2020 was a wake-up call. To thrive in the coming decade, companies must develop resilience—the ability to withstand unpredictable threat or change and then to emerge stronger.
This perspective piece introduces our approach to resilience. “Develop resilience” is easy to say but hard to define, and yet harder to do. In this article, we reiterate the imperative, define the components of resilience, and introduce the approaches companies can take to become more resilient. In the coming months, we will publish a series of more detailed articles on the topic, focused on the actions that institutions of different types can take to measure and improve their resilience.
The resilience imperative
The world is undergoing increasingly rapid, unpredictable, and unprecedented change. But across industries, most companies have remained persistently focused on near- and medium-term earnings, typically assuming ongoing smooth business conditions. The COVID-19 pandemic heralds the need for a new approach.
Catastrophic events will grow more frequent but less predictable. They will unfold faster but in more varied ways. The digital and technology revolution, climate change, and geopolitical uncertainty will all play major roles (exhibit).
We strive to provide individuals with disabilities equal access to our website. If you would like information about this content we will be happy to work with you. Please email us at:
The digital revolution has increased the availability of data, the degree of connectivity, and the speed at which decisions are made. This offers transformational promise but also comes with potential for large-scale failure and security breaches, together with rapid cascading of consequences. It also increases the speed at which a company’s reputation can change in the eyes of consumers and employees.
Insights to Impact: Olivia White on business resilience
McKinsey senior partner Olivia White describes key insights from this article. Learn more about Olivia
The changing climate presents structural shifts to companies’ risk-return profiles, which will accelerate nonlinearly. Companies need to navigate concerns for their immediate bottom line together with pressures from governments, investors, and society at large. All this while natural disasters are growing more frequent and severe.
An uncertain geopolitical future provides the backdrop. The world is more interconnected than ever before, from supply chains to travel to the flow of information. But these ties are under threat, and most companies have not designed their role in the global system for robustness, to keep functioning smoothly even if connections are abruptly cut.
In a world where the future is uncertain and change comes fast, companies need to look beyond short-term performance and basic organizational health. They must be able not only to withstand unpredictable threat or change but to emerge stronger. In short, they need to be resilient.
Broad-based resilience: Beyond financials
Firms cannot afford to be either inflexible or imprudent. Those unwilling to take sufficient risk will not respond or innovate to meet changing circumstances. But at the same time, those too focused on financials, growth, or expansion may take on risk that kills their long-term success. Industries have developed specific resilience capabilities, but when disruptions occur, “surprise gaps” become visible (see sidebar, “Resilience capabilities and surprise gaps in select industries”).
Many companies have thought about such risk–return trade-offs in financial terms, making sure they have the financial reserves needed to withstand some uncertainty around a single planning scenario.
But today’s world demands more than financial resilience. As an example, take climate change. Severe climate hazards will threaten the sourcing, production, and distribution of products and services and can come from both nearby and afar, in the era of global supply chains. Moreover, firms must take a stance on the role they want to play in reducing emissions, accounting for expectations from governments, employees, customers, shareholders, and society at large. Such climate adaption and mitigation, together with technology change, will shift business mix and business models, and companies will need the flexibility to respond.
Internally driven change also requires a broad view of resilience. Consider a company-wide digital and analytics transformation, addressing both internal processes and product and service delivery to customers. While efficiency and the art of the possible expand, so does the potential for broadscale technological failure or massive cyber incursion. Employees need to develop new skills and different ways of working together. Analytics offers new horizons but also can embed bias in decision making.
We believe that true resilience requires balanced focus on six dimensions: financials, operations, technology, organization, reputation, and business model.
Institutions must balance short- and longer-term financial aims. A solid capital position and sufficient liquidity enables organizations to weather rapid drops in revenue, increased cost, or credit issues. Most companies must protect themselves against the deterioration of markets and reduced access to capital, debt, or equity or, for financial institutions, decreases in net interest income and credit loss. Financial resilience.
Resilient organizations maintain robust production capacity that can both flex to meet changes in demand as well as remain stable in the face of operational disruption, all without sacrificing quality. They also fortify both their supply chains and delivery mechanisms to maintain operational capacity and the provision of goods and services to customers, even under stress of all forms ranging from failures of individual suppliers or distributors to natural catastrophes to geopolitical events. Operational resilience.
Resilient firms invest in strong, secure, and flexible infrastructure, including to manage cyber threats and to avoid technology breakdown. They maintain and make use of high-quality data in a way that respects privacy and avoids bias, compliant with all regulatory requirements. At the same time, they implement IT projects both large and small—at high quality, on time, in budget, and without breakdown—to keep pace with customer needs, competitive demands, and regulatory requirements. In case something does go wrong, they maintain robust business continuity and disaster-recovery capability, avoiding service disruptions for customers and internal operations. Technological resilience.
Resilient firms foster a diverse workforce in which everyone feels included and can perform at their best. They deliberately recruit the best talent, develop that talent equitably, upskill or reskill employees flexibly and fast, implement strong people processes that are free of bias, and maintain robust succession plans throughout the organization. Culture and desired behaviors are mutually reinforcing, supported by thoughtfully developed rules and standards to which adherence is enforced, while also promoting fast and agile decision making. Organizational resilience.
You are what you do. Resilient institutions align their values with their actions, with their words. A wide range of stakeholders—from employees to customers to regulators to investors to society at large—increasingly looks to hold firms accountable in a range of ways, spanning from their brand promise to their stance on environmental, social, and governance (ESG) issues. Resilience demands a strong sense of self—enshrined in mission, values, and purpose—which guides actions. It also requires flexibility and openness in listening to and communicating with stakeholders, anticipating and addressing societal expectations and responding to criticism of firm behavior. Reputational resilience.
Resilient organizations maintain business models that can adapt to significant shifts in customer demand, the competitive landscape, technological changes, and the regulatory terrain. This involves maintaining an innovation portfolio and valuing entrepreneurship. Particularly during times of crisis, resilient organizations will place strategic bets to evolve their business models. Business-model resilience. Anticipating and responding
Firms with the capabilities to prepare for and respond to disruption dynamically are more resilient across the six dimensions.
Developing the understanding and fact base to anticipate relevant future scenarios enables firms to pressure test their resilience and to anticipate some types of disruption. By examining specific significant potential disruptions, institutions will learn more about gaps in their resilience across the six dimensions. Specific, hypothetical Anticipation. supply-chain disruptions, for example, probe a part of operational resilience; cyberattack scenarios are most relevant to technological resilience; and physical climate-risk events require several types of resilience. At the same time, firms can systematically identify potential industry-wide disruption stemming from a range of sources: from technical change to macroeconomic downturns, or from geopolitical disruption to major regulatory shift. Not all such disruptions can be anticipated. But some can, at least in part, and early anticipation can provide significant advantage, as demonstrated through numerous examples during the COVID-19 pandemic.
Institutions cannot anticipate or prepare for all disruptions. The capability to respond rapidly and effectively after something happens can make a determinative difference in company success. In the face of company-specific crises, a poor and indecisive response can drive as much as half of the lost shareholder value. On the flip side, companies that respond well stand to gain. Firms that respond early to industry disruption or economic downturn can create competitive advantage that drives superior performance through the Response. next industry cycle. For example, as measured through total returns to shareholders, top-quintile performance through the global financial crisis (2007–11) outperformed other companies in 2017 by more than 150 percentage points. Embedding resilience
Traditionally, to stave off disaster, institutions have put in place business-continuity plans to respond to a list of potential threats—hurricanes, server outages, cyber incursion, and so on. They have tended to include a dose of conservativism in a single-scenario planning approach. This approach is outdated.
Firms should strive as much as possible to embed resilience in the way they work, in a way that makes them better in normal times, not just in the face of unpredictable threat or change. We delineate three approaches firms can take to increase resilience:
Add on. Boxes of supplies, emergency generators, backup servers, and redundant pathways all fall in this category. This is the domain of the traditional business-continuity plan and is certainly necessary in some cases. This approach to buffering against threat is isolated and easy to understand and does not get in the way of core operations or business models. On the other hand, in practice, this approach is almost never as reliable as one wants—for example, emergency supplies expire, generators do not work. Add-ons also tend to increase complexity and can lead to unpredictable knock-on effects. So relying entirely on add-ons is ill advised.
Trade off. Capital buffers, stocks of goods, and overstaffed call centers all fall in this category. These are considered explicit trade-offs between resilience and other parts of the system, often returns or productivity. Leveraging trade-offs requires transparency, true understanding of the desired risk–return balance, and practical ability to retune the system fast. Financial resiliency is perhaps most easily suited to this approach. Systems with physical constraints (such as production facilities) and networks (such as shipping networks) present greater challenge for making quick shifts.
Bake in. This is the happy convergence between what is best for resilience and what is best for other business aims. Organizational resilience is where the “baked-in” approach is most in its element and springs from diversity of skills and experience, fostering of innovation and creative problem solving, and the basic psychological safety that enables peak performance. These characteristics are helpful in good times and indispensable when quick, collaborative adaptation is needed for an institution to thrive.
Add-on resilience is necessary, but it is not the full answer. Backups can fail, they add complexity, and they typically do not help companies emerge from change stronger. Some trade-offs are also required. But companies should look to maximize the amount of baked-in resiliency they can create. This helps better target add-on redundancy, reduce the degree of needed trade-offs, and at the same time improve institutional ability to emerge stronger from change or threat.
The path forward
To get started in building resilience for the years ahead, companies can take three steps:
Describe how resilient you are today. How resilient are you currently—overall and across each of the six dimensions of resilience? Do you have well-developed capabilities to anticipate and respond to disruption or crisis? What are you doing to promote resilience? In particular, to what degree and where do you rely on add-ons or trade-offs and in what ways do you bake resilience into the way you operate in normal times? Systematic diagnostic tools enable quick but comprehensive understanding of the current state.
Determine the degree and nature of resilience you need for the future. What types of threats or potential change matter most to your institution? Where do you have gaps across each of the resilience dimensions? This analysis should consider each company-led change (for example, a digital transformation), industry-specific dynamics (for instance, rapidly changing levels of regulatory scrutiny), and global dynamics (for example, climate change) that may pose the greatest threat to the institution.
Design your approach to building and maintaining the resilience you need. Where do you most need to shift or supplement your current approach? Ongoing resilience requires embedding related considerations into day-to-day decision making as well as into strategy setting. Institutions should link this business-focused approach toward resilience to any existing enterprise-risk-management processes and should consider investment in anticipation and response capabilities. An ideal design will maximize practices that make you stronger in normal times and better ready to withstand and adapt to threats, but it will also accommodate add-ons and trade-offs where needed.
Companies that understand the resilience they need for the future can implement sensible change. In case of vulnerabilities, this may mean transforming in ways big or small to enhance resilience directly. But, as importantly, firms should look to build resilience into any transformation they undertake, regardless of the primary goals—from digital to growth to cost. This yields more robust change and helps you bake in resilience from the outset.