www.controlrisks.com © Control Risks Group Limited
THE STATE OF ENTERPRISE RESILIENCE
Resilience Survey 2015
Resilience survey analysis and implications for business
4 April 2016
2 Building resilient organisations © Control Risks Group Limited
What is resilience?
Resilience is an organisation's ability to assess, anticipate, prepare for and recover from disruptive events while creating competitive advantage.
Anticipate: Ability to predict and prepare for events
Recover: Reshape to promote growth and competitive advantage
Respond: Mitigate the impact of those events through preparedness
Preventative: Initially focussed on protection from adverse events that could affect organisational performance.
Adaptive: The concept of resilience has moved on considerably, seeking to enhance capability and capacity to exploit opportunity, while also guarding against threats to business objectives.
What is a resilient organisation?
A resilient organisation is one that has the capability to:
• Withstand sudden shocks - “resilience characteristics”
• Respond to and recover quickly from emergencies - “resilience performance”
And, in the longer term:
• Adapt to changes in the risk environment - “adaptation planning”
And in doing so protects the interests of all stakeholders and creates long term value for the organisation
Adapted from: WEF “Global Risks 2013”
Some background - risk drivers
MANUFACTURED RISK: Advances in science and technology that have in some cases increased the cases of “manufactured risk”
URBANISATION AND POPULATION CONCENTRATION: Concentration of economic activity and population density, coupled with the centralisation of critical systems, heightens the breadth of impact of disruptive events and natural disasters
INCREASE IN NUMBER AND SEVERITY OF NATURAL DISASTERS: The past twenty years have seen a dramatic increase in the number, severity and casualties of natural disasters
INCREASING INTERCONNECTEDNESS: Heightened mobility of goods, capital, people and information
INTERDEPENDENT ECONOMIES: Growing interdependence of production, delivery systems and supply chains
INCREASE IN PUBLIC EXPECTATION: Recent years have seen a rise in public expectation for governments to manage and prevent risk
ADVANCED PERSISTENT THREAT DEFENCES: Strength of processes to protect against and detect advanced persistent threats
Building resilience for what kind of risks?
Adapted from Cambridge University Risk Centre Taxonomy
Resilience Survey Findings
Our resilience survey 2015: summary
Our global survey found that 52% of respondents felt that their organisations captured global risk and opportunities well, however…
Risk monitoring and analysis
“Although the majority of companies are committing resources to monitoring incidents and trends, we found a disconnect between monitoring and risk analysis and the timely adjustment of risk mitigation strategies to reflect changes in the operating environment.”
Our experience
Many organisations naturally monitor risk on a regular basis – but consistent with our global research, this good information is often not analysed and translated into action to reduce risk and exploit opportunity.
Recommendations
1) Confirm strategy and risk management activity are effectively linked from the executive – this is particularly important for dynamic markets
2) Avoid simply updating old risk assessments
3) Build capacity and capability in operational teams
4) Set targets and measure maturity levels
Responsibility for resilience
“Companies address the challenge of resilience in different ways, but there was unanimous agreement on the fact that responsibility for resilience should be driven from the executive.”
Our experience
• Despite risk being an issue that should be linked to strategy, risk and resilience activity is often compliance-driven
• Corporate/Group policy
• Often inadequate structure to seek and exploit opportunity in a risk-based manner
Recommendations
Companies can refresh approaches intended to focus on compliance in order to capture opportunity. This should be supported by building capacity through the organisation (as opposed to a ‘risk manager’ driving all activity).
Politics creates risk to business
“Companies are concerned about both direct political risks to their business and the impact of political instability on the broader security environment.”
Our experience
• Many companies have dedicated teams in place to address security, long a serious issue in the country.
• Existing teams are often configured based on legacy
• Many companies are typically considerably less adept at addressing political risks
Recommendation
Significant change in the political and business environment is underway. Companies should assess how key objectives could be affected. Begin by mapping stakeholders and ensure findings are included in risk management plans. Adopt a multi-pronged approach to mitigate risk and exploit opportunity.
Crisis management effectiveness
“The frequency and impact of disruptive events indicates that either lessons are not being identified and learnt or, as suggested previously, the risk forecasting is leading organisations to prepare for and build capability for managing low likelihood, low impact events.”
Our experience
Many companies often have good incident management, which is generally tested on a regular basis. But we also find that:
• Lessons are often not then translated into action.
• When looking ahead and building capacity, there tends to be focus on previous experience, at the expense of forecasting and potential harm to objectives, based on likelihood and impact
Recommendations
• Enhance maturity of forecasting, catering for a range of external and internal contextual factors
• Stress-test incident- and crisis-response capabilities
Reliance on 3rd parties
“35% have never reviewed the business continuity plans of key service providers. This is in spite of the fact that 54% of respondents consider the most disruptive external threats to their organisations as events including loss of utilities, supply chain disruption, outsource failure, and loss of communications.”
Our experience
Control Risks has found that organisations are increasingly relying on 3rd parties to enhance performance and enable them to focus on core business.
In some countries, we find persistent and pervasive challenges associated with the 3rd-party supplier / host community nexus
Recommendations
• Take a more active role in third-party management, to include deeper technical diligence
• Combine use of ‘best practice’ contractual clauses and performance management with relationship-building and incentives
• Forecast what external pressures may necessitate increased reliance on third parties
Control Risks’ 2015/16 business attitudes to corruption survey also found third parties to be a major source of risk. Effective procedures and management can drive performance and enhance compliance objectives.
Our resilience survey 2015:
We identified five key observations about the state of resilience.
• There is a disconnect between risk monitoring and analysis
• Companies are concerned about ability to anticipate change and adapt; resilience should be driven from the executive and embedded across the organisation
• Respondents are concerned about political risks to their business and the impact of political instability on the broader security environment
• There are opportunities for improvement in how companies respond to disruptive events. This may be because of inadequate forecasting or may be a result of focussing on incidents rather than crisis capability
• Most companies regard key disruptive events as relating to service providers, but there is a lack of due diligence regarding business continuity arrangements of third parties
Summary
Questions?
Andy Cox
Director
Andy.cox@controlrisks.com

#Corpriskforum2016 - Andy Cox
