Operational Resilience Gets a Makeover in the ‘New Normal’
The business model is akin to a finely tuned machine requiring the coordination of multiple components to deliver value to customers according to a company’s brand promise. For example, a manufacturer’s model combines a robust supply chain, an accessible labor pool, cutting-edge innovative processes, efficient facilities and equipment, and access to power, water, and other necessary resources to produce quality products at competitive prices.
Unless an organization has an effective response plan, the absence or ineffective functioning of any of these components compromises the model’s viability. This concept of operational risk applies to all industries. The COVID-19 pandemic has proven to be an object lesson on how severe operational risk can be.
Widespread failures of supply chains and third-party providers and the almost complete cessation of demand for products and services in some industries are unforgettable experiences that have led many to rethink the notion of plausibility. As scenarios previously considered “implausible” were jolted into the “plausible” category—in effect, shifting probabilities assigned to tail-risk events closer to the mean—the question arises: What is the board’s role in overseeing operational resilience post-pandemic? Below we offer several considerations for directors.
1. Learnings from the COVID-19 experience should drive advancements. Boards should encourage management to review lessons learned that can be applied to improve the effectiveness of response plans should another pandemic or equally severe catastrophic scenario occur, and request a summary of actions that management plans to take.
2. Concentration risk warrants close attention. The term “concentration risk” is most often used in financial services, but it also applies to other industries. Geographic concentrations of critical assets, significant operational exposure to a geographically specific event, concentration of information assets with outsourced functions, reliance on sole suppliers of critical raw materials and components, and dependence on major customers can create concentration risk.
3. Technology and a virtual environment can be leveraged to enhance resilience. The pandemic has accelerated workplace redesign in most organizations, creating the opportunity to reimagine work processes to ensure the highest form of resilience when facing catastrophic events that restrict workforce mobility. Also, the cloud can contribute to the efficient deployment of the technologies that enable a virtual environment and improved operational resilience.
4. The right factors facilitate response-readiness assessments. Directors should ensure that management is asking the right questions when assessing exposure to extreme but plausible scenarios. When evaluating the impact of scenarios on key business model functions, services, and ecosystem components, the following questions are useful, with respect to each scenario:
- What is the velocity or speed to impact?
- What is the persistence (or “headline effect”) of the impact?
- What is the extent of the company’s agility and readiness in responding to the event?
- What is the magnitude of uncompensated risks the company faces as a result of the event (e.g., due to the loss of revenue stemming from downtime of services, permanent loss of customers, or the emergence of health and safety issues)?
The likelihood of occurrence is not a prime consideration in this assessment. The focus is on what management will do when the event occurs.
5. Operational resilience intersects risk and crisis management. Operational resilience assessments focused on the factors mentioned above help identify areas where preparedness is more critical. Building a reliable crisis management capability is a management imperative for scenarios with high reputational impact and velocity.
6. The board needs to be more focused on resilience. Now that we’ve experienced the worst pandemic in a century, directors should pay more attention to being agile and adaptive. For example, the board should do the following:
- Understand and offer input on the operational resilience strategy, including the identified functions, services, and ecosystem partners that are critical to the business model.
- Request that it be notified promptly when an event occurs that is likely to require public or regulatory disclosure or that meets specified criteria—for example, “close calls” such as a nearby hurricane or an attempted cyberattack that could have adversely affected an important business function or service.
- When reportable events are brought to the board’s attention, understand and advise on management’s strategy for improving resilience.
- Agree with management as to the organization’s targeted recovery time for the most important business services or processes that guide the assessment of resilience plans.
- Gain confidence in the company’s operational resilience team and their activities.
7. Operational resilience is a strategic imperative. According to Gartner, business continuity management and organizational resilience programs are not keeping up with digital transformation initiatives and emerging, more complex threats. That is why directors should inquire about the scope of resilience planning at the companies they serve to ensure that it encompasses an end-to-end extended enterprise view of the value chain that looks upstream to suppliers and third-party providers, and downstream to channels and customer relationships.
Evaluation of operational threats, therefore, should be directed toward understanding the company’s resilience in addressing any of these key links in the chain. The operative question is: What would happen to the organization’s ability to operate if any of the model’s underlying components were taken away through an unexpected catastrophic event or altered in such a significant way as to place the company at a strategic disadvantage? This kind of thinking is needed in a disruptive world.
In considering these boardroom discussions, directors should be kept up to date on business continuity regulatory requirements and standards specific to the sector(s) in which the company operates, as well as on the efficacy of management’s processes for complying with them. These regulations and standards often provide guidance on required or suggested areas of focus and approaches.
Jim DeLoach is managing director of Protiviti. DeLoach is the author of several books and a frequent contributor to NACD BoardTalk.