A survey of how companies monitor and analyse the risk landscape, organisational risk governance, and the gap between theoretical understanding and practical application.
The State of Enterprise Resilience - Resilience Survey 2015
TABLE OF CONTENTS
FOREWORD
INTRODUCTION
Key findings
THE STATE OF ENTERPRISE RESILIENCE
1. Translating the threat: the important “so what?” analysis
2. The impact of political instability
3. Governance and ownership: the importance of senior level responsibility
4. The role of business continuity and crisis management
5. The importance of third-party management
CONCLUSION
Key recommendations
ABOUT THE SURVEY
FOREWORD
With increasing globalisation and economic interconnectivity has come increased risk for businesses. It is through
these interconnected pathways that risk to organisations can accumulate, propagate, and potentially culminate in a
much greater scale of effects. What would previously have been isolated risk events can now have an impact far
beyond their immediate confines, extending across geographical areas, national borders, and continents.
Over the last decade we have also witnessed developing interest in the concept of organisational resilience as a
means of successfully navigating an increasingly complex risk landscape. For many though it remains a nascent and
sometimes poorly understood idea; for relatively few it has evolved into an all-encompassing approach spanning all
business functions and extending to supply chains and other third-party providers.
At Control Risks we define resilience as the ability of an organisation to assess, anticipate, mitigate, and recover from
disruptive events. This in turn helps drive stakeholder value. In summer 2015 we conducted a global resilience survey
across our client base and wider contacts in order to gain a better understanding of the degree to which the concept
of resilience has gained currency and become embedded within organisations. We sought to address issues such
as how companies monitor and analyse the risk landscape, organisational risk governance, and the gap between
theoretical understanding and practical application. The findings from the survey are discussed and analysed in this
report and provide a comprehensive view of the state of resilience in respondent organisations.
INTRODUCTION
The success of an organisation is intrinsically linked to its ability to identify and successfully manage risk.
With an increasing focus on resilience in the market, this survey examines the range of understanding and
capability within organisations to identify, interpret, and prioritise threat and risk as well as the organisation’s
ability to develop adaptive strategies and its capacity for managing risks.
It is clear that resilience, and initiatives to support it, is increasingly on the corporate agenda. There are, however, a
significant number of organisations that continue to experience disruption, implying that risk forecasting and
preparation are inadequate. Risk information appears to be poorly communicated within organisations, thereby limiting
the ability to build resilience to disruptive events.
KEY FINDINGS
• The gap between monitoring and effective analysis. Many organisations are proactive in risk monitoring, but still
86% of respondents experienced some form of disruption in the last five years. This highlights the disconnect
between the identification of risks and the timely adjustment of risk mitigation strategies to reflect changes in the
operating environment.
• The importance of top level responsibility. 60% of all respondents indicated that potentially the most disruptive
internal challenge facing their organisation was the ability to anticipate change and adapt quickly. To build
sufficient adaptability, resilience should be driven from the executive and embedded across the organisation.
• The role of business continuity and crisis management. The majority of respondents (78%) exercise crisis
management or contingency plans on an annual basis, with nearly 20% conducting quarterly exercises.
However, the frequency and impact of disruptive events indicate that either lessons are not being identified and
learnt through training, or that risk forecasting is leading organisations to prepare for low likelihood, low impact
events whilst remaining unprepared for higher impact and likelihood events.
• The impact of political instability. 62% of respondents indicated that they were concerned about both direct
political risks to their business and the impact of political instability on the broader security environment.
Respondents rated political and security instability considerably higher than macroeconomic volatility.
• The importance of third-party management. Whether it is about being a “third party” or managing their own
suppliers and providers, resilience is rarely on the agenda when discussing projects and contracts, with 35% of
respondents having never reviewed the business continuity plans of key service providers.
THE STATE OF ENTERPRISE RESILIENCE
1. TRANSLATING THE THREAT: THE IMPORTANT “SO WHAT?” ANALYSIS
68% of respondents state that their organisation monitors and analyses risks, conducting forecasts for up to five
years. However, disruptive events continue to have a significant impact on business performance. This means that
although the majority of companies are committing resources to monitoring incidents and trends, the survey
appears to show a disconnect between monitoring and risk analysis and the timely adjustment of risk mitigation
strategies to reflect changes in the operating environment.
The survey results underline this as follows: 86% of respondents experienced some form of disruption in the last
five years. 28% experienced more than seven disruptive events in this time period. The impact of these events
on respondents has been significant: 37% of respondents faced events with an average financial loss in excess
of £1m.
The survey results imply that organisations should address the question of when, not if, a disruptive event will take
place. Whilst the majority of respondents rated themselves as capable of responding to an event, their apparent
ability to capture risk and forecast is limited.
Respondents stated that they monitor threats to their organisation long in advance, but evidence from this survey
would indicate that they are either not monitoring for the most relevant threats or being provided with
analysis that is inadequate for planning and preparing robust contingency options. Organisations should
examine specific threat events which may result in direct disruption to business activities including political,
economic, social, technological (including cyber-crime), legislative and compliance, and environmental factors
which may impact on organisational resilience.
[Figure: Organisational risk monitoring - To what point in the future are risks monitored and analysed within your organisation? Time horizons shown: 1 month ahead, 3 months ahead, 6 months, 12 months, 2 years, 5+ years.]
Organisational capability to respond to disruptive events - How would you rate the capability and experience within your
organisation to manage disruptive events? (1 = insufficient; 5 = highly capable)
Rating 1: 7%
Rating 2: 9%
Rating 3: 14%
Rating 4: 28%
Rating 5: 42%
Many risks are interrelated and can often be the driver behind political instability and a change in the security
environment. These may prove to be either positive opportunities or negative business risks and should be
considered accordingly.
2. THE IMPACT OF POLITICAL INSTABILITY
62% of respondents indicated that they were concerned about both direct political risks to their business and the
impact of political instability on the broader security environment. Respondents rated political and security instability
considerably higher than macroeconomic volatility.
In our view this underlines two trends: respondents are increasingly aware of the interconnected nature of risk and
acknowledge the significant impact of political instability on the wider operating environment. Organisations are
increasingly seeking to avoid instability in the macro environment resulting from political gridlock, extremism, and
political dysfunction as this will have an impact on everything from profits and operations to the working conditions
of employees. Organisations should be prepared to manage both the local and international outcomes of political
legislation that can affect the relationship between the firm and its customers, its suppliers, and other firms.
[Figure: Factors to monitor and analyse - Political, Legislative, Compliance, Environmental, Economic, Social, Technological (including cyber risks).]
[Figure: Most disruptive external threats - What do you consider to be the most disruptive external threats to your organisation’s business over the next 5-10 years? Threats shown: political and security instability; transport disruption; loss of utilities (power/water etc); pressure group protest; outsource service failure; loss of telecommunications; changes in the labour market; currency volatility; regulatory change; changing competitive landscape; security/terrorism incident; macroeconomic uncertainty; changing market dynamics; supply chain disruption; impact of natural hazards.]
Organisations should identify relevant political threats and then continuously analyse the trends that underlie these
threats with an appreciation and understanding that threat categories are usually interconnected. There are a
number of political risk indices that provide an idea of the risk exposure an organisation faces in certain countries
that may act as a useful guide.
3. GOVERNANCE AND OWNERSHIP: THE IMPORTANCE OF SENIOR LEVEL RESPONSIBILITY
Organisations should be clear about who is responsible
and accountable for risk management, including risk
reporting, monitoring, and ownership.
All functions within an organisation should remain
sufficiently flexible and adaptable to respond to
disruptive events. There was little agreement amongst
respondents on which function should lead resilience
programmes: 37% of respondents considered business
resilience planning as a function of risk management
and 22% of respondents stated that the security
department is directly responsible for this function.
Regardless of which department takes the lead on
resilience, there was unanimous agreement on the fact
that responsibility for resilience should be driven from
the executive.
Resilience requires buy-in at the executive level.
BS65000 specifically states that the governing body
and senior management are jointly and ultimately
accountable for ensuring that an appropriate level of
resilience is achieved by the organisation alongside
other desirable outcomes such as profitability, service delivery, quality, and compliance. Indeed, where
necessary, it is their obligation to define the balance of such outcomes.
Supporting standards such as BS16000 Security Management Strategic and Operational Guidance and ISO22301
Business Continuity Management Systems, in conjunction with other industry and compliance standards, should be
used when planning at an operational level: roles, responsibilities, accountability, and ownership should be clearly defined.
4. THE ROLE OF BUSINESS CONTINUITY AND CRISIS MANAGEMENT
89% of respondents consider resilience as either key
to maintaining continuity of operations or providing
sufficient adaptive capacity to respond to market
conditions and business demands. BS65000 guidance
on organisational resilience defines resilience as a
holistic activity which considers the ability of an
organisation to anticipate, prepare for, and respond
and adapt to incremental change and sudden
disruption in order to survive and prosper.
Organisations should continue to focus on the
capacity and capability to respond effectively to
disruptive events. The majority of respondents (78%)
exercise crisis management or contingency plans on
an annual basis, with nearly 20% conducting
quarterly exercises.
[Figure: Business functions with responsibility for resilience - Which function within your organisation is primarily responsible for business resilience planning? Functions shown: Risk Management, Business Continuity, Operations, Finance, HR, Security department, IT department.]
Frequency of testing crisis management and contingency plans - How frequently are your Crisis Management Plans or
Contingency Plans exercised and validated?
3.7% MONTHLY
18.5% QUARTERLY
77.8% ANNUALLY
However, the frequency and impact of disruptive events indicate that either lessons are not being identified and
learnt or, as suggested previously, the risk forecasting is leading organisations to prepare for and build capability for
managing low likelihood, low impact events. Organisations should review the link between the risk assessment
process and the definition of exercise objectives to ensure that capability is being developed appropriately.
5. THE IMPORTANCE OF THIRD-PARTY MANAGEMENT
70% of respondents have never been asked or are rarely asked for information on their own resilience planning.
Many organisations will seek to understand third party resilience simply through the review of business continuity
plans at procurement or contract negotiation stage and whilst this will not provide an in-depth analysis of an
organisation’s resilience it does provide some assurance that continuity of operations is being addressed.
Alarmingly, however, 35% have never reviewed the business continuity plans of key service providers. This is in
spite of the fact that 54% of respondents consider the most disruptive external threats to their organisations as
events including loss of utilities, supply chain disruption, outsource failure, and loss of communications.
Disruption in the supply chain could result in the failure to meet service level agreements with business partners,
inability to meet customer demand, or the high cost of transferring production or distribution to a third party. All
this can have a significant reputational impact resulting in the loss of client base and, potentially, a loss of market
share which are directly linked to reduced revenue and shareholder value; both significant concerns of over 84%
of respondents.
Organisational priorities should be defined to support resilience and inform operational activities with partners and
suppliers. Organisations should consider integrating risk management activities and operational disciplines, thereby
ensuring that knowledge is actively shared across internal organisational boundaries. This will ensure that risks and
opportunities are addressed coherently by all parts of the organisation and externally with supply chain partners.
Using an effective risk management methodology such as ISO31000 to identify risk and managing those risks using
recognised standards such as BS65000 will enable an organisation to satisfy itself that its relationships with
partners, outsourcers, suppliers, and other key stakeholders are sufficiently resilient.
Impacts of most concern to business - Which impact would be of most concern to your business?
72.7% REPUTATIONAL DAMAGE
51.5% LOSS OF PUBLIC TRUST
50.0% REDUCED REVENUE
47.0% LOSS OF CUSTOMERS/CLIENTS
45.5% STAFF LOSS OF CONFIDENCE IN YOUR ABILITY TO MANAGE A DISRUPTIVE EVENT
37.9% LOSS OF NEW BUSINESS OPPORTUNITIES
34.8% REDUCED SHAREHOLDER VALUE
28.8% INCREASED MEDIA SCRUTINY
CONCLUSION
The threat from political and security events has encouraged clients from all sectors to consider the specific
threats to their operations and identify areas in which they may be vulnerable. It is clear that many
organisations are focussed on the need to become more resilient, but the implementation of supporting
strategies and tactics is currently lagging.
There is widespread recognition that building resilience requires organisation-wide action. It is only through the
continued engagement with senior leadership that the appropriate capacity, capability, plans, and controls can be
put in place to reduce organisational risk exposure to disruptive events. In spite of the fact that most organisations
take the issue of resilience seriously there are important gaps in planning and management. A majority of respondents
rated themselves as effective at updating and testing their existing plans, but organisations should consider whether
they are building capability and experience to respond to the right scenarios.
Organisations should continue to focus on being adaptive and responsive to changing threats. The potential for loss
and reputational damage resulting from a failure to protect and prepare an organisation, in terms of damage to
assets, lost revenue, and tarnished reputation, is significant.
KEY RECOMMENDATIONS
The top five key recommendations from the survey are as follows:
1. Organisations should look not only at specific threat events which may result in direct disruption to business
activity, but should also consider political, economic, social, technological (including cyber-crime), legislative
and compliance, and environmental factors which may impact on organisational resilience.
2. Organisations should clearly define who is responsible and accountable for risk management, including risk
reporting, monitoring, and ownership.
3. Organisations should build and maintain capacity and capability to respond effectively to disruptive events.
4. Organisational priorities should be defined to support resilience and inform operational activity with partners
and suppliers.
5. Organisations should consider integrating the risk management activities and operational disciplines, thereby
ensuring that knowledge is actively shared across internal organisational boundaries.
CONTACT THE AUTHORS:
Mark Whyte, Senior Managing Director, mark.whyte@controlrisks.com
Andy Cox, Director, andy.cox@controlrisks.com
ABOUT THE SURVEY
With an increasing focus on the development of resilience, this global survey was commissioned to
gauge opinion on what resilience means for our clients and how it is currently viewed across our contact
base. This global survey, conducted between June and August 2015, took the opinion of 83 respondents
into account.
While there was a geographical focus on Europe, we had respondents from across the globe, representing all
major industries.
The survey has been sent out to many of Control Risks’ clients. We also received huge interest via our social media
channels, leading to a wide range of job functions that are represented.
[Figure: Respondents by region - In which region are your headquarters located? Regions shown: North America, Australia/Oceania, Asia, Middle East/North Africa, Sub-Saharan Africa, Europe, Central America (0%), South America (0%).]
Respondents by industry - Which of the following best describes the industry of your organisation?
1.2% RETAIL
0% HEALTHCARE
1.2% PRIVATE EQUITY
1.2% MINING
2.4% AEROSPACE AND DEFENCE
3.6% PHARMACEUTICALS
3.6% NON PROFIT
4.8% ENGINEERING AND CONSTRUCTION
6.0% TECHNOLOGY
7.2% PROFESSIONAL SERVICES
8.4% TRANSPORTATION
8.4% GOVERNMENT AND PUBLIC SECTOR
9.6% BANKING AND FINANCIAL
13.3% MANUFACTURING
20.5% OIL AND GAS
2.4% AUTOMOTIVE
2.4% ENTERTAINMENT, MEDIA AND COMMUNICATIONS
1.2% ASSET MANAGEMENT
1.2% CHEMICALS
1.2% INSURANCE