Rethinking resilience

What does today’s external environment and its rapidly evolving risks mean for business resilience? Organisations of all types are now having to grapple with high impact, severe events at a pace that has been amplified by the move to digital. So how can business leaders move to an agile mindset that lets them respond and maintain reputation and trust with investors and the public?

Host Emily Khan is joined by Paul Williams, formerly of the Bank of England PRA and special adviser on the topic of resilience, and PwC Crisis and Resilience partner Bobbie Ramsden-Knowles to explore the case for looking at resilience differently.


Paul Williams, Emily Khan, Bobbie Ramsden-Knowles

Emily Khan:

Hello, I'm Emily Khan, and I'm your host for today's episode of Business in Focus. The theme for our discussion today is resilience, and I am delighted to be joined by Paul Williams and Bobbie Ramsden-Knowles to talk about why that's such an important topic for all types of organisations right now. Paul, Bobbie, thank you so much for joining me today for a really important conversation about resilience. Before we get started, Paul, why don't you introduce yourself?

Paul Williams:

Hello, Paul Williams, formerly of the Bank of England PRA, I'm here today in a personal capacity as a special advisor to PwC.

Emily:

Brilliant, thank you very much for joining us. Bobbie, how about you?

Bobbie Ramsden-Knowles:

Hi, I'm Bobbie Ramsden-Knowles, partner at PwC in our crisis and resilience practice.

Emily:

Fantastic, well, thank you so much for being here today. On this Business in Focus series, we've talked a lot about risks of different kinds throughout the series, and increasingly we're starting to talk about resilience in response to these risks, so I'm delighted that you're here today to talk about what it might mean to re-think resilience. That's a phrase that we use a lot at the firm. Paul, given your wealth of experience, I'd love for you to, kind of, kick us off with a case for looking at resilience differently in the current context. What do you think?

Paul:

Great, thank you. Well, I think it's important to draw a distinction between financial resilience and non-financial resilience, and a lot of my comments will be through the lens of financial services, but a lot of the content is applicable outside of financial services. So, what we're specifically concerned with here is operational resilience, and why that matters as much as financial resilience does. That I think is to do with the way financial systems have evolved over the last decade. The economy, in general, has evolved, so digitisation of services has occurred allowing services to be delivered more quickly, more easily and more cheaply online to users within the financial system, without the real economy. That means the relationship between the real economy and the financial system has fundamentally changed over the last decade, so if you give people the ability to transfer money in seconds, they will come to rely on the fact that they can transfer money in seconds. If that then fails because of an operational issue, you can have a real harm issue occur quite quickly, public opinion certainly gets outraged quite quickly. Then if you amplify that through the lens of social media and recognise that the financial system is one that's built upon trust, you can get a financial crisis evolve much more quickly, perhaps, through non-financial interruptions than perhaps you could in the past.

Emily:

Okay, that makes a lot of sense, although some quite, kind of, stark messages there about how quickly things can unfold and the impact on reputation. Bobbie, how does that come to bear in your world?

Bobbie:

I think just to go back to that re-think resilience, I think that the reason organisations have to do that now, and not just those in financial services, is because the external environment has just changed so rapidly. We are seeing so many different types of high-impact events impacting organisations right now. They are the severe scenarios that were on risk registers for years but are absolutely plausible now. So, as a result of that, organisations have to accept we're operating in an environment which is really, really challenging, and actually these disruptive events are going to happen and the question therefore is are you resilient to be able to adapt and respond and be agile to those disruptor events, or if you can't, do you have the appropriate crisis response mechanism in place in order to maintain trust with stakeholders. The final thing I would say is I think in amongst all of that complexity we also have an environment where quite rightly consumers, stakeholders, communities, expect more of business now. They expect business to be responsible.

Emily:

Yes, absolutely. I noticed in both of your answers you touched on financial services, and clearly your background, Paul, is in financial services, our global risk survey from this year has identified a top 10% of organisations that are really getting this right and are reaping the rewards of a strategic approach to risk and resilience. Would you say that top 10% is financial services? Is that where people should be looking for the example of what good looks like in terms of resilience?

Paul:

I think financial services has done something very interesting and innovative with its latest policy, which financial services firms are now implementing, and that is to bring a degree of simplification to what is an extremely complex problem. So, the financial system in the UK is one that's built on principles and outcomes, that means we're not very prescriptive and we're not standards-based around how these complex issues in firms should be resolved. I think that's an innovative and interesting lens. That said, firms outside of financial services, I think, have been embracing resilience for a very long time, particularly those industries where life safety is a key issue, you'll find a heavy focus on resilience. Perhaps in the energy sector, again, where there's a life safety or a significant environmental risk. I think there's plenty of innovation there, and what we've tried to do is learn from those observable capabilities within those kinds of firms, and then the financial services translate that into some principles and outcomes, which, if implemented, will drive a high degree of introspection in firms around how are they really approaching non-financial risk and do they need to be thinking about it differently.

Emily:

I definitely recognise what you're saying there about, for instance, energy companies. In my career, I've had some time working with oil and gas field services, and there is a noticeable culture from the minute you walk into reception and you're greeted as a guest, the focus on your safety whilst you're on their premises is everywhere. Is that a big aspect in resilience, in your experience, that companies need to be factoring into this challenge at the moment?

Bobbie:

As in the health and safety or the-,

Emily:

Well, the cultural, kind of-,

Bobbie:

Culture is absolutely fundamental to it, and I think actually what a lot of organisations can learn from financial services is actually how do you apply and build resilience top-down? How do you factor or build resilience in decision-making and into the culture of an organisation so you're driving the right behaviours right through the organisation? That requires, for me, an enterprise resilience mindset, and actually, that conversation needs to start at the C suite and the board level. What we're still seeing is perhaps, you know, the conversation still in some ways is focused on, say, business continuity or IT disaster recovery in silos, it's not thought of from an enterprise-wide point of view. Actually, now that conversation to drive that culture needs to happen at the C suite and the board level from an enterprise-wide perspective.

Paul:

There are a number of reasons for that. So, there's a tendency to see business continuity, for example, IT risk management, third-party risk management, various other forms of non-financial risk management as hygiene activities, things that you need to do but that don't necessarily create a competitive advantage if you do them well. There's a tendency in business leaders then to delegate the execution of those things to specialist functions within the organisation. The risk with that of course is that delegation can quickly become abdication, so you end up with business leaders who are somewhat disconnected from the reality of the really challenging decisions which need to be made by those infrastructure teams within the organisation. Then the cultural point is fundamental to that because what will underpin most of the way those functions work is a risk-based approach to prioritising which risks need to be mitigated, which ones can be risk-accepted. The risk acceptance point I think is where the difficulty lies and where thinking about resilience in a new way needs to change. It seems to be true that there's an increasing occurrence of what might historically be described as low probability but high impact events crystallising in the real world.

Emily:

Yes, pandemics, for instance.

Paul:

Pandemics, wars in Europe, these kinds of things would be in the low probability but high impact category. The trouble with that is that risk frameworks have a tendency then to ignore them, and that can lead to risk blindness within firms, such that when those events crystallise, firms actually are just unprepared for how to deal with them. So, getting an organisation to shift its mindset from a probability mindset to a plausibility mindset is not something that you can easily do from the ground up, it's something that needs to be led from the top-down, from a cultural, from a tonal messaging point of view because people will need permission to engage in that way of thinking. There can be incentive issues within the organisation. If you're working in a technical function or a risk management function and you've been given some budget to address an issue, the expectation is you will have addressed that issue. To be able to then turn around and say, 'Well, there's still a plausible case where that event may crystallise,' may have consequences from a personal performance reward remuneration point of view. So, having the right culture that can embrace those kinds of challenging conversations is really important, and that can't be done without the right culture in the organisation to allow it.

Emily:

There are a lot of parallels between what you've just said and the global risk survey that I've already mentioned, and two findings in particular that resonate. One is a recommendation to double down on the risks that really matter, which I think you've, kind of, flagged there in these risks not to be ignored just because they're low probability but also that risk management's a team sport. I think that point that you've just made around a culture, that the functional ownership, we need to work across those functional boundaries to share some of these more complex scenarios where the risk will be felt system-wide and beyond the organisation.

Paul:

There's a really important point in there as well, which is emphasising that plausibility over probability point, that if you look at what we've done within financial services, there are really only two significant innovations in the policy. One of them is that firms must now work on the basis that bad things will happen, so to think beyond that probability context. Certainly, my experience is that you have to shift your mindset from, 'It could happen,' to, 'It might happen, and what are we going to do if it does?' allows you to have a completely different set of conversations. If you're going to engage with a risk function that says, 'Yes, but that's unlikely to happen and we think we've got that risk well-mitigated,' if you then have permission to say, 'I'm sure you have, but what if it did? What would you do then?' can unlock a whole series of conversations and explorations around organisational capability that would be ignored if you didn't have that conversation.

Emily:

I think also what we were talking about previously, Paul, is that actually that then drives the conversations around, 'Are we going to be efficient or are we going to make further investment into being more resilient? So, if we have an impact to our supply chain, for example, are we going to accept that the risk might happen and therefore invest in another supplier or are we going to accept, actually, that that risk might happen and decide not to because we want to be more efficient?' Actually, that whole conversation really needs to start to happen to change resilience in organisation, and what I think we're going to start to-, we've already seen is actually the call from investors to actually think about and consider how resilient organisations are as well.

Paul:

That touches on a really important point as well, which is why the cultural point and the tone from the top is so important in terms of how organisations think about things, and this is where I think you can go beyond financial services and think about things. So, if you think about supply chains and optimising supply chains, we're very familiar with the just-in-time concept of optimising supply chains, okay? I'm always struck by the phrase, 'What about just-in-case?' relative to how you manage supply chains. That pushes you towards a challenging business issue which is resilience broadly comes from the presence of substitutes. Now, if you're not careful, that substitute conversation can drive very quickly towards a duplicate conversation, thinking that you need to duplicate suppliers, for example, in the supply chain context, or technology systems in the technology context. If you're a cost-constrained organisation, and which organisation isn't cost-constrained these days, then there are some really hard choices to be made around where are you going to invest in non-financial resilience and at what cost relative to where that investment could be made in advancing business value in other ways. That is not something that the organisation could do without the executive being brought into that discussion and making it clear that that needs to be a balanced discussion within the organisational culture.

Emily:

I think that's at the heart of the issue in, you know, the current climate where a lot of businesses are under pressure as a result of cost of living and all of those kinds of economic forces that are driving difficult choices in business, the value of resilience is almost a new lens on it that we haven't necessarily always talked about in the past. We're talking about some quite big questions though now, and I'm keen that we get to some concrete first steps that people could take if they wanted to start looking at this. What would you do first? Bobbie, I'm going to ask you that question first. So, if you were faced with wanting to build in greater resilience, where would you start?

Bobbie:

I think just having an idea of actually how resilient you are to start with is a really useful point, and I would actually focus on the operational resilience part first. Of course, when you talk about enterprise resilience, we're looking at operational resilience, financial resilience, strategic resilience, but actually the operational resilience is understanding that, particularly those organisations that are outside financial services, and actually learning from the approach that FS has taken, I think, is a really good starting point. The other thing I would say is a lot of organisations are starting to, again, outside financial services, stand up resilience functions and bring together business continuity, crisis management, ITDR, because they've actually been sat separately across the organisations. Actually, there's a real need to bring that together, to build the case for resilience, and also to understand where is your level of maturity right now.

Emily:

Brill, thank you, Bobbie. Paul, anything you'd add?

Bobbie:

Yes, two things. (1) firstly, make sure the organisation has an ambition to be resilient, operationally resilient in the first place, and make sure that's part of the stated business objectives from the board through the rest of the organisation. That's important, and we've touched on it so far, the business case for resilience can be somewhat elusive, perhaps. I would describe that operational resilience is fundamentally a choice, it's a business choice as to whether you want to be operationally resilient or not. There are two things that influence that choice though, one is if you're in financial services now, that choice is eliminated because you've got a regulatory imperative to be operationally resilient, so if you're outside of financial services and you don't have a regulatory imperative for operational resilience, what's your business case? The business case I think there is cyber and managing cyber risk, and I think cyber risk eliminates the optionality around operational resilience because if you describe the capabilities an organisation needs to have to be cyber resilient, what you actually do is describe the capabilities they need to have to be operationally resilient. So, they're different sides of the same coin. Then having made that choice, and this is exactly the problem we wrestled with when we were thinking about the regulations for financial services, it's an incredibly complex problem, and you've got lots of organisations of different sizes, scales and maturities all trying to address the issue. So, trying to prescribe a standardised basis for implementing resilience, I think, is almost impossible. What occurs to me though is if you've got a really complex problem, if you can't simplify the problem, then simplify how you look at it. In the context of resilience, and what we've asked financial services firms to do, that first step is understanding what they care most about. 
So, if you want to be resilient, the first step is, 'Well, what do you want to be resilient?' Back to our prior point around resilience has a cost and there can be a duplicate conversation, you don't need to make everything the organisation does resilient, but you need to pick which of those things it does that you want to be resilient. That's best done through the lens of business outcomes, 'What is it our business does and what services does it provide to external customers? That surely is what our business should care most about.' So, simplify your organisation, identify what you care most about.

Emily:

That feels like a brilliant place to draw the circle back around to where we started, which is in this environment, what our customers and stakeholders think of us matters more than ever before. We've had some great practical tips from you both along the way, thank you both very much, and thank you everyone else for joining. If we have whetted your appetite to hear more on the theme of resilience, please do take a look at PwC.co.uk/rethinkrisk, where you can find the Global Risk Survey 2022 that I mentioned, and a lot more on resilience coming soon. Thanks again, bye for now.

Participants

  • Emily Khan
  • Paul Williams
  • Bobbie Ramsden-Knowles