From risk management to strategic resilience

| Article

In a volatile world, resilience is an increasingly critical prerequisite for corporate performance. The COVID-19 pandemic has caused a massive shock to public health, with dire human consequences. The crisis has dramatically demonstrated the sensitivity of economies to demand shocks as well as industry vulnerabilities to supply chain disruptions. Furthermore, the pandemic spread in an environment defined by accelerating climate change and the increasingly urgent demand to reduce greenhouse-gas emissions.

On top of public-health and environmental pressures, organizations are subject to many business challenges, societal uncertainties, and geopolitical tensions. The disruptive currents include accelerating digitization, cyberthreats, and inflation and price volatility. The dynamic pace of change makes disruptions hard to predict, even as they grow in severity and frequency. Companies in all industries thus need to plan for the unexpected and build up their response capabilities in advance.

The pandemic crisis also revealed the true value of resilience management to business leaders. They recognized that their crisis contingency plans were instrumental to managing through the crisis. Though the magnitude of the pandemic and its domino effects were not generally foreseen, the processes and procedures companies had in place proved themselves (or not) in very trying conditions.

Key findings from the FERMA–McKinsey survey

McKinsey recently supported the Federation of European Risk Management Associations (FERMA) on a comprehensive survey about the pandemic’s impact on corporate resilience. The survey drew responses from more than 200 senior executives and risk and insurance professionals, reflecting a wide range of industry sectors and countries. The survey probed for views on the relevance for organizations, the capabilities for managing strategic resilience, and the importance of resilience in and across corporate functions, including strategy, operations, and risk.

The executives revealed that in the past, their risk management focus was on a small number of well-defined risks, primarily financial risks. They told us that now, risk is encompassing the broader mandate of resiliency management. It is woven into long-term strategy development at top organizations, helping companies navigate a far more dynamic operating environment.

Almost 60 percent of respondents feel their organizations have excellent or very good resilience capabilities, meaning they are well equipped to build and manage resilience overall. In part, that is a direct response to the pandemic, which broadened leaders’ view of the risk function beyond one or two specific risks. More than half of respondents acknowledge that the global pandemic has made risk and resilience significantly more important to their organizations.

Among specific areas of resilience, companies are clearly focusing on workplace safety and remote working in managing through the pandemic. More than 75 percent say implementation measures in these two areas are largely completed. Fifty-two percent of respondents said that for their organizations, the most effective capabilities are in place to manage financial resilience.

At the same time, executives reported room for improvement. Management of business operations and the supply chain emerged as weak points during the pandemic. Many companies have yet to fully implement new remedial measures. Senior executives state that risk is still mainly involved in crisis response.

“We are learning from the crisis, reviewing, for example, our evaluation process for suppliers,” said the chief risk officer at a company in Italy. “In the past, we focused mainly on financial impact but have since adopted a holistic view, looking at the geographic footprint and compliance issues, among other factors.” Survey results included these findings:

  • Nearly two-thirds of responding companies said that resilience is central to their organizations’ strategic process—either as a top priority or to an important extent. Risk and insurance managers are strongly involved in resilience areas, including operational resilience and digital and technology resilience. In addition to those two areas, finance and operations were more often cited by survey respondents as the four most important resilience areas.
  • Foresight capabilities (scenarios and stress testing) emerged as one of the core areas for improvement. Companies were split in their use of scenarios and stress-testing exercises. Roughly half of executives rarely or never use them in strategic decision making, and half use them often or in every risk and resilience exercise.
  • The pandemic continues to highlight the need for secure and flexible technical infrastructure and the strong intersection of digitization within other resilience areas, including implementing work-from-home processes.
  • Risk functions and executive teams play leading roles in building a resilient organization, much more so than strategy teams. However, risk managers are not yet at the center of resolving crises at all times. A better risk governance model is key for efficient and effective decision making and crisis management.

To strengthen resilience in the future, most risk managers (75 percent) believe that the most important actions will be to improve risk culture and strengthen the integration of resilience in the strategy process. Important additional areas are improved risk data aggregation and reporting and more advanced foresight capabilities. Executives also want to revisit risk governance and radiate a better understanding of the critical role the risk function plays.

The challenge now is to move out of a reactive, crisis response mode and integrate risk with other core functions on a more permanent basis. Likewise, as they guide their organizations in the transition from crisis and risk management to resilience, top managers can can emphasize risk governance and risk data aggregation to develop better reporting and foresight capabilities. Risk has a key role to play and should partner with strategy and the executive team to guide organizations in the transition from risk and crisis management to resilience.

From crisis response to a holistic resilience strategy

Like many crises, the pandemic revealed hidden vulnerabilities in organizations and weaknesses in their response capabilities. Executives had to respond quickly to a variety of arising challenges in operations, including workforce discontinuities and supply chain issues involving critical shortages and logistics barriers. Decision makers learned to value timely and insightful data as they defined priorities and actions under stressed conditions. The FERMA–McKinsey survey revealed some good examples of resilient responses to the immediate pandemic-driven challenges:

  • Operational and supply chain challenges. Many companies enabled digital solutions, including advanced analytics, to supply chain issues from the beginning of the crisis. A leading global consumer firm improved the reliability of its supply chain by moving toward predictive maintenance of its machinery; another global company applied next-generation AI technology to monitor and identify unusual ordering patterns and respond accordingly; an energy company applied a smart supply chain digitization plan to provide business continuity. As the crisis evolved, cargo demand surged and ports became congested. Some companies took bold measures in response: a beverage giant shifted some operations from their container shipping to bulk carriers; big-box retailers began leasing their own containers and chartering ships.
  • Technological challenges. During the pandemic, cyberattackers have been taking advantage of security vulnerabilities created in the shift to work-from-home operations. In response, many organizations have strengthened defenses, closing potential gaps before hackers can compromise networks. Some companies have made significant investments in their capabilities, sometimes hiring experts; tech giants and other global firms have also acquired smaller cybersecurity companies.
  • Organizational challenges. At the beginning of the crisis, remote-working arrangements needed to be scaled and implemented for office work, while on-site workers needed appropriate safety measures, including testing and protective equipment. The record for on-site work has been spotty, especially at the beginning of the pandemic, and many lessons should be incorporated into future plans. The switch from office to home, however, was handled with ready competence by many large companies. The remote workforce required a new cyberstrategy, extending the security shield into the remote endpoints in people’s homes. Leaders then explored avenues to prevent the fragmentation of organizational culture, maintain high performance, and support the health and well-being of the remote workforce.

Beyond these often well-executed responsive actions, however, few firms have adopted a comprehensive strategic perspective to meet the challenges of the next disruption over the horizon. Yet this is what organizations need to do if they are to pivot during crises and accelerate into the new crisis-defined environment. The needed orientation is proactive, based on a business perspective, and goes beyond a reactive, second-line-of-defense approach to uncertainty. To build resilience into their long-term strategic decision making, organizations need to develop certain cross-functional capabilities and strengthen resilience in a number of strategic areas.

Overarching capabilities and core resilience areas

The overarching capabilities include foresight skills and disruption and crisis response preparedness. To develop foresight capabilities, organizations gather and study the relevant data, develop pertinent scenarios to discover gaps in resilience, and use this method to anticipate and prepare for future crises. Appropriate crisis response capabilities can then be pursued: those that can be developed and implemented in advance, to be applied quickly and effectively in case of disruptions. These capabilities—such as strengthened financials, better security (whether for IT and software or physical assets), market flexibility, and optionality—can by design create a competitive advantage that drives superior performance through the next industry cycle.

The core resilience areas can be grouped as follows:

  • Financial resilience. Institutions must balance short- and longer-term financial aims. A solid capital position and sufficient liquidity enable organizations to weather rapid drops in revenue, increased cost, or credit issues. Resilient companies are able to achieve superior margins by increasing revenue more than controlling costs. But McKinsey research also suggests that tomorrow’s resilient firms are more likely to be those driving value-added growth while balancing optionality (retained earnings growth)—rather than those that focus most of their attention on maintaining operating margins at the expense of other proportionate measures.
  • Operational resilience. Resilient organizations maintain robust production capacity that can pivot to meet changes in demand or remain stable in the face of operational disruption, all without sacrificing quality. They also fortify both their supply chains and delivery mechanisms to maintain operational capacity and the provision of goods and services to customers, even under stress of all forms ranging from failures of individual suppliers or distributors to natural catastrophes and geopolitical events.
  • Technological resilience. Resilient firms invest in strong, secure, and flexible infrastructure to manage cyberthreats and avoid technology breakdowns. They maintain and make use of high-quality data in ways that respect privacy and avoid biases, compliant with all regulatory requirements. At the same time, they implement IT projects both large and small—at high quality, on time, in budget, and without breakdowns—to keep pace with customer needs, competitive demands, and regulatory requirements. If something does go wrong, they maintain robust business continuity and disaster recovery capability, avoiding service disruptions for customers and internal operations.
  • Organizational resilience. Resilient firms are able to attract and develop talent in areas critical to their future growth; where many others fail, they find a way to secure sought-after people—with scarce analytics or cybersecurity skills, for example. Such organizations foster a diverse workforce where everyone feels included and can perform at their best. They deliberately recruit the best talent, develop that talent equitably, and upskill or reskill flexibly and fast. They implement strong people processes that are free of bias and maintain robust succession plans throughout the organization. Culture and desired behavior are mutually reinforcing, supported by thoughtful rules and standards that promote fast and agile decision making.
  • Reputational resilience. Resilient institutions align values with actions and words. A wide range of stakeholders—employees, customers, regulators, investors, and society at large—are holding firms accountable for their actions, brand promise, and stance on environmental, social, and governance (ESG) issues. Resilience demands a strong mission, values, and purpose that guide actions. It also requires flexibility and openness in listening to and communicating with stakeholders, anticipating and addressing societal expectations, and genuinely responding to criticism of firm behavior.
  • Business-model resilience. Resilient organizations develop business models that can adapt to significant shifts in customer demand, the competitive landscape, technological changes, and the regulatory terrain. This involves maintaining an innovation portfolio and valuing entrepreneurship. Particularly during times of crises, resilient organizations are able to adapt business models to the dynamic and uncertain environment.

Resilient organizations develop business models that can adapt to significant shifts in customer demand, the competitive landscape, technological changes, and the regulatory terrain.

Resilience as a competitive advantage

The holistic approach to building resilience advances the organization from a narrow focus on risk, controls, governance, and reporting to a longer-term strategic view of the total environment. Rather than hunting for blind spots in risk coverage within today’s business model, resilient organizations embrace the holistic view, in which resilience becomes a competitive advantage in times of disruption.

An important aspect of the holistic approach involves using crisis scenarios to test for resilience in a downturn. Accordingly, foresight capabilities are used to develop the scenarios; scenario-based modeling can then pressure-test strategies and business models through future volatile environments—such as those defined by economic downturns, rising geopolitical tensions, disruptions in the regulatory landscape, as well as technological disruptions. Such an approach enables leaders to move beyond resilience capability assessments to active strategic thinking to find new opportunities and shape new business models.

Designing and implementing strategic resilience

Companies have lately developed tools to deal with the challenges of the COVID-19 pandemic, but the “resilience muscle” must still be strengthened. Future disruptions will be different, and institutions need to plan for the primary impact and also for second- and third-order effects. Some of these knock-on effects appear only after a long delay but then suddenly accelerate; others gather momentum incrementally until an emergency tipping point is reached.

For a number of reasons, few institutions have built sufficient strategic resilience. The goal of becoming a resilient company can sometimes run counter to the more immediate objective of value creation. Building redundancy in supply chains builds resilience but it also increases costs, reduces returns on investment, and thus can make resilience a tough sell to business leaders.

Another barrier is organizational forgetfulness. Resilience is not needed every day; big disruptions are not happening all the time. The importance of resilience can be forgotten between big crises. These trigger big investments, but the next crisis will not necessarily be recognizable as a repeat of the last one. Over time, the effort to achieve strategic resilience peters out and new leaders shift priorities.

Resilience as we have been defining it cannot be achieved in a siloed approach. Yet due to inertia and biases, efforts to achieve a holistic resilience agenda can begin to veer off course, back toward familiar patterns. And siloed resilience efforts cannot collectively achieve the integrated solution.

Finally, as yet, we have no universal means of measuring resilience (we are working on it!). Consequently, the efficacy of investments in resilience tends to be based on qualitative judgements. Likewise, people are not trained in resilience, and performance evaluation is not much based on it. Managers are promoted for expertise in pattern recognition and for avoiding mistakes; however, resilience leadership requires creative thinking, first-principles problem solving for navigating through disruptions, and a predisposition to learn from and adjust to crises and downturns. A defensive stance and routinized thinking will prevent the organization from pivoting and accelerating in the next upswing.

Robust steps toward building sustainable resilience

Companies across industries have learned to successfully navigate fundamental disruptions, emerge stronger, and gain competitive advantage in tough times. The following steps briefly sketch a path to overcome pitfalls while systematically building and strengthening strategic resilience. The steps are not, of course, a simple how-to guide. Rather, each element relies upon talent, capabilities, and deep commitment to the integrated effort.

  • Measure resilience and start to report it internally. Taking a business-model view, review resilience dimensions regularly and systematically, identifying strengths and weaknesses compared with industry peers. The ability to conduct these reviews is of critical importance to decision making and balancing value creation and resilience building.
  • Pick your disruptions. A resilience agenda built around generic disruptions or overly specific scenarios is rarely useful. Instead, choose a particular type of disruption to start with, then probe it deeply for expected initial impact and longer-term secondary and tertiary effects.
  • Put less emphasis on extrapolations based on planning and budgeting processes. The approach is too slow and narrow for our disrupted world. Define instead a mechanism for creating scenarios systematically. Define increasingly disruptive scenarios across a widening circle and embed the impact of structural factors.
  • Risk functions need to move beyond the formal views of administration, control, and governance, as well as the formal processes for risk assessment. Find a way to replace these structures, integrating their constituent activities into strategy. Like strategy, risk and resilience management requires a strong business and market perspective, a risk mindset, and interdisciplinary thinking. For risk professionals, this is a call to come out of the ivory towers and into the marketplace.
  • Identify the organization’s natural strengths and Achilles’ heels. Test strategy and underlying assumptions against different scenarios—for example, by deploying qualitative and quantitative scenario analyses.
  • Define a portfolio of resilience investments. This step will entail revising short-term performance and corporate resilience strategies to enable longer-term profitable growth. Consciously invest in the resilience dimensions, with strategic options and big bets, when needed, to strengthen the strategies. Develop action plans for alternative futures.
  • Build first-line capabilities in resilience; build personal resilience and resilience within teams. These efforts also better integrate people into the transition.
  • Create an early-warning system that truly monitors internal and external risks. The board should be involved, but crowdsourcing can be used judiciously, for a more secure view on the risks the organization is facing.

History teaches us that the conditions of future growth are often created as organizations respond to the vulnerabilities crises expose. In times of disruption, survival and the wherewithal to achieve future prosperity depend on strategic resilience, which, as the participants in the FERMA–McKinsey survey stress, importantly means adaptability and decisiveness.

Explore a career with us