FOREWORD

With increasing globalisation and economic interconnectivity has come increased risk for businesses. It is through these interconnected pathways that risk to organisations can accumulate, propagate, and potentially culminate in a much greater scale of effects. What would previously have been isolated risk events can now have an impact far beyond their immediate confines, extending across geographical areas, national borders, and continents.

Over the last decade we have also witnessed developing interest in the concept of organisational resilience as a means of successfully navigating an increasingly complex risk landscape. For many, though, it remains a nascent and sometimes poorly understood idea; for relatively few it has evolved into an all-encompassing approach spanning all business functions and extending to supply chains and other third-party providers. At Control Risks we define resilience as the ability of an organisation to assess, anticipate, mitigate, and recover from disruptive events. This in turn helps drive stakeholder value.

In summer 2015 we conducted a global resilience survey across our client base and wider contacts in order to gain a better understanding of the degree to which the concept of resilience has gained currency and become embedded within organisations. We sought to address issues such as how companies monitor and analyse the risk landscape, organisational risk governance, and the gap between theoretical understanding and practical application. The findings from the survey are discussed and analysed in this report and provide a comprehensive view of the state of resilience in respondent organisations.
The success of an organisation is intrinsically linked to its ability to identify and successfully manage risk. With an increasing focus on resilience in the market, this survey examines the range of understanding and capability within organisations to identify, interpret, and prioritise threat and risk, as well as the organisation’s ability to develop adaptive strategies and its capacity for managing risks. It is clear that resilience, and initiatives to support it, are increasingly on the corporate agenda. There are, however, a significant number of organisations that continue to experience disruption, implying that risk forecasting and preparation are inadequate. Risk information appears to be poorly communicated within organisations, thereby limiting the ability to build resilience to disruptive events.

KEY FINDINGS

• The gap between monitoring and effective analysis. Many organisations are proactive in risk monitoring, but 86% of respondents still experienced some form of disruption in the last five years. This highlights the disconnect between the identification of risks and the timely adjustment of risk mitigation strategies to reflect changes in the operating environment.
• The importance of top-level responsibility. 60% of all respondents indicated that potentially the most disruptive internal challenge facing their organisation was the ability to anticipate change and adapt quickly. To build sufficient adaptability, resilience should be driven from the executive and embedded across the organisation.
• The role of business continuity and crisis management. The majority of respondents (78%) exercise crisis management or contingency plans on an annual basis, with nearly 20% conducting quarterly exercises. However, the frequency and impact of disruptive events indicate that either lessons are not being identified and learnt through training, or that risk forecasting is leading organisations to prepare for low-likelihood, low-impact events whilst remaining unprepared for higher-likelihood, higher-impact events.
• The impact of political instability. 62% of respondents indicated that they were concerned about both direct political risks to their business and the impact of political instability on the broader security environment. Respondents rated political and security instability considerably higher than macroeconomic volatility.
• The importance of third-party management. Whether it is about being a “third party” or managing their own suppliers and providers, resilience is rarely on the agenda when discussing projects and contracts, with 35% of respondents having never reviewed the business continuity plans of key service providers.
THE STATE OF ENTERPRISE RESILIENCE
1. TRANSLATING THE THREAT: THE IMPORTANT “SO WHAT?” ANALYSIS

68% of respondents state that their organisation monitors and analyses risks, conducting forecasts for up to five years ahead. However, disruptive events continue to have a significant impact on business performance. Although the majority of companies are committing resources to monitoring incidents and trends, the survey appears to show a disconnect between that monitoring and analysis and the timely adjustment of risk mitigation strategies to reflect changes in the operating environment. The survey results underline this as follows: 86% of respondents experienced some form of disruption in the last five years; 28% experienced more than seven disruptive events in this period; and the impact of these events has been significant, with 37% of respondents facing events with an average financial loss in excess of £1m.

The survey results imply that organisations should address the question of when, not if, a disruptive event will take place. Whilst the majority of respondents rated themselves as capable of responding to an event, their apparent ability to capture risk and forecast is limited. Respondents stated that they monitor threats to their organisation long in advance, but the evidence from this survey indicates that they are either not monitoring for the most relevant threats or are being provided with inadequate analysis that is unsuitable for planning and preparing robust contingency options. Organisations should examine specific threat events which may result in direct disruption to business activities, including political, economic, social, technological (including cyber-crime), legislative and compliance, and environmental factors which may impact on organisational resilience.

Organisational risk monitoring - To what point in the future are risks monitored and analysed within your organisation?
1 month ahead / 3 months ahead: 10.6% and 6.1% (the extracted chart does not preserve which of the two values belongs to which horizon)
6 months ahead: 15.2%
12 months ahead: 34.8%
2 years ahead: 12.1%
5+ years ahead: 21.2%
(The 12-month, 2-year and 5+ year responses together account for the 68% cited above.)

Organisational capability to respond to disruptive events - How would you rate the capability and experience within your organisation to manage disruptive events? (1 = insufficient; 5 = highly capable)
1: 7%
2: 9%
3: 28%
4: 42%
5: 14%

RESILIENCE SURVEY 2015

Many risks are interrelated and can often be the driver behind political instability and a change in the security environment. These may prove to be either positive opportunities or negative business risks and should be considered accordingly.

2. THE IMPACT OF POLITICAL INSTABILITY

62% of respondents indicated that they were concerned about both direct political risks to their business and the impact of political instability on the broader security environment. Respondents rated political and security instability considerably higher than macroeconomic volatility. In our view this underlines two trends: respondents are increasingly aware of the interconnected nature of risk, and they acknowledge the significant impact of political instability on the wider operating environment. Organisations are increasingly seeking to avoid instability in the macro environment resulting from political gridlock, extremism, and political dysfunction, as this will have an impact on everything from profits and operations to the working conditions of employees. Organisations should be prepared to manage both the local and international outcomes of political legislation that can affect the relationship between the firm and its customers, its suppliers, and other firms.

FACTORS TO MONITOR AND ANALYSE

Most disruptive external threats - What do you consider to be the most disruptive external threats to your organisation’s business over the next 5-10 years?
Threat categories surveyed: political and security instability; transport disruption; loss of utilities (power/water etc.); pressure group protest; outsource service failure; loss of telecommunications; changes in the labour market; currency volatility; regulatory change; changing competitive landscape; security/terrorism incident; macroeconomic uncertainty; changing market dynamics; supply chain disruption; impact of natural hazards. Political and security instability was the most frequently selected threat (62.1%); the extracted chart does not preserve the pairing of the remaining percentages with their categories.

Factor categories shown alongside the threats: Political; Legislative; Compliance; Environmental; Economic; Social; Technological (including cyber risks).

Organisations should identify relevant political threats and then continuously analyse the trends that underlie these threats, with an appreciation and understanding that threat categories are usually interconnected. A number of political risk indices give an indication of the risk exposure an organisation faces in particular countries and may act as a useful guide.

3. GOVERNANCE AND OWNERSHIP: THE IMPORTANCE OF SENIOR LEVEL RESPONSIBILITY

Organisations should be clear about who is responsible and accountable for risk management, including risk reporting, monitoring, and ownership. All functions within an organisation should remain sufficiently flexible and adaptable to respond to disruptive events. There was little agreement amongst respondents on which function should lead resilience programmes: 37% of respondents considered business resilience planning a function of risk management, and 22% stated that the security department is directly responsible for it. Regardless of which department takes the lead on resilience, there was unanimous agreement that responsibility for resilience should be driven from the executive. Resilience requires buy-in at the executive level.
BS65000 specifically states that the governing body and senior management are jointly and ultimately accountable for ensuring that an appropriate level of resilience is achieved by the organisation alongside other desirable outcomes such as profitability, service delivery, quality, and compliance. Indeed, where necessary, it is their obligation to define the balance of such outcomes. Supporting standards such as BS16000 Security Management Strategic and Operational Guidance and ISO22301 Business Continuity Management Systems, in conjunction with other industry and compliance standards, should be used when planning at an operational level: roles, responsibilities, accountability, and ownership should be clearly defined.

4. THE ROLE OF BUSINESS CONTINUITY AND CRISIS MANAGEMENT

89% of respondents consider resilience as either key to maintaining continuity of operations or providing sufficient adaptive capacity to respond to market conditions and business demands. BS65000 guidance on organisational resilience defines resilience as a holistic activity which considers the ability of an organisation to anticipate, prepare for, and respond and adapt to incremental change and sudden disruption in order to survive and prosper. Organisations should continue to focus on the capacity and capability to respond effectively to disruptive events. The majority of respondents (78%) exercise crisis management or contingency plans on an annual basis, with nearly 20% conducting quarterly exercises.

Business functions with responsibility for resilience - Which function within your organisation is primarily responsible for business resilience planning?
Risk Management: 37.5%
Security department: 22.2%
Business Continuity, Operations, Finance, HR and IT department: 23.6%, 13.9%, 2.8%, 0% and 0% between them (the extracted chart does not preserve which value belongs to which function)

Frequency of testing crisis management and contingency plans - How frequently are your Crisis Management Plans or Contingency Plans exercised and validated?
Annually: 77.8%
Quarterly: 18.5%
Monthly: 3.7%

However, the frequency and impact of disruptive events indicate that either lessons are not being identified and learnt or, as suggested previously, risk forecasting is leading organisations to prepare for, and build capability for managing, low-likelihood, low-impact events. Organisations should review the link between the risk assessment process and the definition of exercise objectives to ensure that capability is being developed appropriately.

5. THE IMPORTANCE OF THIRD-PARTY MANAGEMENT

70% of respondents have never been asked, or are rarely asked, for information on their own resilience planning. Many organisations will seek to understand third-party resilience simply through the review of business continuity plans at the procurement or contract negotiation stage; whilst this will not provide an in-depth analysis of an organisation’s resilience, it does provide some assurance that continuity of operations is being addressed. Alarmingly, however, 35% have never reviewed the business continuity plans of key service providers. This is in spite of the fact that 54% of respondents consider the most disruptive external threats to their organisations to be events including loss of utilities, supply chain disruption, outsource failure, and loss of communications. Disruption in the supply chain could result in failure to meet service level agreements with business partners, inability to meet customer demand, or the high cost of transferring production or distribution to a third party. All of this can have a significant reputational impact resulting in the loss of client base and, potentially, a loss of market share, which are directly linked to reduced revenue and shareholder value; both are significant concerns of over 84% of respondents.
Organisational priorities should be defined to support resilience and inform operational activities with partners and suppliers. Organisations should consider integrating risk management activities and operational disciplines, thereby ensuring that knowledge is actively shared across internal organisational boundaries. This will ensure that risks and opportunities are addressed coherently by all parts of the organisation and externally with supply chain partners. Using an effective risk management methodology such as ISO31000 to identify risk, and managing those risks using recognised standards such as BS65000, will enable an organisation to satisfy itself that its relationships with partners, outsourcers, suppliers, and other key stakeholders are sufficiently resilient.

Impacts of most concern to business - Which impact would be of most concern to your business?
Reputational damage: 72.7%
Loss of public trust: 51.5%
Reduced revenue: 50.0%
Loss of customers/clients: 47.0%
Staff loss of confidence in your ability to manage a disruptive event: 45.5%
Loss of new business opportunities: 37.9%
Reduced shareholder value: 34.8%
Increased media scrutiny: 28.8%

The threat from political and security events has encouraged clients from all sectors to consider the specific threats to their operations and identify areas in which they may be vulnerable. It is clear that many organisations are focused on the need to become more resilient, but the implementation of supporting strategies and tactics is currently lagging. There is widespread recognition that building resilience requires organisation-wide action. It is only through continued engagement with senior leadership that the appropriate capacity, capability, plans, and controls can be put in place to reduce organisational risk exposure to disruptive events.
In spite of the fact that most organisations take the issue of resilience seriously, there are important gaps in planning and management. A majority of respondents rated themselves as effective at updating and testing their existing plans, but organisations should consider whether they are building capability and experience to respond to the right scenarios. Organisations should continue to focus on being adaptive and responsive to changing threats. The potential for loss resulting from a failure to protect and prepare an organisation, in terms of damage to assets, lost revenue, and tarnished reputation, is significant.

KEY RECOMMENDATIONS

The top five key recommendations from the survey are as follows:
1. Organisations should look not only at specific threat events which may result in direct disruption to business activity, but should also consider political, economic, social, technological (including cyber-crime), legislative and compliance, and environmental factors which may impact on organisational resilience.
2. Organisations should clearly define who is responsible and accountable for risk management, including risk reporting, monitoring, and ownership.
3. Organisations should build and maintain capacity and capability to respond effectively to disruptive events.
4. Organisational priorities should be defined to support resilience and inform operational activity with partners and suppliers.
5. Organisations should consider integrating risk management activities and operational disciplines, thereby ensuring that knowledge is actively shared across internal organisational boundaries.
ABOUT THE SURVEY
With an increasing focus on the development of resilience, this global survey was commissioned to gauge opinion on what resilience means for our clients and how it is currently viewed across our contact base. The survey, conducted between June and August 2015, took the opinions of 83 respondents into account. While there was a geographical focus on Europe, we had respondents from across the globe, representing all major industries. The survey was sent out to many of Control Risks’ clients. We also received considerable interest via our social media channels, which led to a wide range of job functions being represented.