The speed with which the crisis unfolded meant companies had to improvise, because their crisis-response plans were too rigid and slow - Arthur D Little

When COVID-19 escalated earlier this year, many companies quickly realised that they were not well prepared. The breathtaking speed with which the crisis unfolded meant companies had to improvise, because the processes set out in their crisis-response plans were simply too rigid and slow.

A new report by Arthur D Little, considers the underlying causes of this poor preparedness and set out the key elements of a new business resilience approach suitable for the post- COVID-19 world.

Among other things, it finds that companies in general are still reluctant to invest in controls for catastrophic events that are already recognised but may or may not happen in the medium term.

Short termism is one reason. ”Governments and business leaders alike tend to be judged over timescales of a few years at most,” notes the report. ”The average tenure of a CEO has been falling steadily over the last 20 years to no more than five or six years, and governments stand or fall based on their performances between elections.”

”Catastrophic risks tend to be infrequent (high impact, low likelihood), and it is therefore often attractive to park or postpone preparations for them, especially given more pressing short-term priorities and the demands of shareholders or the electorate.”

The ‘can-do’ mentality trap is another issue. Traits such as caution, attention to detail, and concern for what could go wrong are not valued as leadership traits and are even sometimes discouraged in top leaders.

”Although consideration of what could go wrong and how to respond should be an integral part of any strategy, in practice these are often perceived as negative or pessimistic topics,” states the report. ”Consequently, they are often passed down to risk management functions and treated more as unavoidable red tape and overhead than as value-adding activities for the business.”

To make matters worse, the vulnerability of the world to global crises has increased significantly due to increased global connectivity. For example, Nassim Nicholas Taleb, the originator of the Black Swan concept, is quoted in a recent interview with the New Yorker as saying, “The great danger has always been too much connectivity.”

The interview goes on to highlight that “proliferating global networks, both physical and virtual, inevitably incorporate more fat-tail risks into a more interdependent and ‘fragile’ system…” The COVID-19 crisis is an all-too-real illustration of the problem. So, in the post-COVID-19 world it is also reasonable to assume that there will be:

  • Greater likelihood of local risks escalating globally.
  • Higher velocity of escalation of those risks.
  • More interconnections between risks – for example, COVID-19 has already led to an increase in cyber-attacks due to the numbers of people working at home.

The report argues that a major shift in risk management philosophy is needed, including more ‘forward-facing prediction’.

”An effective forward-facing approach also requires an effective horizon-scanning or foresighting capability to identify emerging risks,” finds the report. ”Often these capabilities are present in companies, but focused on innovation or new product development, and therefore disconnected from corporate risk or business resilience functions.”

Even when the global economy eventually manages to recover, it will be vulnerable to further shocks. Organisations will need to adopt better strategies and tactics to become what Taleb called “anti-fragile”.

These will include measures such as reducing supply-chain vulnerability, ensuring adequate backup systems and reducing the dependence of operational continuity on people physically working together, according to the report. Moving towards an integrated sense-and respond business resilience system should be a key part of the response. Making this happen requires more than just deploying new digital tools.

Organisations should take a true “transformational” approach, argues Arthur D Little, for which there are some key priorities:

  1. Readiness for change: Reinforce the need to embrace, and commit to, new ways of working around risk. This means, for example, recognising that the past is not a good playbook for the future, adopting agile work methods, and being willing to experiment and learn.
  2. Data strategy: Regard data as the “new currency” and invest in strong data governance to secure a robust single source of truth, both external and internal.
  3. Capabilities: Get access to the required capabilities you need to build a dynamic business resilience system, including the best capabilities you can find in data analytics and AI/ML. These may not be in-house.
  4. Start with a proof of concept: Start with a “stand back” executive-level workshop to take a fresh look at key risk areas and risk drivers, without being constrained by the current corporate risk register. Consider the whole ecosystem, including suppliers, partners, government, regulators, employees and customers. Following this, select a specific, but strategically important, use case on which to conduct an initial proof of concept before moving towards broader implementation.