Guided by these and other requirements, underwriters of risk, such as insurance, equity, and debt markets, will more aggressively distinguish between those businesses that are resilient and those that are not. To maintain earnings consistency and preserve and grow shareholder value, chief executives and board members need the capacity to sense and respond effectively to increasingly complicated levels of risk — risks that cannot necessarily be transferred through conventional means, such as insurance.
Our emphasis on the importance of earnings consistency matches that of the capital markets. A company’s fate is determined by its ability to generate a reliable pattern of earnings growth. Companies that reduce earnings volatility and lower the probability of large losses are rewarded by financial markets with less expensive and better access to capital. What’s more, markets place “consistency premiums” on the stock valuations of companies that both promise and produce a steady pattern of increasing profits.
The business activities that enable the firm to gain a competitive advantage and sustain growth vary across both industries and companies. For some, manufacturing facilities represent the core earnings driver; for others, IT networks, customer support operations, supply chains, intellectual property, or a combination thereof power earnings. Traditionally, risks have not been perceived in the context of key earnings drivers, but rather in broad categories, each of which was managed in a functionally isolated way. Thus, financial risk became the province of the CFO, operations risk the responsibility of the COO, and network security the task of the CIO. Rarely do they or their business continuity or security programs link together in support of strategic objectives.
Senior executives have understandably renewed their attention to conventional risk mitigation programs. Seventy-five percent of Fortune 1000 CEOs surveyed by RoperASW on behalf of Booz Allen Hamilton in late 2001 expressed increased concern about such day-to-day activities as mail processing, travel, protection of employees, and protection of infrastructure. But by defining risk and security narrowly as the protection of personnel, plant, data, and financial position, CEOs and boards overlook the more prevalent perils they face conducting business in a networked global economy.
Networks are one of the great advances in industrial organization. Over the course of the last half century, the vertically integrated company has given way to the networked enterprise, an organizational structure characterized by greater agility and adaptability. Successful firms today must deal with intertwined layers of information, raw materials, analytical data, customer communication and service, and network infrastructure — at unprecedented speed — while maintaining countless secure relationships with third-party organizations, such as suppliers, technology outsourcers, and government regulators. “The diversity of networks in business and the economy is mind-boggling,” writes Albert-László Barabási, the physicist and author of Linked: The New Science of Networks (Perseus Publishing, 2002). “There are policy networks, ownership networks, collaboration networks, organizational networks, network marketing — you name it.”
Yet while the organizational and economic impact of networks is well known, their vulnerabilities remain largely unexplored by businesses. The reliance on open borders, transnational alliances, and global markets for capital, goods, and services has generated a “just in time” economy, which, although remarkably cost-efficient, leaves companies open to a range of discontinuities that can affect operations, reputation, customer habits, legal standing, regulatory compliance, earnings performance, and ultimately shareholder value. We call these new vulnerabilities, collectively, interdependence risk, and define it as unanticipated risk exposure across the extended enterprise that is beyond an individual organization’s direct control. Examples of interdependence risk include supply chain disruption, government intervention, and public infrastructure destruction.
The scale and impact of a disruptive event are a function of the relative importance of the dislocated entity and the degree of its integration into a broader extended enterprise. A problem that appears localized could ripple across an extended enterprise, an industry sector, or even a national or multinational economy. The capacity to withstand such disruptions is a function of a firm’s systemic resilience — its ability to understand its interdependencies, and to foresee and plan around discontinuities that can occur within them.