The Black Swan Is Dead – The Case for Operational Resilience (Part 1)

April 8, 2021
Jennifer Bisceglie

What is Operational Resilience?

Operational resilience is the ability of a commercial or public sector organization to continue to provide its products or services in the face of adverse market or supply chain events (“shocks”). Given the remarkable disruptions of the past year, you know if your supply chain is resilient or not. An organization lacking operational resilience:

  • Scrambles to cope with events as they happen
  • Wastes resources because of siloed teams, duplicated efforts, or poor communication
  • Suffers brand damage because of product or service disruptions or slowdowns

On the other hand, organizations that are operationally resilient:

  • Continuously monitor for potential risks and proactively make adjustments to minimize and potentially prevent disruption
  • Quickly identify disruptive events to evaluate exposure, find alternatives, and respond fast
  • Anticipate, model, and plan for possible scenarios and build the organizational skills to address and respond to these challenges

Only operationally resilient organizations can minimize disruptions, recover from shocks faster, protect their reputations, and ultimately capitalize on opportunities. In this age of hyperconnectivity, being operationally resilient isn’t just about managing risk; it is just good business.

There is No More “Not Knowing”

In 2020, we witnessed a watershed year of “Black Swan” events. So much so that the phrase does not really apply anymore—we can’t pretend that these kinds of disruptions are rare, unpredictable, or even shocking. It is not a matter of “if” similar events will occur, but “when.” That is why governments are putting in place legislation (e.g., Germany’s “Initiative Lieferkettengesetz”) and regulations (such as EO14017, NDAA FY19 Section 889, and CMMC in the U.S.) to hold organizations and executives responsible for making sure these events do not impact national security, economic prosperity, and public safety.

Given the threat of backdoors, bad actors, and bottlenecks, today’s corporate boards of directors and government leaders around the world need to ask tough questions of their organizations:

  • Is SolarWinds in your digital supply chain? If so, where and how might it come back to harm the organization?
  • When is your sensitive or confidential data shared with partners or with their partners? Do you know who your partners’ partners are and how they are protecting your data?
  • Do you use suppliers (or suppliers to your suppliers) who operate in the Xinjiang region where forced labor is a growing global concern?
  • Which of your suppliers (or suppliers to your suppliers), if they were to pause or cease operations, would significantly disrupt your operations?
  • Which of your suppliers (or suppliers to your suppliers) show up on any of the many prohibited or restricted lists (e.g., Section 889)? And are you tracking their subsidiaries, affiliates, or controlled entities?

Corporate boards and government leaders are demanding to know what their exposure is and are starting to hold the organizations—and their leaders—personally responsible. They cannot wait days, weeks, or potentially months for answers. They want to know now and they want to know what steps the company is taking to prevent the “next one.”

How does your organization respond to these demands and this level of oversight? In today’s fast-paced world, responding before your competitors is not just a competitive advantage, it may be essential to your organization’s brand, reputation, and very survival—and your continued employment.

Institutionalizing Operational Resilience – People and Processes

Commercial and public sector organizations looking to achieve operational resilience face challenges inherent within their own organizations:

  • Shift behavior from response to prevention. Eisenhower was quoted as saying, “Plans are worthless, but planning is everything.” What this means is that today’s organizations require a change in mindset: they need to anticipate, prevent, evaluate alternatives, and model all scenarios and options. Reacting to events as they happen is not sufficient in today’s competitive market.
  • Make managing risk an organization-wide job, not the domain of one person or team. Current approaches to managing risk are siloed within business units, such as procurement, supply chain operations, and IT, or in single-focus organizations, such as information security and compliance. By breaking down silos, organizations improve how they coordinate, collaborate, and prepare. Those are essential capabilities when you need to uncover risk across activities and proactively respond faster and smarter to modern threats.
  • Manage risk beyond the walls of your company. Today’s organizations rely on an extensive network of suppliers and partners that play an integral part in developing and producing their products and services. Yet most do not know who these suppliers and partners are. Only by identifying third-party relationships in the extended supply chain can an organization decide if those connections are a good or bad business choice, thereby identifying and preventing potential risk.


To meet these demands, leading organizations are looking to build on their decades of experience in setting up and running Security Operations Centers (SOC) by embracing the Resilience Operation Center (ROC). This is a framework that, from the outset, connects people and processes to organizational goals around operational resilience.

Institutionalizing Operational Resilience – Technical Requirements

As organizations shift to forward-looking Operational Resilience, they are finding that traditional tools fall short. Supply Chain Management (SCM), Supplier Relationship Management (SRM), Governance, Risk, and Compliance (GRC), point-in-time surveys, spreadsheets, and broadly deployed manual processes only reinforce silos. They also lack the external business relationships and real-time event data needed to provide the situational awareness executives require so they can ensure operational resilience and make better informed decisions based on real-world scenarios.

To achieve Operational Resilience, organizations require tools that can:

  1. Map suppliers instantly and automatically.
    – Know who is in the supply chain – potentially to the Nth tier – to decide if those relationships are helpful or pose risk.
  2. Monitor continuously for changes in risk profile before operations are disrupted.
    – Assess suppliers against multiple risk factors such as finance, cyber, geopolitical, regulations, operations, and Environment, Social, Governance (ESG).
    – Track global events that could impact the operations of suppliers (and their suppliers).
    – Get alerts about the changes that matter.
  3. Model anticipated or actual changes in the extended supply chain in order to reduce risk and improve business performance.

To successfully map, monitor, and model extended supply chains, you need access to data about an ever-changing number and array of global business entities and events—a monumental undertaking for any organization. But machine learning, AI, and Natural Language Processing (NLP) make it possible to collect, analyze, and liberate massive amounts of high-velocity data so you can:

  • Identify and visualize multiple tiers of suppliers and ascertain business relationships.
  • Identify and assess potential risks.
  • Uncover hidden opportunity.

And the kicker? All of the above can be achieved and kept relevant in near real time, compared to the weeks or months that it takes organizations using manual processes, point-in-time surveys, and spreadsheets.

Operational Resilience—Your Business Depends on It

Operational resilience does not mean operating free of disruption or challenges.

  • It means having the insights you need when you need them in order to change course, mitigate loss, and find opportunity in your supply chain.
  • It’s about seeing everything—the relevant business relationships and the inherent risks within—sharing that knowledge across the organization, and acting on it to improve outcomes.
  • It’s about deep, comprehensive and ongoing planning—and responding collectively when the need arises to pre-empt unnecessary disruption.

As we have all learned, the world is complex, and connections are tenuous. The prepared will not be immune from disruption in the always fragile supply chain. But they will see it coming, have plans in place to cope with events, and emerge from them as a stronger competitor and a better business.

The upshot: Operational Resilience is just good business.
