Saturday, November 30, 2019

Enterprise Resilience: Compete or Die...

Enterprise Resilience is the road to competitiveness. It is the global answer to many of the Chief Security Officers (CSO) who have faced the troublesome battle of selling more "Fear and Doubt" to the CEO and Board of Directors.

The 34th Overseas Security Advisory Council event was held the week before Thanksgiving as usual.  Yet flashback to when Deborah Wince-Smith stood up on the stage at the 21st Annual Security Briefing at OSAC on November 16th, 2006, when her words were music to our ears:

"It is undeniable that the world has gotten more risky. Businesses now function in a global economy characterized by increasing uncertainty, complexity, connectivity and speed. Managing this rapidly changing risk landscape is an emerging competitiveness challenge—a challenge that demands resilience: the capability to survive, adapt, evolve and grow in the face of change. The Council on Competitiveness is proud to offer this report, which promotes a strategy of resilience for both the public and private sectors a strategy with clear benefits for our companies’ competitiveness and our nation’s homeland security."


On the doorstep of 2020, globalization, technological complexity, interdependence, and speed of digital information are fundamentally changing the kind of risks and competitive challenges that companies— and countries—face.

Failure, whether by attack or accident, can spread quickly and cascade across networks, borders and societies.

Increasingly, disruptions can come from unforeseen directions with unanticipated effects. Global information and transportation networks create interdependencies that magnify the impact of individual incidents. These new types of risk, demand new methods of Risk Management.

Was this a way for the Chief Security Officers of the Fortune 500 to finally shift their thinking from protection to something less macho? How could "Resilience" become a platform for a mind set shift to justify new funding?

After all, now we aren't trying to scare people into the "Low Probability - High Impact" incidents anymore and focusing in on the high probability incidents, that may have enough impact to cause a significant business disruption.

What are the incidents and areas of risk that insurance won't touch these days? If the insurance companies can write the policy to give you peace of mind, then is this necessarily an area that you can ignore, because you have transfered the risk to someone else?  Maybe not.

Being agile, ready and capable of a quick recovery is what competitiveness is all about, on the field, on stage or around the table in the Board Room. Working towards control and protection while fear builds in the back of your mind makes you stiff, depletes your energy and creates doubt.

And when you are operating a business or standing on the tee of your first sudden death hole on any PGA weekend, you better have resilience.

The business equivalent to Homeland Security and Critical Infrastructure Protection is Operational Risk Management (ORM)—a domain that many executives see as the most important emerging area of risk for their firms. Increasingly, failure to plan for operational resilience can have “bet the firm” results.

Back in 2000, the Meta Group (now owned by Gartner) did a study on the cost of "An hour of computer downtime by industry group". These numbers are now 19 years old:
INDUSTRY SECTOR (Millions)
  • Energy - $2.8
  • Telecommunications - $2.0
  • Manufacturing - $1.6
  • Financial Institutions - $1.4
  • Information Technology - $1.3
  • Insurance - $1.2
  • Retail - $1.1
  • Pharmaceuticals - $1.0
  • Banking - $0.996
We all know that it costs lot of money to have any systems downtime, that's why so many dollars have been invested in Disaster Recovery (DRP) and other Business Continuity Planning (BCP).

Yet is this the kind of resilience that is going to make you more competitive, to seize more opportunities? The economics of resilience are more than investing for the likely or unlikely information systems incident (ransomware) that will attack your organization tomorrow.

The threat of Tort Liability and the loss of reputation is top of mind these days with every major global company executive. The threat is real and increasing at a faster rate than many other real operational risks to the enterprise. Litigation from regulators, class actions and competitors has given the term "Legal Risk" new emphasis and meaning.

Once corporate management understands the need for a "Resilience" mentality in place of a "Protection" mental state, a new perspective is found. Investing in the vitality, agility and competitive capabilities of the organization sounds and is more positive.

It alleviates the fear of doom and gloom and inspires new found innovation. The future of your organizations longevity and in its adaptability, can be achieved with a new perspective.

Compete or die.

"Enabling Global Enterprise Business Resilience
" is just the beginning...