Ep 27: How to better measure and report on enterprise resilience maturity?

Full transcript

Dave Stainback: Hi, everyone, and thanks so much for joining us today for this episode of Emerge Stronger Through Disruption. My name is Dave Stainback and I'm the co-leader of PwC’s Global Centre for Crisis and Resilience, or GCCR for short. I'm coming to you from our office in Atlanta, Georgia. I'm also joined today by Bobbie Ramsden-Knowles, my GCCR co-leader. Great to be with you, as always, Bobbie.

Bobbie Ramsden-Knowles: Thanks, Dave, and really good to be here again today. Now, for those of you who are regular listeners, you'll know that the aim of this podcast is to explore the challenges facing businesses in this environment of constant crisis and change. And also to discuss how do successful business leaders emerge stronger through that disruption. So in our last episode, we focused on the increasing regulation landscape around resilience globally.

Dave what's going to be on our agenda today?

Dave: Today, I wanted us to discuss reporting and measuring enterprise resilience. There's been greater pressure for organisations to track and report on resilience maturity globally, and often I get asked by companies and those in industry about how to really go about that. Given that background, I thought it would be interesting to take a closer look at this and explore what it means for organisations and how one might go about tackling it.

Bobbie: Yeah, that sounds really interesting. I'm certainly seeing this from a lot of organisations as well. There's a lot of questions around resilience maturity and how do you measure it. So I think it's perfect timing for this topic.

Dave: Awesome. So let's dive right in. I think both of us can agree that we're seeing a lot of demand in this area. And that's really because of just the greater scrutiny for organisations, including, for example, obviously increasing regulations, which we talked about in our last episode. We discussed how regulators are placing that expectation on the industry to provide guarantees that they can continue to provide their critical services during a disruptive event.

That's exactly why it's important to show them how you're tracking your ability to actually do so, by conducting assessments and being able to demonstrate it via reporting and metrics, whether that's to regulators, customers or other stakeholders.

Bobbie: Yeah, exactly. And I think we also shared our view, didn't we, that it's important to get ahead of the regulation, because clearly there are some industries and sectors that they might not feel that time pressure just yet around resilience regulation, and perhaps there's a perception they don't need to necessarily worry about Operational Resilience (OpRes). But I think it is going to impact many organisations and many industries at some point.

So definitely worth getting ahead of it now.

Dave: Yeah, that's right, Bobbie. And not only is it going to become a more common requirement for organisations to track and measure those resilience capabilities, but it's also going to benefit them if they do so proactively. Like we've been talking about, we recommend organisations use the regulations not to just protect value, but to create value and ensure that longer term sustainability and success of their programme.

Bobbie: Right. So now the reason why it's important for companies to assess their maturity around resilience. Can you tell us, Dave, a bit about how we're going to go about measuring and reporting resilience?

Dave: Yeah, sure. So let's get into a bit of the nuts and bolts. First, I think we really have to reframe the approach. In the past, you and I and many of our colleagues would get requests from organisations to do very specific assessments of certain resilience capabilities. “Can you please come assess my business continuity programme?” or “Can you please come look at my crisis communications plan?”

Whereas today, we're really aiming to take a holistic snapshot of your overall resilience capabilities. That gives a better view into the strengths and areas of opportunity across different resilience domains, and also includes how well they're working together. We've been designing our Enterprise Resilience Assessment framework that really focuses on two major categories. The first being Strategic Resilience and the second being Operational Resilience.

Under that Strategic Resilience umbrella, we really cover a number of things like leadership, strategy, culture and behaviors, reputation management, financial management, workforce resilience, and enterprise risk management and those connections. Whereas, under the Operational Resilience Pillar, we include primarily six domains overall Operational Resilience and how you are adhering to OpRes. Crisis management, business continuity management, cyber resilience, physical security and emergency management, and technology resilience, which obviously is inclusive of disaster recovery.

And within each of those six Operational Resilience domains, we do a deeper dive looking at the following areas around their programme governance and policy, the programme design and maintenance of it, the technology enablement of those programmes, the assessment and analysis that is specific to each one of those Operational Resilience domains, their actual plans and plan development processes, real response and recovery experience, and then training and exercising.

And really the way that we try to go about these types of assessments is through interviews and facilitated discussions, we’ll gather information, asking a lot of different questions and collecting, reviewing documentation that exists. And then we really map it using a five-point scale capability maturity model integration or CMMI scoring system that aligns with international standards and leading practices.

And we put a lot of those into our overall thinking around this. And then we report on any company's maturity level for each of those areas, as well as holistically across all of those areas and map that up with what they believe their target state should be and some recommendations for how to get there. And that really allows us to then continue that conversation and help to build on that resilience journey, figure out what's next, what's working well in terms of the integration of capabilities and where they can improve to do so better going forward.

Bobbie: That all makes a lot of sense. I think is certainly going to help organisations, as you say, almost understand where they currently are, that baseline around this integrated Enterprise Resilience approach versus where do they want to be and then track the maturity as it improves over time and actually, I think it's going to be interesting because it will show the future, allow organisations to actually demonstrate the return on investment they've made when they do that.

Do you have any recent examples of where we've done this before and any insights from that?

Dave: Yeah, we have a number of these, but a good example is recently performed one of these holistic assessments, right? Broader assessments for a healthcare organisation. And like I mentioned before, this was a company that had historically performed individual assessments, ad hoc, on different resilience domains, whether that's business continuity or crisis management or disaster recovery. But following obviously a number of recent large-scale disruptions in the healthcare industry.

The Board pressed them and wanted to have a comprehensive view across all of the programmes and disciplines. So, it really allowed management and the Board to see which areas were strong and which ones might need shorter- and longer-term investment to improve them in order to meet the target maturity expectations across the board of the Resilience programme as opposed to within just individual silos.

One of the things that we've done as a result of that, and certainly the high demand for this, as well as the work that our global team has been putting into developing our framework, is we've taken that framework, and we've built out what we call PwC’s Enterprise Resilience Assessment or ERA tool. And it's an interactive web-based platform with algorithmic analysis, and it gives us the ability to take all of that framework and go through question sets and questionnaires with organisations and then be able to provide maturity scoring and recommendations and road mapping all in one seamless, integrated platform.

So it's an exciting development that we've been able to leverage and hope to use many more times going forward.

Bobbie: Yeah, that's great, Dave. I think for me what's been really interesting and exciting actually in working this is just the amount of knowledge we've pulled together across the network, across the global centre, to inform the development of the assessment tool, but also that it really does nicely align with the PwC Enterprise Resilience Framework, which we've talked about on many other episodes as well.

I mean, I'm personally very excited about the launch of the tool. So we've covered the why and the how, which are both clearly really important. And with all our episodes, we'd like to give our listeners actionable takeaways. So, do you have any tips on what they might want to take away and start doing today or is there a specific call to action you'd like them to hear Dave?

Dave: Well, I think a call to action in terms of assessing overall resilience maturity is really the change of approach and not doing it on an individual resilience domain or silo by silo approach. And sort of shifting to looking at it across the entire integrated programme. I think that would be the big recommendation that I would give coming out of this and  hope organisations will think about as they go forward.

And then separately, while assessing maturity is certainly a critical step to identify where you are on a curve, the other type of measurement for a resilience programme is the metrics. Metrics, data reporting on the programme day to day, week to week, year over year. And it's really how you track activity, action, response and recovery times, incident types and trends and many more things.

And I think that we see a lot of organisations that are focused on trying to develop this, but it's not necessarily easy. Right? And so there's a few factors that we are seeing, as many different companies are working to establish resilience metrics and we're trying to assist them. The first is that data and technology are paramount. There's an important role for technology and software both in maintaining and integrating the resilience data, but also being able to use it to drive better informed risk decision making.

But there's a number of inherent difficulties in this process from selecting the right indicators and metrics to the complexities of the data and where you're pulling it from, how you collect it, and then frankly, how you interpret it. A lot of the traditional ways of collecting and maintaining data within resilience disciplines has been manual and inefficient and software and strong programme governance are required to do this really well today.

So tactically, the solution is beginning to invest and embrace the power of technology. One of the things from our Global Crisis and Resilience Survey from last year was that almost 60% of the business leaders that responded understand the need to underpin their resilience strategy with technology that allows them to actually mine actionable intelligence from the data across the business.

And so, if properly configured and built into a well-governed programme, that type of technology, that type of software can provide that single pane of glass, panoramic view of your resilience programme and a lot of your risks. And it allows you to transform your resilience programme from being kind of static and manual to dynamic, scalable, integrated and frankly, proactive.

It certainly takes effort and it takes investment, but by overcoming those challenges, you can really build a robust framework for resilience and that gives you the measurable metrics that can then serve as the backbone for any successful resilience initiatives and future risk decisioning, enabling organisations to withstand and adapt to unexpected challenges and disruptions as they occur.

Bobbie: Brilliant. And I think that's a really, really good place to wrap it up. It's been a great discussion, as always, and I hope for our listeners they found it a useful one. I think we should definitely continue the topic of the critical role that technology plays in building resilience and hope to do so in one of our next podcasts.

So, I definitely recommend to our listeners to stay tuned because we've got some exciting speakers lined up for that one.

Dave: Sounds great. Thank you, Bobbie, and thank you all so much. In upcoming episodes, Emerge Stronger Through Disruption, we'll continue to tackle these topics that keep business leaders up at night, and we'd love to hear ideas from listeners about topics you'd like us to address. So please get in touch with both Bobbie and me via LinkedIn. We would love to hear from you.

And in the meantime, remember to subscribe to Emerge Stronger Through Disruption wherever you get your podcasts. Thanks for listening. We'll see you next time.

© 2024 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details. This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.