Martin Caddick heads the Enterprise Resilience practice at PwC. Enterprise Resilience is about understanding what really keeps organisations fit and healthy, capable of surviving not just sudden shocks, but also long term change.
PwC needs little introduction within the world of Finance, but people are often surprised by the breadth of services on offer. Enterprise Resilience is a case in point, going well beyond assurance over well-understood protective disciplines such as risk management and business continuity.
Martin was headhunted by PwC seven years ago to establish and lead the Business Continuity service that is now the market leader. But he has taken the team further, on a journey that has seen them help define new standards on Organisational Resilience such as BS65000, and change how businesses look at protecting their futures.
Resilience seems to have become a hot topic. Why do you think that is?
It’s down to the difficulty in guessing what will happen next. The increasing complexity of business networks means that many more things are unpredictable, either in terms of likelihood or impact, or both. Recent political events bear witness to this.
Conventional risk management approaches don’t cope well enough. In fact, it can seem that however much you spend, it is never enough – something you hadn’t foreseen still catches you out. Resilience helps you make sense of a wider range of factors that are not often measured or managed by traditional risk management. People are hoping that Resilience will provide an answer by changing the focus from specific risks to trying to make business proof against a wide range of risks. It’s like focusing on general health and fitness rather than specific illnesses.
Is this really a new concept? Don’t many businesses already invest very large sums in risk and continuity?
I’m not sure if anything is truly new in this world! I think that rather we go in cycles. We start off with the right idea, and then we lose sight of our goals as we get lost in the detail – we can no longer see the wood for the trees.
Many businesses fail to invest anywhere near enough in basic protective disciplines, and are incredibly vulnerable to risks like cyber-attacks, IT failure or staff behavioural risks.
But simply ramping up expenditure to protect yourself against such risks doesn’t always solve the problem – as often as not you are treating symptoms rather than causes. Indeed, your efforts may unintentionally result in bad consequences in other areas. I particularly worry that by introducing more and more compliance requirements we rob businesses of their agility.
Even businesses that take this seriously often over-invest in the wrong areas, and delegate responsibility down to operations without enough board oversight and understanding. So, while many of the concepts that underpin resilience are not new, what is different is that for the first time these building blocks are being put together, ordered and assessed to provide a collective and comprehensive view of resilience. The sum of its parts rings true here.
What should businesses do then?
I think that the leadership in business needs to start by stepping back, and crystallising what really matters to their business – define the attributes their business needs to have to make it stronger, rather than jumping straight to the things they do to protect it.
We have identified six ‘Resilience outcomes’ (on the right) – and it’s about understanding how important each of these attributes is to your organisation. All will matter of course, but for example, for a Utility, trust and reliability will be paramount. Then you can judge what level of investment you need to make in activities aligned to each of these attributes, which are not limited to traditional protective disciplines.
You need to be able to map the actions to take (on the left) to the outcomes you are seeking. This also means that you need the ability to measure cause and effect – giving executive management a dashboard relating investment to outcomes.
Isn’t there a danger that you are creating a new cottage industry, adding one more thing for management to worry about?
On the contrary, this takes cost out. Doing this well will help break down any overlaps and gaps between silos. Even more importantly, having a consistent view of priorities and goals across the business will enable better decision making.
Making someone fit and healthy doesn’t just help them fend off illness, but also live life better, and it is just the same with businesses.
You’ve been an advocate of this thinking for a number of years now. Do you feel you have made a difference and what are you hoping for in the future?
We’ve worked with key individuals from both the cabinet office and regulators to develop this thinking. This has also been captured in the British Standard BS65000 on Organisational Resilience, and will shortly be followed by an ISO standard. I’ve seen the topic debated at conferences held by industry groups such as the Business Continuity Institute, London First, and AIRMIC. If we were to stop here I feel we will have made a difference to how people think about resilience. But of course, I don’t want to stop here – I want to continue this dialogue and hear business leaders telling us how this thinking has made a difference to their organisations.