable there is the resilience across the nation to anticipate, assess, prevent, mitigate, respond to, and recover from natural hazards, deliberate attacks, geopolitical instability, disease outbreaks, technological revolutions and other disruptive events, civil emergencies or threats to our way of life, thus reducing the risk profile of the nation as a whole.6 We need not be passive in the face of an uncertain future.
References
- The UK Government Resilience Framework (HTML). GOV.UK. Published 2023.
- Cabinet Office. National Risk Register 2023. GOV.UK. Published August 2, 2023.
- NATO. Resilience Committee. NATO Online. Published October 7, 2022.
- Financial Times, TikTok videos versus weapons, business section, March 20, 2024.
- David Omand, How to Survive a Crisis: Lessons in Resilience and Avoiding Disaster, London: Penguin Viking, 2023.
- See the work of the UK National Preparedness Commission.
Featured image ©Tina Krohn. Published by Paladin Capital Group