Toward True Organizational Resilience Deloitte's Global Resilience Report October 2022
Introduction Senior executives recognize the need for more proactive, forward-looking, and strategic approaches to resilience, but they are struggling to develop and operationalize them in their organizations. That is the overarching finding of Deloitte's 2022 worldwide, cross-industry survey of almost 700 executives, directors, and senior leaders with accountability or responsibility for resilience or crisis management within their organization.
The survey findings indicate that most organizations need to broaden out from their predominant focus on operational resilience, and build resilience more equitably across other 'capitals' (Financial, Reputation, People and Environmental) to build true organizational resilience. This entails broadening practices and capabilities related to resilience while retaining and enhancing those that currently serve the organization and its stakeholders well. The survey findings also point to steps leaders can take to transform their approaches to resilience. Organizations across sectors and geographies now operate in an environment of constant change and unpredictable risks. The breadth and potential severity of that change and those risks are new. Therefore, traditional approaches to resilience—thinking of it as “bouncing back,” mistaking it for crisis management, or delegating it to siloed functions— need to be expanded as quickly as possible. Yet the fundamental goal of resilience remains the same—to enable the organization to serve the needs and meet the expectations of its stakeholders regardless of condition. This stands among the primary responsibilities of senior executives and the board. Given the risks that organizations now face, an approach that generates end-to-end organizational resilience has become essential. In this report we convey the views that our survey respondents provided on the status and future direction of resilience, together with our point of view on the results and on the need for true organizational resilience, expanding from just operational resilience. We also offer our definition of resilience: Organizational resilience is the capability of an organization to be prepared for disruption and to adapt and thrive in a changing environment. It isn't purely defensive in orientation. It is also progressive, building the capacity for agility, adaptation, learning, and regeneration to ensure that organizations are able to deal with more complex and severe events and be fit for the future. Adapted from definitions included in BS 65000:2022 Organizational Resilience. Code of Practice, 31 August 2022 and Resilience Reimagined: A practical guide for organizations, 2021 Deloitte LLP and Cranfield University. This differs from thinking of resilience as positioning the organization to recover from risks and resume its former shape. It encompasses capabilities needed to identify, anticipate, and respond to the opportunities for growth that disruption always presents. It aims to develop an organization that can evolve rapidly and adapt repeatedly to new conditions. Our view encompasses capabilities within and apart from risk functions. Therefore, we surveyed not only leaders of risk functions but also those leading non-risk functions; where useful, we present the data for each set of respondents. The survey findings chart a path toward organizational resilience developed and maintained through more integrated approaches to achieve this strategic objective. These approaches recognize the role and value of resilience in each function and along every dimension (see opposite, 'The Five Capitals of Organizational Resilience'). These approaches also engage every function, consider geopolitical risks, work effectively with regulators, leverage digital capabilities, and position the organization to thrive not only despite business conditions but because of them.
The Five Capitals of Organizational Resilience Organizational resilience encompasses resilience along five capitals—human, social, built, financial, and natural — that comprise the ecosystem in which organizations operate.* The five capitals of organizational resilience are: People resilience: People resilience relates to the way in which organizations support their own people. It is also about fostering creativity and engineering growth by instilling personal resilience and instituting the right cultural norms, conduct, and behaviors. Reputational resilience: Reputational resilience is about being responsive to external perceptions, scrutinising self-limiting behaviors, building brand capital and reserves, and maintaining a foundation of trust and dependability. Operational resilience: Operational resilience refers to the way an organisation uses its non-financial resources to withstand, absorb, recover from, adapt to, or regenerate from the impacts caused by shocks and stresses affecting its products and services, data, technology, cyber security, facilities, and supply and demand. Financial resilience: Financial resilience describes the ability of an organization to withstand events that impact its liquidity, income, or assets. These events may include routine or severe but plausible shocks and stresses. Environmental resilience: Environmental resilience refers to the way in which an organization works to achieve homeostasis with the natural world, making strategic choices that are both good for the environment and sustainable for the organization. A deficiency in any single one of the five capitals can put the organization in jeopardy and even bring it down. Organizational resilience therefore consists of robust capabilities in each of these five domains. While the emphasis on a given capital will differ across industries and companies, superior capabilities in one domain will not make up for deficiencies in another. Therefore, each organization needs an individualized way of addressing and balancing investments in each domain. *Resilience Reimagined: A practical guide for organizations, 2021 Deloitte LLP and Cranfield University.
Explore the report
01 - Organizations need to Accelerate their Journey to Organizational Resilience In an environment of potentially existential threats leaders need to develop organizational resilience and corresponding capabilities. To a large extent, this remains aspirational or absent in many organizations.
In an environment of potentially existential threats leaders need to develop organizational resilience and corresponding capabilities. To a large extent, this remains aspirational or absent in many organizations. Despite the presence of sound capabilities in specific resilience programs, particularly those related to operational resilience, organizations should accelerate the expansion and coordination of capabilities to achieve the kind of resilience they now need. Silos are still a problem Approaches to resilience remain siloed to a degree that can undermine cross-functional responses to risks and opportunities. While many leaders understand the need to respond in a concerted manner, many may not. Only about one-third of organizations (36 percent of respondents in risk functions and 31 percent in others) describe resilience as a strategic priority with executive sponsorship and end-to-end capabilities. Almost another 20 percent note that resilience is well-understood and cross-functional. This means that the remainder—almost half of organizations—do not treat resilience as a strategic priority or lack cross-functional resilience. A total of one-quarter to one-third describe resilience as a new concept and focus only on limited aspects or some components of resilience. This points to a need for greater integration of resilience capabilities in many organizations. In your opinion, which statement best describes your organization's current resilience capability? Organizations lack a common understanding of resilience Organizational resilience begins with a common understanding and definition of resilience within the enterprise. Only about half of all respondents believe their organizations have these basics in place. Developing organizational resilience calls for defining what resilience means to the enterprise as a whole, prioritizing investments in resilience accordingly, bridging silos that restrict information flows, and coordinating end-to-end capabilities. Only about one-third of organizations seem to be there. Senior leaders can begin by promulgating a clear, enterprise-wide understanding and definition of resilience. The goal should be to lift resilience out of siloed functions, which clearly have their unique roles in addressing risks and opportunities, and to support more coordinated, forward-looking approaches. Deloitte has identified several ways of accomplishing this. Is there a common understanding/definition of resilience within your organization? Resilience may be limited by its strong association with risk Respondents outside the risk function are much more likely to identify competencies such as strategy, issues management, reputation management, communication, and procurement as part of resilience. This may imply that the full potential of resilience may be held back by people focusing on traditional risk management and not fully recognizing the need for broader competencies. Organizational resilience, which rests upon the five capitals—people, reputational, operational, financial, and environmental—extends well beyond risk and crisis management. Interestingly, people outside risk functions appear to recognize this more often than those within them. It's possible that, given the range of threats, their far-reaching impacts, and the need for coordination, resilience may be limited by being in and associated with the risk function. That's because organizational resilience requires strong collaboration across operational, financial, cyber, ESG, and other risk (and non-risk) functions. Establishing that collaboration is a senior leadership responsibility. Collaboration can be enhanced by shifting the view of resilience from its being a cost to being an investment, from its being an administrative burden to a driver of innovation. For example, rationalizing and integrating siloed processes in operations, technology, cybersecurity, compliance, and the supply chain not only saves costs but also positions the organization to streamline operations, seize opportunities, and outpace competitors—while enhancing resilience. It does this by rationalizing reporting, providing visibility into processes and outcomes, generating insights, and freeing headcount for high-value activities. What competencies are currently considered as part of resilience within your organization?
02 - Organizational Resilience must become a True Strategic Priority. Although risk management and crisis response remain essential elements in resilience, organizational resilience must be given the highest strategic priority. This resembles the approach that many organizations have taken to risk itself.
Although risk management and crisis response remain essential elements in resilience, organizational resilience must be given the highest strategic priority. This resembles the approach that many organizations have taken to risk itself. Particularly after the 2008-2010 financial crises, they elevated risk management to a strategic priority. How? By appointing chief risk officers, putting risk on the senior executive and board agendas, bolstering specific risk functions, and investing in risk management and governance capabilities. Resilience now warrants a similar approach. Provide executive-level sponsorship Lack of organizational resilience may be traced to resilience not being considered a strategic priority. Elevating it to that level extends resilience beyond cyber, operational, and financial matters to encompass environmental, social, and governance (ESG), geopolitical, reputational, and similar concerns. Although resilience is indeed a strategic priority, our survey revealed that less than 50 percent of CXOs agree that it is considered as such in their organizations. Managers heading specific functions may see resilience as comprising more traditional operational disciplines, such as cyber, data, and physical security. This may be reflected in only 16 percent of them seeing resilience as a strategic priority (although they may be questioning executive-level sponsorship). Senior executives and their direct reports more often cite the importance of resilience as a strategic priority. In your opinion, which statement best describes your organization's current resilience capabilities? Senior leaders should be aware that organizational resilience may be limited by seating resilience primarily in risk functions, and address any resulting silo effects and disconnections. Most organizations—at least half according to this survey—need to make resilience a strategic priority. This begins with the senior leadership team, who are responsible for performance and growth and for translating strategic priorities into actionable initiatives. Ways in which senior leaders can accomplish this include building a “culture of resilience” by translating strategies for organizational resilience into actionable mandates, creating incentives and accountability for cross-functional communication and resilience initiatives, and integrating responsibility for resilience into job descriptions and performance reviews. Just as many organizations have driven responsibility for risk management into activities and accountabilities for employees at all levels, a similarly intentional effort is now needed for organizational resilience. Consider appointing a chief resilience officer A persuasive four-fifths of respondents believe their organization should create a chief resilience officer role. Belief in the potential value of a chief resilience officer held for a significant majority of organizations across all industry sectors. Even in sectors that less frequently cited the need for that role, at least 70 percent supported the idea. As was seen with the creation of the chief risk officer role over the past fifteen years, executives may realize that one way to elevate resilience as a strategic priority would be to place a senior executive in charge of it. An alternative would be to extend the role of the chief strategy officer, where the responsibility might best encompass responsibility for organizational resilience. Another option would be to extend the role of chief risk officer in this direction, although that could reinforce the association of resilience with risk functions. While not a necessarily a negative, that option may fail to sufficiently differentiate resilience and elevate it to a distinct strategic priority. In your opinion, should your organization create a chief resilience officer role in the next five years?
03 - Geopolitical Threats should be Addressed within Resilience Trade wars and tariffs, financial and economic sanctions, mass migration driven by climate change, disintegration of international pacts, income inequality, energy-market disruption, and war exemplify geopolitical events that impact organizations.
Trade wars and tariffs, financial and economic sanctions, mass migration driven by climate change, disintegration of international pacts, income inequality, energy-market disruption, and war exemplify geopolitical events that impact organizations. These phenomena—along with failures of public and private institutions to address them—create not only widespread crises, but also an ongoing sense of instability, as if tectonic plates are shifting beneath us. The potential for those crises and the reality of that instability should be addressed in resilience plans and programs. Geopolitical forces warrant greater consideration Such forces fuel terrorism, mass migration, protectionism, hot and cold war, political and economic disruption, and social unrest. In turn, those developments foment strategic, operational, financial, environmental, people and reputational risk events that can impact the entire organization and multiple stakeholders. Respondents were asked which types of risk events (excluding Covid-19) their organizations addressed with dedicated response teams over the past 24 months. As expected, they most often cited data security and cyber events, followed by natural disaster, economic/financial, reputation, and extreme weather events. Geopolitical incidents came next. Note that the percentage citing geopolitical events (25 percent) was close to the percentages citing natural disaster, economic/financial, reputation, and extreme weather events. Organizations tend to have response teams dedicated to data and cyber breaches as well as teams (including external resources) to mobilize for natural disasters. They also have a chief financial officer and staff to address economic/financial incidents, and in-house and external communication teams to respond to reputational incidents. Yet either with or, more usually, without dedicated resources, a quarter of organizations had to respond to geopolitical events. Which scenarios did you mobilize for? Organizations are being impacted by geopolitical events Respondents' rankings of these scenarios for their impact were equally revealing. As with frequency, they ranked data and cyber security events first and second, respectively. However, geopolitical events ranked fourth and for good reason—they generate immeasurable uncertainty, particularly as the pace and extremity of these events intensify. This underscores the effect that geopolitical forces can have on today's organizations. In addition, political issues, and institutional degradation within nations, driven by elected officials, activists, state-sponsored entities, or combinations of these parties, are increasingly putting individual organizations at risk. Until recently, executives in the developed world and in much of the developing world could assume that certain national and international institutional conditions would remain stable over investment and operational planning horizons. That assumption is no longer be valid, even as planning horizons have shortened. Organizational leaders must acknowledge that geopolitical forces such as income inequality, political opportunism, nationalism, and degradation of institutions threaten economic and cultural structures that have long been taken for granted. Those realities should be factored into strategies, plans, and capabilities related to organizational resilience. Rank the scenarios from the most impactful at the top to the least impactful at the bottom
04 - Organizations Welcome the Role of Regulators in Resilience Executives with responsibility for resilience recognize and respect the role that regulators play in resilience. They understand that the types of events that now frequently occur and the existential threats that they pose are too large and widespread for any single organization to address.
Executives with responsibility for resilience recognize and respect the role that regulators play in resilience. They understand that the types of events that now frequently occur and the existential threats that they pose are too large and widespread for any single organization to address. Given the crucial role that regulators played in the financial crisis of 2008-2010 and during the Covid-19 pandemic for, respectively, the financial services and life sciences industries (and financial and health care systems), that is as it should be. However, some might argue that regulators and the industry could have done more to prevent those events, particularly in the case of the financial crisis. Nonetheless, executives welcome regulatory involvement in resilience. Most organizations have experienced regulatory impact on resilience. Two-thirds (67 percent) of organizations have been impacted by regulatory involvement in resilience, while 31 percent have not. Responses varied by region and industry, yet as geopolitical and ESG risk events become more prevalent, regulators and governments working through various agencies can be expected to exert broader influence. What has been the impact of this regulatory change on resilience in your organization? What has been the impact of this regulatory change on resilience in your organization? Organizations report positive experiences with regulators. In the context of resilience, organizations see regulation positively, quite likely because it helps to clarify priorities by setting forth specific areas of focus, objective goals, and clear reporting requirements. Overall, more than 90 percent of organizations impacted by regulatory change report that the impact on resilience has been very or somewhat positive. Only 3 percent report negative impact. What has been the impact of this regulatory change on resilience in your organization? What has been the impact of this regulatory change on resilience in your organization? Organizations use regulatory guidance in resilience Organizations are not simply giving regulators recognition; they incorporate their guidance into their internal operations. A total of about three-quarters either align regulatory change with their internal operations centrally (57 percent) or adopt guidance centrally and apply it incrementally (19 percent). Regardless of whether specific regulations have been designed for their industry, organizations appear to be learning from other and adopting and adapting practices emanating from the regulatory community, either to plug gaps or to achieve greater resilience. How have you aligned this regulatory change with your internal operations? Organizations welcome future regulatory engagement in resilience Across industries, a total of more than 80 percent of organizations indicate a significant appetite or some appetite for regulatory involvement. Again, clear priorities, goals, and reporting requirements enable organizations to focus and structure their resilience investments and initiatives. Executives also recognize that regulators possess industry- and economy-wide views of threats and potential ways of enhancing resilience. Is there an appetite for this future regulatory involvement in your industry? Given their external perspective, broad concerns, and deep expertise, regulators should play a key role in resilience. However, caveats are in order. Traditionally, regulators focus mainly on historical events and measurable risks. They aim to prevent crises of a known nature and to promulgate useful standards and metrics. While their role in resilience is essential, it is not sufficient. Therefore, leaders might take regulatory guidance as a starting point—or aim to stay ahead of it, for example, as companies do through voluntary carbon emission goals and product safety features—and never mistake compliance for preparation. That said, organizations and their industry groups should bear in mind the value that regulators provided to the financial services industry during the 2008-2010 crisis and to life sciences during the Covid-19 pandemic. They should also look to previous crises, and to failures in regulated markets for lessons that may be applicable to future crises in other industries. More broadly, regulators can perhaps learn from each other, as well as from previous crises and failures.
05 - Environmental, Social, and Governance (ESG) Risks Warrant Greater Attention ESG encompasses a range of issues and, with regard to resilience, each issue can differ across organizations. Regarding environmental issues, organizations must both defend and enhance value in the face of climate changes and resource constraints that can affect their business models, operations, and stakeholders.
ESG encompasses a range of issues and, with regard to resilience, each issue can differ across organizations. Regarding environmental issues, organizations must both defend and enhance value in the face of climate changes and resource constraints that can affect their business models, operations, and stakeholders. From the social perspective, they must continually assess where they stand in terms of their reputations, stakeholders' expectations, and the impact of social phenomena—ranging from changing customer tastes to migration patterns to political issues—on the business and its stakeholders. In terms of governance, organizations often face challenges related to board composition, refreshment, and diversity and to maintaining governance mechanisms robust enough to address the complexity of the organization and the risks posed to it. Additionally, organizations should consider both their role in generating environmental and social changes and the need to be resilient to those changes. Elevate environmental, social, and governance (ESG) concerns Only 18 percent of organizations cite the ESG function as having an active role in resilience. This calls into question the ability of the organization to identify, monitor, respond to, and recover from ESG risks and to preserve and build reputational capital. Across industry sectors, only about one-fifth of respondents (or less) cite ESG as having an active role in contributing to resilience. This translates to ESG lacking sufficient representation in discussions and decisions regarding resilience, certainly relative to operational, financial, and cyber functions. However, ESG risks can have profound impact on the operational, financial, cyber, and reputational domains of the organization. Do any other functions have an active role in contributing to resilience in your organization? Proportion of those selecting ESG, by sector. ESG will rise in importance but should do so quickly Respondents expect ESG to rise in importance over the next five years, with some seeing a good possibility that ESG could own resilience in their organizations within that timeframe. This is reflected in ESG jumping from last place to eighth place in having responsibility for resilience. While this will not likely be a broad trend, it is, along with growing demand for ESG competencies (next subsection), an indicator of the importance of ESG to resilience. However, that importance should be recognized and acted upon much sooner rather than later within that five-year horizon. Which function do you expect to own resilience in your organization in five years time? Organizations will be seeking ESG competencies A good number of organizations intend to emphasize ESG in resilience. For example, about one-fifth (21 percent) will be seeking ESG competencies in their new hires over the next two years. Note that these competencies edge out those related to disaster recovery, crisis management, and operational resilience—each of which fall within more traditional definitions of and approaches to resilience. Those are also areas in which organizations generally have stronger capabilities in place. Which resilience competencies do you expect to be seeking out in your resilience hires in two years time? Social responsibility can severely impact reputation In a related finding, organizations most often cited “social responsibility” (which includes diversity, equity, and inclusiveness, or DEI) as their chief reputational concern—on par with the quality of their services. This evidences high awareness of the potential impact of ESG practices on reputation and, by extension, on stakeholders and, ultimately, on trust in the organization and its leaders. Which reputational considerations do you expect to be the most important in five years time? Different industries face different ESG concerns, depending on the business (such as energy and resources versus financial services), key stakeholder groups (social impact investors versus private owners), and scope of operations (domestic versus global). ESG also covers a lot of ground—green practices within the company and its supply chain, DEI in the workforce and other stakeholder groups, and executives' public statements and behavior. Moreover, a change in stakeholder expectations can arise quickly in any ESG area, amplified by a highly charged media and political environment; therefore, organizational resilience strategies and capabilities need to include ESG considerations. When establishing resilience to ESG-driven risks, organizations should also take all reasonable steps to avoid contributing to those events. A good number of organizations are taking those steps, for example through voluntary commitments and proactive efforts. The challenges of governance under these circumstances support the notion of the chief resilience officer. Also, organizations can benefit by analyzing cause and effect in these areas, which is seldom explicitly conducted even though a substantial number of ESG incidents enable that kind of analysis.
06 - Reputational Risks Demand more Proactive Management Particularly in an atmosphere of widespread uncertainty, institutional instability, and ongoing risk events, reputational capital stands among an organization’s most valuable assets. Therefore, reputation and brand equity must be managed as such.
Particularly in an atmosphere of widespread uncertainty, institutional instability, and ongoing risk events, reputational capital stands among an organization’s most valuable assets. Therefore, reputation and brand equity must be managed as such. Most organizations realize the importance of reputational capital, but relatively few have been able to address reputational risks in a fully integrated manner. Reputational risks and communication capabilities warrant higher priority Organizations can lose sight of the broad expectations that stakeholders place on them. Those expectations are continually shifting, often on very short notice and not uniformly across stakeholder groups, so they need to be monitored and understood and responded to (or not) as needed. Note that most, although not all, reputational risks arise from the ways in which operational, financial, cyber, or other risks are handled (or not handled). Therefore, senior leaders must gauge and monitor the potential reputational impact of all potential risks for their impact on reputation. Reputation management capabilities are considered part of resilience by only about one-fifth of respondents in risk functions and one-third of those in non-risk functions. Those respective percentages are even lower for communication capabilities. We find this concerning given that most organizations are aware of the damage that reputational risks can do. This finding indicates an often inwardly focused view of resilience and an underappreciation of the value of reputation—and of communication to stakeholders—during risk events. Meanwhile, the reputational capital of organizational resilience must be as strong as the other four. Reputational resilience should be integrated into resilience planning Only one-third of organizations (32 percent) have specific activities underway to address reputation; 29 percent have specific roles encompassing this responsibility. That leaves a majority of organizations not making that commitment — with only 14 percent allocating related budget. What competencies are currently considered as part of resilience within your organizations? Is "reputational resilience" a consideration of your resilience planning? Organizations expect investment in reputation to increase Despite the relatively low percentage of organizations now allocating budget to reputational resilience, an impressive majority—82 percent—intends to do so over the next five years. This raises issues of how they intend to invest those funds, particularly given that most are not currently investing in reputational resilience. Useful investments generally include ongoing reputation monitoring and mechanisms that support proactive, meaningful engagement with stakeholders Customers, employees, suppliers, and investors have become highly sensitive to the reputations of the organizations they hold a stake in. This sensitivity is reflected in the rapidly changing expectations that various stakeholder groups bring to organizations. As many leadership teams have found, reputation can change on very short notice, particularly given our media (including social media) environment. Therefore, reputational resilience should be considered integral to organizational resilience. Proactive monitoring of stakeholder expectations and management of reputation, along with effective communication plans and capabilities, are needed to support resilience. Ongoing reputation management and consistent communications enable an organization to build reputational capital, which tends to retain stakeholders’ support at times when they might otherwise seek alternatives. Reputation reinforces resilience. Do you expect your organization's investment in reputational resilience to increase over the next five years?
07 - Digitalization can Enable Resilience As business models, relationships, and transactions become ever more digitally based—and as the technologies continue to advance—digitalization will play an increasing role in resilience.
As business models, relationships, and transactions become ever more digitally based—and as the technologies continue to advance—digitalization will play an increasing role in resilience. This stands to reason as data analytics, AI, and similar capabilities now applied to operations can be naturally extended to resilience. Indeed, this has already occurred. A strong majority of organizations have used digital technologies in resilience, with most either actively using or intending to use them within the next three years. The level of digital information within the organization combined with that available in the virtual world can enhance the organization’s understanding, preparation, monitoring, response, and recovery related to crises. Given this, we see digitalization as “the great enabler” of end-to-end organizational resilience. Digitalization already plays a strong role in resilience Digitalization has found its way into resilience, with more than two-thirds of executives citing usage of technology solutions across a broad range of related activities. Specifically, two-thirds to about four-fifths of organizations have used specialized technology solutions to support their responses to incidents in the past 24 months. Did you utilize any specialist technology solutions to support your response to these incidents? Digitalization holds promises and perils Almost all organizations currently use or plan in the next three years to use digital technologies to support resilience. Note that most intend to implement even the three least-used applications—scenario modelling, situational awareness, and digital twins. (The latter are virtual representations of entities or processes which can be used to more accurately gauge the impact of incidents on those entities or processes and of various preparations and responses.) Yet it is how an organization uses digital capabilities to support resilience that will impact its performance and success. These rates of adoption and applications are promising. The perils lay in the ways in which digital capabilities are applied and whether they reinforce siloed approaches and point-specific solutions to the exclusion of facilitating more integrated ones. When enhancing approaches and capabilities, organizations need to find ways to clean and use the data they have rather await “perfect” data. Digital technologies can themselves be used in these efforts. They can also be used to overcome the persistent barriers to data integration and distribution posed by the legacy systems and myriad platforms prevalent in most organizations. And they can efficiently communicate and escalate issues—all of which can be addressed with the right resources. What digitization opportunities exist across your organization's resilience strategy?
08 - Barriers to Achieving Greater Resilience can be Overcome Respondents (all of whom were CXOs for this question) most often cited scarcity of talent as the key barrier to achieving resilience.
Respondents (all of whom were CXOs for this question) most often cited scarcity of talent as the key barrier to achieving resilience. This was closely followed by alternative priorities being deemed more important, and lack of organizational understanding of resilience. Lack of funding is a leadership issue The lack of funding cited by 44 percent of respondents could very well stem from lack of organizational awareness and understanding of resilience. This lack may even extend to senior executives (the respondents to this question). If so, it may be attributable more to the need for a new view of and approach to resilience than to ignorance of the subject on their part. Most of the cited barriers to achieving resilience lay within the organization. That’s good news. It is within management’s—and the board’s—purview to elevate resilience as a priority and to promulgate greater awareness of the discipline. Doing so would likely lead to increased funding for resilience capabilities. Among those capabilities might be solutions to address the talent issue. For example, co-sourcing and managed services arrangements can enable an organization to increase or decrease capabilities as needed. Those arrangements can also optimize investments in capabilities while tapping the best available risk monitoring, advanced analytics, and rapid response technologies. What are the three biggest barriers to achieving organizational resilience for your organization? CxO responses.
09 - The Future, and How to Get There Based on the findings of this survey of executives with responsibility for resilience, we can chart a broad path toward the goal of expanding beyond operational resilience, to organizational resilience.
Based on the findings of this survey of executives with responsibility for resilience, we can chart a broad path toward the goal of expanding beyond operational resilience, to organizational resilience. In general, organizational resilience will be: Integrated Organizations increasingly face risks that can affect multiple functions and stakeholders as well as existential threats than can significantly impact value and the future ability to create value. To effectively address these events and their impact, resilience can no longer be planned, resourced, and implemented in siloed functions. Also, in a very real sense, resilience is, like risk management, everyone's job. Strategic Thinking of resilience strategically places it on senior executive and board agendas, where it belongs. This signals that resilience is not focused on playing defense and being reactive but on being agile and innovative enough to profit from whatever comes next. This also helps to elevate resilience as an investment priority and to transform it into a more coordinated, forward-looking, and proactive set of initiatives. It's essential, however, for senior leaders to ensure that those initiatives drive accountability for outcomes related to resilience into the organization. Outwardly focused While organizations currently look outward to assess and monitor the risk landscape and emerging risks, they need to do so with greater consistency and cross-functionality when it comes to resilience. Many incidents are in fact localized, but as many organizations have found, given today's stakeholder views and media atmosphere, even those can have far-reaching impact. Geopolitically aware A good number of organizations have been impacted by geopolitical events, and we believe those issues warrant greater consideration. Very few organizations relish political involvement, nor do we recommend it; however, it's extremely useful to gauge the potential impacts of geopolitical events on the organization and to prepare for them. Attuned to ESG Organizations expect to be focusing more on ESG as it relates to resilience. This calls for clarifying ESG policies and practices from the standpoint of the organization's values, business, and stakeholder expectations, on the one hand, and, on the other, ascertaining that the organization maintains resilience in the face of ESG-related risks and events. Given the nature of ESG—particularly the environmental and social elements, which can appear to lack immediacy—the time to act is now rather than “sometime” in the future. Engaged with regulators Industries facing challenges too massive for any single company to address (such as the automotive, financial services, life sciences, and healthcare industries), have turned to government agencies for assistance. Understanding regulators' views of resilience, readiness, and resourcing requirements—as well as where they see a need for action — can be extremely useful, as can cultivating mutually productive relationships with regulators. Also, regulators of specific industries should be aware that organizations not only need but welcome clear, current, forward-looking guidance regarding resilience. The following specific capabilities can assist a leadership team seeking organizational resilience: Enhanced risk monitoring Risk monitoring capabilities should be extended beyond the usual types of risks and impacts that the organization considers. Risk sensing capabilities should be deployed to identify and monitor emerging risks in areas outside as well as inside the organization's usual scope of operations. Extended scenario planning Scenario planning should be extended in similar ways. In addition, it should go beyond tabletop exercises limited to specific functions to model a broad array of events and potential responses, with the latter including actual dry runs. Scenario planning should also include senior leaders rather than only risk function leaders. Digital technologies Data mining, analytics, and visualization technologies can power risk monitoring and reporting while digitalization, AI, and digital twins can also be harnessed to provide predictive insights, coordinate responses, and execute communications across silos, supply chains, and stakeholder groups. Proactive reputation management Reputational capital is accumulated over years, but can be destroyed in days, or even hours. Proactive reputation management carefully monitors social media, the internet, and other sources to continuously gauge the organization's reputation in the face of constantly changing stakeholder expectations and emerging risks. Reputational resilience, which is a capital equal in importance to people, operational, financial, and environmental resilience, must be actively developed across all stakeholder groups. Rapid response capabilities Many organizations have developed rapid response capabilities for specific functions to address specific risks, such as risks to IT infrastructure, operating facilities, and financial portfolios. However, end-to-end, enterprise-wide capabilities, perhaps supported by a dedicated response center or a project management office that can be quickly stood up, are far less common. But those capabilities have become essential to organizational resilience. Chief resilience officer We see four-fifths of respondents saying their organizations should create a chief resilience officer role as quite significant. It speaks to the need for senior executive engagement in resilience, elevation of resilience as a strategic priority, and, quite possibly, greater visibility into resilience by the board. Co-sourcing and managed services Enterprise-wide resilience has not been considered a core competency by most organizations. Depending on the organization and its industry, aspects of resilience, such as operational, financial, or cyber resilience may have been considered core competencies, but today's needs are broader. Thus, they call for broader solutions delivered by people with deeper skill sets using continually updated processes and technologies. Few organizations find it economical to maintain those resources, which means that co-sourcing solutions and managed services arrangements can be worth considering from both the talent and technology perspectives. Opportunities Abound Times of widespread cultural, technological, geopolitical, and environmental disruption present as many opportunities as they do risks. However, most organizations plan for and thrive under stable conditions. Yet even during times of stability, investing in technology, facilities, equipment, and talent presents tremendous uncertainty. That is why the management sciences developed so many methods of mitigating risk—insurance, hedging, diversification, and so on. That is also why organizations developed resilience capabilities. Yet those capabilities have traditionally been geared to known risks limited by geography, industry, or resource scarcity. Today, however, an environment of unpredictability and widespread impact prevails. In addition, innovation in technologies and business models can now present risks in that it can render an organization—or an entire industry—woefully outmoded or even obsolete. The flip side is that resilient organizations can not only prevail but generate new value in this environment. Senior executives and the board are responsible for enabling both the organization and its stakeholders to thrive in the face of these threats. The time to enable them to do so is now.
Explore the data Click on one of the headings below to explore the data:
Executive Summary Until recently, organizations around the world could rely on certain domestic and global institutions and conditions to remain stable over traditional investment and planning horizons. That no longer holds true. The following are the key findings of our 2022 Global Resilience Report:
Organizations need to achieve true organizational resilience In most organizations, resilience capabilities remain siloed in ways that potentially hamper organizational resilience. Yet the prevailing business environment and the interrelatedness of risks demand robust resilience at the organizational level. That points to the need for a more holistic approach which expands beyond operational or financial resilience. However, well over half of respondents indicate that resilience sits within the risk function (or a specific risk function, such as operational risk). While risk functions play an irreplaceable role in resilience, the need to address a broader range of threats to the value and viability of the organization calls for a new approach. In addition, organizations remain heavily focused on operational resilience at a time when they need to expand resilience capabilities. Organizational resilience must become a strategic priority. When resilience sits in the risk function and specialized risk or crisis management functions, it may fail to focus broadly enough. It may also receive insufficient senior leadership attention. This can be remedied by elevating resilience to a strategic, enterprise-wide issue to be continually addressed by senior executives and the board. Placing organizational resilience on senior executive and board agendas fosters the attention—and funding — that it now warrants. In addition, a strong majority of organizations favor having a chief resilience officer, which could accomplish this goal. Geopolitical threats should be addressed. Until recently, organizations around the world could rely on certain domestic and global institutions and conditions to remain stable over traditional investment and planning horizons. That no longer holds true, even as those horizons have shortened. This instability resembles tectonic shifts which at best generate deep uncertainty and at worst destroy large and complex structures. While no single private, or even public, entity can address these threats, each organization must plan for them. This means that organizational leaders should acknowledge that geopolitical forces such as income inequality, political opportunism, nationalism, and degradation of institutions threaten economic and cultural structures that have long been taken for granted, and that those realities should be factored into strategies, plans, and capabilities related to resilience. Geopolitical threats also support the decision to elevate resilience as a strategic priority. Organizations welcome the role of regulators in resilience. Regulators have proven that they can play an essential role in resilience, particularly during crises that impact financial and economic systems, industry segments, or the public. Executives recognize and respect that role. Moreover, they welcome regulators playing an even greater role in resilience going forward and can be expected to do so across a broader range of industries. Yet certain caveats regarding over-reliance on regulators are in order. For example, regulators tend to look backward and aim to avoid or mitigate crises that resemble the last one. Organizations need to be more forward-looking and proactive, while continually engaging with regulators. Environmental, social, and governance (ESG) warrant greater attention. ESG encompasses many issues, each of which can differ significantly for a given organization. Regarding environmental resilience, organizations must both defend and enhance value in the face of environmental changes. From the social perspective, they must understand and monitor their reputations, stakeholders’ expectations, and the impact of social change on their business. In terms of governance, organizations often need more robust board practices, governance mechanisms, and education of the board and its committees to achieve organizational resilience. The broad nature of ESG may partly explain why less than one-fifth of organizations cite the ESG function as having an active role in resilience. That said, they understand the role of social responsibility in their organization and plan to hire talent in this area. Reputational risks demand proactive management. Trust in an organization, as reflected in its reputation in general and among specific stakeholder groups, stands among its most valuable forms of capital. Reputation impacts brand equity, customer loyalty, investor sentiment, and value. If reputational capital is not proactively managed, it can be rapidly destroyed. So, executives need to consider the reputational impact of potential risks and build corresponding capabilities. Relative to operational, financial, and cyber resilience, organizations lag in this area. Although reputational risks usually stem from operational, financial, cyber, geopolitical, and ESG risks, reputation itself must be proactively managed, with appropriate investments in monitoring and communication capabilities. Those specific capabilities enable measurement of stakeholders’ current perceptions and, critically, the constantly shifting expectations stakeholders place on organizations. Digitalization can enable resilience. In addition to siloed functions and structural and leadership issues, organizations seeking greater resilience face a shortage of talent as well as competing investment demands. When properly selected and deployed, digital technologies can enable enterprise-wide capabilities that support organizational resilience despite talent shortages and cost pressures. Digital technologies have a proven record of cost-effectively performing activities such as risk monitoring, data analytics, and risk reporting, thus freeing up talent and funding for tasks requiring human intelligence and intervention. Digital tools can also bridge silos and enhance communications and visibility into processes. Organizational resilience is further supported by advances in scenario modelling, situational awareness, and digital twins. (The latter being virtual representations, entities or processes used to gauge the impact of risks on those entities or processes.) Barriers to achieving greater resilience can be overcome. The three most cited barriers to achieving greater resilience were scarcity of talent (59 percent), closely followed by competing strategic priorities and lack of organizational understanding of resilience (tied at 57 percent). Lack of funding came next at 44 percent. While lack of talent involves the challenges of hiring and retaining people in a highly competitive marketplace, it can be mitigated through rotational and cross-training programs, alternative talent models (such as co-sourcing and managed services), and, as noted, digital technologies. Strategic priorities and lack of organizational understanding of resilience can be addressed through senior leadership initiatives and increased funding of resilience plans, programs, and capabilities. Get in touch To discuss the Resilience Report findings and learn more about how we can help, please connect with us. Get in touch
A Robust and Representative Sample Our survey respondents comprise a worldwide sample of 695 executives `in a range of industries. Respondents have crisis management or resilience as part of their accountabilities or responsibilities and include CEOs and CXOs as well as board members. Included are heads of risk functions such as operational risk and cyber security, among others, as well as chief risk officers. In this report, these respondents are those in the "risk functions" sample segment as opposed to the “non-risk functions” segment. The latter includes senior executives and board members whose responsibilities include resilience (such as the CFO or CCO) but who do not manage actual risk functions. Key sample characteristics
Global region
Industry
Organization size
Role
Seniority
The Five Capitals of Organizational Resilience Organizational resilience encompasses resilience along five capitals—human, social, built, financial, and natural — that comprise the ecosystem in which organizations operate.* The five capitals of organizational resilience are: People resilience: People resilience relates to the way in which organizations support their own people. It is also about fostering creativity and engineering growth by instilling personal resilience and instituting the right cultural norms, conduct, and behaviors. Reputational resilience: Reputational resilience is about being responsive to external perceptions, scrutinising self-limiting behaviors, building brand capital and reserves, and maintaining a foundation of trust and dependability. Operational resilience: Operational resilience refers to the way an organisation uses its non-financial resources to withstand, absorb, recover from, adapt to, or regenerate from the impacts caused by shocks and stresses affecting its products and services, data, technology, cyber security, facilities, and supply and demand. Financial resilience: Financial resilience describes the ability of an organization to withstand events that impact its liquidity, income, or assets. These events may include routine or severe but plausible shocks and stresses. Environmental resilience: Environmental resilience refers to the way in which an organization works to achieve homeostasis with the natural world, making strategic choices that are both good for the environment and sustainable for the organization. A deficiency in any single one of the five capitals can put the organization in jeopardy and even bring it down. Organizational resilience therefore consists of robust capabilities in each of these five domains. While the emphasis on a given capital will differ across industries and companies, superior capabilities in one domain will not make up for deficiencies in another. Therefore, each organization needs an individualized way of addressing and balancing investments in each domain. *Resilience Reimagined: A practical guide for organizations, 2021 Deloitte LLP and Cranfield University.
z
Identify Essential Outcomes As explained in a special Deloitte report* an organization can enhance enterprise-wide resilience—and break down silos—by identifying essential outcomes and working to develop the capability to deliver on them regardless of changing conditions. Essential outcomes are those that the organization must create for customers, employees, suppliers, investors, the community, and other stakeholder groups. They are not internal functions, processes, assets, resources, or goals. They are what stakeholders want, need, and expect the organization and its leadership to deliver. Broadly, an essential outcome is one that, if disrupted would: Harm a key stakeholder or a stakeholder group Breach a legal or contractual requirement or destroy trust in the organization Put the financial viability or existence of the organization at risk Create an adverse or irreversible impact on the natural environment Fail to provide what stakeholders need in a crisis, or hamper their ability to recover Focusing on essential outcomes creates an outside-in perspective on resilience. It also focuses leaders on identifying broader methods of delivering those outcomes rather than on capabilities. Once those outcomes are identified and agreed upon, leaders can look to the external as well as internal capabilities needed to deliver them, regardless of silos or functions. *Resilience Reimagined: A practical guide for organizations, 2021 Deloitte LLP and Cranfield University.

Please use a modern browser to access
Deloitte's Global Resilience Report or
download the PDF

Insert Custom HTML fragment. Do not delete! This box/component contains code that is needed on this page. This message will not be visible when page is activated.
+++ DO NOT USE THIS FRAGMENT WITHOUT EXPLICIT APPROVAL FROM THE CREATIVE STUDIO DEVELOPMENT TEAM +++