The role of the board in creating organisational resilience

Disruptive events can fundamentally undermine an organisation’s overall business resilience and objectives if it is not armed with adequate capabilities to adapt to the shock and recover. As a result of many recent disruptions and major data breaches, a new regulatory push for resilience has already begun, including the EU CER Directive, DORA, NIS2, and the EU Cybersecurity Act. These new regulations include new requirements as well as leadership and board accountability on organisational resilience.

Resiliency and accountability

Resilience is an intrinsic component of risk mitigation; without it, an organisation may be unable to survive a crisis, even one that the organisation has anticipated and planned for. Resilience is often needed to address a broad range of risks, such as disruption in the capital markets, damage to facilities, cyber incidents, and the sudden departure of a CEO.

Resilience is not absolute. Just as an organisation cannot mitigate all risks, it cannot prepare to react efficiently and effectively to every situation. However, organisations can plan for those crises that are most probable and as a result, enhance their overall resiliency.

Risk oversight is one of the board’s key responsibilities, and boards are increasingly being held accountable for an organisation’s failure to anticipate and avoid crises, as well as for the organisation’s inability to bounce back from a crisis.

How the board can support organisational resiliency

Oversight of an organisation’s culture has become a significant issue for boards in recent years, both to mitigate risk culture and to reap the benefits of a strong positive culture. A truly resilient organisation fosters a culture that responds quickly and effectively to crises. Accordingly, the board should encourage management to train the workforce on likely crisis scenarios and appropriate responses. Boards should also ask whether appropriate stakeholders are involved and whether management is utilising crisis management resources across all applicable local, regional, and national levels.

Additionally, a resilient organisation should engage in effective scenario planning and develop detailed crisis response plans. These plans can help take the emotion out of a crisis, as can war-gaming exercises that stress-test the organisation’s response plans, processes and procedures at all applicable levels—including the board—so that the first time these plans are practiced is not during a crisis. More mature organisations invite their key third-party dependencies for these exercises to make it a joint effort to protect and prepare against disruptions.

Ensuring the “minimal viable business”

Similar to achieving the right risk and resilience culture, it is key for the management and board to grasp the concept of the minimum viable business during a severe disruption. In addition to the important business services, boards are increasingly monitoring organisation’s technology activities, from cyber risk to disruption risk to digital transformation. They should ask management the tough questions about the important business services and supporting technologies that are vital to the business and whether they are truly protected from the most likely and impactful risks.

In the current digital age resilience includes understanding the most critical data as well as the dependencies across the organisation, and the prioritisation of resources. Is it logical how they are backed up and protected? Directors should make sure that management and themselves (at a high level) understand what the minimal viable business is, what are the most critical business services, associated data asset sets, third party dependencies and/or capabilities to the organisation and its ecosystem, and the risks posed to them. Additionally, it will be key to consider innovative technologies to both protect assets and enable quick recovery in the event of potential loss.

Furthermore, it is not enough anymore to look at risks posed by third parties; it’s key to join forces and to consider third-party solutions that can build resilience across the ecosystem.

Conclusion

Organisational resilience is essential for navigating constant change and risks, and the board must prioritise it as a strategic initiative. This requires a holistic approach that expands beyond traditional resilience practices, securing resilience across the entire value chain. The board’s role is to support management in exploring different options, ensuring adequate resourcing, financing, and talent, and fostering a resilience culture.

To strengthen the organisation’s resilience boards should learn about proactive risk management including achieving the right risk culture, crisis management, and operational resilience (including business continuity, cybersecurity, physical security, third party risk management, supply chain resilience). Using crisis simulations and training can enhance experience in handling real-life situations, exploring organisational structure, recovery objectives and challenges in a crisis setting.

The more an organisation prepares, the more agile and resistant it will be in the face of disruptive events.

The full version of this article was published in Boardview magazine 1/2024.