Companies that are not resilient are on course to go out of business. Experts Paul Walker and Dan Sharp explain how to go from enterprise risk management to ‘continuous resilience’
This article was first published in the January 2016 international edition of Accounting and Business magazine.
A walk through the Computer History Museum in Silicon Valley, California, reveals a simple message: innovate, respond to innovation, or cease to exist. The museum is full of success stories but also of companies that created great ideas or products but which no longer exist. Today’s rapidly changing environment requires successful organisations to be resilient – anticipating and responding effectively to the rising number of major changes in their markets.
The ISO 31000 risk management standard notes that risk management should be part of decision-making, be timely, based on the latest information, and take cultural factors into account. The ISO framework and process identifies a separate step for establishing the context to help evaluate the significance of a risk.
Context can be internal or external. Internal context includes costs, personnel, supply chain, and so on. External includes political, legal, regulatory, economy, society and social change, as well as natural events such as the weather.
Continuous resilience – a method for which Dan Sharp has copyright pending – aims to establish both the external and internal context and manage these potentially game-changing risks. Specifically, it is a company’s ability to anticipate and respond quickly and competitively to any change in its markets. Importantly, it can be tied into enterprise risk management (ERM) or any other risk management system.
Today, companies often operate in many locations in multiple countries and have to manage an ever-growing set of risks that can vary according to location. One of many lessons from the 2008 economic crisis is that problems in one country quickly flow over to another.
Continuous resilience focuses and builds the discipline of anticipation, with the aim of learning about emerging changes in markets before rivals do. There is much more monitoring than with most risk management systems. It also teaches companies to respond faster and more effectively than rivals. Also, instead of an enterprise risk map (composed of snapshots of existing risks), continuous resilience provides a moving picture of emerging risks. It links these risks to strategy, overcoming the common complaint about the difficulty of doing this within ERM.
Continuous resilience requires two elements. First, an internal early alert system monitors a company-specific checklist of the major driving forces and issues in its markets where an important change can create risks and opportunities for the company.
Second, a high-level committee performs additional functions to those found in most risk management processes. The committee’s functions can be made a part of the company’s risk management committee. Its roles include:
- managing the early alert system and the responses to its alerts
- ensuring that each company department and function has an adequate preparedness plan that is up to date and exercised at least annually
- running an annual exercise responding to a potential disaster
- becoming the command centre for a company’s response to a sudden major market change.
The committee should meet just once or twice a year (unless an unexpected event makes it the command centre), and its meetings should involve scenarios and reviews of early alert reports that highlight the most important changes in risks, opportunities and driving forces, with a proposed immediate action plan for the highest priority changes. No box-checking, no big documents to review, just short action-oriented sessions.
The committee should include senior executives from strategy (to ensure the risks and opportunities feed directly into strategy) and other key functions. The early alert system will cover changes in the local economy, legislation and regulation, disruptive technology, attitudes of customers, workers/unions, plus emerging pandemics or other health or environmental changes of great significance. How a company responds to such changes can create a competitive advantage or disadvantage.
For the early alert process to begin, a checklist must be created listing the major risks to monitor. This should be no longer than two pages and cover about a dozen risks. It must be very company-specific, so its preparation will require collaboration with key executives at corporate level and with local managers in each reporting unit. General categories of risks are often appropriate – for example, economic, political, social, environmental, health, society, customers, labour, technology and cybersecurity, with subcategories that could be more specific.
The specifics will often emerge from a combination of a SWOT (strengths, weaknesses, opportunities, threats) analysis and a driving forces analysis of those forces of greatest importance to the company in each market. Only by monitoring all the driving forces, risks and opportunities can a company count on being resilient and prepared for any important change in its markets.
As an example, consider a company in the office equipment market. Its driving forces start with technology, including the introduction of possibly disruptive new technology and the company itself developing or acquiring new tech. Other driving forces include changes in office routines, attitudes of office workers, the ability to import/export finished products and supplies, transborder data flow restriction and local laws, as well as the driving forces of the economy, political stability, tax and other laws and regulations, environment and health. Each of these elements would probably go on the checklist for this company.
The process of creating the checklist for each reporting unit (often a country, state or city) begins by asking the local management ‘what drives your business?’ This is a distinguishing feature of continuous resilience and is different from creating a checklist of risks. By initiating the process bottom-up from where the local knowledge exists, the local manager is in a position to inspire trust. When the planning process is top-down, local managers often disagree with headquarters because they have a better knowledge of their markets.
This bottom-up early alert process gives the company a knowledge-based continuous moving picture of the most important trends and changes in the forces that drive its profits and success, and reduces the lead time for responding to those crucial changes.
Once the checklist has been compiled, each decentralised unit of the company designates a senior executive to monitor its business environment on an ongoing basis, looking for any important changes in any item on its checklist. At least once a year, and whenever the change is sudden or significant, that person prepares a brief report for the company’s headquarters.
The annual report is usually just two pages long: one page of up to 10 priority changes, and a second that answers three key questions about the top priority risk:
- What is the change?
- How does it impact our company?
- What are we doing about it and what should we do about it?
Ahead of the game
In between these annual reports there might be a flash report of a sudden change, consisting of one-page answers to the same three questions. Those reports go to regional headquarters where they are consolidated with reports from other units in ways that often show emerging patterns of interest. Flash reports go up to regional and/or global headquarters depending on urgency and where action needs to be taken. The annual reports, consolidated at regional headquarters and then globally at corporate headquarters, can become a prime basis for strategic planning.
The following example illustrates this point. For years US companies were aware there was a European Commission but few took it seriously. However, because Xerox set up a monitoring system with a checklist that included international organisations, especially those related to trade and business, the company learned of a profitable opportunity much sooner than its competition.
Over a period of two years of using its early alert system, several Xerox companies in Europe noticed there was growing interest among businesses in their markets in transforming the commission into an organisation that could control business activities in Europe. This was long before it became front-page news and was identified by most US companies.
When Xerox’s European regional consolidation of priority changes in driving forces was prepared for the annual strategy exercise (based on this continuous resilience-type monitoring system), the progress towards a powerful European Commission was listed almost two years before it became a reality. This was because the gradual changes were deemed to be of potential interest to Xerox by local managers, though not yet by regional or national executives.
Threat or opportunity?
Once this had been identified as an emerging important change in the driving force of international organisations and regulations, Xerox saw it as a threat if it failed to act, but more importantly, an opportunity if it acted earlier than competitors. When the global consolidated annual continuous resilience report was presented to senior management, they implemented a speedy European response, regionalising their supply and distribution activities (more than a year ahead of competitors), leading to a significant profit and cost advantage.
A company that is not resilient has a long-term strategy of going out of business. A continuous resilience process can help complete or enhance an ERM process by using local knowledge not only of risks, but also of opportunities, and not only of presently identifiable risks and opportunities, but also those that are just emerging. Continuous resilience can also help a company respond to changes in a timely way and link its response to a strategic one.
Becoming continuously resilient can avoid a going-out-of-business strategy and, instead, increase profits and chances of survival.
Dr Paul Walker co-developed one of the first courses on enterprise risk management and has done ERM training for executives and boards around the world. Dan Sharp is a recognised thought leader and practitioner of continuous resilience.