PwC’s GCCR co-leaders Dave and Bobbie reflect on the major disruptions and the evolving regulatory landscape of 2024 and explore how to build resilience for 2025.
Release date: December 2024
Bobbie Ramsden-Knowles: Hi everyone, and welcome to the Emerge Stronger Through Disruption podcast series. I'm Bobbie Ramsden-Knowles, co-leader of PwC’s Global Centre for Crisis and Resilience, or GCCR for short. And I'm coming to you from our office in London. I'm also joined by Dave Stainback, my GCCR co-leader. Great to be here with you as always, Dave.
David Stainback: Thanks, Bobbie and hello everyone. The aim of this podcast series is to explore the challenges facing businesses in this environment of constant crisis and change and discuss how successful business leaders can emerge stronger through disruption. In our last episode, we focused on the topic of measuring and reporting enterprise resilience maturity.
What's on our agenda today, Bobbie?
Bobbie Ramsden-Knowles: Yeah, so look, today we're gonna reflect a little bit on the major disruptions that we've seen this year, and also importantly the regulatory shifts we've seen. And then I think it'd be great actually to start sharing some predictions, Dave, as we head in towards 2025.
David Stainback: That sounds great. Let's dive in. So I think we can all agree that 2024 was a year marked by significant disruptions. Many of these were due to either tech outages or cyber-attacks on key third party technology providers or software companies that really serve large ecosystems of businesses. One of the most notable was the major IT outages in July of this year, which downed millions of machines globally disrupting operations across nearly every industry.
And it just shows how in today's connected world, a simple software upgrade can cause massive impacts with combined losses, potentially totaling billions of dollars.
Bobbie Ramsden-Knowles: Absolutely Dave. And look, I think this year has been challenging in many ways for organisations and we published a point of view in the last few months around that, and we can absolutely include a link to that as well today.
But there's also been disruption from AI generated misinformation and disinformation, and that's caused widespread confusion and impacted business operations. And look, we've also seen extreme weather events, certainly in the UK very recently, but also we've seen heat waves across markets, droughts, wildfires, flooding, and it's all gonna continue to increase.
And what it really does is impact supply chains.
David Stainback: Yeah and we also saw societal and political polarisation creating fragile environments for businesses, and this affected those global supply chains, operational continuity and market stability with industries like technology and manufacturing being hit particularly hard.
Bobbie Ramsden-Knowles: Yeah, exactly. And I think it's been a big year, but let's not forget that actually during disruption there's also opportunity, right? So I was speaking to an online auction technology platform recently and they were talking about the fact that when supply chains are disrupted, actually demand spikes for them as customers shift to second hangers.
So there's absolutely opportunity in this disruption as well. And also what's been really interesting I think this year is we've seen some key regulatory shifts aimed at enhancing Operational Resilience (OpRes) and that's impacting organisations across all different markets. And you know, we had a separate podcast recently focusing on that very topic, but actually why don't we just recap on a few key points around that, Dave?
David Stainback: Sure Bobbie, so there's a lot happening in that space for sure. And let's cover quickly a few of them now. You can take the EU’s Digital Operational Resilience Act, or DORA, for example. It's the European framework that focuses on embedding a more robust and resilient approach to delivering digital capabilities, primarily focused on financial entities and organisations deemed as critical third-party providers. We're now just a month away from the compliance date of January 17th, 2025. In addition, the Financial Conduct Authority, Bank of England, and Prudential Regulation Authority recently introduced new rules that align closely with international standards, similar to DORA as well.
The Critical Entities Resilience Directive or CERD is another key EU regulation that has implications on many businesses, as it applies to organisations across 11 key sectors, including energy, transport, healthcare, and digital infrastructure. In Australia, the Prudential Regulation Authority has introduced CPS 230, which aims to strengthen the way operational risk is managed by, again, the financial services sector there.
And in the US there's been a ton of heavy push as OpRes has been really moving up the list of regulatory priorities. So we can keep going on and on here, but I think you get the idea that this is a clear global trend coming out of 2024.
Bobbie Ramsden-Knowles: Yeah, 100% Dave. And I think we are seeing regulation relating to Operational Resilience coming across all markets and all sectors and not just financial services. Right?
And these regulatory changes have increased compliance costs, of course, but actually it creates opportunity for innovation and competitive advantage as well. I think businesses have had to enhance their focus on risk management and contingency planning. But what we're also seeing is that it's leading to actually greater collaboration between the public and private sectors as well to address that global risk.
David Stainback: Yeah, great point there, Bobbie. Do you have any examples to share for our listeners on that point?
Bobbie Ramsden-Knowles: Yeah, absolutely. So I'm due to join a briefing on a panel in January in the UK, all around the topic of regulation around resilience, and it comes off the back of a report called Regulating for Resilience, which looks at the necessity of how to evolve regulatory frameworks and identifies four key problems around prioritisation, boundaries, time and emergence, and the fact that that requires an integrated regulatory approach.
And what we're looking at is the recommendations around three new elements, and this is for the UK, I should say: a national body for governance, a system-wide overview map, and polycentric regulatory systems.
And the whole aim of this is actually to enhance the resilience of critical national infrastructure by fostering a whole system approach to resilience, which hopefully with the aim enables preparedness, but also adaptability in the face of these interconnected risks. So I think it's gonna be a really interesting start to the year in the UK when we have this breakfast and start to look at how are we gonna regulate resilience in the UK market.
David Stainback: It is. It's really interesting, and it's true that we as a society rely upon social, physical, digital, and natural infrastructures that all too often we take for granted until they fail. As our society becomes increasingly complex and interconnected, interdependent, the regulatory frameworks, they have to evolve accordingly.
And I think that's part of the reason we're seeing more comprehensive regulations in this space. So now that we've reflected on what happened this year, shall we shift gears a little and talk about what's to come in the new year as we approach 2025?
Bobbie Ramsden-Knowles: Yeah, absolutely. Let's do that. So looking ahead to 2025, I think there's a few key trends we can expect.
Firstly, I think it goes without saying that disruption is going to continue. We're gonna likely see disruption that is quicker, more widespread, but also, I think, the risks that organisations face are far more interconnected than they've ever been. If you take, for example, technology and Gen AI, you know, that's clearly there's huge opportunity for organisations, but that also brings risk that needs to be managed.
And then we've got digital transformation. Many organisations are continuing to go through that transformation, and cybersecurity remains a key risk as well. So organisations need to continue to manage those risks. Inflation remains high, and we could see a range of impacts for business from that. And clearly the focus on sustainability will continue and we're gonna do a podcast next year, which looks at the interplay between climate risk, sustainability, and resilience, which I think will be fantastic.
Second, as already mentioned, we're gonna see a continued focus on resilience regulation. We've got a number of key dates coming in, as all of you will be very familiar with. We've got DORA coming into full effect by January. We've got the UK financial institutions deadline set for March 31st, and also we've got NIS2 coming in, which is requiring member states to establish a list of essential and important entities by April ‘25.
And then finally I think we'll see a trend in which more and more organisations have to take a holistic approach to building resilience and building it top down across the enterprise. And with more disruptions and regulation, I think it's essential that organisations really start to focus on protecting what matters most to them.
And doing that by integrating their different resilience capabilities and putting the right governance in place to be able to do that, both so that they can transform their business, but also gain that competitive advantage that we talked about earlier.
David Stainback: All great points, Bobbie, and honestly, I agree with all of them in terms of trends going forward and kind of building onto your last point, if I might add for our listeners just a little bit about what we think organisations can do to prepare for some of these upcoming trends.
I think you know, number one, it's engaging in proactive risk management and scenario planning, being more thoughtful around severe, but plausible disruptions, applying them to your business, to your industry, etc. is really something that needs to pick up as you enhance your risk management programs.
Secondly, measuring current enterprise resilience capabilities of your own organisation and tracking them regularly. It's prudent to understand how your resilience capabilities stack up today, and then monitor their maturity as you continue to invest. It's important both to Board and customer confidence, but it will also help with readiness for regulatory compliance with the litany of things that we've mentioned to date.
Thirdly, I would say build resilience for strategic reasons, and not for compliance reasons. The myriad of regulations are gonna become harder and harder to keep up with anyway. And we have seen over and over again that simply performing check the box compliance resilience steps rarely actually help organisations when true disruption hits.
So truly building your programme with effective resilience in mind is critical. And if you do, you'll most importantly be ready for when disruption hits. And frankly, the ability to meet any future regulations will naturally follow from there.
Fourthly, invest proactively in building resilience with the help of technology and AI. Technology makes managing resilience easier, get out of paper, right?
There's a lot of different tools and platforms out there that make this something that can become a living and breathing programme and AI, it’s gonna have a powerful use case around scenario planning as well as frankly, assessing impacts rapidly within your own organisation that we're already seeing leading firms begin to leverage today.
And lastly, if you don't mind, I'd like to give one final prediction for 2025. I wonder if we may see an increasing need for a Chief Resilience Officer. In our Global Crisis and Resilience Survey from 2023, our respondents highlighted that need for a responsible party for the overall resilience programme, and it goes to the governance you talked about Bobbie.
And yet the reality was at the time, many organisations lacked that dedicated role with that responsibility for the whole programme. And I think it was only 10% of organisations had at the time appointed a Chief Resilience Officer. So I think it's gonna be interesting to see if we're gonna see an upward tick or an upward trend in this over the coming year, as more and more businesses realise the need and the benefit of having that type of a role.
Bobbie Ramsden-Knowles: Brilliant. Dave. I absolutely agree. I think that the whole role as the Chief Resilience Officer is really gonna come into focus next year across different sectors, but I think that's a really great place to wrap up.
Thanks as always, Dave, for a great discussion and also to all of our listeners for tuning in. It was brilliant today to take the opportunity to both reflect on what's happened this year, and also what we can and might expect for next year.
David Stainback: Thank you, Bobbie. It's clear that staying informed and proactive in managing risks and building resilience, it's more important than ever.
So in upcoming episodes of Emerge Stronger Through Disruption we’ll continue to tackle the topics that keep business leaders up at night, and we'd love to hear ideas from those leaders and from our listeners about topics you'd like us to address. So please get in touch with both Bobbie and me via LinkedIn.
And in the meantime, remember to subscribe to Emerge Stronger Through Disruption wherever you get your podcasts. Thanks for listening. Have a lovely holiday season and we'll see you next year.
© 2024 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details. This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.