A vital part of this phase is the development of an “interdependency map” to identify interdependence risks across the extended enterprise — hazards to earnings drivers that may result from unanticipated regulatory action, changes in supplier relationships, problems at clients, or other externalities. The baselining exercise also seeks to understand how market trends and corporate strategies will influence earnings drivers in the future. For example, a consumer goods manufacturer might discover that the business unit managing logistics between the factory and retailers for the company’s flagship Product A is unaware of a new distribution chain developed by the team overseeing up-and-coming Product B. These redundant distribution channels could leave the manufacturer vulnerable because the delivery of two critical products would be interrupted simultaneously if the supply chain network sustained a disruption.
Such profiling and baselining help identify gaps between existing risk mitigation programs and identifiable needs, allowing management to visualize at a glance weaknesses and strengths in the firm’s current risk exposure and resilience posture. This impact analysis can identify areas for new investment and disinvestment. For example, a major retailer with state-of-the-art just-in-time inventory systems that require continual data inflows to determine how to stock shelves could be financially crippled if a disruption were to temporarily shut down its network grid.
By contrast, even the largest advertising agency could get by without too much damage if it lost its computers for a day or longer. However, an ad agency must protect the safety of its key personnel because its human assets are its most significant earnings driver. Consequently, during the diagnostic’s analysis stage, the to-be resilience state for the retailer would establish that the safeguarding of technology infrastructure is its highest target for investment, and personnel security is a lower investment target; the ad agency might have the opposite resilience profile. This rating does not imply that the retailer has a lower regard for personnel safety; it simply recognizes that the retailer’s investments need to be focused on the technology infrastructure because that infrastructure is one of its primary earnings drivers.
Step Three: Resilience Strategy. The final phase of an enterprise resilience audit aims to develop a new resilience program based on the analyses of the firm’s earnings-related risk mitigation needs. The most critical gaps between existing risk management programs and the to-be profile are isolated. After the financial commitment needed to close these gaps is determined, a cost-benefit analysis helps rationalize investment needs, finding the optimal balance among components of the risk mitigation effort.
The cost assessment examines business resilience from three perspectives: people, operations (process and technology), and interdependencies. As an example, an established meat products company might learn that, overall, it has well-protected supply and distribution networks, moderate operations risk thanks to mature crisis and disaster management plans, but weak personnel security because its hiring and management procedures at international subsidiaries are inadequate. On the basis of this evaluation, the company could decide to reduce resources earmarked for disaster management and network oversight and redirect them to improve its recruitment, training, and inspection practices. Otherwise, it increases the risk that a devastating incident will occur (e.g., poor inspection practices could allow tainted meat to reach consumers and cause them to become ill).
After setting the gap-closing priorities and developing the full risk mitigation strategy, the executive team should agree on a migration path and gain the board’s agreement on a timetable for the institution of near-term and longer-term resilience goals. Over time, enhanced business intelligence and information sharing should be developed to promote greater situational awareness.
Risk Is Reality
We believe that companies need to adopt a more integrated approach to risk management — one that links business strategy to enterprise resilience and business continuity planning. Using diagnostic tools, war-gaming, and decision-support capabilities, companies can establish a more effective, continuous, and consistent methodology for protecting the enterprise from internal and external risks.