value insights

Adaptation Imperative for Enterprise Resilience- Valutrics

The stark tale of gain and loss underscores a new operating reality confronting companies everywhere: Drivers of earnings, definitions of risk, underlying risk interdependencies, and ways to manage them have changed. Firms generally have thought of risk as the downside hazard to their financial portfolios and have concentrated their risk management efforts on hedging their portfolios against loss. But the corporate success in weathering a potentially debilitating disruption to   supply chain, and ultimately gaining competitive advantage from its efforts, shows that companies can profit.

The Adaptation Imperative
Enterprise resilience is the ability and capacity to withstand systemic discontinuities and adapt to new risk environments. A resilient organization effectively aligns its strategy, operations, management systems, governance structure, and decision-support capabilities so that it can uncover and adjust to continually changing risks, endure disruptions to its primary earnings drivers, and create advantages over less adaptive competitors.

A resilient organization establishes transparency and puts in place controls for CEOs and boards to address risks across the extended enterprise. It can withstand improper or fraudulent employee behavior, IT infrastructure failures, disruptions of interdependent supply chains or customer channels, intellectual property theft, adverse economic conditions across markets, and the myriad other discontinuities companies face today.

Establishing greater resilience is especially necessary in the current economic and security environment, which poses a new set of challenges to executives and boards. The openness and complexity of today’s extended enterprise increases the firm’s dependence on a global financial, operational, and trade infrastructure. Although that provides for greater efficiency and effectiveness, it also exposes most companies to risks that were unfamiliar during the era of national markets and the vertically integrated enterprise — and compounds the effect of conventional business risks.

What’s more, the legal and regulatory landscape has undergone significant change since the September 11, 2001, terrorist attacks and the accounting and governance scandals in the United States, raising the level of diligence stakeholders expect from senior executives, boards of directors, and board audit committees in ensuring the safety and continuity of the enterprise. The July 2002 United States’ National Strategy for Homeland Security recommends that industry sectors and corresponding government agencies responsible for critical infrastructure protection develop national infrastructure assurance plans that bridge the public and private sectors. The Sarbanes-Oxley Act of 2002 has tightened boards of directors’ audit committee responsibilities, imposed new CEO and CFO certification requirements, and raised the “standard of care” obligations on management dramatically. The Basel II Accord commits financial-services institutions to set aside larger capital reserves against possible future operational disruptions.

Guided Interdependence Risk
Our emphasis on the importance of earnings consistency matches that of the capital markets. A company’s fate is determined The business activities that enable the firm to gain a competitive advantage and sustain growth vary across both industries and companies. For some, manufacturing facilities represent the core earnings driver; for others, IT networks, customer support operations, supply chains, intellectual property, or a combination thereof power earnings. Traditionally, risks have not been perceived in the context of key earnings drivers, but rather in broad categories, each of which was managed in a functionally isolated way. Thus, financial risk became the province of the CFO, operations risk the responsibility of the COO, and network security the task of the CIO. Rarely do they or their business continuity or security programs link together in support of strategic objectives.

Senior executives have understandably renewed their attention to conventional risk mitigation programs. Seventy-five percent of Fortune 1000 CEOs surveyed Networks are one of the great advances in industrial organization. Over the course of the last half century, the vertically integrated company has given way to the networked enterprise, an organizational structure characterized Yet while the organizational and economic impact of networks is well known, their vulnerabilities remain largely unexplored The scale and impact of a disruptive event is a function of the relative importance of the dislocated entity and the degree of its integration into a broader extended enterprise. A problem that appears localized could ripple across an extended enterprise, an industry sector, or even a national or multinational economy. The capacity to withstand such disruptions is a function of a firm’s systemic resilience — its ability to understand its interdependencies, and to foresee and plan around discontinuities that can occur within them.

Interdependencies have grown not only within the private sector. Governments and industries are increasingly dependent on each other at a level of intricacy not seen — in the United States, at least — since World War II. The National Strategy for Homeland Security calls for the development of protection plans in 14 “critical infrastructure sectors” (such as energy, telecommunications, defense industrial base, and banking and finance); although private industry overwhelmingly owns and operates these sectors, government and business must collaborate to develop and implement the assurance plans. One current public–private sector partnership model is the National Security Telecommunications Advisory Committee (NSTAC), which supports the Office of the President in addressing telecommunications issues vital to U.S. national security and emergency preparedness needs. The stakes in such collaboration can be enormous. A war game, cosponsored ER vs. ERM
Risk management models have not kept pace with the shift from centralized to networked organizations. In military terminology, most enterprise risk management (ERM) programs rely on “point solutions,” which attempt to moderate risks Directors and senior managers, many of whom are faced with analogous challenges, have not followed suit. In a recent survey of Fortune 1000 CFOs, treasurers, and risk managers In pursuing strategic objectives, boards and CEOs must factor into their decision making the trade-offs involved in selecting one risk alternative over another. Conventional ERM programs certainly help focus executives and directors on the nature of specific vulnerabilities, and they can provide partial frameworks to help firms protect potentially weak links from low-probability catastrophic risks. But they do not fully prepare companies for the discontinuities that can jeopardize earnings drivers. Conventional enterprise risk management fails to account for interdependencies across vertical and horizontal corporate operations and thus tends to underestimate the range and severity of risks faced In sharp contrast to traditional ERM, enterprise resilience planning advances a company’s speed and flexibility ER planning begins with the identification of the greatest risks across the enterprise, including interdependencies, and then generates a targeted program, integrated with overall corporate strategy, for mitigating these risks. ER is a continuous process that creates the ability to adjust readily to new risks and opportunities, based on the strategic priorities and operational tempo of the business. It enables executives and managers to make educated trade-off decisions when they develop a risk mitigation strategy, balancing the costs and benefits to meet overall risk management targets and improve earnings consistency.

There are three essential steps to becoming a resilient enterprise:

Diagnose enterprise-wide risk and interdependencies. A company must first define its extended enterprise and determine its earnings drivers. Once this is achieved, a transparent and consolidated view of risks across the extended enterprise can be developed, helping executives to understand the company’s network interdependencies. After the enterprise is mapped, a baseline view of risk mitigation plans and spending can be developed to identify gaps and prioritize risk mitigation objectives. The resilience diagnostic should yield quick-hit opportunities associated with critical risks that management must address in the near term.

Adapt corporate strategy and operating model. The enterprise should use cost-benefit analysis that links cross-functional risk mitigation planning to corporate strategy. Equally important, the CEO and board must adopt a common risk management and resiliency vocabulary that is comprehensible and intuitive to all, enabling executives and directors to understand a company’s risk exposure and to make trade-off decisions in implementing risk mitigation strategies while pursuing strategic objectives.

Endure increased risk and complexity. This step involves developing an organizational structure that oversees and integrates business intelligence and risk monitoring for the extended enterprise; has the analytical tools and support capabilities to improve decision making and responses to risk as it changes; can measure risk mitigation with clearly defined benchmarks; can monitor the organization’s resilience profile; and can implement best-practice risk mitigation solutions. The resilient organization, through an enhanced sensing capability, integrates business intelligence to improve situational awareness.

The ER Audit
As an initial step to building enterprise resilience, companies can apply a comprehensive, three-phase ER audit procedure that can aid senior management teams in developing integrated risk mitigation programs grounded in a company’s real needs and built around its actual earnings drivers.

Step One: Enterprise Topology and Earnings-Driver Classification. In the diagnostic’s first stage, the firm should identify its key earnings drivers and their associated risks.


Step Two: Resilience Profiling and Baselining. After plotting the earnings drivers, the firm should use modeling tools and best practices in enterprise design to produce initial snapshots of an enterprise’s “resilience profile” for each essential aspect of a company: financial, operations, technology, personnel, and security. Then the company’s existing profile should be compared with an optimal level of resilience — a “to be” state — in each of these operations.

The firm’s current risk mitigation plans, procedures, and costs, including business continuity and security programs, are examined in this phase. The intent is to determine how the current programs and the spending on them align with the earnings drivers identified in phase one. Both explicit and implicit risk mitigation spending must be baselined. Such spending includes costs associated with known security, business continuity, and disaster recovery programs, as well as costs associated with security, continuity, and recovery that are buried in budgets for departments or functions, such as IT or marketing. War-gaming is a particularly useful exercise in doing such advanced resilience profiling. (See “War-Gaming and Resilience Planning.”)

War-Gaming and Resilience Planning

Frequently conducted in conjunction with an enterprise resilience audit, war-gaming is an effective tool for understanding a company’s or an industry’s resilience posture. These strategic simulations use mock crises to gauge how well executives and staff are prepared to face serious business discontinuities.

The most effective war games occur over two days and involve a series of crisis simulations in which critical components of a company’s or an industry’s resilience are tested with players from different, yet related, stakeholder groups. Through a real-time simulation — with one group making a move, and others responding, action A vital part of this phase is the development of an “interdependency map” to identify interdependence risks across the extended enterprise — hazards to earnings drivers that may result from unanticipated regulatory action, changes in supplier relationships, problems at clients, or other externalities. The baselining exercise also seeks to understand how market trends and corporate strategies will influence earnings drivers in the future. For example, a consumer goods manufacturer might discover that the business unit managing logistics between the factory and retailers for the company’s flagship Product A is unaware of a new distribution chain developed Such profiling and baselining helps identify gaps between existing risk mitigation programs and identifiable needs, allowing management to visualize at a glance weaknesses and strengths in the firm’s current risk exposure and resilience posture. This impact analysis can identify areas for new investment and disinvestment. For example, a major retailer with state-of-the-art just-in-time inventory systems that require continual data inflows to determine how to stock shelves could be financially crippled if a disruption were to temporarily shut down its network grid.

Step Three: Resilience Strategy. The final phase of an enterprise resilience audit aims to develop a new resilience program based on the analyses of the firm’s earnings-related risk mitigation needs. The most critical gaps between existing risk management programs and the to-be profile are isolated. After the financial commitment needed to close these gaps is determined, a cost-benefit analysis helps rationalize investment needs, finding the optimal balance among components of the risk mitigation effort.

The cost assessment examines business resilience from three perspectives: people, operations (process and technology), and interdependencies. As an example, an established meat products company might learn that, overall, it has well-protected supply and distribution networks, moderate operations risk thanks to mature crisis and disaster management plans, but weak personnel security because its hiring and management procedures at international subsidiaries are inadequate. On the basis of this evaluation, the company could decide to reduce resources earmarked for disaster management and network oversight and redirect them to improve its recruitment, training, and inspection practices. Otherwise, it increases the risk that a devastating incident will occur (e.g., poor inspection practices could allow tainted meat to reach consumers and cause them to become ill).

After setting the gap-closing priorities and developing the full risk mitigation strategy, the executive team should agree on a migration path and gain the board’s agreement on a timetable for the institution of near-term and longer-term resilience goals. Over time, enhanced business intelligence and information sharing should be developed to promote greater situational awareness.

Risk Is Reality
We believe that companies need to adopt a more integrated approach to risk management — one that links business strategy to enterprise resilience and business continuity planning. Using diagnostic tools, war-gaming, and decision-support capabilities, companies can establish a more effective, continuous, and consistent methodology for protecting the enterprise from internal and external risks.

The establishment of enterprise resilience should involve not only those routinely responsible for risk management and security, such as the CFO, CIO, and chief security officer, but also the CEO, the business unit general managers, the board of directors, and the board’s audit committee. With their collaboration, a new risk management approach can be developed to provide a steady stream of information to the organization’s top decision makers about the vulnerability of earnings drivers. Done this way, ER planning will improve corporate governance and enhance decision making within a company.


Businesses have always faced risks, but recent events have provided dramatic evidence that, in today’s economy, risk is reality. Not all risks can be anticipated, but they can be managed, by senior executives, boards, and stakeholders working together to create a resilient enterprise. Stakeholder expectations are higher than ever, and enterprises that are more resilient will experience more rewards — from increased customer and partner loyalty to the realization of premiums for improved earnings consistency.