When discerning what the pandemic taught us about business resilience, the lessons contain good news and bad news.
On a positive note, we learned that effective business resilience, much like psychological resilience, is the result of “ordinary magic.” Organizations that demonstrated the greatest capacity to overcome COVID-driven adversity in 2020 did not summon futuristic technologies, extraordinary leadership or never-seen-before innovations to do so. Instead, they took advantage of strategies, frameworks and processes – most of which were both conventional and highly effective — they already had in place. These capabilities helped them quickly and successfully adapt in the face of historic volatility and uncertainty. The bad news affects companies without these plans and procedures in place: they have a lot of work to do.
Yet, even this bad news has an upside, given that these efforts will be straightforward. Few if any of the primary enablers of organizational resilience – including business continuity management, disaster recovery, cybersecurity incident response management and third party risk management (TPRM) – involve rocket-science levels of complexity. Building organizational resilience requires comprehensive consideration of what can go wrong, some sharp assessments of what’s likely to go wrong, a thorough consideration of cause and effect, and strict adherence to common sense.
Of course, the disruptions that arose during the pandemic showed that common sense can get thrown out the window during high-pressure scrambles to react to new conditions and business realities. It makes sense to address cybersecurity controls when putting place new technology systems, but that didn’t occur in the first several months of the work from home (WFH) shift. It makes sense to assess third parties virtually when travel bans and other social-distancing measures prevent on-site visits, but not every TPRM team had developed virtual assessment procedures prior to the pandemic.
The pandemic also revealed that five pieces of conventional wisdom about resilience were off the mark:
- Resilience is an innate capability: Recent psychological research shows that human resiliency is not an inherent trait; it can be developed with the right tools and processes. The same holds true for business resilience, despite lingering misperceptions that born-digital companies are somehow wired to be more resilient. Yes, born digital companies tended to adapt swiftly and effectively to the WFH shift during the early months of the pandemic, but that transition had more to do with their cloud technology environments. Older, larger companies with cloud technology environments also tended to adapt swiftly and effectively On the other hand, companies with legacy, on-premises IT systems had more difficulty making the transition.
- There is only one type of business resilience: Human resilience comes in different flavors – psychological, emotional, physical, social and community; so, too, does organizational resilience. Yet “business leaders often tend to view resilience solely through a balance sheet lens, examining leverage and liquidity, but ignoring other potential sources of fragility,” note the co-authors of the Bain briefing document, “Getting Business Resilience Right.” The consultants cite two reasons that it is helpful to distinguish among five different types of business resilience – strategic, financial, operational, technological and organizational. First, recognizing those five resilience “dimensions” encourages leaders to keep in mind that external disruptions challenge the company in many different ways, which compounds the impact of the disruption. Second, by understanding this compounding effect, business leaders are better equipped to make wiser decisions about how and where to invest in resilience improvements. While each of the five resilience dimensions Bain identifies are important to TPRM teams, two are especially pertinent to their activities: operational (which includes supplier concentration) and technological (which includes cybersecurity).
- Building organizational resilience is a complex endeavor: The phrase “ordinary magic” appears in the title of a 2001 American Psychologist article by A. S. Masten. The article makes the case that resilience “is made of ordinary rather than extraordinary processes,” which in turn means that practical practices and processes can be designed and deployed to enhance the development of resilience in at-risk children. A similar dynamic applies to business resilience. Nissan was able to resume production comparatively quickly after the 2011 Japan earthquake because it had developed clear BCM and disaster recovery plans and diversified its suppliers prior to the catastrophe, according to the Bain article. Southwest Airlines limited its exposure to the oil price spike at the turn of this century because it had hedging processes in place.
- Resilience is a fixed competency: There is a tendency to view business resilience like regulatory compliance: a company is either compliant (resilient) or non-compliant (not resilient). In practice, business resilience fluctuates in response to several factors, including the nature of external risks and the degree to which internal processes keep pace with the changing external environment. Veteran TPRM professionals will be familiar with this pattern. They know firsthand that that efficacy of their programs can decline even when they notch significant improvements because the pace of external risks exceeds that internal progress. TPRM leaders also recognize the need to continuously improve.
- Resilience is the sole responsibility of risk management teams: The Bain consultants argue against relegating resilience to a “corner of the business” because the “combinatorial nature of many risks demands that companies identify and mitigate risks for the entire business. A piecemeal buying down of specific risks in specific functions and business units will probably not achieve the resilience needed for the business as a whole (or at least not at an acceptable cost). Moreover, many future risks will emerge from the ecosystem of partners outside the firm, and traditional risk-management functions are ill-suited for this challenge.” In other words, third party risk management plays a crucial, and growing, role in fostering business resilience.
To execute their role, TPRM teams also need to evaluate and monitor vendor business resilience plans to ensure that they remain relevant and current. Additionally, TPRM teams should keep business impact assessments (BIAs) updated, ensure that the IT resilience and availability strategy aligns with the operational resilience strategy, and prioritize vendor SLAs.