Resilience practices: One-year follow-up analysis on Global Risks 2012 cases authored by the World Economic Forum, in collaboration with PwC

Authors: The World Economic Forum, in collaboration with PwC

Building resilience against highly uncertain and unpredictable external risks can complement traditional risk management, especially in today’s interdependent and interconnected world.

As noted in the Special Report in the World Economic Forum’s Global Risks 2013 report, a working definition of resilience for a country (or an organisation) is its capability to adapt to changing contexts, withstand shocks and recover to a desired equilibrium while preserving the continuity of its operations. Resilience implies the capacity for both speedy recovery after a shock (such as a market crash or natural disaster) and timely adaptation in response to a changing environment (such as a demo-graphic transition or climate change).

Resilience must be achieved in balance with other objectives, such as efficiency – for example, investing in operational redundancy may enhance resilience but constrain short-term efficiency. To further the debate on the importance of resilience and the best ways to build it, the World Economic Forum has collaborated with PwC to develop a one-year follow-up analysis of the three risk cases presented in the Global Risks 2012 report: The Seeds of Dystopia, How Safe Are Our Safeguards?, and The Dark Side of Connectivity, focusing on what resilience practices might be relevant in each case. The examples are drawn from practices that have already proved their efficacy as well as practices that are currently being tried and, though unproven, seem promising.

Project leads

Case No. 1: The Seeds of Dystopia

Description of the case

Case 1

Mismanagement of population ageing and sustained high levels of youth unemployment remain pressing challenges across developed and emerging markets. ‘Seeds of Dystopia’ case highlighted the potential for fiscal and demographic trends to prompt the emergence of a new class of fragile states with widespread social instability and discontent. The case asserts that dystopia will ensue if the social contract is no longer believed in by wide segments of the population. As youth see a lack of opportunities and the aged are concerned about smaller or nonexistent benefits after a lifetime of work, social pressures increase. These phenomena are closely linked to each other as well as to political and policy reform, productivity, education, and other macro-trends. To address them, innovative and sustainable solutions are needed.

Resilience practices

These practices for understanding, measuring and ultimately improving resilience are drawn from research of numerous case studies from around the world. While most relate directly to governments as the primary enabler of the social contract and, therefore, societal and economic stability, the cases also reflect the critical role stakeholders from across society will necessarily play.

Resilience practice 1: Seek holistic insights and involve a range

of stakeholders

Any approach to building resilience must draw upon holistic insights related to ageing, youth unemployment, inequality, fiscal imbalances and the social contract. Collaboration among the private sector, civil society, local and national governments, and multilateral organisations in creating a modern and sustainable social contract is crucial.

For example, SELCO is a social enterprise in India that makes solar panels and lights. Through multi-stakeholder partnerships with international institutions and rural state-owned banks, SELCO provides loans to rural Indian households and institutions such as schools to purchase solar lighting systems, which enables them to obtain energy and internet connectivity. These in turn provide an improved working environment for young entrepreneurs and offer greater opportunities to earn income and educate children. Social resilience could be enhanced through such efforts, which create create educational and employment opportunities, addressing the growing resentment about inequality between rural and urban areas in India.

Because it is based on a holistic understanding of the socioeconomic context, this multi-stakeholder collaboration allows for competing interests to be appropriately represented and managed, minimising the risk that solutions will prove unfavourable to any group of stakeholders.

Resilience practice 2: Monitor trends and revisit assumptions

Monitoring and analysis – including forecasting and scenario planning – of trends in ageing, technology, labour and youth engagement enables stakeholders to regularly reassess assumptions and risks and correct strategies as needed. These processes improve responsiveness of policies and strategies to changing environments and to potential crises.

The UN Millennium Development Goals demonstrate the use of highly successful adaptive strategies based on continuous monitoring and analysis. The economists who manage the UN Millennium Development Goals constantly gather data to enable them to identify best practices and negative trends which need to be rectified. For example, UNICEF and UNESCO Institute of Statistics established a global initiative to gather data and analyses about out-of-school children. The initiative, which involves 26 countries from seven regions, aims to develop “context-appropriate policies and strategies for increasing enrolment and attendance of excluded and marginalized children.” More data-driven, targeted education policies could improve countries’ prospects of achieving the millennium development goal of universal primary education. Such initiatives are essential to fostering socioeconomic resilience because education boosts citizen engagement and the skill level of the labour force.

This example illustrates that continuous monitoring of trends and revisiting assumptions allows for routine evaluation of what truly enhances resilience over the short-, mid- and long-term. It also enables stakeholders to challenge assumptions that may no longer be valid.

Resilience practice 3: Promote inclusive and open attitudes toward immigrants

Countries with flexible immigration policies often have more resilient labour markets, as migrants are more able to fill the gaps left by retiring workers. The strong growth of the Canadian economy in recent years (particularly in the natural resources sector in the western provinces), coupled with the increasing retirement rate of its ageing workforce has led to a shortage of skilled workers in the country. The government has taken advantage of its society’s openness to immigrants through the Federal Skilled Workers Program, which in 2011 admitted more than 57,000 skilled immigrants to Canada. These immigrants helped meet the Canadian economy’s growing demand for labour.

Over the course of 2011, full-time employment increased by 190,000 jobs while the unemployment rate fell slightly from 7.6% to 7.5% – outperforming the OECD average of 8.2%. Based on data from the Gallup World Poll, the OECD calculates an index of its members’ community tolerance of minority groups and migrants. Canada topped this index.

The Canadian example illustrates that the efficacy of immigration policies is influenced by social norms, as more tolerant and accepting societies make it easier for migrants to be economically active and civically engaged. These norms also foster greater social resilience.

Resilience practice 4: Diversify risk through innovative financing

Innovative financing can increase resilience by providing additional resources from alternative sources such as the private sector and individual donors, to foster vital projects and initiatives despite economic shocks which may reduce or redirect limited state resources. Impact investing, an example of an innovative financing tool, marries state funding with private investment. These initiatives to diversify sources of financial support allow governments to leverage private capital to meet social needs and ensure continuity of services by diversifying sources of finance.

For example, the US Government has committed US$1 billion over five years to the Small Business Association (SBA) Impact Investment Initiative, which will provide capital to invest with the private sector in companies in underserved and vulnerable communities. The first SBA initiative was the InvestMichigan! Mezzanine Fund, launched in 2011 in partnership with the State of Michigan Retirement Systems and Dow Chemical Company, which contributed US$35 million and US$15 million, respectively. The InvestMichigan! Mezzanine Fund aims to provide stable funding, which has historically been hard to find for job-creating start-up and early-stage companies in Michigan. Stability comes from a diversity of funding sources, combining the private sector funding and Michigan’s pension fund. The fund targets high-growth enterprises that can accelerate job creation, which is vital as Michigan’s economy suffers from a relatively high unemployment rate of 9.1%. In partnering with the private sector, impact investing also seeks to leverage efficient management, provide social benefits and promote knowledge sharing. The Invest Michgan! Mezzanine Fund, for instance, connects local private-sector leaders with businesses that benefit from the fund’s investments to enable individuals to share knowledge.

The investor diversity enabled by initiatives such as the InvestMichigan! Mezzanine Fund can provide funding stability during crises. Additionally, impact investing typically provides for outcome-dependent returns, so it is in investors’ interest to ensure that projects are successfully designed to meet social needs and are sustainable and efficient. Overall, such successful programmes can strengthen a country’s socioeconomic resilience.

(This Seeds of Dystopia One-Year Follow-Up analysis has been produced in collaboration with PwC and Eurasia Group.)

Resilience in action: Tracking trends to challenge assumptions and steer the right course

By Mena Cammett and Marissa O. Michel

Given today’s dynamic global environment, the contours of our most pressing strategic challenges are constantly changing. Our approaches to tackling these problems must also be flexible and responsive to circumstances, as solutions that were once a perfect fit for the problem at hand lose their relevance, and once-effective approaches become stale.

Monitoring and analysis, to include forecasting and scenario planning, enable governments, corporations and others to regularly reassess assumptions and risks, change course as needed and develop new opportunities for sustained growth. The ability to anticipate and adjust to future scenarios is a key facet of resilience. Routinely evaluating strategic and policy initiatives enhances resilience over the near-, mid- and long-term by allowing stakeholders to challenge assumptions that may have been correct at a point in time, but become invalid over time. Additionally, regular analysis allows for the identification of risks and opportunities. Stakeholders can use data and information gathered through monitoring to develop likely scenarios to forecast how key risks and strategic challenges will play out in the medium- to long-term. Continuous monitoring and analysis of trends can be applied across sectors to provide a check on the appropriateness, sustainability, relevance and costs of different approaches to tackling strategic challenges. Organisations that do this well can weather the challenges ahead, while those that fail to revisit their own approaches and assumptions may be left behind.

Righting demographic imbalances

Demographic imbalances, particularly rapidly ageing populations with low replacement birth rates, provide a perfect example of global strategic challenges that are best addressed by the consistent monitoring and evaluation of trends.

Analysis of China’s population initiatives highlights the importance of continuous monitoring and evaluation in crafting policy interventions to address demographic imbalances. Facing overpopulation that had the potential to outstrip national food supplies and cause environmental stresses in the 1950s, the Chinese government instituted a series of practices over 20 years aimed at introducing the concept of family planning to curb birth rates. The government researched and tested policies, practices and campaigns across urban and rural areas, culminating in the family planning policy now known as ‘one child’.

While estimates vary considerably, the Chinese government claims to have prevented 400 million births and kept the country’s population growth relatively low. However, in the intervening 30 years, the policy, combined with a cultural preference for boys, has created a severe gender imbalance – the 2010 census revealed that there are at least 20 million more men than women, presenting a social and domestic security challenge. State officials are focusing closely on how to improve employment opportunities for young men, a move that in part stems from concerns over potential delinquency and social unrest, while also attempting to manage a significant elder dependency problem.

The government maintains that the policy will largely remain in place for at least the next ten years, despite it becoming clear in the mid-1990s that gender imbalances and an ageing population had the potential to impact the labour markets and employment rates across the country as soon as 2015. While the potential for overpopulation will remain a concern for a country of China’s size, underlying assumptions about the long-term demographic health of China and the ongoing viability of the one child policy may have shifted, and a reassessment of the policy may be in order to enhance China’s long-term societal resilience.

Indications are that the government is engaging in some level of review, as evidenced by the publication of a report by a government-backed think tank urging a re-examination of the policy to reverse China’s ‘ageing crisis’. Re-evaluation of the policy has begun to show itself in the regulatory sphere as well; in some cases the government has been gradually easing regulations, including allowing couples comprised of two only-children to have more than one child. This is to alleviate what is known as the “4-2-1” issue, or the possibility that an only child will shoulder the burden of care for two parents and four grandparents. Some experts who have analysed this issue advocate implementing a uniform two-child rule as a means of easing enforcement and rebalancing the population. Continued analysis and input from academic circles may be swaying those in a position to make policy changes; in 2011, an official in the Chinese government’s National Committee of Population, Resources and Environment indicated that officials were studying proposals for a two-child policy, and predicted that urban couples with a female child might be permitted to have a second child as early as 2015. The continuous transformation of China’s one-child policy reflects the importance of continuous monitoring and evaluation, and the government’s continued ability to revise its sweeping policy initiatives taking into account feedback and trend analysis from other stakeholders will be vital to maintaining social resilience moving forward.

Case No. 2: How Safe Are Our Safeguards?

Description of the case

Case 2

Societal safeguards need to be reinvented on an ongoing basis, given the ever-changing nature of global risks. With rapid global change, safeguards can become imbalanced where they do not provide adequate protection, or otherwise stifle innovation.

The ‘How Safe Are Our Safeguards?’ case explored whether current processes for developing societal safeguards can effectively build resilience against cross-border risks in a complex and interdependent world marked by uncertainty, innovation and rapidly changing conditions.

Resilience practices

Comparable practices that may foster resilience in the face of cross-border risks in a complex and interdependent world can be found in two very different areas: financial system stability and the prevention of pandemic influenza. Safeguards in both areas have been challenged and continue to evolve in ways that are expected to foster more effective responses to future crises.

Resilience practice 1: Question the validity of assumptions underlying safeguards

In an ever-changing world, it is likely that key assumptions underlying a safeguard will ultimately become invalid, and responses to crises based on flawed assumptions will compromise rapid recovery and adaptation. Therefore, processes must exist to monitor and challenge the validity of the assumptions underlying safeguards.

Financial system stability

The financial crisis of 2007–2009 demonstrated that the assumption that a ‘microprudential’ approach, one focused on the health of individual financial institutions, would safeguard financial stability was no longer valid. In response, regulators adopted a ‘macroprudential’ approach, which addresses the whole financial system, and regulators enhanced their ability to question the validity of assumptions underlying this new approach. For example, the United States established the Financial Stability Oversight Council (FSOC), which identifies “risks that could arise outside the financial services marketplace.” The FSOC monitors risks to the stability of the US financial system that may arise outside of the existing regulatory structure.

Pandemic influenza preparedness

Questioning the underlying assumptions behind pandemic influenza vaccine manufacturing is a continuing part of World Health Organization (WHO) strategies. For example, the 2009 H1N1 pandemic led WHO to challenge the assumption that large multinational pharmaceutical companies could ramp up production fast enough for all affected populations. The pandemic demonstrated that low-income nations would be supplied only after the wealthy nations had ensured adequate coverage for their own populations. As a result of challenging the assumption, a new vaccine manufacturing schema was created to enable developing nations to establish domestic vaccine manufacturing capabilities and ultimately to reduce their dependence on wealthier nations.

The output of the microprudential approach and the potential speed of flu vaccine production are both examples of assumptions which needed to be questioned in order to make financial and health systems more resilient to future crises.

Resilience practice 2: Monitor trends and revisit assumptions

Monitoring and analysis – including forecasting and scenario planning – of trends in ageing, technology, labour and youth engagement enables stakeholders to regularly reassess assumptions and risks and correct strategies as needed. These processes improve responsiveness of policies and strategies to changing environments and to potential crises.

The UN Millennium Development Goals demonstrate the use of highly successful adaptive strategies based on continuous monitoring and analysis. The economists who manage the UN Millennium Development Goals constantly gather data to enable them to identify best practices and negative trends which need to be rectified. For example, UNICEF and UNESCO Institute of Statistics established a global initiative to gather data and analyses about out-of-school children. The initiative, which involves 26 countries from seven regions, aims to develop “context-appropriate policies and strategies for increasing enrolment and attendance of excluded and marginalized children.” More data-driven, targeted education policies could improve countries’ prospects of achieving the millennium development goal of universal primary education. Such initiatives are essential to fostering socioeconomic resilience because education boosts citizen engagement and the skill level of the labour force.

This example illustrates that continuous monitoring of trends and revisiting assumptions allows for routine evaluation of what truly enhances resilience over the short-, mid- and long-term. It also enables stakeholders to challenge assumptions that may no longer be valid.

Resilience practice 2: Build forward-looking elements into safeguards

For a safeguard to strengthen resilience in the face of a dynamic and evolving risk, regulators must look over the horizon to be able to recognise issues early and mobilise quickly to recover from crises.

Financial system stability

The financial crisis of 2007–2009 arose in part because traditional regulatory safeguards such as capital ratios did not capture evolving risks of systemic impacts. In response, regulators incorporated forward-looking elements into their regulatory frameworks. For example, both the European Banking Authority and the US Federal Reserve conduct stress tests using scenario methodologies, to better understand the variety of possible future developments in order to prevent future crises and mitigate the impacts of crises, by enabling early detection and intervention.

Pandemic influenza preparedness

Safeguards against pandemic influenza also employ forward-looking elements, consistent with the dynamic nature of the risk. Because new strains of the flu virus evolve quickly, WHO’s Global Influenza Surveillance Network meets twice each year to analyse monitoring data and to project which influenza strains are most likely to infect populations in 6–12 months. Based on those projections, the Network recommends suitable strains to be included in the influenza vaccines for each new flu season.

Forward-looking safeguard elements, from stress-testing in finance to projections in vaccine planning, help to identify areas of emerging risk in the respective systems, and enhance resilience by enabling early response to emerging risks.

Resilience practice 3: Leverage market and other incentives

To foster resilience, safeguards should strike a balance between protecting society from risk, such as by enhancing the ability to recover from crises, and enabling society to benefit from risk-taking. This can often best be achieved by using incentives when feasible rather than restricting or directing activities.

Financial system stability

The financial crisis of 2007–2009 highlighted systemic risks posed by creditors’ assumptions that large financial institutions are ‘too big to fail’ and will always be rescued by government – given that government rescues are an inefficient way of facilitating crisis recovery. To enhance market discipline on risk-taking, the US Federal Deposit Insurance Corporation now has the authority to liquidate large non-bank financial institutions and impose losses on investors including shareholders and creditors. Larger banking institutions must submit plans for orderly liquidation and make enhanced public disclosures of risk information. These measures provide the information and incentives for investors to demand management action to shore up the stability of financial institutions.

Pandemic influenza preparedness

Separate funding from the US government increased economic incentives for the pharmaceutical firm Novartis to make additional long-term investments in seasonal influenza vaccine programmes. Without this government support, the private sector alone lacks clear incentives to make such long-term investments. This funding initiative provided a cost-effective means to ensure domestic vaccine production capacity in the event of a pandemic flu outbreak, and it provided mutual benefits to both the US Government and Novartis.

In both cases, action to adjust incentives – by requiring information disclosure in finance and providing economic incentives to invest in vaccine production – increased the resilience of systems without the need for restricting or directing activities.

Resilience practice 4: Coordinate actions across borders and organisations

Safeguards to protect global systems are beyond the capability of any one country to put into place; therefore, governance structures must coordinate action across borders to identify, prevent and respond to crises.

Financial system stability

Recognising the interconnectedness of global financial markets and institutions, G20 countries established the Financial Stability Board (FSB) to coordinate financial services regulators and international standard-setting bodies. In November 2011, the FSB collaborated with financial regulators from numerous countries to develop Key Attributes of Effective Resolution Regimes for Financial Institutions, which provides guidelines for recovery and resolution planning for banks and financial institutions. As a result of that international coordination, these leading practice guidelines are being implemented globally with the aim of better equipping the global financial system to respond to future disturbances.

Pandemic influenza preparedness

Influenza and other infectious diseases are inherently cross-border challenges in today’s globalised world. Accordingly, stakeholders leverage WHO, which works closely with other multilateral organisations, government agencies and key laboratories to coordinate and manage the surveillance of, and response to, global public health threats. For example, leverage WHO plays an integral role in coordinating activities under the Global Action Plan for Influenza Vaccines, a comprehensive strategy to promote the production of influenza vaccines. A coordinated global response to a pandemic would be difficult without this level of organisation.

Having cross-border organisations such as the FSB and WHO in place prior to the onset of a crisis can improve responses and enable stakeholders to adapt more nimbly and effectively to future cross-border crises.

Resilience in action: Taking advantage of windows of opportunity

By Bruce Oliver

Short-term objectives tend to get in the way of long-term objectives. Safeguards known to be outdated and ineffective can remain in place where change would be difficult, expensive and/or unpopular. Those barriers can, however, weaken from time to time as crises or shifts in the balance of power temporarily increase stakeholder appetite to bear short-term pain for long-term gain. The ability of an organisation, country, or society to thrive in the face of change, therefore, may depend on its ability to identify and take advantage of windows of opportunity to make the changes necessary to meet long-term objectives.

Clearly, maintaining the status quo while waiting for a window of opportunity is a terrible strategy for achieving long-term objectives. Windows of opportunity seldom open wide enough or at the right time. And actions taken during windows of opportunity tend to include unhelpful overreaction and opportunistic overreaching. On the other hand, where necessary changes are otherwise impossible to accomplish, waiting to pounce upon an imperfect but available opportunity may be the only strategy – terrible though it may be. Organisations, countries and societies can ill afford to miss such openings.

Climate change

Climate change is a clear example of an issue where short-term objectives have impaired the ability to meet long-term objectives. As Lord Stern, a leading climate scientist said, “Although climate changes challenges are clear, public policy is moving slowly. Its progress must be unblocked.”

Unfortunately, climate change also illustrates that it may be easier to recognise windows of opportunity only after they have begun to close. The period of 2006–2008 may have been such a window. During that period, the case for responding to climate change was made in many influential ways: the government of the UK released the 2006 Stern Review on the Economics of Climate Change; the United Nations Intergovernmental Panel on Climate Change issued its Fourth Assessment Report; ‘An Inconvenient Truth’ was awarded the Oscar for Best Documentary of 2007; Al Gore and the Intergovernmental Panel on Climate Change were co-awardees of the 2007 Nobel Peace Prize; and climate change was on the World Economic Forums Annual Meeting agenda. While there was no universal agreement about specific causes and solutions, public consciousness about climate change was high; the economic and political case for action was relatively strong; and many organisations were spurred to action. Yet no significant actions were taken.

Since that time, the urgency of mitigating the pace and impacts of climate change has dropped precipitously, a decline highlighted in PwC’s annual CEO Surveys between 2008 and 2012. Currently, climate change is struggling for sufficient attention and resources. Moreover, there remains a strong push to question the underlying science of whether human activity has had any meaningful impact on climate. In retrospect, the period of 2006–2008 might have been a missed, imperfect but workable, opportunity for even more effective action on climate change.

Case No. 3: The Dark Side of Connectivity

Description of the case

Case 3

The Dark Side of Connectivity case explored the online security risks associated with the critical infrastructure that underpins our daily lives and depends increasingly on hyperconnected online systems. The case highlighted the need for public–private cooperation to secure a healthy cyberspace.

Over two billion people worldwide now have direct access to the internet. Consumer devices, social media and networked connections could drive change faster than businesses and governments can keep up. In addition, criminal abusers of cyber networks have been quick to exploit the growing opportunities presented by society’s reliance on these technologies, with ever-growing sophistication.

Resilience practices

Resilience in cyberspace means more than preventing future cyber attacks: it means reducing recovery times following such attacks. The resilience of our cyberspace depends on strong leadership, capable of keeping up with the pace of change. This leadership must come from the top of government and business, not just technology management. Improving resilience also requires investing in infrastructure that builds and sustains trust among systems and users.

Resilience practice 1: Assign top-level responsibility for cyber resilience

Resilient cyber strategies should be developed at no lower than the board level within each organisation to enable effective identification of trends, adaptation to changing business contexts, efficient response to systemic shocks and continuity of business operations.

Many large banks have transferred responsibility for cybersecurity from IT divisions to group security, along with crisis management, and have provided board-level oversight. Fortune 500 corporations have created chief information security officer positions, not only in their chief information office, but in their general counsel offices, reflecting the need for top-level accountability and the consideration of a variety of key corporate functions: contract review, enterprise risk management, assurance and compliance, human resources and workforce management, and regulatory reporting. These shifts reflect the degree to which cyber-security decisions involve much more than technology management – they also include risk and liability management.

These trends highlight the importance of strategic perspectives and cross-functional collaboration at the most senior levels. Such collaborative decision-making can guide corporate-wide investments and capabilities – not just technology investments – to anticipate and adapt to emerging trends, respond to shocks and decrease recovery time. These strategies improve corporations’ abilities to respond to crisis by marshalling enterprise-wide resources and strengthening collaborative, cross-functional processes.

Resilience practice 2: Monitor trends and revisit assumptions

Monitoring and analysis – including forecasting and scenario planning – of trends in ageing, technology, labour and youth engagement enables stakeholders to regularly reassess assumptions and risks and correct strategies as needed. These processes improve responsiveness of policies and strategies to changing environments and to potential crises.

The UN Millennium Development Goals demonstrate the use of highly successful adaptive strategies based on continuous monitoring and analysis. The economists who manage the UN Millennium Development Goals constantly gather data to enable them to identify best practices and negative trends which need to be rectified. For example, UNICEF and UNESCO Institute of Statistics established a global initiative to gather data and analyses about out-of-school children. The initiative, which involves 26 countries from seven regions, aims to develop “context-appropriate policies and strategies for increasing enrolment and attendance of excluded and marginalized children.” More data-driven, targeted education policies could improve countries’ prospects of achieving the millennium development goal of universal primary education. Such initiatives are essential to fostering socioeconomic resilience because education boosts citizen engagement and the skill level of the labour force.

This example illustrates that continuous monitoring of trends and revisiting assumptions allows for routine evaluation of what truly enhances resilience over the short-, mid- and long-term. It also enables stakeholders to challenge assumptions that may no longer be valid.

Resilience practice 2: Share cyber knowledge in trusted public-private forums

Trusted knowledge sharing between public and private stakeholders improves understanding of, and response to, cyber threats that can affect critical infrastructure.

For instance, the Australian government has established the Trusted Information Sharing Network (TISN), a network of government representatives, business stakeholders and cyber experts, to address the risks of cyber threats to critical infrastructure that could severely damage Australia’s economy, social systems, or national security. It aims to use the network to increase awareness of cyber risks to critical infrastructure, share strategies to reduce cyber risk, and provide a feedback mechanism to highlight private sector cyber issues to the government. It allows for resilience practices to be shared across the supply chain so that there is mutual benefit in avoiding the failure of a key link in the chain. The TISN enables critical infrastructure organisations to improve understanding of risks and provides a platform for responding quickly when cyber threats do materialise.

Due to the rapidly changing nature of cyber threats, governments and the private sector need to have mechanisms to share knowledge in trusted networks, so that critical organisations have the latest information to respond quickly and effectively to cyber attacks. Such responsiveness to shocks is at the heart of cyber resilience.

Resilience practice 3: Coordinate among governments during crises

Formalised bilateral procedures between governments, which could be used in the event of a cyber crisis, are important to facilitating fast, decisive action and limiting damage from cyber attacks.

In light of this recognition, the UK held formative talks with China and Russia in 2012 to establish cyber crisis communication channels. The proposed communication channels could help identify the sources of cyber attacks and limit misunder-standing that may lead to escalation. Such channels are becoming ever more important with the increased ability of cyber attackers to use proxy servers to mask their identities online as ‘agents of the state’.

Similarly, South Korea has also entered into bilateral cyber cooperation agreements with other nations including China, Japan and the US. These bilateral agreements include procedures that provide for formal cyber crisis coordination, realistic bilateral cyber-attack testing and the ability to share technical information between government agencies in the event of a cyber attack. Such elements allow for advanced preparation and the ability to share crucial information to identify attack sources and coordinate responses quickly across national borders.

Documented success stories of these strategies are scarce, due in part to the confidentiality surrounding both testing exercises and real cyber attacks. Nonetheless, established formal communication channels between governments in a crisis are crucial to enable quick and clear collaboration to avoid damage and prevent escalation through miscommunication.

Resilience practice 4: Design-resilient electronic devices and online systems

Encryption is a crucial element of resilient information sharing. Design and use of properly encrypted devices and online systems will improve the resilience of information-sharing against malicious attacks or simple human error when systems’ protection fails.

BlackBerry® devices, for example, provide secure, encrypted communication, and Apple’s latest products include similar security technology. Half of businesses that have outsourced processes over the internet ensure that their data is encrypted. Furthermore, Trusted Platform Modules (TPMs) provide both device encryption and device authentication, embedded in the hardware of the device. This assures data protection as well as device authentication even when software-based digital certificates are compromised or forged. TPM chips are used by nearly all personal computer and notebook manu-facturers, yet relatively few corporations take advantage of these chips to authenticate devices on corporate networks throughout the enterprise, for example.

Tools such as encrypted communication and enterprise-wide TPM strengthen resilience by protecting data as it moves across systems, irrespective of uneven system security. Such trust infrastructure, crucial for information-sharing resilience, enables corporate enterprises to adapt over successive generations to emerging consumer technology, which can change as rapidly as the next trend in smart phones. It also fosters resilience by ensuring a general level of reliability by minimising disruptions if one link in the chain fails.

Resilience in action: New behaviours for a new world

By Martin Caddick and Neal Pollard

Cyber systems are already recognised as being as important as physical assets for our critical infrastructure. But they are more than this. Cyberspace is a virtual extension to our physical world which mirrors our cities by facilitating communication, trade, culture and social activity. It has become an integral part of how the developed world lives, and with a low cost of entry, it could become even more important in the developing world. But, unlike our physical society, which has matured over many thousands of years into a complex structure of behaviours, customs and rules, cyberspace is new. It has not developed mature patterns of behaviour and customs. The speed of development has left a generation gap where the average teenager has a better understanding of cyberspace than most of our leaders.

The implications of all this are not well-understood, and tried and tested approaches, based on generations of experience of the physical world, may or may not work. Potential risks are not matched by appropriate caution and behaviour (for example, our willingness to share information on Facebook or to manage what we say on Twitter).

Not only does cyberspace lack the natural and instinctive resilience of our physical society, but we have not had the chance to design our systems to reduce risk in a way that takes human behaviours into account. In high-risk occupations (health, air and nuclear industries, for example) systems are carefully designed, taking into account how people behave naturally to minimise the risk this poses.

We need to learn new ways to behave and new ways to cope with human behaviour to create a safe cyber world.

Some disconnects between the physical and cyber worlds

Physical Cyber
Risks and likely consequences relatively visible, and can be kept in perspective Working online in comparative safety gives a false sense of security, and the risks and consequences are not realised. Illustrated by teenage hackers.
Seventy percent of communication is non-verbal, and this can be seen in the physical world, reducing misunderstanding. Without non-verbal communication, there are more misunderstandings and less empathy, leading to ill-judged posts. Illustrated by celebrity use of Twitter.
Cause and effect is constrained by physical limitations, giving the opportunity to react to and mitigate materialising risks. Effect is often almost immediate due to speed of communications, meaning you can face a crisis situation before you are even aware of the cause. Illustrated by the speed at which ill-judged communications go viral.
Boundaries and association is primarily defined by geography and occupation, making regulation relatively straightforward. People associate across the world in line with their interests cutting across national boundaries. New loyalties are being established. Illustrated by people’s identification with Wiki leaks.