Crisis Resilience and the Board—Taking Risk Oversight to the Next Level

Michael Gelles is Managing Director at Deloitte Consulting LLP, James Turgal is Managing Director at Deloitte & Touche LLP, and Wendy Overton is Manager at the Center for Board Effectiveness at Deloitte LLP. This post is based on their Deloitte memorandum.

Companies seek to anticipate and avoid or proactively mitigate crises that pose risk to their business. As part of their oversight responsibility, boards seek to assist management in carrying out these responsibilities. However, no matter how prepared a company is, and regardless of the levels of management attentiveness and board oversight, crises will happen; they are a matter of when, not if. Because of this reality, it is important for companies, including their management and board, to build resilience.

The need to build resilience is more critical in an age of disruption and rapid exponential change. Crises that used to take days or even weeks to unfold may now take minutes or even seconds. Consequently, preparedness and agility are key to the board’s success in resilience oversight. Companies cannot plan for the unknown, but the more a company proactively identifies risks and builds resilience to crises through organizational, cultural, and technological facets, the more capable it can be at bouncing back from a broad set of crises.

What is resilience and why is it the board’s responsibility?

As noted earlier, management, with board oversight, plan for and seek to prevent crises from disrupting their companies, whether through enterprise risk management, innovation, or other activities. However, crises may be inevitable and, in today’s digital age, without proper planning and practiced response, even “small” crises can have severe consequences in a matter of minutes.

To remain viable in this environment, companies should be resilient—that is, they should be able to quickly and effectively continue or resume operations and execute their strategic plans in the wake of a crisis, whether caused by external or internal forces. Resilience is an intrinsic component of risk mitigation; without it, the company may be unable to survive a crisis, even one that the company has anticipated and planned for. Resilience is often needed to address a broad range of risks, such as disruption in the capital markets, damage to facilities, cyber incidents, and the sudden departure of a CEO. It is important to note that resilience is not absolute. Just as a company cannot mitigate all risk, it cannot prepare to react efficiently and effectively to every situation. However, companies can plan for those crises that are most probable and can help to make the company more resilient overall.

Risk oversight is one of the board’s key responsibilities, and boards are increasingly being held accountable for a company’s failure to anticipate and avoid crises and for the company’s inability to bounce back from a crisis (i.e., for not being resilient). As such, and as expectations for board risk oversight continue to grow, so does the board’s role in resilience. Although not necessarily explicitly listed as a responsibility, the intertwined nature of risk and resilience makes resilience oversight a growing unwritten expectation.

According to a recent Deloitte survey of over 500 crisis management executives, 80 percent of organizations worldwide have had to mobilize their crisis management teams at least once in the past two years, with cyber and safety incidents topping the list of crises requiring management intervention.[1]

 

The board’s role in overseeing resilience

As the board guides management in building resilience, there are three overarching facets that could benefit from director oversight: organizational, cultural, and technological. By overseeing the establishment of resilience within these three facets, boards may not only establish a more comprehensive understanding of the company’s end-to-end risk management process, but may also lead management to strategically identify areas for improvement.

Resilient companies can be built through three main facets

Organizational resilience

While the board’s role is generally one of oversight, management succession is one of the areas for which the board bears direct responsibility. The board can mitigate risks of significant leadership gaps and susceptibility to unanticipated risks by effectively executing this responsibility on two levels—“regular” succession planning and planning for appropriate leadership in crisis situations.

“Regular” succession planning need not entail identifying potential successors. However, boards can discuss the key skills, experience, or other attributes that align with the company’s values and strategic goals. Agreeing upon and prioritizing those attributes allows the board to begin the process, expediting the succession selection process should the need suddenly arise.

The most advanced organizations have also created a leadership structure for crisis management, usually in three tiers: tactical, operational, and strategic. It is critical that the board and senior leaders determine beforehand how they want to organize themselves and define their various roles and responsibilities in a crisis, including determining the role the board is to play in addressing the crisis. [2]

Operationally, directors who understand a company’s industry and market trends, its available workforce, and its current and likely future states can help management mitigate risks to talent that could adversely impact the company. When talent needs are linked to identified risks, companies may be better able to retain talent in the right areas as well as acquire evolving talent in those areas. As a result, the company may be more likely to disrupt rather than to be disrupted.

Tactically, the board can review the company’s risk management function and guide management toward a more proactive enterprise risk management (ERM) organization, enhancing crisis preparedness and resilience. Among other things, boards might consider whether the company’s ERM is a check-the-box, static heatmap that doesn’t evolve with the company or a more dynamic process; whether the board is receiving the right information about the company’s most critical risks and the ability to mitigate those risks; and whether the company is optimally organized around risk management.

Cultural resilience

Oversight of company culture has become a significant issue for boards in recent years, both to mitigate culture risk and to reap the benefits of a strong positive culture. In the corporate context, culture is a system of values, beliefs and behaviors that shape how things get done within the organization. [3] Culture impacts workforce conduct, which in turn can impact the nature and extent of risks to critical business elements and the company’s brand and reputation.

A truly resilient company fosters a culture that responds quickly and effectively to crises. Accordingly, the board should encourage management to train the workforce on likely crisis scenarios and appropriate responses. These scenarios can be drawn from internal and external sources and should cover a variety of crises ranging from data leakage or being held hostage by cybercriminals, to workplace violence, to a brand or reputation crisis, and others. Boards should also ask whether appropriate company-wide stakeholders are involved and whether management is appropriately connected with and utilizing crisis management resources across all applicable local, regional, and national levels. Through these resources, the company can have a better understanding of the risks it faces, leading practices in responses to numerous crisis—both natural and man-made—and have relationships established with appropriate crisis responders prior to an actual event.

Additionally, a culturally resilient company should engage in effective scenario planning and develop detailed crisis response plans across the spectrum of the hypothetical—from natural disasters to cyber breaches and beyond. These plans can help take the emotion out of a crisis, as can war-gaming exercises that stress-test the company’s response plans, processes, and procedures at all applicable levels—including the board—so that the first time these plans are practiced is not during a crisis. Crises may not happen when it is convenient; practiced agility can help leaders become more confident in the unexpected.

Technological resilience

Similar to culture oversight, boards are increasingly monitoring company technology activities, from cyber risk to disruption risk to digital transformation. Directors are asking management the tough questions about technologies that are vital to the business and whether they are truly protected from the most likely and impactful risks. Beyond protecting data, the board should understand whether management is incorporating resilience into their information technology (IT) and cybersecurity strategies.

To do so, directors may seek to understand how the most critical data—or that which is most vital to the business’s success—is backed up and protected, both physically and logically. Directors should understand, at a high level, what the most critical data asset sets or capabilities are to the company and the risks posed to them. Additionally, directors should ask management whether it is considering innovative technologies to both protect assets and enable quick recovery in the event of potential loss.

Furthermore, while many leaders think about risk posed by third party access or software, it’s also useful to consider third-party solutions that can build resilience in areas a company may otherwise not have expertise or capabilities.

Questions for board members to consider:

  1. What is the company’s incident response plan?
  2. Has the company performed crisis simulations to test key processes and build agility in its response?
  3. Does the company have a proactive and holistic plan in place to prevent and detect potential threats to people, material, information and facilities?
  4. Should the company consider third party partners to increase resilience?
  5. What is the board’s role during a crisis?
  6. How does the company build resilience against the unknown?
  7. What education can board directors get to cultivate resilience at the board level?

Conclusion

In addition to understanding the company’s risks and response capabilities, directors can endeavor to learn about leading practices around proactive risk management, crisis management, cyber risk, physical security, succession planning, and culture risk. Doing so can not only enable directors and management to enhance their company’s own resilience, but also provide a level of comfort with the risks posed to the company and a degree of confidence in the company’s ability to mitigate and respond to the corresponding crises.

Today’s risks and crises are rapid, dynamic, and disruptive. Directors can no longer assume that the company’s static risk management techniques and un-tested, years old response plans will keep the company running in the age of exponential change. As such, boards should oversee and, as appropriate, be involved in management’s resilience building efforts that prepare the company for both the knowns and unknowns. The more a company prepares, the more capable it is to be agile and resistant to disruptive crises as they unfold.

Endnotes

1Peter Dent, Rhoda Woo, Rick Cudworth. “Stronger, fitter, better: Crisis management for the resilient enterprise.” June 18, 2018. https://www2.deloitte.com/insights/us/en/topics/risk-management/crisis-management-plan-resilient-enterprise.html?id=us:2em:3pa:risk-management:eng:di:062018(go back)

2Id.(go back)

3Carey Oven, Bob Lamm. “On the board’s agenda: Corporate culture risk and the board.” April 2018. https://www2.deloitte.com/content/dam/Deloitte/us/Documents/center-for-board-effectiveness/us-cbe-corporate-culture-risk-and-the-board.pdf(go back)

Both comments and trackbacks are currently closed.