Why Organizations Need to Measure Resilience
The events of the past few years demonstrate how important it is for companies to be resilient. The operational disruption and general economic turmoil of the pandemic, geopolitical risks caused by Russia’s invasion of Ukraine, the Israel-Hamas war, and the West’s escalating tensions with China, energy insecurity, and the growing frequency of natural disasters caused by climate change all highlight the need for organizations to prioritize contingency planning and business continuity.
However, there may be a mismatch between the importance organizations place on resiliency and the steps they actually take to be resilient. A recent SAS survey of senior executives uncovered a “resiliency gap,” with 97% of executives saying they believe resilience is important, but just 47% perceiving their company as resilient. Only a quarter of companies surveyed were regarded as “highly resilient.”
At the same time, companies are under growing pressure from regulators, investors and other stakeholders to disclose what steps they are taking to improve their resilience and provide assurance that they can continue to deliver goods and services despite global and local challenges. As a result, risk professionals need to determine the best ways to assess and report on their organization’s level of resilience in the face of risk, including identifying the metrics that can most effectively tell their story and assure constituents that the business is prepared for the risks it may face.
The Value of Resilience Reporting
There are a number of globally-recognized voluntary standards for measuring and reporting resilience. For example, ISO 22301:2019 relates to security and resilience for business continuity management systems; ISO 27001:2017 is for information resilience; and ISO 22316:2017 provides guidance to enhance organizational resilience for any size or type of organization. Additionally, the U.S. National Institute of Standards and Technology (NIST) developed a framework that helps organizations manage and reduce cybersecurity risks and improve IT resiliency, while also fostering effective communication about cybersecurity within the organization and with external stakeholders.
Similarly, the COSO Framework, provided by the Committee of Sponsoring Organizations of the Treadway Commission, helps demonstrate operational resilience by evaluating internal controls and ensuring financial reporting integrity. For financial institutions, the Financial Stability Board’s (FSB) Guidelines on Operational Resilience are specifically designed to enhance the ability of financial services firms to withstand and recover from severe operational disruptions by focusing on maintaining critical functions under duress.
While useful as a starting point, experts warn such standards may have limited use overall. “Formal certification with industry standards will not guarantee a 100% assurance of resilience,” said Steve Richardson, chief resilience innovation officer at software firm Fusion Risk Management.
However, better and deeper disclosure around resilience measures remains important. “Reporting against resilience postures is an opportunity to evangelize the organization’s continued investment in protecting the trust of its customers and stakeholders in that the organization is prepared to address unexpected disruption, has identified key risks and vulnerabilities to the delivery of important products and services, and is executing on remediation plans,” Richardson said.
He added that reporting progress regarding resilience initiatives can also highlight opportunities for value creation—such as how quickly the organization can expand into new markets and geographies—as well as identify changes in operational efficiency to improve customer experiences.
“Current and future customers are expecting more and more from their providers regarding resiliency and risk reduction measures,” Richardson said. “Therefore, providers are experiencing increased levels of scrutiny and diligence from customers regarding their risk and resilience capabilities. Formal reporting can create differentiation opportunities in the market as customers evaluate competitors’ approaches and investments in risk and resilience. As a result, organizations should consistently review their programs to ensure alignment with evolving best practices to bolster their narrative and credibility regarding risk and resilience management.”
Stuart Swindell, third party risk and compliance strategy director at business data firm Dun & Bradstreet, agreed that reporting risks publicly “is an essential part of creating a strong and healthy business ecosystem that is compliant with regulations and mitigates potential threats to operations.” However, reporting on resiliency is patchy, he said, because even though many companies may adhere to ISO standards or similar guidance, there is currently little or no requirement to report on their resilience or the individual risks facing their organizations in the short-, medium- or long-term.
This is slowly changing, however. “The reporting of ESG risks and considerations is rapidly becoming a formalized process in many countries, which may pave the way for other resilience-based reporting criteria in the future,” he said. “However, these criteria will likely differ from ISO standards, which are binary—your business is either compliant or not.”
Swindell believes that, fundamentally, all businesses should strive to report on their risks and their resilience to them, regardless of whether such a duty is enforced by a government body. “By developing a comprehensive understanding of your business’ risks, you will create a resilient operating environment. And while there will inevitably be risks that occur that have not been planned for, by putting in place best practices and a data-led understanding of the business, even unexpected risks will be somewhat mitigated,” he said.
“Ultimately, those companies that are well run will continue to be well run, and they will continue to maintain a good level of governance regardless of whether reporting standards or other criteria change,” Swindell said. “For those businesses that struggle, however, it is crucial that they come to grips with their data estates and develop a comprehensive view of their supply chains. This will go a long way to adhering to existing ISO standards and, eventually, toward understanding their own resilience.”
Measuring Resilience Effectively
Some experts believe that industry standards may only signify compliance rather than providing a “real” view of a company’s level of resilience, so organizations should instead use a range of other tangible metrics.
Bassem Mostafa, lead market analyst and owner of business consultancy Globemonitor, said companies are increasingly looking at how well they manage business continuity as a way of measuring and reporting their resilience. For example, organizations are tracking their recovery time objective (RTO) and recovery point objective (RPO), which measure the time taken to resume operations and the amount of data loss tolerated during a disruption, respectively. They are also conducting regular stress-testing simulations to assess how they would perform under various crisis scenarios, helping identify vulnerabilities and areas for improvement.
Mostafa said risk professionals can play a “pivotal role” in an organization’s resilience efforts, particularly because they are central to identifying what resources are necessary to ensure business continuity and business recovery; how plans should be tested, assessed and updated; and how the resulting strategies should be put into action. Furthermore, risk professionals are central to the process of integrating resilience into the corporate culture. This is because they are often tasked with promoting awareness about resilience across the organization and ensuring that employees at all levels understand their roles in maintaining and enhancing resilience.
“In reporting on resilience, risk managers contribute valuable insights and data,” Mostafa said. “They often lead the process of compiling and analyzing resilience metrics, ensuring that the reports are comprehensive, accurate and reflective of the organization’s true state of resilience. In addition, they are involved in continuous monitoring and improvement of resilience strategies. They keep abreast of new developments, best practices and evolving threats, adjusting the organization’s approach to resilience as necessary.”
Some other experts believe a company’s financial metrics may be a good indicator of resilience. “Industry standards like debt ratios and cash flow are useful,” said Michael Ashley Schulman, partner and chief investment officer at U.S.-based professional services firm Running Point Capital Advisors. “However, they must be looked at not only on an absolute basis, but also relative to industry peers and norms. Some industries, especially those with better cash flow, tend to operate at higher debt levels, for example.”
According to Schulman, some of the key metrics stakeholders should consider are low debt-to-equity ratios, because this indicates a healthier financial structure and allows the company more flexibility during challenging times, or strong and consistent positive cash flow as this may reflect an ability to meet short-term obligations and invest in future growth. Companies in sectors like retail and hospitality are already reporting more on their liquidity positions, cash reserves and debt structures, reflecting an increased focus on financial stability.
He added that it is just as important to understand operational resilience as “maintaining operations during and after a disruption is critical for any company in any location.” Operational resilience can be measured in several ways: by tracking the time it takes to recover from an outage; the percentage of critical systems that remain operational during a disruption; and the number of disruptions that occur over a given time period. It can also be measured through research and development spending and investment in innovation because such expenditures indicate a company’s commitment to staying competitive and adapting to changing market demands.
However, Schulman cautioned against assessing future risk by looking for lessons from previous disruptive or catastrophic events. “Companies may claim resilience to ‘once-in-a-hundred-year’ weather events, but when analyzing risk, that kind of historical perspective may be worthless in an era of global climate change that alters temperature, wind, rain and flood patterns,” he said. “One has to dive deeper into corporate flexibility, redundancies and hardiness to understand operational and financial resilience to glean something meaningful. The common standard deviation graphs of risk make me laugh. I can think of innumerable situational and institutional risks that do not fit a neat standard deviation. Either everything is fine, or something blows up.”
Nicholas Tate, owner of U.K. legal services website Injury Claims, also believes showcasing resilience through operational metrics is an effective method. A focus on adaptability, scalability and efficiency can highlight a company’s ability to pivot in response to market shifts, while metrics such as supply chain flexibility, time to market for new products or services, and the ability to swiftly adjust to changing customer demands can underscore a company’s resilience in the face of unforeseen circumstances.
Employee satisfaction and retention rates are also critical metrics as a motivated and stable workforce contributes significantly to a company’s ability to navigate challenges and sustain long-term success. Some industries may also prioritize some metrics over others. In the tech sector, for instance, placing a premium on digital security and data integrity is crucial, while supply chain resilience might take precedence in sectors such as manufacturing. “By consistently monitoring and improving these metrics, businesses can provide tangible evidence of their resilience and capacity for sustained growth,” Tate said.
According to Erik Pham, CEO and founder of online wellness publication Health Canal, there are three key measures that companies should consider when trying to report their resilience in non-financial areas: 1) metrics relating to talent retention and growth; 2) metrics for supply chain management; and 3) metrics for environmental risk resilience.
Pham said high employee retention rates and a focus on talent growth indicate a positive, robust and resilient workplace, so companies should measure the percentage of employees who stay with the company over a defined period. He also recommended tracking the investment in employee development programs and training initiatives because a commitment to continuous learning contributes to a skilled and adaptable workforce. Additionally, companies should more readily disclose their succession plans as these will show the organization’s readiness to navigate changes in leadership, as well as show the measures in place to ensure a smooth transition during unexpected leadership shifts.
Maintaining a resilient and efficient supply chain is also critical for organizations, said Pham, so companies should assess and provide details about the level of concentration/diversification among suppliers, as well as measure the efficiency of inventory management and the lead time required to restock since a nimble supply chain can adapt to fluctuations in demand and supply.
Finally, environmental resilience “encompasses a company’s ability to adapt and thrive in the face of environmental challenges, including climate change and sustainability concerns.” In terms of measuring such resilience, relevant metrics could include: tracking initiatives to reduce the company’s carbon footprint through energy-efficient practices, sustainable sourcing and responsible waste management; assessing the organization’s commitment to environmental sustainability through certifications such as ISO 14001 or other industry-specific standards; and measuring the company’s ability to adapt and stay compliant with evolving environmental regulations and best practices.
A Question of Survival
While the case for companies to invest in better resilience risk management may be obvious, some experts believe the case for better disclosure around how resiliency is assessed and measured is equally compelling. Stakeholders and regulators increasingly want greater assurance that the companies they do business with can withstand serious shocks, and that they have a plan to quickly and fully get back up and running. Some also believe that better, deeper disclosure using a variety of metrics will give them a competitive advantage in the long-term as better-run companies tend to have better survival rates.
“Resiliency is not just about the chance that something breaks, but also the dynamic capacity for a system to self-repair in response to change or intrusion,” Schulman said. “Resilient firms should pull through difficult periods even stronger and, in doing so, enhance their trust with customers and community.”
Reprinted with permission from Risk Management Magazine. Copyright Risk and Insurance Management Society, Inc. All rights reserved.
Written by Neil Hodge, 2024
Source: https://www.rmmagazine.com/articles/article//2024/07/09/why-organizations-need-to-measure-resilience