A Nordic telecommunications company and its primary competitor, another European telecom manufacturer, both depended on the same Koninklijke Philips Electronics NV semiconductor plant in New Mexico for chips to power their mobile phones. But when a fire broke out at the factory in March 2000, the supply chain was disrupted.
The Nordic company’s officials noticed the problem even before being told that a plant had gone down. Its chief supply troubleshooter immediately put together a team of 30 supply chain experts to fan out across Europe, Asia, and the U.S. to patch together a solution. They redesigned chips, accelerated a project to boost production, and used the company’s clout to obtain more chips from other suppliers. The other company, with fewer fail-safe and troubleshooting systems built into its supply network, came up millions of chips short of the supply needed to launch a critical new product.
The result, according to the Wall Street Journal: The Nordic company’s market share grew by 3 percent; the competitor’s dropped by the same amount. Before long, the other company withdrew from the handset market.
This stark tale of gain and loss underscores a new operating reality confronting companies everywhere: Drivers of earnings, definitions of risk, underlying risk interdependencies, and ways to manage them have changed. Firms generally have thought of risk as the downside hazard to their financial portfolios and have concentrated their risk management efforts on hedging their portfolios against loss. But the Nordic company’s success in weathering a potentially debilitating disruption to its supply chain, and ultimately gaining competitive advantage from its efforts, shows that companies can profit by adopting a broader understanding of and more comprehensive processes for managing risk across the extended enterprise in an increasingly complex global economy. In doing so, they establish greater enterprise resilience (ER).
In this article, we detail the differences between conventional enterprise risk management and enterprise resilience, and explain why a keen understanding of the distinction is essential today, when the boundaries of every major corporation have expanded, increasing a company’s vulnerabilities and its potential for competitive advantage. We also identify how senior executives can assess their organization’s resilience profile and risk management approach. And we explain how corporate managers can align risk mitigation strategies with the most significant earnings-driver risks, and close dangerous gaps in their company’s resilience profile.
The Adaptation Imperative
Enterprise resilience is the ability and capacity to withstand systemic discontinuities and adapt to new risk environments. A resilient organization effectively aligns its strategy, operations, management systems, governance structure, and decision-support capabilities so that it can uncover and adjust to continually changing risks, endure disruptions to its primary earnings drivers, and create advantages over less adaptive competitors.
A resilient organization establishes transparency and puts in place controls for CEOs and boards to address risks across the extended enterprise. It can withstand improper or fraudulent employee behavior, IT infrastructure failures, disruptions of interdependent supply chains or customer channels, intellectual property theft, adverse economic conditions across markets, and the myriad other discontinuities companies face today.
Establishing greater resilience is especially necessary in the current economic and security environment, which poses a new set of challenges to executives and boards. The openness and complexity of today’s extended enterprise increase the firm’s dependence on a global financial, operational, and trade infrastructure. Although that provides for greater efficiency and effectiveness, it also exposes most companies to risks that were unfamiliar during the era of national markets and the vertically integrated enterprise — and compounds the effect of conventional business risks.
What’s more, the legal and regulatory landscape has undergone significant change since the September 11, 2001, terrorist attacks and the accounting and governance scandals in the United States, raising the level of diligence stakeholders expect from senior executives, boards of directors, and board audit committees in ensuring the safety and continuity of the enterprise. The United States’ July 2002 National Strategy for Homeland Security recommends that industry sectors and corresponding government agencies responsible for critical infrastructure protection develop national infrastructure assurance plans that bridge the public and private sectors. The Sarbanes-Oxley Act of 2002 has tightened boards of directors’ audit committee responsibilities, imposed new CEO and CFO certification requirements, and raised the “standard of care” obligations on management dramatically. The Basel II Accord commits financial-services institutions to set aside larger capital reserves against possible future operational disruptions.