Moreover, the attacks demonstrated a vulnerability to “interdependence risk” — a new kind of discontinuity for most companies in most industries. Bound intimately to the globalization of communications, finance, trade, and corporate activity, as well as to the deregulation and privatization of supporting infrastructures, interdependence risk is the potential for ostensibly small events — a trader improperly covering derivatives trades, a rogue computer hacker, a fire in a supplier’s factory — to spiral rapidly into a company-threatening crisis.
It is easy to be fatalistic after terrible events like those of September 11, and to assume that there is no way to prepare — or to presume that government will step in, leaving business to face the consequences later. But pragmatic leaders will not wait for the next assault or for legislative action. We believe it is possible to protect ourselves against even the seemingly brutal discontinuities we now face. Protecting the company in this way involves far more than installing appropriate technologies, buying the right insurance policies, protecting data networks, and guarding critical infrastructure: It requires the integration of organizational security and corporate strategy. Indeed, by assimilating security and strategy, firms can not only lessen their risk exposure, but also secure opportunity, thus maintaining business resiliency, which we define as the combination of continuity and conditions for growth.
To create business resiliency, CEOs must frame a security regimen around three primary goals, which naturally build upon one another (see Exhibit 1):
- first, securing people — reducing the vulnerability of the men and women in the company and the fear that vulnerability generates;
- second, securing the core business — ensuring continuity by protecting critical owned operations and facilities, to accommodate and adapt to traditional events as well as new kinds of discontinuities;
- third, securing the networks — preserving the open information systems, supplier links, alliances, customer relationships, knowledge communities, and other components of the organization’s extended ecosystem that are necessary to the functioning and growth of the modern corporation and the economies it comprises.
Underlying this enterprise-based examination of the firm’s needs and prospects is a fourth requirement: a reengagement with government at all levels. Our business leaders must work closely with state and federal legislators to make certain that the security of the microeconomies they guide complements the broader measures undertaken by government, while also guaranteeing that public policy does not sacrifice openness on the altar of security, to the detriment of the economic advancement of society.
In each stage of this framework, there is both a need for risk mitigation and an opportunity for value capture, which will differ among industries and for individual companies in those industries. Furthermore, a firm must recognize that each stage has both an immediate goal — ensuring business continuity — and a longer-term objective: to examine and implement a business-model transformation, if analysis determines its necessity.
In this article, we will elaborate on this framework and the rationale for its adoption and realization. The goal is a state we call “strategic security” — security achieved in an open environment and within the context of a corporate strategy designed to facilitate growth and profitability.
Perhaps the most salient lesson during the months that have followed the terrorist attacks on the World Trade Center and the Pentagon and the anthrax assaults that closed the Congress is that our nation’s icons of freedom and prosperity also present a rich suite of targets for an elusive set of enemies. Various kinds of security threats have always existed, and some may become more prevalent over time as small-group terrorist activity spreads. But the life-changing consequence of September 11 is the perception of vulnerability in the homeland that the United States never appreciated before.