The return on business resilience

COVID showed the best-laid corporate contingency plans aren’t good enough

business resilience

As the world begins to emerge from the COVID-19 crisis, business leaders are thinking about how to best prepare for the next crisis, however it manifests.

The key to survival, says Dave Wright, ServiceNow’s chief innovation officer, is organizational resilience, which he defined as an organization’s ability to continue to serve customers, deliver products and services, protect its workforce, and safeguard its reputation during adverse events.

Recently, Wright held a virtual roundtable with ServiceNow customers to examine the future of business resilience, risk, and the rise of a new C-suite member: the chief resilience officer.

Resilience is siloed—disaster is not

The modern enterprise faces a grave threat, Wright says, and it comes from within. In most organizations, risk and resilience are delegated to executives responsible for specific functions. But many of the greatest threats to organizational resilience impact the entire enterprise, if not the entire planet (think COVID-19).

Resilience matters because adverse events are not rare.

While resilience is siloed, events like extreme weather, trade wars, cyberattacks, geopolitical conflicts, or unforeseeable supply chain disruptions (caused by, say, a cargo ship stuck sideways in the Suez Canal) are often not recognized as threats to the organization as a whole. Even minor adverse events—for example, a construction crew accidentally cutting business-critical fiber-optic cables—can severely disrupt the organization.

Resilience matters because adverse events are not rare. In fact, the number of billion-dollar disasters that occur annually in the United States has tripled since 1999; the average cost of a data breach is $8.6 million. To safeguard against financial and human disaster, the entire organization—not just individual departments—must become resilient.

Enterprise-level resilience

In response to changes in customer and employee behavior throughout the pandemic, many organizations have begun or accelerated a digital transformation. While useful for managing vulnerability, uncertainty, and complexity, digital transformation also increases the level of risk.

Crises can affect the entire enterprise, so solutions must reach every aspect of it; any modern enterprise, Wright says, must consider the gamut of external (or internal) risk. Predicting every potential risk is impossible, so organizations must learn how to respond to disruption quickly and resiliently.

However, because many organizations view risk from departmental silos, business leaders often can’t achieve holistic views of an adverse event’s impact on the organization, or what a proper response to it should be. COVID, for instance, sent employees home, quickly adding a technology challenge to a massive HR disruption. To mitigate organizational risk, Wright argues that leaders must take steps to break down silos. Resilience has to occur at the organizational level and incorporate people, processes, and technology.

Business continuity plans fought the pandemic…and the pandemic won

COVID-19 was the mother of all reality checks, Wright says. An MIT Technology Review research report noted that 62% of North American respondents had business continuity plans in place before 2020 but that only half said those plans were effective during the pandemic.

That’s mainly because most continuity plans focus on conventional disasters like corporate network outages and easy-to-imagine black swan events.

Even businesses that, at the start of the first wave of pandemic lockdowns, moved their employees out of the office within days faced resiliency challenges. For them, the challenge quickly moved beyond technology, Wright says; it was people—how to support employees who were suddenly working from home while caring for families and who could no longer communicate with one another by simply walking across a hallway.

Resilience learnings, resilience unlearnings

Wright describes lessons he’s learned, and unlearned, by studying organizational resiliency.

The biggest learning is that organizations that adopted an agile practice before or during COVID-19 are more resilient and better able to withstand this disruption. On the whole, flatter organizations were (and are) more resilient than hierarchical ones, Wright says, because they foster a feeling of trust that provides psychological safety for employees.

[Read also: Rethinking operational risk]

Companies that have sought employee input on issues like schedules, benefits, and even strategy have also seen the development of greater trust, which is correlated to resilience and, ultimately, with a stronger bottom line.

Another learning: resilience pays dividends, especially in tough times. Boston Consulting Group, in a study that examined the performance of more than 1,800 companies over a quarter-century, found that resilience in unfavorable periods accounted for nearly 30% of long-term outperformance, even though crises occurred during only 11% of the study period. As the study put it, “performance during a crisis had almost three times the impact of performance during stable periods.”

3x

Number of billion-dollar disasters that occur annually in the U.S. since 1999

Also: adversity breeds resilience, not just for organizations but also for employees. A study by ADP found that people who had experienced at least 5 of 11 so-called “risk factors”—such as furloughs, layoffs, changing work hours, and unplanned moves to work from home—were 13 times more likely to be resilient, Wright says.

As for unlearnings, Wright says, the pandemic challenged his assumption that resilience is mostly about technology; that is, about having the right backup systems, the right redundancy. In fact, resiliency “is as much about your people and processes as it is about your technology,” he says.

The rise of the chief resilience officer

Wright says it’s crucial for organizations to build “a living fabric of resilience” that covers all departments and the individuals within them. In most large companies nowadays, the task of fostering resilience is left to the chief risk officer, or is made a shared responsibility among, say, the CIO, CHRO, and COO. But those executives rarely have the remit and resources to focus on resilience as a companywide priority.

One way to promote resilience at the organizational level is to create a role for it: a chief resilience officer.

This C-suite collaboration and accountability is the sort of structure that needs rethinking, Wright says, because in a world where disruption is the norm, resilient organizations will outperform their peers, and businesses must build resilience into the strategy and structure of the organization.