A Twelve Step Program to Achieve Business Resilience

“Our best bet as business leaders is to continue to become ever better: to develop agile organisations able to adapt to change.”

Hyper focus on compliance and risk management has blossomed since the world financial crisis in 2008. As regulators and legislators struggle to define, design and implement new regulations to be sure that never again will we face such calamity, what must the leaders of business large and small do to cope?

First, some guiding principles:

Business is good. Business exists to serve customer needs. By taking various types of risks to transform capital into product, the business seeks to generate a return for its owners that the owners feel justifies the risk involved. It is too easy in the current environment to perceive that not only risk but business itself is bad, and compliance and risk management csars are required to discipline the bad and eliminate risk, including non-compliance risk. There can be no innovation without risk, and innovation drives progress.

Change is constant. It is hard to ignore the seeming increase of unexpected events. As a Harvard Business Review article put it, “Surprises are the New Normal; Resilience is the New Norm”.

Business resilience is a term for a collection of steps that enable a business to endure and recover rapidly from these unplanned events. IBM defines it as “The ability of business operations to rapidly adapt or respond to internal or external dynamic changes – opportunities, demands, disruptions or threats – and continue operations with limited impact to the business.”

Regulators are behind the curve. Their job is to react. Their effort to address their embarrassment for having overseen a system that went astray is understandable. Like having more security at airports, new rules create the comforting impression that Something Is Being Done. In many cases, they are, however, looking backward, which is not something business can afford to do.

Business must model best practices. Our best bet as business leaders is to continue to become ever better: to develop agile organisations able to adapt to change.

So how does company leadership handle ever more demanding customer markets, more volatile supply issues, ever shorter product life spans, various cross-border and cross-cultural issues, increased shareholder and even employee activism, and also comply with a constantly growing burden of regulations that are so numerous that the regulators and legislators that created them cannot yet fully define them?

Playing on defence will suck the life out of your enterprise. Instead, embrace the new rules, a number of which have not yet been formulated five years later, as a chance to move beyond a static compliance focused organisation toward one that is engaged and resilient.

Here are some suggested steps to become resilient and disaster resistant:

Move forward. Focus on risk and compliance matters as an opportunity to move your company forward. Find the gift. Avoid getting lost in the myriad rules being promulgated. Never believe that compliance and risk management are the most important items on the corporate agenda. The delightful and demanding process of improving robust business organisations incorporates such activities, but cannot be ruled by the notion of creating perfect report cards. We do not want to create a world in which we look to rules to tell us what to do.

Focus on execution. Listen to Lou Gerstner, former Chairman and CEO of IBM: “Success is 5% strategy and 95% execution” or consider Dilbert’s pronouncement: “Ideas are worthless. Execution is everything”. Poor execution has been the cause of most business failures. Use the current emphasis on compliance and risk management to reinforce a strong framework to execute sound strategy.

Revisit strategy. Prove and reprove that your strategy for serving your customers profitably is current. Do not stop there but be sure that the entire company, including your risk management system and your compliance team, is organised to support achieving the results envisioned by that strategy, and knows how you measure success.

Understand your resources. Can your resources successfully support execution of your strategy? Are they arrayed in the most effective manner for both offence and defensive needs? Define resources broadly: intellectual, leadership, human, technological, financial, production, innovation, and whatever other capacity matters to you.

Make decision-making processes explicit. “Stronger governance” is a repeated phrase in the new rules. What does this mean? To my mind, while adding professionals capable of credibly challenging management to every board of directors might be valuable, a broader definition is more useful. Governance is the system by which an enterprise makes decisions. Review the hierarchy of decisions your company needs to make by type and magnitude and ensure that the ability to make a decision is lodged at the right place to support the strategy. While some organisations drive decision-making authority up, many successful organisations create an environment in which expectations of behaviour are understood, and thus decisions can be made at a ‘low’ level.

Review your systems. Are the systems involved in revenue generation, production, human resource, results measurement and so on, sufficient to support the strategy? Are the right people in the right place, with access to the right information? Do systems speak to each other so decision makers can evaluate the impact of choices they make?

Make risk analysis your constant companion. Looking at risk and its measurement and management possibilities through the lens of business resilience provides important context. If the organisation takes a certain risk, what does it mean to the resilience of the business? What if it does not accept that risk? If multiple risks identified present themselves at one time, as they tend to do, how will our company be affected, what does it mean to how we array our resources, and how might we or should we adjust our strategy to allow us to succeed in such adverse conditions? Strive for a broad risk assessment process that includes both quantitative and qualitative aspects of risk, with a habit of positing ‘what if’ scenarios from a variety of perspectives.

Treasure and cultivate feedback. Learn from all around you: employees, customers, suppliers, regulators. What works? What does not? What needs fixing? Are appropriate feedback loops in place to support continuous refinement as strategy implementation proceeds?

Make policies clear. Policies are codifications of expected behaviour that help maintain consistent quality of execution. Ensure that corporate policies are current, complete and appropriate, indexed centrally and harmonised with the company’s strategy and risk appetite. Importantly, they also need to be tested for broad understanding and compliance and exceptions analysed to determine whether these ‘living’ documents need updating. Over time, these policies become the description of what the company values; the codification not just of rules but of culture, so approach them with care.

Make strategy universally understood. Can every individual in the company describe the company’s strategy, the level of acceptable risk, and their active responsibility for both implementing the strategy and safeguarding the enterprise? Does each person know where to go with suggested improvements, with identified risk factors that need attention, so that the whole organisation can continuously improve?

Compensate people mindfully. Easier said than done, but given repeated ravaging of corporate balance sheets by unexpected but predictable individual behaviour driven by a desire to earn available incentives, it must be done, throughout the enterprise. Though teasing out how to do this can be difficult, incentive compensation must be aligned with corporate objectives and time horizons.

Model values. Remember that truth is rarely hidden in a spreadsheet. Truth becomes what human beings do as a result of looking at the spreadsheet.

While formal processes are very important, they cannot substitute for sound judgment and experience and an environment in which every person feels equally accountable for the company’s success. Such a culture forms the foundation on which to sustain the spirit of a resilient business able to meet the expectations of customers and continually to improve as a business enterprise.

Lloyd Blankfein of Goldman Sachs provides an excellent conclusion to the above steps: There must be an “ongoing commitment by the entire organization to be self-aware, to be open to change and to learn the right lessons from recent experiences. Going forward, we know we will inevitably make mistakes, but we commit to learn from them and respond in a way that meets the high expectations of our clients, shareholders, other stakeholders, regulators and the broader public”.

And a final comment on resilience from Dean Becker, CEO of Adaptiv Learning Systems: “More than education, more than experience, more than training, a person’s level of resilience will determine who succeeds and who fails. That’s true in the cancer ward, it’s true in the Olympics, and it’s true in the boardroom.” That is what we must strive to become.

Deborah Hicks Midanek, Chairman & CEO, Solon Group, Inc.