The ER Audit
As an initial step to building enterprise resilience, companies can apply a comprehensive, three-phase ER audit procedure that can aid senior management teams in developing integrated risk mitigation programs grounded in a company’s real needs and built around its actual earnings drivers.
Step One: Enterprise Topology and Earnings-Driver Classification. In the diagnostic’s first stage, the firm should identify its key earnings drivers and their associated risks. (See Exhibit 2.)
This should be done by mapping the extended enterprise and drawing a consolidated and transparent picture of how the company organizes systems, processes, and relationships inside and outside its walls to generate revenue and profits. The company must distinguish the earnings drivers themselves; the business processes, capabilities, and technologies that support them; and their vulnerabilities. To accomplish this, interviews are held with corporate decision makers and key management staff in all functional domains. Relationships among customers, partners, and suppliers are explored; IT network safeguards inventoried; and assets charted.
Step Two: Resilience Profiling and Baselining. After plotting the earnings drivers, the firm should use modeling tools and best practices in enterprise design to produce initial snapshots of its “resilience profile” for each essential aspect of the company: financial, operations, technology, personnel, and security. Then the company’s existing profile should be compared with an optimal level of resilience — a “to be” state — in each of these areas.
The firm’s current risk mitigation plans, procedures, and costs, including business continuity and security programs, are examined in this phase. The intent is to determine how the current programs and the spending on them align with the earnings drivers identified in phase one. Both explicit and implicit risk mitigation spending must be baselined. Such spending includes costs associated with known security, business continuity, and disaster recovery programs, as well as costs associated with security, continuity, and recovery that are buried in budgets for departments or functions, such as IT or marketing. War-gaming is a particularly useful exercise in doing such advanced resilience profiling. (See “War-Gaming and Resilience Planning.”)
War-Gaming and Resilience Planning
Frequently conducted in conjunction with an enterprise resilience audit, war-gaming is an effective tool for understanding a company’s or an industry’s resilience posture. These strategic simulations use mock crises to gauge how well executives and staff are prepared to face serious business discontinuities.
The most effective war games occur over two days and involve a series of crisis simulations in which critical components of a company’s or an industry’s resilience are tested with players from different, yet related, stakeholder groups. Through a real-time simulation — with one group making a move, and others responding, action by action — vulnerabilities can be exposed and mitigation strategies developed.
For example, Booz Allen Hamilton and the Conference Board sponsored a port security war game in October 2002, just after West Coast ports in the U.S. were shut by a labor action. Participants included representatives from government agencies, supply chain–intensive industries, and contract logistics providers. The war game simulated an unanticipated closure of shipping ports after several “dirty bombs” were found in containers shipped to U.S. ports. The exercise found that companies reliant on the ports would likely have to sacrifice just-in-time efficiency to some degree, and replace it with a more robust “just-in-case” supply pipeline.
With such insights, companies can attempt to find the necessary balance between just-in-time production and just-in-case resilience, and to answer crucial questions: What would be the effect on earnings if we stockpiled three weeks of supply? Are there innovative ways to create these reserves besides paying for them outright? What loss would insurance cover? What are the projected costs of alternative shipping versus stockpiling? How well do we understand whom to call and what to do during such an event? How prepared are we to communicate mediation steps?
War-gaming’s greatest value is that it exposes ideas that participants don’t realize they have and uncovers solutions that are not apparent. Additionally, war-gaming forces organizations to think differently, to examine the validity of their assumptions about systemic risks. For example, the port security war game uncovered the critical fact that companies must consider security a strategic and necessary element of global trade resilience. Another insight was that local and national public–private partnerships are essential to finding an effective global port security solution. When war games include participants from interdependent companies or involve a mix of private-sector and public-sector players, consensus can be forged on the need for collective action, and the action plan itself can take shape.
— R.S., J.N., and M.D.