strategy+business is published by PwC Strategy& LLC.
strategy and business / Spring 2003 / Issue 30 (originally published by Booz & Company)


Enterprise Resilience: Managing Risk in the Networked Economy

Interdependencies have grown not only within the private sector. Governments and industries are increasingly dependent on each other at a level of intricacy not seen — in the United States, at least — since World War II. The National Strategy for Homeland Security calls for the development of protection plans in 14 “critical infrastructure sectors” (such as energy, telecommunications, defense industrial base, and banking and finance); although private industry overwhelmingly owns and operates these sectors, government and business must collaborate to develop and implement the assurance plans. One current public–private sector partnership model is the National Security Telecommunications Advisory Committee (NSTAC), which supports the Office of the President in addressing telecommunications issues vital to U.S. national security and emergency preparedness needs. The stakes in such collaboration can be enormous. A war game, cosponsored by Booz Allen with the Council for Excellence in Government in December 2001, and designed to model the effects of an intentional release of pneumonic plague in multiple metropolitan locations, found that casualties would be dramatically reduced by cross-sector knowledge-sharing mechanisms.

Interdependence risk — within the private sector or across the public and private spheres — underlies many recent reports of operating loss. Consider what happened in September 2002 when a labor dispute shut down West Coast ports for several weeks. As critical supply chains stopped functioning normally, severely constraining manufacturing and product replenishment, U.S. companies lost an estimated $1 billion per day. The events highlighted the interdependencies among shipping companies, supply chain–intensive industries, contract logistics providers, and government agencies.

ER vs. ERM
Risk management models have not kept pace with the shift from centralized to networked organizations. In military terminology, most enterprise risk management (ERM) programs rely on “point solutions,” which attempt to moderate risks by “hardening” potentially vulnerable spots against attacks, a futile exercise in a networked enterprise. An organization cannot simultaneously harden all the nodes within its network; threats will just migrate from a hardened node to more vulnerable points. Military strategy has long since adapted to this new understanding. In the early 1990s, when the U.S. Department of Defense recognized that its war-fighting doctrine of “information superiority” increased its dependence on networked communications systems, it transitioned from the traditional risk management technique of hardening every node to a “defense in depth” model, which uses a layered approach to security.

Directors and senior managers, many of whom are faced with analogous challenges, have not followed suit. In a recent survey of Fortune 1000 CFOs, treasurers, and risk managers by the National Association of Corporate Treasurers and other organizations, three-quarters of respondents agreed that a major disruption to their top earnings driver would either cause sustained damage to their company’s earnings or threaten business continuity. Yet fewer than one-quarter of respondents said their current risk management efforts sufficiently anticipate a wide variety of potential large-loss events. (See Exhibit 1.)

In pursuing strategic objectives, boards and CEOs must factor into their decision making the trade-offs involved in selecting one risk alternative over another. Conventional ERM programs certainly help focus executives and directors on the nature of specific vulnerabilities, and they can provide partial frameworks to help firms protect potentially weak links from low-probability catastrophic risks. But they do not fully prepare companies for the discontinuities that can jeopardize earnings drivers. Conventional enterprise risk management fails to account for interdependencies across vertical and horizontal corporate operations and thus tends to underestimate the range and severity of risks faced by the firm. Such network discontinuities can accumulate exponentially and often spiral out of control, subjecting a company to levels of loss without modern precedent. So Barings Bank learned when the actions of a single trader in Singapore destroyed the centuries-old institution.



