Jan 26, 2021

Bain & Company Dispels 5 Myths of Building Resiliency

riskmanagement
businessresilience
Bain&Company
supplychainresilience
Laura V. Garcia
5 min
Balloon and cactus
Bain & Company dispels five myths that stand in the way of building organisational toughness...

For years now, companies have been fixated on improving efficiencies and driving out costs. Consolidated supply chains leveraged for better pricing, just-in-time inventories, and the elimination of redundancies to drive out waste have removed any protective cushioning, increasing the likelihood that even the smallest supply chain disruptions can have large impacts on their operations.

The global pandemic has exposed vulnerabilities and garnering the attention of executives who now see the value in investing in their business resilience.

“Analysis of the Bain Resilience Index shows that while high risk can generate high rewards, more-resilient companies have nearly double the survival rate over the long run,” Bain says.

But what does ‘business resilience’ really mean? Bain believes there is a lack of clear discussion on the dynamics of business resilience, what it means for every company, and how to improve it. They challenge business leaders to consider:

  • Most of the things you’ve been worrying about are too short-term and modest.
  • Improving resilience doesn’t have to come at the expense of shareholders.
  • If you don’t get ahead of the challenge of becoming more resilient, expanding government regulations or restrictions―such as forgoing dividends or stock buybacks in return for bailouts―may further limit your options.

Business heads will need to recognise the trade-offs involved and make choices around their revenue portfolio and their operations Bain & Company says. They go on to explain that although executives have come to recognise the criticality of improving resilience, they believe there are five prevalent myths to be dispelled.

Bain & Company’s five myths that must be debunked:

Myth 1: Resilience eliminates volatility

Volatility must be distinguished from risk, and that it is unrealistic to believe resilience will help eliminate earnings and share price volatility. Bain describes volatility as “predictable fluctuations in every business over time,” whereas risk is “exposure to a lasting adverse change in trajectory.”F

Failure to define risk appetite is a rampant issue. Rather than attempting to improve on earnings certainties, management teams and boards should look to identify and mitigate their most prominent adversaries, whether it be bankruptcy, a hostile takeover or activist investors.

Myth 2: It’s all about the balance sheet

Increasing resilience is about more than examining leverage and liquidity. Risk may lay in five distinct areas: strategic, financial, operational, technological and organisational. 

Adopting a realistic, holistic approach to resilience building that acknowledges all of the areas of exposure, and their impacts to your organisation allows business leaders to make better informed, smarter decisions on where best to invest resources.

A simplistic and transparent business model makes for a more resilient business. Complex and opaque supply chains can make risk assessment nearly impossible, leaving organisations exposed to operational risk due to unforeseen disruptions such as shortages of critical parts that lay beyond their visibility.

Myth 3: Past resilience guarantees future resilience

Building business resilience is about looking forward to what may happen in the future that could have significant deleterious effects on your business, not about looking back. Although Covid-19 may have you better prepared to withstand the same type of disruptions, executives must evaluate the likelihood of all areas of risk.

As we continue on the trend of digitisation and industry 4.0, cybersecurity should remain of the utmost concern. Although identifying all potential risk sources is an impossible task, executives must build the ability to evaluate the likelihood and impacts of risk scenarios, and mitigate their most significant threats.

Myth 4: Resilience should be handled by the risk function

“Too often, risk gets treated as an obligatory but unfortunate box-checking exercise, then relegated to a corner of the business. Accepting this more limited scope, risk functions may fall into the trap of becoming overly tactical and blinkered in their identification of risks.”

“This approach falls short in a world of greater turbulence. The combinatorial nature of many risks demands that companies identify and mitigate risks for the entire business… Moreover, many future risks will emerge from the ecosystem of partners outside the firm, and traditional risk-management functions are ill-suited for this challenge.”

Preferably, organisations should incorporate risk management into their existing channels and processes for critical decision-making at the C-suite and board levels. Leaders at all levels in the organisation should adopt a risk ownership mindset considering potential impacts on the company across the entire business and over the long term.

Myth 5: Resilience doesn’t require difficult trade-offs

Business leaders must openly discuss the need to balance both short and long term gains. “For their part, many investors are trying to balance the desire for responsible stewardship of capital over the long term with the need to avoid allocating funds to systematic underperformers.”

Agreeing on the metrics to be used can be a sticking point. To help create fact-based discussion, Bain has constructed the Bain Resilience Index, “a 100-point scale that assesses a company’s resilience based on the statistical relationship between performance during a crisis and a wide range of readily observable metrics including scale, growth, margin, asset intensity, leverage, liquidity, and geographic and product concentration.”

Bain & Company goes on to explain that “once you get past these five myths, it’s clear that there’s no single solution or quick fix, no binary black-or-white choices, but rather a series of decisions in the grey areas of marginal risk. Developing the right level and type of resilience demands a combination of long-term vision, a deep understanding of company and industry economics, and a significant dose of creativity.”

Getting Business Resilience Right offers a three-step approach to setting the wheels to resilience building in motion, as well as excellent examples of the successful business resilience strategies of Nissan and Southwest airlines. For more on that, click here

Share article

May 10, 2021

Biden’s Supply Chain Intentions Depend on Cybersecurity

Supplychain
Cybersecurity
EO14017
digitisation
Oliver Freeman
6 min
President Biden’s supply chain executive order is heavily dependent on the lessons learned by cybersecurity leaders in recent years but will he take note?
President Biden’s supply chain executive order is heavily dependent on the lessons learned by cyber security leaders in recent years but will he take...

In recent years, the United States’ supply chain network has faced an onslaught of cyberattacks. The attacks have left the global superpower a shaking nation with a whole portfolio of challenges, risks, and vulnerabilities exposed to the masses. From the SolarWinds attack to the dependency confusion attack that breached companies like Apple, Microsoft, Uber, and Tesla, to the most recent US pipeline ransomware hit, it’s evident that, in an increasingly digital age, cybercriminals fear no traditional governmental powers, and supply chain networks need to hunker down on cybersecurity. 

Looking back at the height of the COVID-19 pandemic, western nations found themselves ill-equipped to deal with the novel Coronavirus; not due to lack of knowledge or medical inability but because supply chains were in a chokehold and supplies like personal protective equipment (PPE) for frontline workers weren’t being manufactured fast enough. 

To address this problem and mitigate future risks, Biden signed Executive Order 14017, aptly titled “America’s Supply Chains”, in February 2021. 

The Executive Order (EO) called for a comprehensive review of US supply chains to figure out exactly where the vulnerabilities and risks are, to help institutions and organisations manage any future disruption caused by COVID-like events. 

The EO focuses on six primary sectors:

  • Agriculture
  • Communications and information technology
  • Defence industrial base (DIB)
  • Energy and power
  • Public health
  • Transportation

The listed sectors, as you might expect, are increasingly dependent on digital products and services to maintain daily operations, which increases their vulnerability to potential attacks ─ so they need cybersecurity. In fact, cybersecurity should be front-and-centre as a critical facet of the EO if the federal government truly intends to create a more robust and resilient supply chain in the face of rising criminal adversity.

Digitisation Dangers The Nation

When it comes to a globally interconnected supply chain, the ambitions of Biden’s administration are potentially a little far-fetched and off-the-mark, in reality. I say that because an overwhelming number of industry-leading organisations ─ even in the tech realm ─ still do not feel confident in their ability to deal with the vulnerabilities in their supply chain. Most of which come not from internal operations but from externals ones in the form of third parties and suppliers that they collaborate with. 

According to the dated but increasingly relevant Marsh Microsoft 2019 Global Cyber Risk Perception Survey introduction, “cyber risk has moved beyond data breaches and privacy concerns to sophisticated schemes that can disrupt entire businesses, industries, supply chains, and nations, costing the economy billions of dollars and affecting companies in every sector. The hard truth organisations must face is that cyber risk can be mitigated, managed, and recovered from, but it cannot be eliminated.” 

Taking a look at the survey results reveals a telling tale: that third-party providers and supply chain operations external to an organisation are most likely to be the victim of cyberattacks and potential infiltration. 

The survey found a wide discrepancy in many organisations’ view of the cyber risk faced by supply chain partners, compared to the level of perceived risk they themselves pose:

undefined

This variance is consistent across industry sectors and geographic regions, and the largest organisations exhibited the largest dissonance: 61% of companies with revenues of US$5bn or more suggested that their supply chain partners pose a risk, whereas only 19% say they themselves pose a risk to the third-parties involved:

undefined

Low Confidence in 3rd-Party Risk Mitigation Capabilities

The above paints a pretty poor picture of the overall supply chain security ─ a disconnect between large organisations and their suppliers, which could be driven by companies’ low confidence in their ability to mitigate cyber risks posed by their commercial partners. The number of companies that considered themselves “highly confident” in that area is few and far between, with only 5-15% of respondents feeling prepared to deal with the cyber risks caused by certain types of third-party providers. 

undefined

So due to the very obvious lack of knowledge, it’s clear that supply chain professionals and organisations, as well as the Biden administration, should call upon their cybersecurity industry peers ─ white hat professionals ─ to take the fight to black hat cybercriminals.

How Cybersecurity Professionals Can Help

According to Padraic O’Reilly, CPO and Co-Founder of CyberSaint, the success of Biden’s Executive Order is heavily dependent on its stakeholders taking note of lessons from cybersecurity’s supply chain risk management initiatives, including: 

  1. Identifying the main weaknesses along the chain of production before determining which ones can be fixed cost-effectively. Then, compare that with the cost of the potential impact ─ discover where the holes are and what’s worth prioritising. 
  2. Thinking about the supply chain as a cybersecurity practitioner does. Cyber-risk is all about making sense of multiple data sources, and supply chain risk is the same. Don’t think about the supply chain as a single entity; rather, consider it as many entities that produce data ripe for deep risk analysis. 
  3. Standardisation across the globally interconnected supply chain is hard, and communication is key. Cyber experts are hot on the topic, as managing risk is exactly what they do. Vulnerabilities and risk is the language that they speak in. They’ve been dealing with supply chain security for years before disruptions at the scale of COVID-19 came about. 

Cross-sector collaboration with a strong focus on communication across hierarchical levels is at the very core of the cybersecurity function. If Biden hopes to see his supply chain initiative reign triumphant, his administration must ensure that efforts are coordinated across agencies, public entities, and the private sector industry. The administration must also carefully consider the potential impact of increased regulation that should be put in place following the year-long project ─ it could make or break the initiative across various sectors. 

According to O’Reilly: 

“The best choice is to rely on standards, measurement, and cross-industry collaboration to make this happen. Other supply chain standards, such as the Cybersecurity Maturity Model Certification (CMMC), can serve as models for a data-driven approach.

Without these considerations, we risk a lot of duplicative time, effort, and analysis, only to fail to mitigate cyber-risks and possibly result in yet another supply chain attack. We hope stakeholders will engage the information security community to bolster this project. Leveraging existing analysis by the information security community will matter to its success.”

Adapting To The Unknown 

The fact of the matter is, when it comes to the US supply chain, we mostly haven’t got a clue. It’s a massively interconnected network that represents an ecosystem ─ one with risks coming from all angles and multiple points of failure. It’d be almost impossible to figure out all of the potential risks, as Biden’s initiative intends, so, according to O’Reilly, it’d be beneficial to focus not on sniffing out every single supply chain vulnerability but on advanced persistent threat (APT) incentives:

  • What are the low-hanging targets?
  • What do criminals want?
  • What are they capable of? 

“Doing some scenario modelling and talking in probabilities could lead to more informed decisions regarding mitigating risk. NIST 800-30 and the FAIR model are examples of risk-quantification methods that aim to translate cybersecurity risk into dollars and cents. Understanding supply chain risk requires measurement, strong governance, input from security experts, information sharing, and advances in cyber and IT risk-management software. Instead of logging an APT's activity, start getting a fact pattern about where they may be going”, O’Reilly adds. 

So the final point to the Biden administration and organisations that are working on Executive Order 14017 is clear: cybersecurity professionals have an advantage over their peers because they already live to standardise data; they view risk through a lense of complexity and costliness of failure, and if the two parties can collaborate effectively, there’s a chance that security professionals can finally understand the full extent of the supply chain ecosystem and, with any luck, secure it from future attacks. 

Share article