The State of Enterprise Resilience - Resilience Survey 2015

Managing Risk | Maximising Opportunity THE STATE OF ENTERPRISE RESILIENCE RESILIENCE SURVEY 2015

Upload: julian-r-cbci

Post on 13-Feb-2017


TABLE OF CONTENTS

FOREWORD

INTRODUCTION

Key findings

THE STATE OF ENTERPRISE RESILIENCE

1. Translating the threat: the important “so what?” analysis

2. The impact of political instability

3. Governance and ownership: the importance of senior level responsibility

4. The role of business continuity and crisis management

5. The importance of third-party management

CONCLUSION

Key recommendations

ABOUT THE SURVEY

FOREWORD

With increasing globalisation and economic interconnectivity has come increased risk for businesses. It is through these interconnected pathways that risk to organisations can accumulate, propagate, and potentially culminate in a much greater scale of effects. What would previously have been isolated risk events can now have an impact far beyond their immediate confines, extending across geographical areas, national borders, and continents.

Over the last decade we have also witnessed developing interest in the concept of organisational resilience as a means of successfully navigating an increasingly complex risk landscape. For many though it remains a nascent and sometimes poorly understood idea; for relatively few it has evolved into an all-encompassing approach spanning all business functions and extending to supply chains and other third-party providers.

At Control Risks we define resilience as the ability of an organisation to assess, anticipate, mitigate, and recover from disruptive events. This in turn helps drive stakeholder value. In summer 2015 we conducted a global resilience survey across our client base and wider contacts in order to gain a better understanding of the degree to which the concept of resilience has gained currency and become embedded within organisations. We sought to address issues such as how companies monitor and analyse the risk landscape, organisational risk governance, and the gap between theoretical understanding and practical application. The findings from the survey are discussed and analysed in this report and provide a comprehensive view of the state of resilience in respondent organisations.

INTRODUCTION

The success of an organisation is intrinsically linked to its ability to identify and successfully manage risk. With an increasing focus on resilience in the market, this survey examines the range of understanding and capability within organisations to identify, interpret, and prioritise threat and risk as well as the organisation’s ability to develop adaptive strategies and its capacity for managing risks.

It is clear that resilience, and initiatives to support it, is increasingly on the corporate agenda. There are, however, a significant number of organisations that continue to experience disruption, implying that risk forecasting and preparation is inadequate. Risk information appears to be poorly communicated within organisations thereby limiting the ability to build resilience to disruptive events.

KEY FINDINGS

• The gap between monitoring and effective analysis. Many organisations are proactive in risk monitoring, but still 86% of respondents experienced some form of disruption in the last five years. This highlights the disconnect between the identification of risks and the timely adjustment of risk mitigation strategies to reflect changes in the operating environment.

• The importance of top level responsibility. 60% of all respondents indicated that potentially the most disruptive internal challenge facing their organisation was the ability to anticipate change and adapt quickly. To build sufficient adaptability, resilience should be driven from the executive and embedded across the organisation.

• The role of business continuity and crisis management. The majority of respondents (78%) exercise crisis management or contingency plans on an annual basis, with nearly 20% conducting quarterly exercises. However, the frequency and impact of disruptive events indicates that either lessons are not being identified and learnt through training, or that risk forecasting is leading organisations to prepare for low likelihood, low impact events whilst remaining unprepared for higher impact and likelihood events.

• The impact of political instability. 62% of respondents indicated that they were concerned about both direct political risks to their business and the impact of political instability on the broader security environment. Respondents rated political and security instability considerably higher than macroeconomic volatility.

• The importance of third-party management. Whether it is about being a “third party” or managing their own suppliers and providers, resilience is rarely on the agenda when discussing projects and contracts with 35% of respondents having never reviewed the business continuity plans of key service providers.

THE STATE OF ENTERPRISE RESILIENCE

1. TRANSLATING THE THREAT: THE IMPORTANT “SO WHAT?” ANALYSIS

68% of respondents state that their organisation monitors and analyses risks, conducting forecasts for up to five years. However, disruptive events continue to have a significant impact on business performance. This means that although the majority of companies are committing resources to monitoring incidents and trends, the survey appears to show a disconnect between monitoring and risk analysis and the timely adjustment of risk mitigation strategies to reflect changes in the operating environment.

The survey results underline this as follows: 86% of respondents experienced some form of disruption in the last five years. 28% experienced more than seven disruptive events in this time period. The impact of these events on respondents has been significant: 37% of respondents faced events with an average financial loss in excess of £1m.

The survey results imply that organisations should address the question of when, not if, a disruptive event will take place. Whilst the majority of respondents rated themselves as capable of responding to an event, their apparent ability to capture risk and forecast is limited.

Respondents stated that they monitor threats to their organisation long in advance, but evidence from this survey would indicate that they are either not monitoring for the most relevant threats or they are being provided with inadequate analysis that is unsuitable to plan and prepare robust contingency options. Organisations should examine specific threat events which may result in direct disruption to business activities including political, economic, social, technological (including cyber-crime), legislative and compliance, and environmental factors which may impact on organisational resilience.

Many risks are interrelated and can often be the driver behind political instability and a change in the security environment. These may prove to be either positive opportunity or negative business risks and should be considered accordingly.

[Figure: Organisational risk monitoring - To what point in the future are risks monitored and analysed within your organisation? Categories: 1 month ahead, 3 months ahead, 6 months, 12 months, 2 years, 5+ years. Values in extraction order, not matched to categories: 34.8%, 21.2%, 15.2%, 12.1%, 10.6%, 6.1%.]

[Figure: Organisational capability to respond to disruptive events - How would you rate the capability and experience within your organisation to manage disruptive events? (1 = insufficient; 5 = highly capable) Ratings: 1, 2, 3, 4, 5. Values in extraction order: 7%, 9%, 14%, 28%, 42%.]

2. THE IMPACT OF POLITICAL INSTABILITY

62% of respondents indicated that they were concerned about both direct political risks to their business and the impact of political instability on the broader security environment. Respondents rated political and security instability considerably higher than macroeconomic volatility.

In our view this underlines two trends: respondents are increasingly aware of the interconnected nature of risk and acknowledge the significant impact of political instability on the wider operating environment. Organisations are increasingly seeking to avoid instability in the macro environment resulting from political gridlock, extremism, and political dysfunction as this will have an impact on everything from profits and operations to the working conditions of employees. Organisations should be prepared to manage both the local and international outcomes of political legislation that can affect the relationship between the firm and its customers, its suppliers, and other firms.

[Figure: Factors to monitor and analyse. Categories: Political, Legislative, Compliance, Environmental, Economic, Social, Technological (including cyber risks). Values in extraction order, not matched to categories: 58%, 43%, 43%, 39%, 30%, 21%, 19%.]

[Figure: Most disruptive external threats - What do you consider to be the most disruptive external threats to your organisation’s business over the next 5-10 years? Categories: political and security instability, transport disruption, loss of utilities (power/water etc), pressure group protest, outsource service failure, loss of telecommunications, changes in the labour market, currency volatility, regulatory change, changing competitive landscape, security/terrorism incident, macroeconomic uncertainty, changing market dynamics, supply chain disruption, impact of natural hazards. Values in extraction order, not matched to categories: 62.1%, 39.4%, 37.9%, 36.4%, 34.8%, 30.3%, 22.7%, 18.2%, 9.1%, 9.1%, 7.6%, 7.6%, 7.6%, 6.1%, 4.5%.]

Organisations should identify relevant political threats and then continuously analyse the trends that underlie these threats with an appreciation and understanding that threat categories are usually interconnected. There are a number of political risk indices that provide an idea of the risk exposure an organisation faces in certain countries that may act as a useful guide.

3. GOVERNANCE AND OWNERSHIP: THE IMPORTANCE OF SENIOR LEVEL RESPONSIBILITY

Organisations should be clear about who is responsible and accountable for risk management, including risk reporting, monitoring, and ownership.

All functions within an organisation should remain sufficiently flexible and adaptable to respond to disruptive events. There was little agreement amongst respondents on which function should lead resilience programmes: 37% of respondents considered business resilience planning as a function of risk management and 22% of respondents stated that the security department is directly responsible for this function.

Regardless of which department takes the lead on resilience, there was unanimous agreement on the fact that responsibility for resilience should be driven from the executive.

Resilience requires buy-in at the executive level. BS65000 specifically states that the governing body and senior management are jointly and ultimately accountable for ensuring that an appropriate level of resilience is achieved by the organisation alongside other desirable outcomes such as profitability, service delivery, quality, and compliance. Indeed, where necessary, it is their obligation to define the balance of such outcomes.

Supporting standards such as BS16000 Security Management Strategic and Operational Guidance and ISO22301 Business Continuity Management Systems in conjunction with other industry and compliance standards should be used when planning at an operational level: roles, responsibilities, accountability, and ownership should be clearly defined.

4. THE ROLE OF BUSINESS CONTINUITY AND CRISIS MANAGEMENT

89% of respondents consider resilience as either key to maintaining continuity of operations or providing sufficient adaptive capacity to respond to market conditions and business demands. BS65000 guidance on organisational resilience defines resilience as a holistic activity which considers the ability of an organisation to anticipate, prepare for, and respond and adapt to incremental change and sudden disruption in order to survive and prosper.

Organisations should continue to focus on the capacity and capability to respond effectively to disruptive events. The majority of respondents (78%) exercise crisis management or contingency plans on an annual basis, with nearly 20% conducting quarterly exercises.

However, the frequency and impact of disruptive events indicates that either lessons are not being identified and learnt or, as suggested previously, the risk forecasting is leading organisations to prepare for and build capability for managing low likelihood, low impact events. Organisations should review the link between the risk assessment process and the definition of exercise objectives to ensure that capability is being developed appropriately.

[Figure: Business functions with responsibility for resilience - Which function within your organisation is primarily responsible for business resilience planning? Categories: Risk Management, Business Continuity, Operations, Finance, HR, Security department, IT department. Values in extraction order, not matched to categories: 22.2%, 0%, 0%, 2.8%, 23.6%, 13.9%, 37.5%.]

[Figure: Frequency of testing crisis management and contingency plans - How frequently are your Crisis Management Plans or Contingency Plans exercised and validated? Monthly: 3.7%; Quarterly: 18.5%; Annually: 77.8%.]

5. THE IMPORTANCE OF THIRD-PARTY MANAGEMENT

70% of respondents have never been asked or are rarely asked for information on their own resilience planning. Many organisations will seek to understand third party resilience simply through the review of business continuity plans at procurement or contract negotiation stage and whilst this will not provide an in-depth analysis of an organisation’s resilience it does provide some assurance that continuity of operations is being addressed. Alarmingly, however, 35% have never reviewed the business continuity plans of key service providers. This is in spite of the fact that 54% of respondents consider the most disruptive external threats to their organisations as events including loss of utilities, supply chain disruption, outsource failure, and loss of communications. Disruption in the supply chain could result in the failure to meet service level agreements with business partners, inability to meet customer demand, or the high cost of transferring production or distribution to a third party. All this can have a significant reputational impact resulting in the loss of client base and, potentially, a loss of market share which are directly linked to reduced revenue and shareholder value; both significant concerns of over 84% of respondents.

Organisational priorities should be defined to support resilience and inform operational activities with partners and suppliers. Organisations should consider integrating risk management activities and operational disciplines, thereby ensuring that knowledge is actively shared across internal organisational boundaries. This will ensure that risks and opportunities are addressed coherently by all parts of the organisation and externally with supply chain partners. Using an effective risk management methodology such as ISO31000 to identify risk and managing those risks using recognised standards such as BS65000 will enable an organisation to satisfy itself that its relationships with partners, outsourcers, suppliers, and other key stakeholders are sufficiently resilient.

[Figure: Impacts of most concern to business - Which impact would be of most concern to your business? Categories: reputational damage, loss of public trust, reduced revenue, loss of customers/clients, staff loss of confidence in your ability to manage a disruptive event, loss of new business opportunities, reduced shareholder value, increased media scrutiny. Values in extraction order, not matched to categories: 72.7%, 51.5%, 50.0%, 47.0%, 45.5%, 37.9%, 34.8%, 28.8%.]

CONCLUSION

The threat from political and security events has encouraged clients from all sectors to consider the specific threats to their operations and identify areas in which they may be vulnerable. It is clear that many organisations are focussed on the need to become more resilient, but the implementation of supporting strategies and tactics is currently lagging.

There is widespread recognition that building resilience requires organisation-wide action. It is only through the continued engagement with senior leadership that the appropriate capacity, capability, plans, and controls can be put in place to reduce organisational risk exposure to disruptive events. In spite of the fact that most organisations take the issue of resilience seriously there are important gaps in planning and management. A majority of respondents rated themselves as effective at updating and testing their existing plans, but organisations should consider whether they are building capability and experience to respond to the right scenarios.

Organisations should continue to focus on being adaptive and responsive to changing threats. The potential for loss and reputational damage resulting from a failure to protect and prepare an organisation, in terms of damage to assets, lost revenue, and tarnished reputation, is significant.

KEY RECOMMENDATIONS

The top five key recommendations from the survey are as follows:

1. Organisations should look not only at specific threat events which may result in direct disruption to business activity, but should also consider political, economic, social, technological (including cyber-crime), legislative and compliance, and environmental factors which may impact on organisational resilience.

2. Organisations should clearly define who is responsible and accountable for risk management, including risk reporting, monitoring, and ownership.

3. Organisations should build and maintain capacity and capability to respond effectively to disruptive events.

4. Organisational priorities should be defined to support resilience and inform operational activity with partners and suppliers.

5. Organisations should consider integrating the risk management activities and operational disciplines, thereby ensuring that knowledge is actively shared across internal organisational boundaries.

CONTACT THE AUTHORS:

Mark Whyte, Senior Managing Director

Andy Cox, Director

ABOUT THE SURVEY

With an increasing focus on the development of resilience, this global survey was commissioned to gauge opinion on what resilience means for our clients and how it is currently viewed across our contact base. This global survey, conducted between June and August 2015, took the opinion of 83 respondents into account.

While there was a geographical focus on Europe, we had respondents from across the globe, representing all major industries.

The survey has been sent out to many of Control Risks’ clients. We also received huge interest via our social media channels, leading to a wide range of job functions that are represented.

[Figure: Respondents by region - In which region are your headquarters located? Categories: North America, Australia/Oceania, Asia, Middle East/North Africa, Sub-Saharan Africa, Europe, Central America (0%), South America (0%). Remaining values in extraction order, not matched to categories: 3.6%, 2.4%, 6%, 3.6%, 69.9%, 14.5%.]

Respondents by industry - Which of the following best describes the industry of your organisation?

• Retail: 1.2%

• Healthcare: 0%

• Private equity: 1.2%

• Mining: 1.2%

• Aerospace and defence: 2.4%

• Pharmaceuticals: 3.6%

• Non profit: 3.6%

• Engineering and construction: 4.8%

• Technology: 6.0%

• Professional services: 7.2%

• Transportation: 8.4%

• Government and public sector: 8.4%

• Banking and financial: 9.6%

• Manufacturing: 13.3%

• Oil and gas: 20.5%

• Automotive: 2.4%

• Entertainment, media and communications: 2.4%

• Asset management: 1.2%

• Chemicals: 1.2%

• Insurance: 1.2%

Control Risks is a global risk consultancy. We help some of the most influential organisations in the world to understand and manage the risks and opportunities of operating around the world, particularly in complex and hostile markets. Our unique combination of services, our geographical reach and the trust our clients place in us ensure we can help them to effectively solve their problems and realise new opportunities in a dynamic and volatile world. Working across five continents and with 36 offices worldwide, we provide a broad range of services to help our clients to be successful.

Published by Control Risks Group Limited (“the Company”), Cottons Centre, Cottons Lane, London SE1 2QG. The Company endeavours to ensure the accuracy of all information supplied. Advice and opinions given represent the best judgement of the Company, but subject to Section 2 (1) Unfair Contract Terms Act 1977, the Company shall in no case be liable for any claims, or special, incidental or consequential damages, whether caused by the Company’s negligence (or that of any member of its staff) or in any other way. ©: Control Risks Group Limited 2015. All rights reserved. Reproduction in whole or in part prohibited without the prior consent of the Company.