Episode 9: How to build resilience into your company’s DNA

Emerge stronger through disruption podcast Podcast, PwC United States April 2021

Nearly 70 percent of respondents to PwC’s Global Crisis Survey 2021 said they plan to bolster their resilience capabilities. For starters, a successful reset requires elevating crisis management to the C-suite.

PwC Global Crisis Leader Kristin Rivera and US Crisis Leader Dave Stainback tap into survey results and their client experience to discuss how to create resilience in your organisation.

Release date: April 2021

Full transcript

Kristin Rivera: Welcome to our podcast series, Emerge stronger through disruption. I'm Kristin Rivera, and I lead PwC’s Global Forensics practice and our Global Crisis Centre. I'm coming to you today once again, from my office, just outside San Francisco, California. In each episode of this series, we talk with global leaders about the challenges facing businesses during disruption.

And today I'm once again joined by Dave Stainback, our US crisis consulting leader. In today's podcast episode, we'll talk once again about resilience, what it means to be a resilient organization, and why it's now more important than ever to understand resilience. In simplest terms, to be resilient means being able to bounce back from disruption and ideally to grow and as I like to say, to emerge stronger. We're going to continue our discussion today, but approach it from a more tactical level. How can businesses build resilience into their cultural DNA? First though, let me welcome Dave. Dave, you're a repeat guest, but if you wouldn't mind, please just share a little bit about yourself and your role at PWC.

David Stainback: Yeah, thanks for having me again, Kristin, it's great to talk to you. As you mentioned, I lead our crisis consulting practice for the US. I'm based in Atlanta and primarily what I do to support our clients is two-fold: it's helping clients to build preparedness and readiness and build resilience programs before something might happen that is disruptive. And then the other half of it is actually responding and helping our clients through those crisis scenarios when a disruptive event actually takes place.

Kristin: So before we jump into our conversation, I want to remind our listeners that PwC’s Global Crisis Survey recently launched. Take a look — as some of the data reveals an interesting story on resilience.

David: Yes, we're excited to share the full report. It's really a global business after-action review of corporate responses to COVID-19. There's really a lot to learn from the data and the experiences that our respondents have shared, and it provides great insights into how business leaders plan to revamp and strengthen their crisis and resilience capabilities for the future.

Kristin: Dave, let's dig into resilience again on a more tactical level. A year into the pandemic, vaccinations in many countries are finally in the double digits and it seems that we're turning a corner. We hear more good news every day than we have in the past year. And all eyes are now turning to the future. I know I'm certainly looking to the future and maybe even taking a vacation this summer.

We continue to hear from business leaders that the real lesson learned from the past year is the need to be more resilient. So as they're rethinking and reinvigorating their resilience capabilities, what would you suggest as a first step?

David: Yeah. So the first step is committing to truly elevate the role of resilience in your organization.

Resilience needs to be sponsored at the C-suite level, and we're actually starting to see that happen in many organizations, but it should be viewed as a priority, not as a nice-to-have or a backup plan in case of emergency. Resilience is now foundational to how organizations weather inevitable disruption, and create new opportunities.

So to build that into your organisation, you need to have the authority of a truly senior-level person as the executive sponsor of your resilience program, someone who has visibility across all functions, and then beyond your sponsor, it's important to then establish a governance framework to oversee a true resilience program, ensuring that it has the proper funding, resources, cross-functional collaboration and more. When you elevate the role and take steps to create the right accountability, you can then begin to make the changes that are needed in your organization to create and sustain resilience. This is step one, and it's the most critical thing that you can do right now while resilience is still top of mind for leadership. If you wait, you risk falling back to your old ways.

Kristin: So it's interesting you say that, Dave. I was just reviewing our Global Crisis Survey and there is a statistic there that shows that almost 70% of the respondents are discussing organizational resilience and have committed to bolster their capabilities. So no question that what you described is happening in corporate boardrooms around the world.

So after these companies have made that commitment to build resilience, after they've implemented senior sponsorship and have put into place some governance — from your perspective, what should they do next?

David: Yeah, the next step is really for that governance team to examine your current capabilities. How have your resilience functions been operating to date?

We talked in our last podcast discussion about the traditional siloed approach that most organisations have had previously when it comes to resilience. So what we need to do is really lay out who has historically been responsible for different resilience capabilities. Things like crisis management, business continuity, disaster recovery, physical security, and emergency response.

And once you have that inventory or that current-state snapshot, if you will, then you can really begin to dig in. Are there gaps in your resilience capabilities? Is there duplication of effort? Is there confusion as to who is truly responsible for what aspects? How integrated are these resilience capabilities?

Only 23% of our global crisis survey respondents said that their organisational resilience functions were actually very well integrated. What technology do we have supporting a resilience program? And is it the right technology? 64% of organizations told us that they're investing in new technology as a result of the pandemic. So really your goal at the end of this exercise is to step back and say, OK, this is where we are today. This is our current-state maturity. We need to get better from here, and let's build the roadmap for how to accomplish that.

Kristin: So often, Dave, when I'm talking to companies, I hear that they've perhaps gone in and assessed their crisis management plan, or maybe they've looked at their business continuity plan.

But I think what you're describing is really something larger and more integrated. Have you seen companies taking this step? And any tips you can share from those who have already moved on this? How do they get started?

David: Yeah, so we are, and one of the ways we've actually seen companies kickstart this process and get it going is actually taking a look through the lens of their response to the COVID-19 crisis.

You have that perfect opportunity right now to examine your organization and how it responded and performed during the pandemic, really via an after-action or an in-flight review of that response. So you can take a deep dive into how your teams performed, where your pain points have been, who was responsible for what, and how you can improve. In terms of your question about companies that are simply taking a look at their business continuity plan, for example, it's really about looking at all of your plans, holistically, all elements of resilience that sit across your organization. A crisis plan is just one piece, a business continuity plan is just one piece. And even if you have looked at them seriously, it's critical to look at them holistically as you perform this current-state snapshot of your resilience program.

Our experience tells us that most organizations haven't actually done this before. And as a result, they have business continuity plans that may overlap with each other, or may overlap with the crisis plan. And then you begin to have a problem. In other cases, we've actually seen plans within the same organization that actually contradict one another.

We were recently working with a client who had two different plans with severity levels built into them. Both of those plans had severity levels of zero through four. But in one plan zero was the worst case in seven, four was the lowest risk issue. And in the other plan, it was the exact opposite.

So that creates a big problem. And I wish I could say that's the only time I've ever seen that, but we really have seen it in many different places. And you can lose a lot of significant time and create unnecessary confusion if you don't look across your resilience program and capabilities holistically, making sure that there's consistency in the way the plans are built across the functions and how they're structured — and that those escalations and handoffs are distinct from one to another.

Kristin: It's such a simple example, Dave, but I can really see how in the heat of the moment in a crisis, you could lose a handful of very critical days on that miscommunication alone.

So a great example of a simple fix that could really pay dividends in the moment that really matters. So another thing that I see with the companies I speak to is that they're sometimes over-rotated to a particular type of crisis, especially now that every organisation in the world has been dealing with a pandemic for the past year or more, and so there may be a tendency to over-rotate towards the crisis — perhaps a pandemic, or another that we see very frequently is a cyber attack. Again, both because these are things that we've experienced recently that we read about in the news. And there's a very natural human tendency to focus on what you've experienced.

In fact, pandemic topped the list of threats that were named by business leaders in both PwC’s Global CEO Survey, which was released March 11th, as well as our Global Crisis Survey. But there are plenty of other threats that businesses will need to contend with in the future. Cyber, as I mentioned, technology disruption, climate change, fraud — all of these were issues named by business leaders in both surveys.

So it's important to be crisis-agnostic or broad in your thinking, as you're doing your planning. And that will give you the flexibility that you need in order to be prepared to respond to whatever it is that comes next.

David: Absolutely. And really, I think we see this all the time, what you were describing.

It's a form of “recency bias” impacting the way that we view potential future risks. And it really places what we've seen to be highly impactful recently at the top of our minds. And we think about that as the biggest thing we should be concerned about for the future. But this is where the linkages of enterprise risk management, resilience, and crisis management need to work together to put a company in a position to face disruption, head on, and any type of disruption.

ERM, and other risk functions, play a critical role in assessing those threats and the risk landscape for an organisation. And that frankly lays a very strong foundation for where the company should prioritise its mitigation efforts. And that's where the resilience program picks up and can build plans to consider some of those higher likelihood, higher- impact scenarios.

And they should. But in the end, you need plans — particularly a crisis plan that can be threat-agnostic. Like you said, Kristin, it's not always the high-likelihood threats that hit you. Global pandemic barely existed on corporate risk registers prior to last year. So you need to have an approach that quickly brings the right people together at the right time to respond to anything that may come your way.

Moreover, to support this point, ancillary crises are out there as well. 75% of organisations experienced a secondary crisis during the COVID-19 pandemic. So that goes to the point that having an individual plan for every possible scenario is never going to be a reality. And you need to be able to think about crisis agnostically in your organization and respond to whatever you may face.

Kristin: So we've talked about the importance of governance. We've talked about looking at your plans and being broad in terms of, you know, creating consistency across the multiple different teams you might have that can contribute to resilience. We talked about being crisis agnostic or threat agnostic in your planning and thinking broadly about the types of issues that could impact you.

So the next tactical step that we see successful companies taking as they look to build resilience is to conduct exercises or simulations. Again, as we come out of COVID-19 and the crisis begins to abate, you know, going back to practicing will be something companies will be looking to do. And that, that is an important part of a program.

We talked in a past podcast episode with Andrew McPherson, PwC’s Global Risk and Regulatory Leader, about bottling up that sense of urgency that we've all experienced in this crisis so that we can carry it forward with us into the post pandemic era.

David: Yes, exercises are definitely one way that we can recreate some of that rigor and that focus, but without experiencing the negative parts of dealing with an actual crisis. Similar to the way that we've talked about plans being built in silos, we often see that exercises are performed in pockets across the organisation.

For instance, you might be exercising a disaster recovery plan, which is great. But in reality, if you have a ransomware situation, for example, that's going to trip your disaster recovery plan, cyber incident, response plan, business continuity plans, and communication plans. And if you're not exercising those things together to figure out how they're going to interact, you're missing the point.

On top of that, training is also key, in between sorting out how to make everything work and actually doing these types of exercises is the training phase and making sure that your people understand their roles in the response plan and the roles of others around them. Where does one end and another pick up?

And training can be differentiating — your plans have to work in concert with one another. So taking into consideration all these traditionally siloed capabilities, making sure they work together is the key that a lot of people miss when they are moving from design to exercising. You have to take that training step into account.

Kristin: Another thing we see companies that are leading in resilience do is to do their own sort of stress test. So to ask someone internally or a team of people internally to really poke for vulnerabilities, to think through what are the scenarios that could bring the company down. After all, insiders have the best knowledge of where your vulnerabilities are.

And often, in fact, I think most organisations, if not all, have people that naturally think this way: They might have a bit of pessimism in them and they would thrive in this type of environment — being asked to go in and look for vulnerabilities. It's not unlike what we see in cyber — intentionally looking for vulnerabilities in the system to prevent hackers from finding them first.

And you can use the output of this kind of exercise to feed your scenarios and to make them all the more realistic. Absolutely. So to summarize, regardless of whether you are a board member or a senior leader or a member of management that has some responsibility for resilience in your organization, Dave, what are the key ingredients to building long-lasting resilience?

David: Yeah. So it is elevating resilience in your organization and building that true governance model to make sure that it stays that way. It's examining those current capabilities and your current maturity to design a more integrated and aligned program that's overseen by the governance model that you created, and then it's training and exercising.

If you're putting on a Broadway play, you make sure that every character knows their roles and the timing of their roles, as well as the timing of those around them. And then you practice, practice, practice. And lastly, know that this is not a one-and-done situation. If you're truly trying to build something into the DNA of an organisation, it has to be a continuous improvement exercise. Now is an ideal time to completely reframe your approach to enterprise resilience, but you have to turn it into a living, breathing, and constantly maturing competitive advantage.

Kristin: Totally agree. So one last thought before we wrap: As business leaders, we have all been through something incredibly trying over the past year.

And yet, most organizations came together as a team and forged through. These are the kinds of experiences that build cultures. They bind people together. So don't miss out on capturing that opportunity: Recognise what your team has accomplished together. Take stock and celebrate the successes that you've had, and the fact that you're still standing.

These things are a wonderful foundation upon which you can build your resilience DNA. Thanks Dave, for joining us once again. As always, it was a great conversation. Remember to subscribe to our podcast series, Emerge stronger through disruption, wherever you get your podcasts. And don't forget to connect with Dave and me on LinkedIn. Until next time, thanks for listening.

Contact us

Dave Stainback

Dave Stainback

Global Crisis & Resilience Co-Leader, PwC United States

Tel: +1 678 419 1355

Bobbie Ramsden-Knowles

Bobbie Ramsden-Knowles

Global Crisis & Resilience Co-Leader, PwC United Kingdom

Tel: +44 (0)7483 422701

Hide