One of the challenges of becoming a resilient organization is understanding exactly what that means. Even the scope of “resilience” varies from one leadership team to another: to some, it means everything and to others it means nothing. At some organizations, it’s the wrapper that brings together all risk management functions, and for others, it’s a theoretical or academic term – even just a buzzword – that doesn’t translate well. Resilience is interpreted and implemented in many different ways and today’s global business environment likely won’t change that anytime soon.
Recently, Control Risks’ 2020 Global Resilience Survey results confirmed these findings: “resilience” still does not have one common definition, nor is there consensus on how, or even whether, it should be used. Thirty percent of respondents said that their organizations do not use the term “resilience”. Of those that do use the term, 65% of businesses describe resilience as “a proactive function detecting risk and disruption early” and use this information to make critical decisions followed by actions; 26% of businesses apply it as a “reactive function for responding to disruptions and incidents.”
Further complicating the matter is that resilience differs sector to sector. For example: for traditional brick and mortar retail, resilience is often defined as a focus on physical facility and supply chain resiliency; alternatively, manufacturing organizations tend to focus on the critical infrastructure used to support key production operations, including critical suppliers and equipment; different still, forward-leaning technology companies are shifting away from a sole focus on IT resiliency to now include an emphasis on people or communities, thereby ensuring community resilience; and finally, financial services thinks of resiliency in alignment with risk management disciplines and the “three lines of defense” model most closely associated with operational risk. Ultimately, no matter the industry, global institutions must ensure they are compliant across all regions and countries within which they operate and provide services.
Differences in interpretation doesn’t stop at the sector level – we see differences across geographies as well. Geographic differences are often rooted within the laws, regulations and standards governing conduct associated with ensuring resiliency. For example, specific laws and regulations in the UK and Australia often drive robust business continuity compliance efforts, whereas these same initiatives in the United States (notably outside of financial services, insurance and healthcare) are motivated by market trends associated with being viewed as good stewards to their geo-markets, as well as ensuring a competitive advantage while protecting investors and the bottom line (factors that may also be at play in countries where official regulations and standards apply).
The other aspect of geographic difference lies in spend allocated to resilience-related activities and the accompanying remit of resilience professionals. In regions such as Europe, resilience professionals have enjoyed a broadening scope of responsibility and increasingly strategic positions over the past two decades. In others such as the United States, these professionals have often traditionally maintained a more siloed or operational role – but COVID-19 may have just changed that, and better global alignment on spend and resilience remits appears to be emerging.
Given the ambiguity around the definition and implementation of resilience capabilities, it is helpful for companies to examine the characteristics of a resilient organization, regardless of the sectors and geographies they are in, and consider how those characteristics could be applied across the organization. Luckily, the word “resilience” provides the perfect acronym to describe those characteristics:
- Risk aware. Resilient organizations are aware of both their existing and emerging risks and proactively address them to reduce the likelihood that they will materialize into a crisis.
- Engaged top to bottom. Everyone in the organization – from the board of directors down to the entry-level staff – must be aware and engaged in resilience activities so that they know their roles and responsibilities before, during and after crises strike.
- Secure. Being resilient starts with avoiding crises where possible – and that’s impossible to do unless you’ve secured your core physical and technology assets.
- Intel-driven. Acting on a whim and a prayer isn’t a reliable, workable plan during a crisis; decisions must be intelligence driven if the company is going to avoid or minimize the impact of crises.
- Locally-informed. Having a global mindset is key, but nuance matters in a crisis and that mindset must be locally informed. What works in one location may not in another due to cultural and geographic differences.
- Improvement-minded. The companies that succeed in avoiding, responding to and emerging stronger from crises often do so due to their deep commitment to continuous learning. These are the organizations that take governance and planning seriously and ensure exercising and training are a core part of their DNA.
- Elastic. Companies must be flexible and adapt to both the changing risk environment as well as challenges they face throughout the lifecycle of a crisis. Flexibility often breeds innovation, which can make the difference between surviving and thriving during a disruptive event.
- Near- and far-sighted. All too often, organizations in crisis are only focused on what is right in front of them, including myopic pursuits of root cause analysis and operational solutions. Truly resilient organizations understand the importance of delegation of authority and empowering management to focus on the day-to-day of the crisis, while leadership focuses on achievement of their strategy and the future.
- Culture-led. Organizations must lead with their values and embrace their unique culture as they prepare for, respond to and recover from crises. Veering away from your core values during the most difficult of times not only leaves employees and customers confused and wondering what the organization really stands for but also whether they want to embrace that going forward.
- Empathetic. Crisis communications is one of the most important aspects to an organization’s ability to avoid and respond to crises, and nothing in crisis communications is more important than empathy. Displaying genuine empathy in a crisis can make the difference in how employees and customers see the organization and have a real impact on the organization’s reputation after the crisis is over.
In many ways, embracing a characteristics-based approach to resilience negates the need for a common definition and provides organizations with the flexibility to embrace resiliency however they think is appropriate given their risk profiles and cultures. The key to implementing a successful resilience strategy requires upfront agreement on what the organization wants to be resilient against (i.e., the program scope) and obtaining buy-in from key stakeholders prior to building out the capabilities in alignment with the strategy. From there, patience is key: obtaining resilience is not an overnight activity but a mission that will take time, evolve as the organization and the global business environment evolves and require ongoing commitment from leaders and everyday employees alike.