Oliver Sykes, a partner at PwC Middle East, says the challenges of 2020 have highlighted the importance of resilience.
This article first appeared on Arabian Business.
If nothing else, 2020 has been a stark reminder that resilience is critically important for all of us - individuals, businesses, industries and nations.
While some industries have been hit harder than others, organisations who have invested in their people and technology, maintained a strong balance sheet and established and embedded resilient processes have fared better than others.
Key resilience concepts such as business continuity and crisis management have evolved over decades and have been actively embraced by many organisations. However, the recent pandemic shone a light on the challenges with building broader organisational resilience.
Evolving resilience landscape
In order to improve your resilience posture, it is important to have awareness of the landscape in which you operate. A lot of change is being driven by well-known macro trends such as digitisation. What is less well known is how quickly the day-to-day risks and threats are evolving and what is required to identify and mitigate these effectively.
Digitisation
The evolving digitisation of business operations is leading to an increase in the value of data and in reliance on digital assets, and to a more complex risk landscape. There is a need to regularly review technology risks and implement mitigating controls.
Due to the increasing prevalence of technology, a disruption causing downtime can have significant financial implications.
In particular, cybersecurity risks are a major focus during threat and risk assessments and crisis scenario planning. Preparing for emerging attacks will improve protection, reduce the risk of financial losses and enable the continued function of critical assets that support your employees, your business and your clients.
Critical dependencies
Globalisation has increased the complexity of business processes and supply chains. As a result of this, preparing for supply chain disruptions and enabling an effective response is now more critical than ever.
A disruption to any one organisation can have unexpected impacts across the entire supply chain. The COVID-19 pandemic has demonstrated this interconnected nature of the supply chain for many organisations and the potential for disruption.
This is a particularly high risk for those organisations in the Middle East who rely on imports for critical inventory and equipment. An increased focus on building an effectively resilient supply chain is critical to ensure the continuity of business operations.
Leadership and standards
There are many local and global standards (such as ISO) that help organisations set a baseline for their resilience programme.
In recent years, authorities in the Middle East have shown leadership by introducing standards and guidelines. For example, the National Emergency Crisis and Disaster Management Authority (NCEMA) in the UAE has released a Business Continuity Management Standard (7001:2015) and further guidelines (7002:2020) in response to COVID-19.
The Saudi Central Bank (SAMA) has also released a Business Continuity Management Framework for its member organisations. Alongside international standards, such as ISO22301 (Business Continuity Management System) and BS11200 (Crisis Management), these guidelines are encouraging and empowering organisations to standardise and improve their resilience.
This national level attention is also raising awareness of the criticality of resilience, helping those concerned to get resilience on the boardroom agenda and giving it the strategic attention it requires.
Common challenges
Establishing and enhancing resilience in light of the evolving landscape is difficult. This is amplified by the complexity of the organisation's people, premises, equipment and suppliers. Regardless of the size or complexity of the resilience challenge, some challenges are often common to all.
Awareness
A lack of awareness is a significant blocker to being able to build resilience.
At a strategic level, a lack of senior-level awareness can result in a lack of investment and support. It can also drive expectation gaps and unrealistic requirements. As it is difficult to measure the return on investment, a lack of appreciation of the associated threats can result in resilience programmes being overlooked for budget allocation.
At a management and operational level, a lack of knowledge and awareness can limit the organisation’s ability to establish and operationalise a resilience programme.
Approach
As referred to earlier, local and international standards can help an organisation build resilience. However, it is often easy to treat resilience as a compliance exercise. Compliance with standards is important and forms a key part of a resilience programme. However, there is a risk that too much focus is placed on complying with a standard and that sight is lost of the overall objective - building and embedding a practical and operational resilience programme.
There is also a common misconception that complying with one standard, such as ISO22301, will ensure that an organisation has a complete resilience posture. While compliance with ISO22301 would support an organisation to build one element of its resilience, it would still need to consider other resilience measures such as a deeper consideration of its Crisis Management, Emergency Response, supply chain resilience and cyber security capability.
Integration
Linked to the above, the integration of resilience disciplines is critical for effective business resilience. A multidisciplinary approach is required encompassing Business Continuity Management (BCM), Crisis Management, Supply Chain, IT Disaster Recovery and Cyber resilience.
It is a common challenge for organisations to have different elements of resilience working in silos. This is suboptimal and can weaken your organisation’s resilience. From a governance and organisational perspective, it is critical that roles and responsibilities are clearly defined and management is fully aligned.
This is more difficult in a siloed environment. Greater integration can bring a number of benefits including better threat and risk analysis through the sharing of information, resource optimisation, integrated exercises and alignment on the ongoing review and improvement cycles.
Integration is also important from a supply chain perspective. It is crucial to have communication with external stakeholders and suppliers and perform the necessary third party assessments as part of your overall resilience programme.
Capability
As with any discipline that rapidly emerges in prominence, skills and experience can be in short supply. Therefore, organisations are finding it increasingly difficult to build their own resilience competence. This challenge is compounded by the short supply of the related technology skills and experience, particularly surrounding cyber security and the more nascent technologies.
Another compounding factor is the transient nature of the workforce in Middle East countries. This results in high turnover and ‘brain drain’ - the attrition of skills and experience from an organisation.
While recruiting skills and experience can be challenging, it is important to invest in training and awareness and professional certifications to help build internal capability. But this is dependent on having the right level of support and investment from top management.
Building resilience
With the evolving landscape and common challenges in mind, there are three key areas where I would recommend focus in order to build sustainable resilience.
Culture
I believe that resilience is a board level topic. So, if it is not, my advice to any organisation is to make it one. It is important that an organisation’s resilience is driven from the top, starting with the leadership. From there, the organisation should delegate ownership and responsibility and empower management as necessary.
Do the basics well
The elements of building a resilience programme are well known by the professionals in this field. It is important that sufficient focus is placed on the governance framework, processes, documentation and core activities. It can take some organisations multiple years to fully establish, integrate and embed a resilience programme. It requires investment, understanding, integration and co-operation across the organisation.
Too often organisations jump into tools and technology, to automate as much as possible, without first solving their challenges with people and embedding processes.
Be agile
The resilience landscape is evolving at a fast pace and it is important to be agile in order to move and react with this change.
COVID-19 accelerated the focus on the need for people to be able to work from home.
Depending on how the pandemic evolves, or whether new pandemics arise, this could be the new normal. Some organisations have been slower to react and more resistant to this change than others. What has been clear is that those who were more agile suffered less disruption.
Agility can be improved with the right focus and leadership. It requires challenging and refreshing policies, improving feedback loops, breaking down organisational silos, relinquishing control and putting more trust in operational teams.
As technology develops and the broader environmental factors continue to be more volatile, I believe that agility will be an increasingly important part of business resilience moving forward.