What do the UK’s hottest day ever, the National Grid failure and the collapse of Thomas Cook all have in common? They all took place over three months during the summer of 2019 for one thing and they all left thousands of people stranded.
2019 seemed particularly bad for large-scale disruptive events. And it was, until 2020 and Covid-19 came along and made it seem like a walk in the park. But the bigger picture is that, like climate change and severe weather patterns, the frequency of disruptive events is increasing.
These events can be magnified because our society is quite interconnected, partly driven by our increasing reliance on the internet. Even small businesses now have supply chains that include ISPs, software as a service accountancy packages, cloud-based storage of business documents and customer-facing websites. These supply chains now extend worldwide and have often been designed to be lowest cost and ‘just in time’ rather than resilient.
The Covid-19 pandemic has underlined the inherent risk in single source, lengthy supply chains across international borders which can now apparently, against all previous expectations, be shut down at a few hours’ notice.
But there is more. The threat of most concern to the C-suite is that of cyber-attack. According to the Business Continuity Institute, 37 per cent of businesses are hit by a successful cyber-attack each year and the impact is likely to be greater and more sustained than most other forms of disruption. With potential data breach, reputational loss and massive regulatory fines, this is surely the costliest risk faced by businesses of every size.
Sir John Armitt, Chair of the National Infrastructure Commission, says that the UK must face the uncomfortable truth that a large-scale cyber incident and its knock-on effects could cause overwhelming disruption to our society.
We have all become familiar with black swan events. A ‘black sky’ event would be an extension of the National Grid outage that we saw recently into a national failure of the power network. Such an event could require the National Grid to be restarted from a total power down, which could take around seven days before parts of the country saw their power return.
Drone attacks on airports and oil refineries, cyber-attacks on critical national infrastructure, Extinction Rebellion, Brexit, the list of new and emerging threats seems to grow almost daily. According to the National Infrastructure Commission, resilience is about the ability to face future challenges effectively and a truly resilient system can respond to as yet unknown or unpredictable challenges.
Scary? Of course. But as we rebuild the economy and explore some wonderful business opportunities, the uncomfortable truth is that Covid-19 is not the only risk factor. If we focus on that alone we risk missing other threats that are also present and growing.
As part of the leadership of businesses it is our moral and legal responsibility to consider the major risks and to do something about them to protect our employees, customers and society from their impact.
My main concern in writing this article is that in my experience many companies fail to spend sufficient time and energy on risk and resilience matters until too late, when they are in the middle of a major disruptive event. Risk and resilience planning needs to be far higher up the Board agenda and non-executive directors must play a vital role here in holding executive teams to account on this subject.
In recent years resilience has moved on from the concept of business continuity, in other words just getting back to business as usual as quickly as possible, to the wider concept of agility and preparedness. Resilience is the ability to anticipate, absorb and adapt to the challenges and changes that can destabilise a business, and is akin to an ongoing process of training a muscle as well as planning for discrete events.
Covid-19 has forced us to focus on disruption and risk planning. It has also provided an impetus for businesses to make bold and rapid changes to their business operating models. At Resilience First we have taken a hard look at the way ahead in A Resilience Guide to Our New World. We detail the structural change in the business landscape and the need for businesses to reset to survive and thrive. Today’s resilience needs to increase our competitiveness and improve sustainability in the longer term.
The Resilience First approach is based on community, enabling business communities to respond positively to both recurring and unexpected challenges. This is a bottom-up approach that creates a solid base of local resilience for national strategies to build on, so that whether through flood, terrorism, cyber-attack or pandemic, local business communities will be ready to pull their weight in any national response.
Simon Collins, Chair, Resilience First