The Alchemy of Resilience Alchemy is an influential philosophical tradition whose early practitioners’ claims to profound powers were known from antiquity. The defining objectives of alchemy are varied; these include the creation of the fabled philosopher’s stone possessing powers including the capability of turning base metals into the noble metals gold or silver, as well as an elixir of life conferring youth and longevity.
In the past decade companies fighting to compete in a competitive global market place are forced to evaluate their critical processes and ensure they have the resilience to perform to international standards. Indian companies compete in price and technical expertise, however their greatest challenge is to prove the quality, resilience and maturity of their products and services. To prove competency and capabilities, adopting international standards, such as the ISO frameworks, is key success.
As companies mature, declining growth often gives way to inertia. In order to achieve consistent levels of growth, companies must attend and defend existing businesses. The three horizons framework – featured in the ‘Alchemy of Growth’ provides a structure for companies to assess potential opportunities for growth without neglecting performance in the present.
• Horizon One: Represents those core businesses most readily identified with the company name and those that provide the greatest profits and cash flow. Here the focus must be improving performance to maximize value, defending against preventable threats and ensuring the organisation can withstand the impact of an incident or crisis through a rigorous corporate resilience management system.
• Horizon Two: Encompasses emerging opportunities including rising entrepreneurial ventures likely to generate substantial profits in the future but may require considerable investment. This is achieved by organisations taking strategic risks to achieve their business objectives. • Horizon Three: Contains strategies for profitable growth in the future – for instance, small ventures such as research projects, pilot programs, or minority stakes in new businesses.
Time, as noted on the X- axis (see graph), should not be interpreted as a prompt for when to pay attention now, later, or much later. Companies must manage businesses along all three horizons concurrently with a robust and continuity tested risk management plan. Rather it suggests the cycle by which businesses and ventures move, over time, from horizon two to horizon one, or from horizon three to horizon two.
The Y-axis represents the growth in value that companies may achieve by attending to all three horizons simultaneously. The framework continues to be especially useful in uncertain times. With every Horizon comes greater risk. Some risks a company can prepare for, some they cannot. There are many companies that have failed to survive the perfect storm also known as the black swan scenario.
Nassim Taleb, author of the best seller, The Black Swan:
The Impact of the highly improbable has stated that “we lack knowledge when it comes to rare events with serious consequences. The effect of a single observation, event or element plays a disproportionate role in decisionmaking creating estimation errors when projecting the severity of the consequences of the event. The depth of consequence and the breadth of consequence are underestimated resulting in surprise at the impact of the event.”
Preparing For the Unknown A company and its shareholders may be satisfied that its core business is protected. However at some point the company’s risk appetite will increase in order to compete in the ever changing world. For organisational growth and sustainability the company will have to touch other horizons and try to predict the unknown. With every venture comes new risk, these risks must be considered, evaluated and planned for so that there is a level of protection against that risk, but when taking these risks the core business is protected.
The only thing that is constant in the world is CHANGE. To enable growth and retain the competitive advantage, organisations must increase their risk appetite and tolerance. By doing so they must expose their organisation to greater risk. To best protect the organisation, a strong and robust resilience management system is key. The organization must accept change, whether it is planned, organic or forced. A single event can be the catalyst to change. To survive any change the organisation must have sustainability and resilience to operate whilst dealing with the unknown.
Risk is simply ‘the impact of uncertainty on your business objectives’ CRQMS is the discipline of managing corporate resilience in order to tolerably protect the interest of the stakeholders and therefore increasing an organisations risk appetite whilst realising its strategic objectives. The system requires a proactive approach to co-coordinating and integrating a range of defensive disciplines measured through international standards (ISO) which collectively will anticipate, detect, prevent, evaluate and react to potential threats and exposures, thereby protecting an organisation from potential hazards and creating a competitive advantage.
Resilience is not just about getting through a crisis; a truly resilient organisation has two other important capabilities – the foresight to develop new horizons and situation awareness to prevent potential crises emerging; and an ability to turn crises into a source of strategic and competitive opportunity. The planning processes which contribute to resilience center on an organisation’s adaptive capacity to respond to changing circumstances. The process starts with anticipating change and/or disruptive events through effective but realistic risk management. Dr Norman Chorn argues the importance of developing robust situational awareness practices, whilst maintaining the flexibility and agility to anticipate and react to rapidly evolving, opportunities and/or risks.
Knowledge dispels fear – Three categories of risk; the new framework: Global risks do not fit neatly into existing conceptual frameworks. The Harvard Business Review recently published a concise and practical taxonomy that may also be used to consider global risks. There are three types of risks as categorised by Professors Kaplan and Mikes:
“It is about giving an organisation the foresight and resilience to achieve it’s business objectives in a calculated and structured paradigm when assessing the risk universe. That the treatment of any risks needs to have a planned countermeasure which is achievable at the initiation of an event.” First are “preventable” risks, such as breakdowns in processes and mistakes by employees.
The New PAS on Crisis Management suggests how crises incubate within organisations. Crises can be incubated within organisations by the steady accumulation of faults and bad practice. These may either cause a crisis or compromise the organisation’s ability to deal with one that is imposed upon it. They are sometimes called “latent errors”, because they lie dormant until a triggering event exposes them. Causes may include the following:
a) Gradual and incremental slippages in quality or safety standards that go unchecked and become accepted as a normal way of working. b) Convenient, but unofficial and suboptimal, “workaround” strategies that become the normal routine. Overcomplicated processes, unrealistic schedules, chronic personnel shortages, under-trained staff and lax supervision all contribute to this. c) Flaws in supervision and process monitoring, which promote an expectation of “getting away with” undesirable behaviors or being able to survive minor failures without reporting them. d) Blame cultures that encourage cover-ups and the lack of a shared sense of mission and purpose, which generate a defensive (if not actually hostile) “them and us” attitude between staff and management. e) Poor training and development of staff and managers, or incremental loss of skills and knowledge. False or complacent assumptions about an organisation may mask the signals that would indicate a systematic vulnerability. Organisations tend to promote a set of core beliefs, values and behavioral norms. It can be difficult to expose issues that seem to challenge this worldview and its underlying assumptions about the organisation and its capabilities. Analysis of organisations’ vulnerabilities may expose staff to a level of scrutiny that might be considered intimidating and invasive, but it is essential. Insider threats cost US companies over $ 44 Billion a year.
Duleep Thomas – the Growing Risk of Fraud and Corruption: “Senior management needs to acknowledge that fraud can occur anywhere, at any time, and at any company. It is not okay to say, ‘We operate in an environment of trust.’ Once you accept this reality, then you need to understand where fraud could be perpetrated — both internally and externally — with respect to the business.”
Second are “strategic” risks, which a company undertakes voluntarily, having weighed them against the potential rewards.
Third are “external” risks, which this report calls “global risks”; they are complex and go beyond a company’s scope to manage and mitigate (i.e. they are exogenous in nature) The CRQMS program has been established to respond to any potential disruption to critical activities and is essential for all organisations. Establishing, implementing and testing a holistic Corporate Resilience Quality Management System ( CRQMS), will not only help organisations recover from disasters; it will also prevent reputation damage that can arise from any operational outages; it makes an organisation more attractive to clients and gives a competitive advantage.
Certification against the requirements of Corporate Resilience encompass a suite of ISO’s including ISO 31000 Risk Management and ISO 22301 Business Continuity Management enabling a business to improve its risk management by implementing effective business continuity management systems, developing increasingly skillful internal talent and ensuring consistent and compliant supply chains are in place. By testing how an organisation can operate in a crisis a business will identify potential areas for greater efficiency.
For more information on CRQMS contact Indianeye Security at 011 4955 6600 The author is the Chief Resilience Officer, Dark Star . He served for 12 years in the HM Forces specialising in installation and asset protection. In 1994, he joined a UK police force, serving on numerous specialist surveillance units at both Regional and national level. He was an operational commander of covert investigations into serious and organised crime. He lead specialist surveillance teams on counter terrorist operations during his time on The National Crime Squad (NCS) and was a covert operational planner on the new technical collection division of the Serious Organised Crime Agency (SOCA). Lee Hibbert was also a member of numerous National working groups and was national police trainer in various skill sets