Organisations of all sizes, from all sectors, and based in all countries are at risk of severe disruption from a technology outage or cyber attack. If giants like Facebook and Amazon can fall victim, anyone can.
To reduce the impact from disruptions, many companies have traditionally looked to a risk avoidance strategy; large organisations usually employ risk officers, who identify, and work to avoid, events that could threaten its operations. However, as operational and technological complexity grows, there is emerging consensus that risk avoidance is not enough; it’s no longer a question of if your organisation will suffer an incident, but rather when it will occur. As a result, Chief Resilience Officers and resilience teams have emerged as strategic hires; major players like HSBC, Virgin Money, BNP Paribas and more have recruited for Operational Resilience staff and, according to LinkedIn, over 7,500 Operational Resilience staffers started their roles in the past two years.
The Role of the CRO
Rather than focus solely on avoiding disruption, resilience officers accept that something will go wrong at some point. Their focus is on how to ensure the organisation continues to run smoothly when it does.
Unlike traditional executive officers who are focused on a single function’s goals, the CRO must act as a bridge between these functions. To be effective, CROs should have a top-down perspective of the organisation, sitting directly under the CEO and working hand in hand with executive leaders: with Chief Information and Technology Officers to embed technological resilience into the organisation, with HR leadership to build skills resilience, and more.
A Strategic Imperative
In February 2022, Gartner released a report, Building Organisational Resilience is a Strategic Imperative, which concluded that organisations which do not have a robust resilience plan will struggle. This is due in large part to the changing nature of business: operations get more complex with each year, and there is no question every business will face disruption at some point along their supply and operating line.
This is compounded by the “just in time” strategy many businesses are employing to reduce costs and increase turnover: a single point of delay or disruption will have a domino effect, risking failure along the entire business model.
This interconnectedness means it is imperative to have a joined-up approach to resilience. A siloed approach with isolated initiatives will limit the impact of any resilience measures, as they will not spread throughout the business – therefore underscoring the importance of the CRO working across all departments with the backing of the CEO.
Dimensions of Resilience
Enterprise operations are entwined with technology, so successful resilience strategies will need to have a strong approach to technological continuity. Emphasising the importance of technology resilience to broader operational resilience, the UK and EU are bringing in new Digital Operational Resilience regulations for the financial services sector this year.
There are technologies which can help with this, for example a Digital Platform Conductor (DPC) tool simplifies the management of organisations’ increasingly complex technology environments and can provide not just a unified view of all technologies and applications used by an organisation but also sense disruptions and automatically recover the affected applications to an alternative environment.
However, true resilience reaches across all dimensions of an organisation, to include regulation; continuity; automation; composability; innovation; environmental, social, and governance (ESG); and people.
A recent Grant Thornton study in the US found that ESG plays a larger role in resilience than previously thought. According to the report, organisations which have a strong ESG framework in place are more likely to have considered potential future changes to operating procedures to achieve resilience. They therefore are more likely to succeed in the face of volatility or disruptions.
A Resilience Spectrum
Operational resilience exists along a spectrum. At the riskier end are organisations which are able to survive some disruptions for a limited period, but ultimately are unable to sustain themselves during times of prolonged turbulence. In the middle is a state of ‘Continuous resilience’. Organisations in this state are able to sustain operations and survive disruptions at length. This is the minimum requirement for some regulatory standards such as DORA and FCA, and should be the minimum desired state for organisations looking to improve their resilience.
However, a CRO should seek to move the organisation even further along the spectrum towards antifragility or, ideally, competitive antifragility. This is the pinnacle of resilience in practice, meaning the organisation can become stronger or benefit compared with competitors even in turbulent times. We know the Covid-19 pandemic led to a rise in cyber attacks; who knows what disruptions will come next?
As organisations seek new opportunities to grow, they will be exposed to new external and often uncontrollable forces, increasing their risk surface and opening up new and unknown vulnerabilities. Resilience is a prerequisite for survival in the digital age, but continuous resilience helmed by a Chief Resilience Officer is what will help you thrive.
By Ross Gray, CEO of Cloudsoft.
Cloudsoft is based in Edinburgh and specialises in applications and automation.