“That which does not kill us makes us stronger.”

— Friedrich Nietzsche

“When we are no longer able to change a situation, we are challenged to change ourselves.”

― Viktor Frankl

“There will be interruptions, and I don’t know when they will occur, and I don’t how deep they will occur, I do know they will occur from time to time, and I also know that we’ll come out better on the other end.”

— Warren Buffet

“A good plan today is better than a perfect plan tomorrow.”

— General George Patton

“Expect the best, plan for the worst, and prepare to be surprised.”

— Denis Waitley

“If anything is certain, it is that change is certain. The world we are planning for today will not exist in this form tomorrow.”

— Philip Crosby

“Resilience or hardiness is the ability to adapt to new circumstances when life presents the unpredictable.”

— Salvatore Maddi, Psychologist

“Our greatest glory is not in never falling, but in rising every time we fall.”

— Confucius

“You have power over your mind – not outside events. Realize this, and you will find strength.”

— Marcus Aurelius

For virtually everybody, the recent (post-June 2021) relief from over a year of turmoil and struggle appears to be here. Traffic is heavy. Stores are full. Just like normal used to be. No more than the usual hassles and worries. Life is good again.

What just happened is very unlikely to repeat in any form, is it? But isn’t that just what we thought pre-2020? When stability, predictability, prosperity, … ruled?

Unless your business was one of the few favored by COVID days, the impact you sustained and hopefully recovered from was not pleasant to say the least. Never again, right?

But what if again does occur? Can you take another hit of the COVID kind? What if the next hit is similar in magnitude but very different in nature?

We are still in mostly unpredictable, fast-changing, difficult times. We can hope for the best but hope is not a strategy. It is denial at best.

Do you know how resilient your business is?

Business resilience is extremely important in these unpredictable and black-swan-flock times. Unlike the past, resilience is getting tested in real time quite frequently. Businesses are learning about their actual resilience the hard waythrough experience.

Business resilience is the ability not just to survive a major adverse impact but also to return to successful operations thereafter. This goes beyond both disaster recovery (survival) and business continuity (operations continue).

The obvious question, to me at least, is that learning about resilience after the fact seems a bit risky as well as frequently painful. There has to be a better way to learn.

Resilience is the opposite of fragility – sort of

A while back, I took a look at business fragility. This post noted that businesses are organisms, unlike glass vases, so that fragility in practice is response-dependent. It depends upon its people and their management strengths and weaknesses. Two identical businesses can have very different fragility – and resilience – because they have different people.

Fragility measures how likely your business is to break (fail or major damage) under a variety of impacts. Resilience explicitly adds the recovery-response component to complete the picture. The fragility post included responses in its definition, making fragility and resilience opposites for practical purposes.

But not quite. Fragility covers people-dependent impact responses but does not reach very far into the vital matter of making these responses effective in recovery and even in subsequent success.

Fragility aims at survival and damage mitigation.
Resilience extends the effort toward ensuring recovery and success.

A fine point maybe, but very important when your business or organization is on the line. You need to minimize impact damage to become less fragile but you also want to build in a set of responses that support the vital resilience extension.

Risk management and mitigation practices today

Risk management and mitigation practices are fairly well established in larger organizations today. Below is an example of how major organizations are going about this today. As you read it, think about how well this approach would be able to deal effectively with COVID days, should such an unlikely black swan situation ever occur again.

Business technology publisher TechTarget outlines the current approach to risk management:

“Risk management is the process of identifying, assessing and controlling threats to an organization’s capital and earnings. These threats, or risks, could stem from a wide variety of sources, including financial uncertainty, legal liabilities, strategic management errors, accidents and natural disasters. IT security threats and data-related risks, and the risk management strategies to alleviate them, have become a top priority for digitized companies. As a result, a risk management plan increasingly includes companies’ processes for identifying and controlling threats to its digital assets, including proprietary corporate data, a customer’s personally identifiable information (PII) and intellectual property.”

“Every business and organization faces the risk of unexpected, harmful events that can cost the company money or cause it to permanently close. Risk management allows organizations to attempt to prepare for the unexpected by minimizing risks and extra costs before they happen.”

For the rest of this excerpt, see Related Reading below.

Resilience and risk in a new world of constant change

This is not to argue that risk management practices today are of little use. They have their place, mostly in a well-behaved world where changes are constrained by the folks in charge of change and where black swan events definitely do not occur except as fantasy. In the world as it used to be and never will be again.

These current practices simply do not deal with a world in which COVID occurs and in which global responses are largely chaotic. We’ll never have another COVID, will we? Depending on what you are looking at today, you may even hear the flapping of wings and see a flock of something moving in from the horizon.

Another black swan (or flock thereof) is almost certainly on the way. Unforeseen and unpredictable in timing and nature. Just what we need, since we are still cleaning up the mess left by the COVID swan gang.

Risks, as you know, are identifiable situations and events that have some quantifiable probability of occurring. We can describe them well enough to develop scenarios and effective responses. Planning for the past?

A recent post “Predicting the Unpredictable” addressed a major problem: planning for an unforeseeable and unpredictable (in nature, magnitude, and timing) future. Finding out about the future in real time is painful and too often fatal. So, what to do?

Organize and manage for agility, adaptability, and resilience

This has been an underlying theme of several recent posts because it is so important today and going forward. Past organizational structures and management practices simply will not work any longer. Postponing recognition of this reality exposes your business or organization to the next unforeseeable and unpredictable event or situation. And to learning – perhaps – the hard way.

McKinsey & Company in late 2020 offered a useful overview of the situation all businesses and organizations face today but came up a bit light in my view on actual solutions or approaches:

“Due to the severity of this crisis, many organizations are in a struggle for their existence. An existential crisis puts at stake the organization’s survival in recognizable form. Readers can probably call to mind numerous individual companies that faced such crises in the recent past. The crises may have been touched off by single catastrophic incidents or by series of failures; the sources are familiar—cyber breaches, financial malfeasance, improper business practices, safety failures, and natural or human-caused disasters. Effective action saved many; others spiraled downward.”

“Existential crises subject organizations to both extreme uncertainty and severe material consequences; they are often new and unfamiliar and can unfold quickly. In business terms, the present crisis more closely resembles economic crises of the past. In the financial crisis of 2008–09, for example, many organizations were simultaneously affected. Qualitatively, however, the present crisis is far more severe.”

“The COVID-19 crisis has undermined most of the assumptions of the traditional planning cycle. Existing management operating models are no longer supporting managers effectively in addressing the challenges this crisis presents. The revenue assumptions managers relied on for 2020, often worked out to two decimal points, are not relevant in an economy suddenly expected to suffer a historic contraction. Meticulously prepared status reports are now outdated before they reach senior managers. Managers seeking more up-to-date information discover that existing processes are too rigid for a timely response [emphasis added].”

“Managers thus find themselves working in ways unsuited to a highly uncertain environment. They know what they need: flexibility, the capability to act collectively, quickly, and across the whole organization as challenges arise. They need also to be able to work in this way over an extended period. Some organizations have therefore begun to experiment with new operating models that allow managers to work together. Some of the changes have been successful and others have failed. [emphasis added]

The details on how exactly one might go about this high-level prescription seem hard to find. Credible ones, at least (my view). I have tried to address each of these in practical ways that may help a bit. Why “a bit”?

Because this is a complex, fundamental change in organizational structure, culture, and management practices.

Here is where I have gotten to in the effort to drive toward specifics:

Agility. Adaptability. Resilience. (AAR).

What is needed in an extended period of major change is an entirely different way of leading and managing. This has three primary components:

  • Agility – the ability to move quickly and change direction quickly. It involves very close attention to current conditions. It requires a very different kind of organization and culture. See this post.

  • Adaptability – the ability to function effectively in a wide variety of situations and events. It means an absence of rigidity and presence of operational flexibility. See this post.

  • Resilience – the ability to recover from almost any kind of adverse impact or situation. It goes beyond survival and extends to success post-recovery. See this post and this post.

All three AAR components are essential for successful continuing.

Achieving agility and adaptability almost always require long-term efforts. The mechanics will be different for every organization because – well – every organization is different.

Resilience is a challenge of another kind. It can be tackled in the short-term and it buys some valuable time while agility and adaptability are being developed. It provides protection in case another black swan (or six) shows up unexpectedly. Which it almost certainly will.

Building resilience should be your top immediate priority

There is no lack of wise counsel on building business resilience. See Related Reading below for some examples.

McKinsey & Company addresses resilience at a quite high level but provides a few places to begin grabbing hold of your resilience critter: “The resilience imperative: Succeeding in uncertain times”:

“Strengthening institutional resilience has never been more important. 2020 was a wake-up call. To thrive in the coming decade, companies must develop resilience—the ability to withstand unpredictable threat or change and then to emerge stronger. This perspective piece introduces our approach to resilience. ‘Develop resilience’ is easy to say but hard to define, and yet harder to do. In this article, we reiterate the imperative, define the components of resilience, and introduce the approaches companies can take to become more resilient. In the coming months, we will publish a series of more detailed articles on the topic, focused on the actions that institutions of different types can take to measure and improve their resilience.”

The resilience imperative. The world is undergoing increasingly rapid, unpredictable, and unprecedented change. But across industries, most companies have remained persistently focused on near- and medium-term earnings, typically assuming ongoing smooth business conditions. The COVID-19 pandemic heralds the need for a new approach. Catastrophic events will grow more frequent but less predictable. They will unfold faster but in more varied ways. The digital and technology revolution, climate change, and geopolitical uncertainty will all play major roles …”

Okay, yet again: Just how do you go about this resilience-thing?

Details, details. Always the details that derail us. Here we have this great-sounding resilience-thing to strive for but not much if any useful guidance on what we should actually do.

One immediate obstacle is to assess your current “resilience”, whatever this may mean in the real world. Maybe you are already resilient enough to survive and prosper through anything short of a Yucatan asteroid hit. Maybe you are very strong in some areas but distressingly weak in others. In which areas are you “weak”, and what does “weak” mean in practice. For you?

Questions, questions – always more questions. How about some answers?

Answer #1: Assess your current resilience

This is a very smart first step in my view but it is yet another question-generator. Just how do you assess “resilience”?

One very popular way to assess your resilience is to do nothing, or very little plus not much, and see how you make out in the next black swan hit or other regularly scheduled catastrophe or major inconvenience. Kind of a painful way to learn, and possibly even a business-fatal lesson.

Well, it just so happens that there is an answer if you first address “resilience” as “business continuity”, as BMC, an enterprise software and services provider, explains in: “Business Continuity vs Business Resiliency: What’s The Difference?”:

“The ISO 22300:2018 standard defines business continuity as: ‘The capability of an organization to continue the delivery of products or services at acceptable predefined levels following a disruption’.”

“The ISO 22316:2017 standard defines organizational resilience as: ’The ability of an organization to absorb and adapt in a changing environment to enable it to deliver its objectives and to survive and prosper.’”

That’s it?

Well, no. There’s more – a lot more – along with a helpful acronym: “The Plan Do Check Act (PDCA) cycle”, which is shown graphically below. I don’t know about you but I immediately got hung up on the “Plan” step starting point. “Assess risk”? For unforeseeable and unpredictable events and situations? Good luck with that one. Fortunately, the second bullet point upper-left really has the right answer: “Business impact analysis”.

Source: https://www.bmc.com/blogs/business-continuity-vs-resiliency/#

Resilience (which BMC sees as happening after you get continuity nailed) means your ability to bounce back – all the way back vs. just surviving (continuity) – following a set of impacts from whatever just happened or may still be happening. Causes unknown and largely irrelevant.

We can get very specific and quantitative about impacts. Sales drops suddenly by 50% as the result of a new government regulation. Such as lockdowns, which of course could never happen, as we have seen. Almost no onsite employees, as occupancy restrictions impact you. Could never happen, right? But you sure can figure out in detail and precision what such impacts mean for your organization or business. Pre-impact from whatever cause, which is a preferable practice.

How big an impact to your set of most vulnerable points can you not just survive but ultimately recover solidly from?

This is a resilience assessment in reality and practicality. Do you have yours ready to go today? I thought not. Almost nobody does.

Answer #2: Strengthen the greatest points of weakness

If you don’t know where your points of greatest weakness are located, then figuring out a set of strengthening remedies is pretty tough. The resilience assessment – routinely updated – is your starting point for developing fixes.

Because every organization and business is different, each will have its own set of impact vulnerabilities. This means that each will have to develop and implements its own particular set of strengthening actions. There is no one-size-fits-all here.

Bottom line:

At long last things are getting back to normal. Masks mostly gone. Distancing mostly gone. Occupancy limits mostly gone. Huge numbers vaccinated. We are back on the road to serious recovery, yes? Well, such hope is nice but reality is rarely nice. What if reality is still in charge? How vulnerable is your business to the next black swan or lesser hits? How much might not knowing cost you? Resilience assessment is the starting point.

Related Reading

McKinsey & Company offers a “Six Dimensions of Resilience” set that digs deeper into practical issues organizationally:

Go to McKinsey article to access links.

PWC UK adds another layer of things to worry about in its 2012 rather prophetic “Black swans turn grey. The transformation of risk”:

“By their nature, black swan events should only occur at unpredictable intervals. Yet recent experience suggest events that fit the definition of black swans are happening more and more frequently. So, are black swans actually turning grey? Rather than being infrequent ‘outlier’ events, are they now just part of a fast-changing and more uncertain world? These questions inspired the title for this paper.”

PWC UK continues with several more recent pieces on “Operational resilience, crisis and continuity”:

“As the business environment becomes more complex, resilience continues to climb the agenda of organisations. There has been countless examples of businesses brought to their knees by a lack of foresight or poor crisis management. These events highlight the shortcomings of traditional risk management and lack of capabilities, tools and approach in organisations needed to survive and prosper in an age of uncertainty.”

“A common management error in black swan times is to focus on identifiable events and situations – by definition not black swans – rather than on impacts. There are only a limited number of points of impact of whatever comes along. Shifting to a focus on these gets away from causal speculation and, worse yet, probability assessments, which is largely futile except in very broad terms. “

Arthur D. Little Global wrote about the resilience planning efforts of businesses in the early days of COVID: “Risk: Strengthening business resilience after COVID-19”:

“When COVID-19 suddenly escalated from a regional crisis in China to a pandemic, in companies around the world executives rapidly started double-clicking on their crisis management and emergency-response plans. For some, especially those with significant Asian operations, there was already a plan to respond, while for others, the term “pandemic” returned a blank. So began an intensive period of almost continuous back-to-back virtual meetings as leadership teams attempted to regain control of their business operations. Their immediate priorities were securing employee and customer safety and health, followed by maintaining operational continuity, managing cash, helping suppliers, coordinating with governments, engaging with communities, looking towards the recovery phase and, through all of this, continuous intensive communications.”

“Most companies, as well as governments, quickly realized that they were not well prepared. The breathtaking speed with which the crisis unfolded meant companies had to improvise, because the processes set out in their crisis response plans were simply too rigid and slow [emphasis added].”

Bain & Company has an interesting article on “Getting Business Resilience Right:”

“Five myths stand in the way of allowing a company to hedge against, absorb and recover from the inevitable shocks to its system.”

“Business resilience is all the rage, and no wonder. The Covid-19 pandemic, while horrific on a social and economic level, is just the latest in a long series of convulsions that expose the vulnerabilities or brittle characteristics of unprepared companies. Recent years have brought major shocks, including international trade wars, a plunge in oil prices and a financial crisis―each of which pulled the rug out from exposed companies. An increased march of government interventions have started to limit the options of technology giants as varied as Ant Financial, Google and Huawei.”

“Now, of course, companies are buffeted by the coronavirus outbreak and subsequent economic crash. The pandemic squeezed off critical supplies of drug components from Asia, which exposed the dependency of pharma companies on far-flung supply chains. For more than a decade, pharma companies sought to lower costs by relocating a significant share of their manufacturing capacities to China and India. That directly affected supply chain reliability in 2020, with manufacturing site closures and impaired transportation routes immobilizing supply chains, leading to significant drug shortages in many countries while demand surged.”

“Resilience clearly has become more important for companies in all sectors. And the turbulence looks set to continue as globalization unwinds, inequality rises, new technological risks emerge, and the effects of climate change manifest themselves more regularly and severely. Yet the dynamics of resilience aren’t always well understood by senior executives and boards of directors. “

Business technology publisher TechTarget outlines the current approach to risk management (continued from main text above):

Importance: By implementing a risk management plan and considering the various potential risks or events before they occur, an organization can save money and protect their future. This is because a robust risk management plan will help a company establish procedures to avoid potential threats, minimize their impact should they occur and cope with the results. This ability to understand and control risk enables organizations to be more confident in their business decisions. Furthermore, strong corporate governance principles that focus specifically on risk management can help a company reach their goals.”

Risk management strategies and processes: All risk management plans follow the same steps that combine to make up the overall risk management process:”

Establish context. Understand the circumstances in which the rest of the process will take place. The criteria that will be used to evaluate risk should also be established and the structure of the analysis should be defined.”

Risk identification. The company identifies and defines potential risks that may negatively influence a specific company process or project.”

Risk analysis. Once specific types of risk are identified, the company then determines the odds of them occurring, as well as their consequences. The goal of risk analysis is to further understand each specific instance of risk, and how it could influence the company’s projects and objectives.”

Risk assessment and evaluation. The risk is then further evaluated after determining the risk’s overall likelihood of occurrence combined with its overall consequence. The company can then make decisions on whether the risk is acceptable and whether the company is willing to take it on based on its risk appetite.”

Risk mitigation. During this step, companies assess their highest-ranked risks and develop a plan to alleviate them using specific risk controls. These plans include risk mitigation processes, risk prevention tactics and contingency plans in the event the risk comes to fruition.”

Risk monitoring. Part of the mitigation plan includes following up on both the risks and the overall plan to continuously monitor and track new and existing risks. The overall risk management process should also be reviewed and updated accordingly.”

Communicate and consult. Internal and external shareholders should be included in communication and consultation at each appropriate step of the risk management process and in regards to the process as a whole.”

Risk happening in reality