Most business leaders recognize the futility in predicting the future. As markets transition out of the pandemic, it makes sense to improve the organization’s agility in responding and adapting to the unexpected.
The business model is akin to a finely tuned machine requiring the coordination of multiple components to deliver value to customers according to the company’s brand promise. Business models vary by industry. For example:
- A manufacturer’s model combines a robust supply chain, an accessible labor pool, cutting-edge innovative processes, efficient facilities and equipment and access to power, water and other necessary resources to produce quality products at competitive prices.
- A bank’s business model might emphasize critical third-party providers, differentiating skills and competencies and proprietary systems to enable superior customer experiences.
- An e-commerce retailer’s model leverages supplier partnerships, efficient omnichannels or multichannels, world-class logistics and distinctive branding to offer a compelling value proposition and experience to consumers.
Unless the organization has an effective response plan, the absence or ineffective functioning of any of these components compromises the business model’s viability. A loss of one or more components can take away the advantages of the model’s underlying cost structure, ability to produce or deliver product, capacity to provide essential services and/or accessibility to customers. Herein lies the crux of operational risk, or the risk that one or more scenarios impair the effectiveness of the business model in fulfilling customer expectations and realizing acceptable returns.
The COVID-19 pandemic has proven to be an object lesson on how severe this risk can be. Many were unprepared for an event that literally shut down major segments of the economy – and even whole industries dependent on the gathering and concentration of people. Widespread failures of supply chains and third-party providers, and almost complete cessation of demand for products and services in some industries, are unforgettable experiences that many might have regarded as implausible prior to the onset of the pandemic.
The pandemic experience has served as a reminder that, in today’s interconnected global marketplace, most companies are boundaryless due to their tight coupling with upstream suppliers and providers and downstream channels to reach ultimate end users. The concept of an extreme but plausible event becomes more pervasive when these dependencies extend, for example, as far upstream as third- and fourth-tier suppliers. Furthermore, the determination of “plausibility” when assessing extreme events continues to evolve over time as their frequency, severity, velocity and persistence increase.
COVID-19 is just one example of a resilience event that stops the show. Others, such as cyberattacks – for example, the recent ransomware attack on the Colonial Pipeline in the United States – or catastrophic natural disasters also can grind companies, sectors or industries to a halt. The velocity of such events varies. Whereas companies could see pandemic risk charging on the horizon toward them like a gray rhino, cyberattacks can occur suddenly and without warning.
As this evolution moves scenarios previously considered “implausible” into the “plausible” category – in effect, shifting probabilities assigned to tail-risk events closer to the mean – the question arises as to executive management’s and the board’s role in overseeing operational resilience. To that end, we offer several considerations for senior leaders and directors as their organizations enter into and learn to operate successfully in a post-COVID-19 world:
Learn from the COVID-19 Experience
Much has been said about the importance of continuous learning during the COVID-19 experience to understand what went well and what did not go well. The extremity of the pandemic offers powerful lessons for companies to consider and apply in formulating an effective response plan should another pandemic or equally severe catastrophic scenario occur. Not only should this review be encouraged, but a summary of actions to be taken because of it should be requested as well.
Pay Close Attention to Concentration Risk
The term concentration risk is most often used in financial services to refer to exposures within a bank’s asset portfolio or an insurer’s underwriting portfolio arising from concentration to a single counterparty or insured category, sector, country or region. It also applies to other industries. Geographic concentrations of critical assets, significant operational exposure to a geographically specific event (including sovereignty risk and regional conflicts), concentration of information assets with outsourced functions, reliance on sole suppliers of critical raw materials and components, dependence on major customers for business and other factors peculiar to a company’s business model create concentration risk. For example, what if major customers were to fail, major customer contracts were not renewed or major customers were to consolidate? Senior management and boards should be aware of these risks and, when they exist, inquire of management as to whether the specific concentration risk has been weighed against the cost and the ability to recover within an appropriate time frame from an extreme but plausible event.
Enhance Resilience Through a Reimagined Work Environment
The pandemic has accelerated workplace redesign in most organizations. Companies able to virtualize their processes have been more successful during the pandemic lockdown than those that did not or were unable to do so. Going forward, an opportunity exists to reimagine work processes to ensure the highest form of resilience possible. This focus can lead to distributing the workforce, continuing remote-work arrangements, reducing dependence on business travel and supporting a hybrid model combining remote work with work physically performed in an office environment. The objective is twofold: Accommodate the “new normal” workplace, however it evolves, and contribute to increased operational resilience in facing catastrophic events that restrict workforce mobility. And the byproduct is as attractive: Enhance employee retention by giving employees a voice and choice about where and when to work.
Leverage Technology to Increase Resilience
As noted above, companies able to operate their business virtually have provided an object lesson on the power of technology to facilitate resilience. In addition, while most companies use the cloud, quite a few still do not fully exploit its unique benefits. The cloud offers a scalable ecosystem where damage to, or the loss of operation of, any single component of that ecosystem would not have a significant effect on the company’s overall operations. It can contribute to the efficient deployment of the technologies enabling a virtual environment and improved operational resilience.
Facilitate Response Readiness Assessments by Using the Right Factors
Management should ensure the right questions are being asked when assessing exposure to extreme but plausible scenarios. The first is: Which critical business model functions, services and ecosystem components are most affected by the scenario? With respect to each scenario, what is:
- the velocity or speed to impact (i.e., can the loss of key functions, services and ecosystem components occur without warning (e.g., a power outage))?
- the persistence of the impact (i.e., the duration of time before the loss of the functions, services and ecosystem components can be addressed and the “headline effect” regarding the organization’s attempts to recover)?
- the extent of the company’s agility and readiness in responding to the event?
- the magnitude of uncompensated risks the company faces as a result of the loss of the component (e.g., loss of revenue due to downtime of services, permanent loss of customers and emergence of health and safety issues)?
Likelihood of occurrence is not a prime consideration in a resiliency assessment. The focus is not on if the event occurs, but on what management will do when the event occurs.
Manage the Intersection Between Risk Management and Crisis Management
Every director and CEO faces the specter that no matter what they do, an unforeseen disruptive crisis event may occur for which there is no playbook available. But this reality should not stifle efforts to plan and prepare for disruptions. As a crisis is a severe manifestation of risk, crisis management is the natural follow-on to risk management. Rapid response to sudden, unexpected events depends on the enterprise’s preparedness and response plans. Building an agile crisis management capability is a management imperative for scenarios with a high reputation impact and velocity. A world-class response to a persistent crisis is vital to a company’s ultimate recovery and preservation of its brand image. Operational resilience assessments focused on the aforementioned factors can help identify areas where preparedness is more critical, prompting action to develop robust response plans.
Be More Engaged at the Top with Resilience
Now that the world has experienced the worst pandemic in a century, executive management and directors should pay more attention to operational resilience going forward. Senior leaders and the board should understand and offer input to the operational resilience strategy, including the identification of functions, services and ecosystem partners identified as critical to the execution of the business model. They should also request a prompt notification when an event occurs that either is likely to require public and/or regulatory disclosure or meets specified criteria – such as a “close call” involving a business function or service that has been deemed “critical.” Such notifications should address the strategy for disclosure (if warranted) and the plan for recovery and, if necessary, improving resilience. While views about the granularity of senior management’s and the board’s focus on operational matters may differ, there should be general agreement as to the organization’s targeted recovery time for an important business service or process that guides the assessment of its resilience plan. Company leaders and directors should also be comfortable with the company’s operational resilience team and their line of sight into the team’s activities.
Position Operational Resilience as a Strategic Imperative
The scope of resilience planning should encompass an end-to-end extended enterprise view of the value chain that looks upstream to suppliers and third-party providers, as well as downstream to channels and customer relationships. These business ecosystem partner relationships are just as important to the execution of the business model as the organization’s internal processes, personnel and systems. An evaluation of operational threats, therefore, should be directed to understanding the company’s resilience in addressing any of these key links in the chain and whether the time frame to recover is acceptable in terms of sustaining the operation of the business model.
This comprehensive view is important. According to Gartner, business continuity management and organizational resilience programs are not keeping up with digital transformation initiatives and emerging, more complex threats. These programs should be a business-as-usual activity inextricably tied to the achievement of corporate objectives, customer fulfillment commitments and expressed or implied brand promises. A comprehensive view of all key components of the business model is needed to create that linkage. The operative question is: what would happen to the organization’s ability to execute its business model when any of these components are taken away through an unexpected catastrophic event or altered in a significant way to place it at a strategic disadvantage?
Asked another way: At every stage of the value creation process, what would be the implications of a shortage, disruption or quality problem in a particular input or output? In such scenarios, how long would the company be able to operate? This pervasive question applies to such inputs as the available labor force and talent pool, the availability of power at a reasonable price, lines of credit and working capital, among other factors. This kind of thinking is needed in a disruptive world.
In considering the above points, senior leaders and their boards should be mindful of business continuity regulatory requirements and standards specific to the sector(s) in which the company operates, as well as the organization’s processes for complying with them. These regulations and standards often provide guidance on required or suggested areas of focus and approaches. The most comprehensive guidelines and standards are geared toward financial services. Using these more rigorous guidelines, it is not uncommon for other industries to apply the strategies and controls that are most relevant as they offer a model of best practices.
Questions for Executive Management and Boards
Following are some suggested questions boards of directors may consider based on the risks inherent in the company’s operations:
- Do we have sufficient transparency into our organization’s:
  - Definition of the business functions, services and ecosystem partners that are critical to the execution of its business model?
  - Determination of the impact tolerances for these functions, services and ecosystem partners (i.e., how long can our company operate without them)?
  - Consideration of extreme but plausible events that could result in an impact on the business that exceeds the established tolerances?
  - Events that have occurred that either require disclosure or meet our specified criteria for timely notification?
- How prepared is our organization for operational resilience? Have we implemented reliable processes, systems, metrics and response plans to ensure organizational preparedness? Is our organization conducting periodic tabletop exercises that are effective in testing its ability to recover against extreme but plausible scenarios? How do we know?