Senior executives at leading companies reveal their commitment to move from defensive risk management to a forward-looking stance based on strategic resilience.
In a volatile world, resilience is an increasingly critical prerequisite for corporate performance. The COVID-19 pandemic has caused a massive shock to public health, with dire human consequences. The crisis has dramatically demonstrated the sensitivity of economies to demand shocks as well as industry vulnerabilities to supply chain disruptions. Furthermore, the pandemic spread in an environment defined by accelerating climate change and the increasingly urgent demand to reduce greenhouse-gas emissions.
On top of public-health and environmental pressures, organizations are subject to many business challenges, societal uncertainties, and geopolitical tensions. The disruptive currents include accelerating digitization, cyberthreats, and inflation and price volatility. The dynamic pace of change makes disruptions hard to predict, even as they grow in severity and frequency. Companies in all industries thus need to plan for the unexpected and build up their response capabilities in advance.
The pandemic crisis also revealed the true value of resilience management to business leaders. They recognized that their crisis contingency plans were instrumental to managing through the crisis. Though the magnitude of the pandemic and its domino effects were not generally foreseen, the processes and procedures companies had in place proved themselves (or not) in very trying conditions.
McKinsey recently supported the Federation of European Risk Management Associations (FERMA) on a comprehensive survey about the pandemic’s impact on corporate resilience. The survey drew responses from more than 200 senior executives and risk and insurance professionals, reflecting a wide range of industry sectors and countries. The survey probed for views on the relevance for organizations, the capabilities for managing strategic resilience, and the importance of resilience in and across corporate functions, including strategy, operations, and risk.
The executives revealed that in the past, their risk management focus was on a small number of well-defined risks, primarily financial risks. They told us that now, risk is encompassing the broader mandate of resiliency management. It is woven into long-term strategy development at top organizations, helping companies navigate a far more dynamic operating environment.
Almost 60 percent of respondents feel their organizations have excellent or very good resilience capabilities, meaning they are well equipped to build and manage resilience overall. In part, that is a direct response to the pandemic, which broadened leaders’ view of the risk function beyond one or two specific risks. More than half of respondents acknowledge that the global pandemic has made risk and resilience significantly more important to their organizations.
Among specific areas of resilience, companies are clearly focusing on workplace safety and remote working in managing through the pandemic. More than 75 percent say implementation measures in these two areas are largely completed. Fifty-two percent of respondents said that for their organizations, the most effective capabilities are in place to manage financial resilience.
At the same time, executives reported room for improvement. Management of business operations and the supply chain emerged as weak points during the pandemic. Many companies have yet to fully implement new remedial measures. Senior executives state that risk is still mainly involved in crisis response.
“We are learning from the crisis, reviewing, for example, our evaluation process for suppliers,” said the chief risk officer at a company in Italy. “In the past, we focused mainly on financial impact but have since adopted a holistic view, looking at the geographic footprint and compliance issues, among other factors.” Survey results included these findings:
To strengthen resilience in the future, most risk managers (75 percent) believe that the most important actions will be to improve risk culture and strengthen the integration of resilience in the strategy process. Important additional areas are improved risk data aggregation and reporting and more advanced foresight capabilities. Executives also want to revisit risk governance and radiate a better understanding of the critical role the risk function plays.
The challenge now is to move out of a reactive, crisis response mode and integrate risk with other core functions on a more permanent basis. Likewise, as they guide their organizations in the transition from crisis and risk management to resilience, top managers can can emphasize risk governance and risk data aggregation to develop better reporting and foresight capabilities. Risk has a key role to play and should partner with strategy and the executive team to guide organizations in the transition from risk and crisis management to resilience.
Like many crises, the pandemic revealed hidden vulnerabilities in organizations and weaknesses in their response capabilities. Executives had to respond quickly to a variety of arising challenges in operations, including workforce discontinuities and supply chain issues involving critical shortages and logistics barriers. Decision makers learned to value timely and insightful data as they defined priorities and actions under stressed conditions. The FERMA–McKinsey survey revealed some good examples of resilient responses to the immediate pandemic-driven challenges:
Beyond these often well-executed responsive actions, however, few firms have adopted a comprehensive strategic perspective to meet the challenges of the next disruption over the horizon. Yet this is what organizations need to do if they are to pivot during crises and accelerate into the new crisis-defined environment. The needed orientation is proactive, based on a business perspective, and goes beyond a reactive, second-line-of-defense approach to uncertainty. To build resilience into their long-term strategic decision making, organizations need to develop certain cross-functional capabilities and strengthen resilience in a number of strategic areas.
The overarching capabilities include foresight skills and disruption and crisis response preparedness. To develop foresight capabilities, organizations gather and study the relevant data, develop pertinent scenarios to discover gaps in resilience, and use this method to anticipate and prepare for future crises. Appropriate crisis response capabilities can then be pursued: those that can be developed and implemented in advance, to be applied quickly and effectively in case of disruptions. These capabilities—such as strengthened financials, better security (whether for IT and software or physical assets), market flexibility, and optionality—can by design create a competitive advantage that drives superior performance through the next industry cycle.
The core resilience areas can be grouped as follows:
Resilient organizations develop business models that can adapt to significant shifts in customer demand, the competitive landscape, technological changes, and the regulatory terrain.
The holistic approach to building resilience advances the organization from a narrow focus on risk, controls, governance, and reporting to a longer-term strategic view of the total environment. Rather than hunting for blind spots in risk coverage within today’s business model, resilient organizations embrace the holistic view, in which resilience becomes a competitive advantage in times of disruption.
An important aspect of the holistic approach involves using crisis scenarios to test for resilience in a downturn. Accordingly, foresight capabilities are used to develop the scenarios; scenario-based modeling can then pressure-test strategies and business models through future volatile environments—such as those defined by economic downturns, rising geopolitical tensions, disruptions in the regulatory landscape, as well as technological disruptions. Such an approach enables leaders to move beyond resilience capability assessments to active strategic thinking to find new opportunities and shape new business models.
Companies have lately developed tools to deal with the challenges of the COVID-19 pandemic, but the “resilience muscle” must still be strengthened. Future disruptions will be different, and institutions need to plan for the primary impact and also for second- and third-order effects. Some of these knock-on effects appear only after a long delay but then suddenly accelerate; others gather momentum incrementally until an emergency tipping point is reached.
For a number of reasons, few institutions have built sufficient strategic resilience. The goal of becoming a resilient company can sometimes run counter to the more immediate objective of value creation. Building redundancy in supply chains builds resilience but it also increases costs, reduces returns on investment, and thus can make resilience a tough sell to business leaders.
Another barrier is organizational forgetfulness. Resilience is not needed every day; big disruptions are not happening all the time. The importance of resilience can be forgotten between big crises. These trigger big investments, but the next crisis will not necessarily be recognizable as a repeat of the last one. Over time, the effort to achieve strategic resilience peters out and new leaders shift priorities.
Resilience as we have been defining it cannot be achieved in a siloed approach. Yet due to inertia and biases, efforts to achieve a holistic resilience agenda can begin to veer off course, back toward familiar patterns. And siloed resilience efforts cannot collectively achieve the integrated solution.
Finally, as yet, we have no universal means of measuring resilience (we are working on it!). Consequently, the efficacy of investments in resilience tends to be based on qualitative judgements. Likewise, people are not trained in resilience, and performance evaluation is not much based on it. Managers are promoted for expertise in pattern recognition and for avoiding mistakes; however, resilience leadership requires creative thinking, first-principles problem solving for navigating through disruptions, and a predisposition to learn from and adjust to crises and downturns. A defensive stance and routinized thinking will prevent the organization from pivoting and accelerating in the next upswing.
Companies across industries have learned to successfully navigate fundamental disruptions, emerge stronger, and gain competitive advantage in tough times. The following steps briefly sketch a path to overcome pitfalls while systematically building and strengthening strategic resilience. The steps are not, of course, a simple how-to guide. Rather, each element relies upon talent, capabilities, and deep commitment to the integrated effort.
History teaches us that the conditions of future growth are often created as organizations respond to the vulnerabilities crises expose. In times of disruption, survival and the wherewithal to achieve future prosperity depend on strategic resilience, which, as the participants in the FERMA–McKinsey survey stress, importantly means adaptability and decisiveness.
Alfonso Natale is a partner in McKinsey’s Milan office; Thomas Poppensieker is a senior partner in the Munich office, where Michael Thun is a senior expert.
This article was edited by Richard Bucci, a senior editor in the New York office.