Prepare. - U.S. Resilience Project


Enterprise Resilience
Prepare.
Why Enterprise Resilience Matters

EDITED BY Debbie van Opstal, Senior Vice President, Policy and Programs, Council on Competitiveness

This publication may not be reproduced, in whole or in part, in any form beyond copying permitted by sections 107 and 108 of the U.S. copyright law and excerpts by reviewers for the public press, without written permission from the publishers.

The Council on Competitiveness is a nonprofit, 501 (c) (3) organization as recognized by the U.S. Internal Revenue Service. The Council’s activities are funded by contributions from its members, foundations, and project contributions. To learn more about the Council on Competitiveness, visit us at www.compete.org.

COPYRIGHT 2010 Council on Competitiveness
DESIGN Soulellis Studio


Council on Competitiveness Enterprise Resilience

Table of Contents

Foreword by Deborah L. Wince-Smith
Agenda
Workshop Summary
  Words Matter: Defining a Common Vocabulary
  Numbers Matter: Metrics for Resilience
  Actions Matter: Incentives for Resilience
Briefing Materials
  Warning: Turbulence Ahead
  Capturing Value from Risk Intelligence and Resilience
  Implementing Risk Intelligence
  Reaching for Resilience
  Roles for Governance
  Recommendations for Risk Intelligence and Resilience
About the Council on Competitiveness

Foreword by Deborah L. Wince-Smith

These first years of the 21st century are best described by three Ts: transition, turbulence and transformation. Rapid globalization is altering our world in fundamental ways, and we are more connected and more interdependent than ever before. Risks are magnified in an environment in which disruptions cascade across networks and borders. What happens anywhere can have profound effects everywhere.

Countries, communities and companies face what professor Anthony Giddens called the new “riskiness to risk.” The impact of point failures, whether triggered by attack or accident, can reverberate quickly across networks—and failure to anticipate and adapt to turbulence can cascade into a “bet the company” mistake. An Economist Intelligence Unit survey found that one in five companies suffered significant damage from risk failures. Yet, only 25 percent of companies set regular risk targets for managers, and less than one-third provide risk management training. Some companies remain in the dark about the risks they face. Nearly half of the respondents to a Deloitte survey stated that their company’s non-financial reporting measures were ineffective or highly ineffective in shaping the decision-making process.

Prepare represents the thought leadership of a group of C-suite executives and resilience experts who met for a day and a half at a Risk Intelligence and Resilience Workshop in Wilmington, Delaware. It was initially developed as a briefing book for workshop participants on seminal research and recommendations in the fields. It now includes the summary of their discussions representing the insights of those participants, who collectively represent over a millennium of risk management experience.

A key conclusion: The next new revolution in business will be in risk management and resilience. Just as we built integrated quality and safety management systems, so we must now build integrated risk management systems. Enterprise resilience is an approach to risk management that anticipates disruptions, better ensures recovery and protects business profitability. Risk-intelligent organizations elevate resiliency to a board-level concern and bake it into the DNA of their enterprise with powerful processes, well-trained people and robust systems. Their goal is to be proactive and adaptive in response to disruptions, whatever form they take. Resiliency goes beyond minimizing losses to include preserving shareholder value, finding competitive advantage in the ability to manage risk well and growing the top line.

For countries, resilience has replaced the three Gs—guards, gates and guns—as the national strategy. Our work has inspired the government to focus on resilience instead of protection, with the creation of a Resilience Directorate in the National Security Council. We see the need for continuing dialogue between the public and private sectors that leverages resilience to meet multiple goals of national security, homeland security, energy security and economic competitiveness.

I would like to thank James H. Quigley, CEO of Deloitte, and John Swainson, former CEO of CA Inc., for their sponsorship of this opportunity to understand how different risk functions link to each other and to strategic planning, and what CEOs and boards need to know about risk management. Mark Layton, vice chairman of Deloitte; Vikram Mahidhar, director of operations of Deloitte Research; and Margaret Brooks, vice president at CA Inc.; provided advice and insights on an ongoing basis. At the Council, senior vice president Debra van Opstal ably led the Council team, with the help of David Padgham, Mildred Porter and Michael Ruthenberg-Marshall.

Deborah L. Wince-Smith
President and CEO
Council on Competitiveness

Agenda

October 30, 2009

12:00 Welcome and Introductions
Lunch

12:30 Setting the Global Stage
Warning! Turbulence Ahead: Strategic Risks
Erik Peterson
Director, Global Strategy Institute
Center for Strategic and International Studies

1:30
Paper Presentation
Erica Seville
University of Canterbury, New Zealand
The Risk-Intelligent Enterprise
Commentators
Mary Herbst
Director of Business Resiliency, Carlson Hotels
Rick Funston
Principal and National Practice Leader for Governance and Risk Oversight
Deloitte & Touche, LLP

2:15
2:45
What Risk Executives Think: Survey Results
Anne Larsen
Advisor, Corporate Responsibility, Novo Nordisk A/S
Vikram Mahidhar
Senior Manager, Deloitte Research
Deloitte & Touche, LLP
Darren Mulholland
Senior Vice President, Operations and Technology, NASDAQ

Session 1
Words Matter: Defining Risk Intelligence and Resilience
Creating a Common Lingo. The terms risk intelligence and resilience actually mean different things to different people—spanning a spectrum from disaster management preparations to fences and firewalls; from business continuity to competitive advantage. Words matter—and we need to create a common language of risk.
Goal: The overall goal is not so much to achieve perfect definitions of “resilience” and “risk intelligence” as it is to get insights from the participants on how they operationalize these objectives in their own organizations.

3:45 Breakout Sessions: Defining the Desired State

5:00 Reports from the Breakouts: Defining Risk Intelligence & Resilience

5:30 Break

6:00 Reception

Breakout 1

6:30 Dinner
Bob Moore
Vice President, Global Security Group, HP

7:30 Evening Discussion: What should managers and directors be asking about risk?

Co-Chairs for Breakout and Reports:
Carl Gibson
Director, Risk Management Unit, Latrobe University, Australia
Moderator
Deborah L. Wince-Smith
President, Council on Competitiveness
Director, NASDAQ

Breakout 2
Joe Petro
Managing Director, Citigroup
Tom O’Neill
Principal, Sandler O’Neill
Chair, Audit Committee, ADM
Joseph Fiksel
Executive Director, Center for Resilience
Ohio State University
Larry Rittenberg
Chairman of COSO
Ernst & Young Professor of Accounting & Information Systems
University of Wisconsin

Breakout 3
Jim Porter
Vice President and Chief Engineer
DuPont (ret.)
Mark Layton
Global Leader, Enterprise Risk Services and Vice Chairman, Audit
Deloitte & Touche, LLP
Bob Flynn
Vice President, Travelers

Breakout 4
Ken Senser
Senior Vice President
Global Security, Wal-Mart, Inc.
Branko Terzic
Senior Energy Consultant, Deloitte
The Honorable Roy Ferguson
New Zealand Ambassador

9:30 Adjourn

October 31, 2009

7:30 Networking Breakfast
John O’Connor
Director of Supply Chain Risk Management
Cisco Systems, Inc.

8:30 A CEO’s Perspective on Risk
Conversation with Charles O. Holliday, Jr., CEO, DuPont
Pat Gnazzo
Senior Vice President, U.S. Public Sector Business, CA Inc.

9:00 Session 2
Numbers Matter: Metrics for Risk Intelligence and Resilience
Developing a Dashboard: Once a common language of risk is developed, metrics are needed that cross risks and functions to accurately assess enterprise risk—existing as well as emerging risks — or determine whether management objectives have been achieved.
Goal: The goal is to identify measures of risk that are meaningful to management, comparable across risk management functions, and explicitly tied to enterprise objectives and performance.
Paper Presentation
Brian Ballou/Dan Heitger
Co-Directors, Center for Business Excellence
Miami University of Ohio
Commentators
Spiros Dimolitsas
Senior Vice President, Georgetown University

10:00 Breakout Sessions
Measuring Risk Intelligence and Resilience

11:30 Reports from Breakout Groups

Co-chairs for Breakouts/Reports:

Breakout 1
Bobbi Bailey
Vice President, Global Network Operations
Jane Carlin
Global Head of Operational Risk, BCP, and Information Security, Morgan Stanley

Breakout 2
Steven Trevino
Managing Director
Resilient Civilization Initiative
Chris McIlroy
Director, Infrastructure Protection & Resiliency Division, SRA International, Inc.

Breakout 3
Judith Cardenas
CEO, Center for Performance and Accountability; and Vice President, University Center, Lansing Community College

Goal: To identify how the markets can incentivize better risk management practices, particularly through ratings, insurance and audit, and what government can do to strengthen and complement market incentives.
Bill Raisch
Director, International Center for Enterprise Preparedness

Breakout 4
Scott McHugh
Vice President, Global Asset Protection
Wal-Mart
Moderator
Henry Ristuccia
Partner
Deloitte & Touche, LLP
Steve Spoonamore
Partner, GSP LLC

12:00 Networking Break/Luncheon Buffet
Linda Conrad
Director, Customer Enterprise Risk Management, Zurich

12:30 Roundtable on Recommendations: Policies and Practices that Support Risk Intelligence and Resilience
Questions for Discussion: The evidence seems to indicate that companies which are more risk intelligent and resilient outperform the market. If that’s true, why don’t the markets reward companies that demonstrate risk intelligence and resilience? What role could the ratings, insurance and audit industries play in creating incentives/requirements for risk management? What should government do to encourage these market movers to reward resilience? What should government do to protect citizens from the consequences of massive failures in risk management?
Christine St. Clare
Advisory Partner, KPMG
Phil Auerswald
Professor of Public Policy, George Mason University

2:45 Next Steps

3:00 Adjourn

The Risk-Intelligent Enterprise

Rick Funston
Principal and National Practice Leader, Governance and Risk Oversight
Deloitte & Touche, LLP

The ability to survive and thrive in an uncertain and turbulent environment requires resilience and agility. Resilience is the ability to rapidly recover and resume a former shape. Agility is the ability to assume a desired shape in order to rapidly adapt and seize desired opportunities. Risk intelligence is the ability to detect and rapidly respond to changes that affect the business model and bottom line.

Risk Intelligence enables:
- No surprises
- No big mistakes
- No missed opportunities

Of course, brutal reality is that there will always be surprises, mistakes and missed opportunities. But, in a risk-intelligent enterprise, they will not be life-threatening.

Critical Skills of Risk-Intelligent Enterprises

Check Your Assumptions at the Door. It is better to be roughly right than precisely wrong. Risk-intelligent enterprises look for evidence that their assumptions are wrong. Sometimes that means identifying weak signals that key assumptions in your environment are changing in ways that threaten your business.

Anticipate Potential Causes of Failure. It is almost un-American to think of failure, but risk-intelligent enterprises legitimize a constructive discussion of triggers for failure. They do not just step outside the box, they actively attack it.

Identify Interconnections and Interdependencies. The weakest links are often at the nexus of core processes.

Improve Reaction Time. One of the distinguishing aspects of turbulence is speed—most companies do not factor velocity into their risk assessments. Bad things happen faster than good; reputations are gained in inches per year and lost in feet per second. The speed of response has to be matched to the speed of onset.

Develop Common Senses to Get Insight and Foresight, Not Hindsight. Most enterprises tend to lack a central risk nervous system and good communications lines between multiple appendages. Specialist functions speak specialty languages and have a hard time communicating with one another, with the result that enterprise communications can become a tower of Babel. And, management structures sometimes act as buffers to prevent bad news from getting to the corporate brain. Honing the common senses that identify over-the-horizon risks requires enterprise collaboration and communication.

Verify Sources of Information. In God we trust; all others bring data. Prior experience is not necessarily a good predictor for the future. Executive opinions, while important, need to be corroborated.

Maintain a Margin of Safety. October is a particularly dangerous month to invest in stocks. Other dangerous months are July, January, September, May, March, November and so on. According to Warren Buffett, the most dangerous words in the investor’s lexicon are “everyone else is doing it.”

Maintain Operational Discipline. For mountaineers, most accidents happen on the way down. Attention should be constantly focused on operational discipline.

Adopt a Long-Term View. Urgent problems are often not the most important ones. And short term events carry a risk of over-reaction. Risks have to be taken to sustain ROI.

In sum:
- Build risk intelligence into decision-making processes, but do not bolt it on.
- Focus on value—protecting what you have while creating new value.
- Drive out fear of talking about potential for failure.
- Generate dialogue, not reports.
- Rely on judgment, not formulas.
- Manage icebergs first, not ice cubes.

Workshop Summary

Words Matter: Defining a Common Vocabulary

The language we use matters. Often we use the same words to mean different things. Or, the words we use describe qualities, not competencies. The lack of a common language of risk is one of the chief barriers to risk intelligence and resilience. We need common understandings about the words we use to communicate effectively with each other, with our management, with our investors and even with our regulators.

Interdependencies: Another key characteristic is that resilience cannot be achieved by any one organization. No organization is an island. It operates within a network of other organizations which, if not also resilient, could eventually pull down the network. We need to raise the game of all the organizations in the network. Equally important are resilient communities. Organizations are only as resilient as their people and the communities in which they live.

Resilience: Great Concept but What Does It Mean?

Dynamic: Resilience is dynamic, not static. Every time an organization implements a new technology or has a fractious round of pay negotiations, it is shifting its resilience space. One-time resilience audits do not work—resilience needs to be constantly re-evaluated.

Erica Seville
Research Fellow
University of Canterbury, New Zealand

Resilience is about an organization’s ability to achieve its core objectives, even in times of adversity, so that it survives in good times AND in bad. Resilient organizations are able to cope with both the foreseeable events that are on their risk radars, and the ones that come out of the blue.

Seizing Opportunity: Resilience is not just about survival, but the ability to seize opportunity out of crisis. There are always opportunities in a crisis, and the organizations that are able to seize these opportunities for renewal are the ones that will both survive and thrive. The qualities that enable an organization to survive in adversity are the same qualities that enable it to compete successfully on a day-to-day basis. The case for resilience is about market leadership as well as crisis management.

Resilience is an overarching concept that pulls together many aspects of good business management. It forces business leaders to think about, anticipate and plan for those things that are not on the risk radar—and to develop adaptive management strategies.

Four pillars of resilient organizations include:
- Resilience Ethos: How well has the organization built a value system and culture that sets resilience as a goal? Has it made the effort to build wider networks for resilience?
- Situational Awareness: Does the organization have its finger on the pulse of its operating environment? Is it positioned to recognize subtle shifts, identify potential opportunities and threats, and mobilize itself to respond?
- Processes for Managing Keystone Vulnerabilities: Does the organization know where its critical vulnerabilities are and how proactively it is managing them?
- Adaptive Capacity: When the chips are down and the plan did not work, how well can the organization come up with new strategies and implement them rapidly?

Finally, there is no one model for resilience. Like individuals, organizations have their own personalities, strengths and weaknesses. The key is to make the most of strengths in times of crisis and understand weaknesses, and hopefully shore them up before the crisis moment comes.

Table 1: Defining Resilience Using a Competencies Framework

Resilience Ethos: A culture of resilience that is embedded within the organization across all hierarchical levels and disciplines, where the organization actively manages its position in an interdependent system and where resilience issues are key considerations for all decisions that are made.

Indicator: Commitment to Resilience
Definition: A belief in the fallibility of existing knowledge as well as the ability to learn from errors as opposed to focusing purely on how to avoid them. It is evident through an organization’s culture, training and how it makes sense of emerging situations.

Indicator: Network Perspective
Definition: A culture that acknowledges organizational interdependencies and realizes the importance of actively seeking to manage those interdependencies. It is a culture where the drivers of organizational resilience and the motivators to engage with resilience are present.

Situation Awareness: An organization’s understanding of its business landscape; its awareness of what is happening around it, and what that information means for the organization, now and in the future.

Indicator: Internal and External Situation Monitoring and Reporting
Definition: The creation, management and monitoring of human and mechanical sensors that continuously identify and characterize the organization’s internal and external environment, and the proactive reporting of this situation awareness throughout the organization.

Indicator: Informed Decision Making
Definition: The extent to which the organization looks to its internal and external environment for information relevant to its organizational activities and uses that information to inform decisions at all levels of the organization.

Indicator: Recovery Priorities
Definition: An organization-wide awareness of its priorities following a crisis, clearly defined at all levels of the organization, as well as an understanding of the organization’s minimum operating requirements.

Indicator: Understanding and Analysis of Hazards and Consequences
Definition: An anticipatory all-hazards awareness of any events or situations which may create short or long-term uncertainty or reduced operability. An understanding of the consequences o
