From geopolitical tensions to cyber-attacks, and anything in between–being prepared in the face of a disruption is more important now than ever before.
Disruptive events can fundamentally undermine an organisation’s overall business resilience and objectives if it is not armed with adequate capabilities to adapt to the shock and recover. As a result of many recent disruptions and major data breaches, a new regulatory push for resilience has already begun, including the EU CER Directive, DORA, NIS2, and the EU Cybersecurity Act. These new regulations include new requirements as well as leadership and board accountability on organisational resilience.
Resiliency and accountability
Resilience is an intrinsic component of risk mitigation; without it, an organisation may be unable to survive a crisis, even one that the organisation has anticipated and planned for. Resilience is often needed to address a broad range of risks, such as disruption in the capital markets, damage to facilities, cyber incidents, and the sudden departure of a CEO.
Resilience is not absolute. Just as an organisation cannot mitigate all risks, it cannot prepare to react efficiently and effectively to every situation. However, organisations can plan for those crises that are most probable and as a result, enhance their overall resiliency.
Risk oversight is one of the board’s key responsibilities, and boards are increasingly being held accountable for an organisation’s failure to anticipate and avoid crises, as well as for the organisation’s inability to bounce back from a crisis.
How the board can support organisational resiliency
Oversight of an organisation’s culture has become a significant issue for boards in recent years, both to mitigate risk culture and to reap the benefits of a strong positive culture. A truly resilient organisation fosters a culture that responds quickly and effectively to crises. Accordingly, the board should encourage management to train the workforce on likely crisis scenarios and appropriate responses. Boards should also ask whether appropriate stakeholders are involved and whether management is utilising crisis management resources across all applicable local, regional, and national levels.
Additionally, a resilient organisation should engage in effective scenario planning and develop detailed crisis response plans. These plans can help take the emotion out of a crisis, as can war-gaming exercises that stress-test the organisation’s response plans, processes and procedures at all applicable levels—including the board—so that the first time these plans are practiced is not during a crisis. More mature organisations invite their key third-party dependencies for these exercises to make it a joint effort to protect and prepare against disruptions.
Ensuring the “minimal viable business”
Similar to achieving the right risk and resilience culture, it is key for the management and board to grasp the concept of the minimum viable business during a severe disruption. In addition to the important business services, boards are increasingly monitoring organisation’s technology activities, from cyber risk to disruption risk to digital transformation. They should ask management the tough questions about the important business services and supporting technologies that are vital to the business and whether they are truly protected from the most likely and impactful risks.
In the current digital age resilience includes understanding the most critical data as well as the dependencies across the organisation, and the prioritisation of resources. Is it logical how they are backed up and protected? Directors should make sure that management and themselves (at a high level) understand what the minimal viable business is, what are the most critical business services, associated data asset sets, third party dependencies and/or capabilities to the organisation and its ecosystem, and the risks posed to them. Additionally, it will be key to consider innovative technologies to both protect assets and enable quick recovery in the event of potential loss.
Furthermore, it is not enough anymore to look at risks posed by third parties; it’s key to join forces and to consider third-party solutions that can build resilience across the ecosystem.
Conclusion
Organisational resilience is essential for navigating constant change and risks, and the board must prioritise it as a strategic initiative. This requires a holistic approach that expands beyond traditional resilience practices, securing resilience across the entire value chain. The board’s role is to support management in exploring different options, ensuring adequate resourcing, financing, and talent, and fostering a resilience culture.
To strengthen the organisation’s resilience boards should learn about proactive risk management including achieving the right risk culture, crisis management, and operational resilience (including business continuity, cybersecurity, physical security, third party risk management, supply chain resilience). Using crisis simulations and training can enhance experience in handling real-life situations, exploring organisational structure, recovery objectives and challenges in a crisis setting.
The more an organisation prepares, the more agile and resistant it will be in the face of disruptive events.
Key questions to ask to better understand organisations’ resilience1. What do we want to make resilient?Making everything resilient is an unrealistic goal for organisations. Organisations should instead establish strategic priorities for resilience that can be clearly communicated to the organisation and broader stakeholder groups. 2. What are our vulnerabilities?How resilient is the organisation now and in the future? Organisations should understand what makes their strategic priorities more or less resilient, and the risks that threaten to disrupt their continuity. 3. What is our appetite for significant and prolonged disruption?Organisations should consider how much impact they are prepared to tolerate through shock, which could be based on a minimum viable business or level of service needed to deliver their strategic priorities. 4. What is our commitment to resilience?How are we building, maintaining, and demonstrating resilience? What is our commitment? Organisations should stress test to assess the effectiveness of mitigation efforts and identify weaknesses. |
The full version of this article was published in Boardview magazine 1/2024.