We know resilience is a priority in our polycrisis environment, and we understand the key to resilience is managing risks effectively. But how do organizations keep their resilience programs fresh and fit for purpose in a demanding and quickly evolving threat and business landscape?
Everyone, from customers, shareholders, employees to regulators, increasingly expects organizations to respond quickly and comprehensively in the event of a disruption. Even in crisis, organizations need to keep up with the new speeds of delivery made possible by the digital transformations of the sectors they serve.
To do this, leaders must protect what matters most and prioritize investment based on what’s critical to their organization and stakeholders.
Here we outline three practical recommendations for Canadian leaders to ensure their resilience program matures ahead of a changing environment. These are: (1) take a customer-centric approach, (2) use technology and (3) exercise your resilience program.
Slightly over 4 out of 10 (42%) Canadian respondents to our Global Crisis and Resilience Survey say their organization found it challenging to maintain critical business services through continuity measures in the most serious disruption they faced in the last two years.
Part of the problem has been that in many cases, organizations have assessed the criticality of their operations in business unit silos, rather than taking a service-based approach. While there are practical and logistical reasons for this, it’s challenging to recover services when some functions are up but others are down.
Leaders need to focus on recovering the services their organization provides for customers rather than recovering business functions in isolation.
Organizations need to take a more customer-centric approach to resilience. To put it simply, leaders need to shift the focus of efforts from recovering business functions to recovering the services their organization provides for customers. You’ll need to identify your organization’s most critical services, the business functions used to perform those services and the assets needed to perform those functions at an acceptable level during a disruption. These include people, technology, facilities and interdependent third parties.
To do this successfully, start small: choose one or two of your most critical services, and then go through this mapping process and learn how to do it before you roll it out on a larger scale. Make sure you build on existing materials rather than starting from scratch. For example, take advantage of impact analyses already used for business continuity, product taxonomies and process maps from previous transformation activities.
Historically, when things have broken down from a technology standpoint, that’s created the biggest disruptions for organizations. As technology solutions become more complex, the risk of technology disruptions continues to rise. The good news is that there are technology solutions for that.
If you’re thinking about how to use technology within your business processes to enhance your organization’s resilience, the question is: Are you going to invest in additional disaster recovery technology, or are you going to move to the cloud?
We haven’t seen many organizations making significant investments in disaster recovery infrastructure programs in the last decade. More clients are investing in baking resilience into their technology platforms, which often involves migration, in whole or part, to a cloud environment. Advantages of moving to cloud include significant enhancements to availability, scalability, centralization of control and reduction of the cost of having the infrastructure.
A move to cloud, however, isn’t without risk: it’s a transfer from technology risk to third-party risk.
You’ll still need to make sure you have controls in place. Confirm the cloud vendor has appropriate security protocols. Understand what will happen if there’s an outage to the cloud provider. If you’ve got critical services and ways of doing business that rely on that technology, you’ll need to reduce these risks.
Organizations can also use technology to enable their resilience programs. When asked about the future of resilience, 56% of Canadian respondents to our survey rank technology enablement of their program (leveraging resilience tools and software) as the most important for their organization.
When asked about the future of resilience, 56% of Canadian respondents rank technology enablement of their program as the most important for their organization.
Technology solutions integrate with other systems organizations use to manage their tech environment, third parties, real estate and people, and they use that data to help organizations better understand their risks within each one of those elements in a connected way. In addition to helping organizations better anticipate, prevent, prepare for, respond to and learn from risks and disruptions, tech solutions reduce the amount of manual effort needed to sustain a program.
Most organizations already have all the information they need in different systems, and they just need an extra tech layer to make all those systems talk to one another. There are different tools that can help entities of different sizes and complexities do this. These range from the Microsoft suite (specifically, Teams and Power BI) all the way to modules of existing governance risk and compliance systems and intelligent solutions like Fusion, which map and visualize relationships, dependencies and risks across people, processes, technology, suppliers and sites.
Exercising is where the rubber meets the road. While analysis, training and integrating the components of your resilience program are important, exercising is how you truly build—and sustain—your organization’s capability and capacity for response.
Far too often, we see organizations spending too much time building programs and never getting to the exercise phase. But exercising is crucial: it helps organizations identify gaps, builds muscle memory in the people expected to respond to disruption and makes sure the program you’ve built stays fresh.
How should your organization exercise? In part, the exercises you choose should be based on the highest residual risks for your organization, but there’s also value in exercising for black swan events since a resilience program should be resilient to all hazards. You’re not necessarily exercising the specific steps you’d take to respond to a scenario—what you’re trying to build is a capability that’s strategic and agile.
You should also enhance the maturity of your exercise program over time to build capability. Start with facilitated walk-throughs, move through to tabletop exercises and then on to full simulation and digital twinning (creating a replica of a physical process in a digital environment so you can run scenarios and exercises in that environment).
Capture lessons observed during exercise, and make sure you have the processes and capabilities in place to turn them into lessons learned.
Finish the job once you’ve done the work. Capture lessons observed during exercise, and make sure you have the processes and capabilities in place to turn them into lessons learned.
Business leaders are increasingly recognizing that in addition to being a strategic imperative, resilience is the right thing to do—both for their organization and their customers. Many regulators are coming to the same conclusion. The financial services industry globally is being regulated from a resilience standpoint, and additional guidance being provided in other industries may indicate similar moves towards regulation.
The time to address all of this is now. Are you ready to build a resilience program that’s fit for the future?
We’ve been at the forefront of resilience for a long time, and we have the tools and accelerators to help organizations understand the right level at which they should invest to build their capabilities quickly.
How organisations are adapting to constant disruption by transforming their approach to building resilience
Building your corporate immune system, together
Partner and National Enterprise Risk Management and Operational Resilience Leader, PwC Canada
Tel: +1 514 290 2809