Building and sustaining a resilient business is a commercial imperative.
Your business immune system is what protects your business from illness – if it’s in good shape and something strikes, you are ready to respond.
Organisations that have a developed immune system are more capable of tackling challenges, such as Covid-19, and bounce back more quickly. These organisations also learn from the challenges faced, in order to adapt and be better prepared for the next one.
Successful business resilience initiatives require an approach that is broader than traditional business continuity planning, and permeates across people, processes and operations, technology, physical assets and financial areas of the business. These are all underpinned by the business strategy and culture set by the business owner/management.
To be prepared, businesses need to:
- Understand and prioritise their most important assets, along with potential threats to those assets.
- Assess and address any gaps in their controls to manage the potential threats.
- Have a plan that is:
  * tailored to their business risks
  * practical and adaptive
  * well understood
  * revised for lessons learnt.
Highly resilient organisations have some common characteristics, being:
- Prepared for uncertainty through identifying and responding to change.
- Focused on protecting what’s important (customers, people, assets).
- Having processes in place to manage risk.
- Using resilience to create and exploit opportunities.
- Avoiding remediation by getting it right the first time.
- Monitoring key risk indicators and performance at the same time.
- Building trust with customers, staff and suppliers.
Building trust is particularly important as this provides your business’s social licence and reputation. Those businesses that looked after their staff during the Covid-19 lockdowns are now seeing the benefits, whereas those that did the bare minimum, or let staff go without a corresponding impact on business performance, have faced public scrutiny.
Disruptive events that may put an organisation’s resilience at risk can occur in one, or across a number, of the operating model components described earlier.
Often, in today’s business environment, these events stem from a technology/cyber risk and have wider implications. For example:
- A ransomware attack impacted the operations of a food and beverage company. Its insurance claim was denied, with the insurer stating the attack was excluded from coverage.
- A similar ransomware attack on a transport/logistics company forced it to reinstall all its servers and PC workstations, creating major business disruptions.
- Smoke in a data centre caused an extended outage for a business, preventing customers from transacting with the business. It was the second outage within a month and customers vented on social media, leading to brand reputation damage.
Current disruptions to businesses include ongoing supply chain delays that are restricting supplies of stock, spare parts and raw materials, and causing delays for exporters. These are resulting in increased costs and potential reputation impacts.
While the expectation of no disruptive events is unreasonable, when the inevitable disruption occurs, the resilient business can immediately put its plan into operation, so that the impact is managed and minimised.
Common roadblocks to becoming more resilient that we see in organisations include:
- Fragmented and incomplete views of information as it is spread over multiple systems.
- Vulnerabilities in third party systems and operations.
- Lack of budget to support proper resilience investment.
- Thinking of resilience as a point-in-time project.
- Lack of balance sheet strength.
To succeed, business leaders must drive resilience in an integrated manner, so that resilience becomes part of the organisation’s DNA and culture – this way everyone will own their resilience actions.
While it’s possible to survive in the short term, business resilience is a fundamental pre-requisite for success over the longer term.
The comments in this article are of a general nature and should not be relied on for specific cases. Taxpayers should seek specific advice.