How do global leaders bolster risk resilience? Ten best practices.

Author: Ed Simmons

What can you learn from how other organisations are strengthening their risk resilience? How often do you seek to capture the upside of risk and turn it into something valuable?

Best practices may not be where you expect them. They might come from other sectors, regions or organisational types. PwC collaborated with the World Economic Forum to identify and share the experiences of foremost experts and global leaders — primarily around anti-corruption, catastrophic risks, cyber risks and supply chain risks.

Take time to consider how these 10 best practices might also strengthen your organisation’s resilience:

  1. Educate continuously to instil organisational values. It takes only one part of an organisation to damage the whole, so a strong common culture and set of values are vital to support your organisation’s resilience. To mitigate corruption-related risk, Royal HaskoningDHV (RHDHV) introduced a comprehensive and continuous education system to embed business integrity at all levels.

    “Business integrity goes beyond corruption, collusion and fraud; it also encompasses the personal attitudes and individual behaviour of all […] people.”
    (Anti-corruption Practice 2)
  2. Collaborate to spur transparent information. In complex and vast global networks, transparency of information from individual actors to decision makers enhances risk-resilient decisions. Barrick Gold Corporation elevated the effectiveness of its anti-corruption and supply chain due diligence — and improved trust in third-party information — by collaborating with globally networked non-profit organisations.

    “A collective action approach [is recommended] to transparency and due diligence as a means of mitigating risks, particularly those associated with corruption.”
    (Anti-corruption Practice 4)
  3. Show zero tolerance to critical risk breaches. Some risk events should be unacceptable to organisations — and seen to be so. To mitigate the threat of corruption, Skanska introduced an internal “five-zero” policy to govern operations. The five pillars of the policy are: zero loss projects, zero environmental incidents, zero workplace accidents, zero ethical breaches and zero quality defects.

    “The three-pronged approach of prequalification, performance evaluation and supplier development helps […] weed out problematic suppliers.”
    (Anti-corruption Practice 7)
  4. Challenge assumptions constantly. As the speed of global change accelerates, the assumptions that form the basis for risk-resilient decisions no longer remain valid. The World Health Organisation (WHO) continuously questions core assumptions to advance influenza vaccine manufacturing. In 2009, the fallout from the H1N1 pandemic caused WHO to challenge the assumption that multinational pharmaceuticals could accelerate production for developing markets. As a result, WHO initiated schemes to promote domestic vaccine manufacturing capabilities in developing countries and increase their access to vaccines.

    “Processes must exist to monitor and challenge the validity of the assumptions underlying safeguards.”
    (Catastrophic Risk Practice 2)
  5. Support your employees, and they’ll support your organisation. Without a resilient workforce, your organisation cannot be resilient during and after crises. In the early 1990s, after Hurricane Andrew hit the US state of Florida, local businesses took a variety of approaches, supported by pre-event planning, to help the local workforce get back on its feet. These businesses saw that by supporting their employees, they enabled those employees to support the business and maintain a resilient local economy.

    “It may seem counter-intuitive for businesses already suffering disaster losses to take on further risk or spend additional capital on behalf of their employees. However, the evidence shows that without the prompt return of employees who are fully committed to restoring the capacities of business, it is likely that companies will face a longer recovery period and may fail altogether.”
    (Catastrophic Risk Practice 4)
  6. Take decisions based on independent and reliable data. During a crisis, when data can be compromised and unreliable, accurate and trusted data is crucial to making the right, informed decisions. Deutsche Bank’s Japanese operations were able to make the right decisions in the midst of the Fukushima Daiichi disaster on the back of independently gathered risk data, at a time when other information sources were conflicted.

    “It is critical for organisations to provide informed and accurate appraisals of their own for effective crisis management decision-making.”
    (Catastrophic Risk Practice 5)
  7. Rehearse: crisis practice makes perfect. Crises rarely strike organisations, but when they do, senior management and risk managers must be ready and prepared to act. Again, Deutsche Bank has initiated a global programme to train managers in real-life crisis simulations so that when a catastrophe does occur, the organisation is set to respond with speed and confidence.

    “Specific plans are of less use than an ability to develop an impromptu plan. While catastrophic risks are increasingly global by virtue of greater degrees of interconnectedness, local response is also vital.”
    (Catastrophic Risk Practice 15)
  8. Set up early-alert systems to allow for decisive action. In most crises, speed counts. Having information and systems in place that can detect nascent threats helps your organisation rapidly quash and combat them before they have an impact. To defend against the growing danger of cyber-attacks, the United States government has set up an agency that detects emerging cyberthreats and delivers alerts, along with mitigation strategies, to critical infrastructure organisations.

    “Governments should set up agencies to provide alerts on emerging cyberthreats and mitigation strategies for critical infrastructure organisations.”
    (Cyber Risk Practice 1)
  9. Place responsibility for resilience at the top. Resilient organisations are able to identify trends, adjust to changing environments and collaborate throughout the organisation. Only with senior involvement is this possible. With increasing cyber-risks, many financial organisations have elevated responsibility for cybersecurity from IT departments to group divisions, and ensured board-level oversight.

    “Resilient cyber strategies should be developed at the board level within each organisation to enable effective identification of trends, adaptation to changing business contexts, efficient response to systemic shocks and continuity of business operations.”
    (Cyber Risk Practice 2)
  10. Share knowledge in trusted networks. Global supply chains, critical dependencies and systemic threats mean that individual organisations rely on the resilience of a much wider network of which they are a part. In sharing sometimes-sensitive information and knowledge with a trusted network, the resilience — not only of individual organisations, but of the wider network — can be improved. In combatting cyber-threats to critical infrastructure, the Australian government has set up a trusted network of organisations to share critical information and security strategies that allow for rapid response and resilient defences.

    “Trusted knowledge sharing between public and private stakeholders improves understanding of and response to cyberthreats that can affect critical infrastructure.”
    (Cyber Risk Practice 5)

Access the World Economic Forum’s full report here: Leading Practices Exchange: Managing Risk and Building Resilience