In sharp contrast to traditional ERM, enterprise resilience planning advances a company’s speed and flexibility by crafting an integrated first line of defense and an offensive strategy to guard the entire extended enterprise against new, unavoidable risks that are the by-products of interdependent operations. ER results from a planned series of safeguards against discontinuities — encompassing everything from logistics, inventory control, and distribution channels to relations with government agencies, customers, and suppliers. Unlike enterprise risk management programs, which tend to focus only on how major categories of corporate risk interact at a tactical level, ER planning better aligns risk management activity and spending with the most fundamental components of corporate strategy and performance: corporate growth and profit drivers, earnings consistency, and shareholder value. Resilient organizations are sensing, agile, networked, and prepared. They think ahead to even the most outrageous possibilities, training themselves, as the Harvard Business Review put it, “how to survive before the fact.” (See “Diagnose Your Enterprise Resilience: Eight Fundamental Questions.”)
Diagnose Your Enterprise Resilience: Eight Fundamental Questions
1. Are the complexity of the extended enterprise and major earnings drivers across it transparent?
2. Are interdependencies understood and interdependence risks identified?
3. What programs are in place to ensure the viability of earnings drivers?
4. Are these programs fully aligned with corporate strategy and objectives, and do we understand the trade-offs within these programs?
5. Do we know what we spend on resilience?
6. How good is our situational awareness — that is, do we have enough business intelligence, internal and external, and is it directed to the appropriate parties?
7. Do we distill such intelligence properly and in a timely enough fashion to react to it?
8. Who is accountable for resilience, and how do we make decisions and measure progress?
ER planning begins with the identification of the greatest risks across the enterprise, including interdependencies, and then generates a targeted program, integrated with overall corporate strategy, for mitigating these risks. ER is a continuous process that creates the ability to adjust readily to new risks and opportunities, based on the strategic priorities and operational tempo of the business. It enables executives and managers to make educated trade-off decisions when they develop a risk mitigation strategy, balancing the costs and benefits to meet overall risk management targets and improve earnings consistency.
There are three essential steps to becoming a resilient enterprise:
1. Diagnose enterprise-wide risk and interdependencies. A company must first define its extended enterprise and determine its earnings drivers. Once this is achieved, a transparent and consolidated view of risks across the extended enterprise can be developed, helping executives to understand the company’s network interdependencies. After the enterprise is mapped, a baseline view of risk mitigation plans and spending can be developed to identify gaps and prioritize risk mitigation objectives. The resilience diagnostic should yield quick-hit opportunities associated with critical risks that management must address in the near term.
2. Adapt corporate strategy and operating model. The enterprise should use cost-benefit analysis that links cross-functional risk mitigation planning to corporate strategy. Equally important, the CEO and board must adopt a common risk management and resiliency vocabulary that is comprehensible and intuitive to all, enabling executives and directors to understand a company’s risk exposure and to make trade-off decisions in implementing risk mitigation strategies while pursuing strategic objectives.
3. Endure increased risk and complexity. This step involves developing an organizational structure that oversees and integrates business intelligence and risk monitoring for the extended enterprise; has the analytical tools and support capabilities to improve decision making and responses to risk as it changes; can measure risk mitigation with clearly defined benchmarks; can monitor the organization’s resilience profile; and can implement best-practice risk mitigation solutions. The resilient organization, through an enhanced sensing capability, integrates business intelligence to improve situational awareness.