Threat resilience or vulnerability resilience

Last week I was asked to recommend a well-established private sector, business continuity process that focuses on all-hazards instead of specific threats. I was surprised — chagrined — that nothing immediately came to mind. If you have suggestions, please let me know…

In response I did send along two recent studies:

PwC has published a 2023 Global Crisis and Resilience Survey that found, “It is no longer sufficient for organisations to be in silos as they address today’s complex and interconnected risks. Enterprises are actively moving to an integrated approach to resilience, centrally governing and aligning multiple resilience capabilities around what matters most to the business, and embedding the programme into operations and the corporate culture.” Only one in five respondents self-assess they have a sufficiently integrated approach.

Accenture has recently published a similar analysis entitled Resiliency in the Making. Here’s one of several findings:

The turbulence of the last few years has forced many businesses to address the vulnerabilities in their highly globalized supply and production networks. Our research shows companies are reducing their dependency on sole sourcing strategic commodities in the next three years. Regional sourcing is also bouncing back. Numbers are set to leap from 38% of respondents today mostly sourcing regionally to 65% in the next three years. Leaders are also prioritizing proximity-based hubs that concentrate production facilities and sales within the same region to streamline logistics, improve inventory management and accelerate response to market demand. We found that the manufacturing of products across multiple plants is expected to rise from 41% today to 78% in three years’ time. 

McKinsey research has produced similar findings and related recommendations. Boston Consulting Group has a business resilience practice.

Many more consultancies seek to minimize commercial losses and seize comparative advantage through resilience practices. The consultancies are interested in generating new business. Consultants generate new business by persuasively articulating problems and offering plausible solutions to the problems articulated.

Increased attention to resilience reflects the after-effects of pandemic problems, climate change, increasing geopolitical risks, social-civil conflict, political gridlock, and related economic volatility. Surveys of current and potential clients also suggest unfulfilled demand. Please notice the anticipatory nature of the quotes above. The PwC survey found that only about one-fifth of respondents have “implemented initiatives to protect their workforce or physical assets from the impacts of climate risk.” Even implemented is not completed. Lots of need, lots of consulting opportunities.

The business enterprise that asked about an all-hazards approach currently takes a threat-specific approach. In other words: here’s what we should do in case of this kind of impact to this kind of asset. Were our lives ever that simple? With some rare exceptions, yes — for many firms operating in many places this sort of limited, rather linear risk management (perhaps emergency management) was mostly sufficient.

What has changed over the last thirty-plus years is that scale — both population and wealth — has exploded. As both effect and cause of this increased scale, speed (really velocity, both speed and direction) has dramatically accelerated (more). Given the capital costs required to serve this scale with speed there has been much more intense concentration of productive assets, both in terms of physical places and corporate ownership. As as result, for our most capable firms, risk profiles are much more complicated and extended — increasing the likelihood of experiencing hard hits someplace, sometime. Then, given increasingly tight concentration of capacity, a hard hit in any one place is much more likely to escalate, accelerate, and cascade consequences across the entire networked system.

The same systems that speed fulfillment of high-volume demand will also speed the effects of high-impact hits. Depending on context, our greatest strength can become our greatest weakness.

How do we imagine and prepare for our greatest strength failing?

Vulnerability assessment is hardly new, see Sun-Tzu, Thucydides, Sophocles, and Genesis among many more. The distinction between threat-based and capability-based planning has become common in the post-Cold War era. The now venerable SWOT method even offers the chance to consider potential relationships between strengths and weaknesses before taking up threats. But it is my experience that threats are more inherently motivating of change than any other factor. Fear of losing even trumps the opportunity to win. Some psychological studies find that most humans feel the pain of loss twice as intensively as the equivalent pleasure of gain (here and here). We can blame several thousand years of evolution under quite urgent threat conditions — and our reluctance to really, seriously, self-critically think — especially about variably emerging futures.

Given the scope and scale of our most capable enterprises and the complexity of our most serious threats, a vulnerability focus absolutely makes sense. Many threats are beyond prediction or even much influence, but our vulnerabilities are almost always self-created. We can engage and reshape vulnerabilities to reduce hazards — if we can gin-up the honest self-awareness, courage, key relationships, and practical sustained commitment this requires.

Focusing on all-hazards does not ignore threats. Considering weaknesses or vulnerabilities begs the question: vulnerable to what? Effective risk reduction involves both threats and vulnerabilities. But leading with our vulnerabilities while giving primacy to alleviating vulnerabilities (to typically uncertain threats) requires an uncommon sort of institutional culture.

I appreciate the request. I regret the insufficient response. Look for more on this topic over the next few weeks.