Companies need to be resilient in today’s dynamic and uncertain environment, where rapid, more frequent, and more complex change is the norm. That means they need to manage risk, see business opportunities in adverse situations, and have a workforce that can adapt and learn from mistakes.
Management accountants can contribute to building their companies’ resilience. Rodrigo Silva De Souza, Ph.D., the author of the CIMA-sponsored research, Building and Enhancing Organisational Resilience: Before and After COVID-19, explains how in the Q&A below.
De Souza is a senior lecturer at the University of Roehampton in the UK, with a research focus on resilience and enterprise risk management. He is also a co-chair of the Institute of Risk Management’s (IRM’s) Innovation Special Interest Group, which in 2021 published a risk manager’s guide to organisational resilience.
His responses have been edited for length and clarity.
How do you define business resilience?
De Souza: According to the BSI (British Standards Institute), organisational resilience is “the ability of an organisation to anticipate, prepare for, respond, and adapt to incremental change and sudden disruptions in order to survive and prosper”. I would add “recover and learn” to this definition.
The IRM proposed a distinction between two areas of organisational resilience: operational resilience and strategic resilience. Operational resilience refers to the activities performed by each control function, traditional risk management techniques such as risk analysis, assessment, monitoring, and reporting, which alone are not sufficient.
To achieve long-term resilience, functions must work together to enhance strategic resilience capabilities, which are obtained by (1) focusing on activities that add value to the company’s functions and strategy, (2) creating a culture that enhances resilience capabilities, balancing threats and opportunities, and financial and nonfinancial goals, and (3) enhancing the communication throughout the company by drawing on the wisdom of the crowds and/or real-time data analysis. This framework enables companies to jump from a compliance to a value-add mindset.
What steps can companies take to achieve a strategic approach to resilience?
De Souza: Organisations must define what they want to be resilient against and know that there’s no such thing as full resilience. For example, companies may have been resilient against fires, floods, and system failures for years, but climate change and badly executed digital transformations can knock them down.
To be strategic in their approach towards building and enhancing resilience, companies must:
- Understand the maturity of their current resilience capabilities.
- If the company has already developed some level of resilience and is comfortable with it, it is important to continuously monitor the level of preparedness and ability to respond to crises. War games and stress tests can support companies in this task, enabling control functions to assess if the current resilience capabilities are in accordance with the board’s expectations and risk appetite.
- Resilience is not only about anticipating and preparing for disruptions. Despite managers’ best attempts, failures will happen, and events may cascade into crises that exceed business contingency capabilities. Thus, although proactive resilience is desirable and ideal, reactive resilience is necessary.
- After the turmoil, it is time to reflect, act according to lessons learned, and create metrics that are “crisis-specific” to monitor ripple effects from the original shock.
By sharing information across the business, teams can map system interdependencies and enhance supply chain (strategic) resilience. Companies should break down the silo mentality permeating their operations and understand the multidimensionality of events. Cross-functional and hierarchical teams operating with the same goal, but using different skills and experiences, tools, and techniques to tackle a problem, enhances strategic resilience capabilities.
In what three ways can management accountants contribute to building their business’s resilience?
De Souza: Management accountants need to establish ways to measure resilience. For instance, there has been a huge emphasis on financial and operational resilience recently. Thus, liquidity ratios and Monte Carlo simulations, which are complex quantitative data analyses that model potential outcomes from a random chain of events, can be used to stress-test parameters and evaluate how companies would perform under extreme operational or economic conditions.
Some abrupt or continuous disruptions may impact organisational resilience, such as the collapse of a supplier, poor communication, or toxic work environments. Management accountants should create metrics to monitor and assess current and emerging risks and find blind spots in current measurements against resilience frameworks such as ISO (International Organization for Standardization) 22316 and BSI 65000.
Management accountants should also assess performance evaluation systems to improve collaboration across functions and hierarchies. The siloed mentality is still an issue, which leads to double work and a lack of communication and collaboration between the first, second, and third lines of defence made up of management, risk and control monitoring, and independent assurance by the internal audit function.
Performance measurement systems can be put in place to facilitate this interaction and knowledge sharing. They include risk-based performance metrics and socially based feedback systems, such as 360-degree reviews, employee surveys, and peer reviews.
Finally, management accountants may need to go beyond reliance on past performance and create and monitor real-time data regarding internal, sector-wide, and world trends. This can be done using the wisdom of the crowds, horizon scanning, scenario analysis, and war games. That would enable companies to assess their level of preparedness to perform under new extreme economic conditions created by, for example, high inflation and sociopolitical instability, and meet stakeholder demands for, among other things, low emissions, fair trade, and remote work.
For both operational and strategic resilience, what role does culture play?
De Souza: The right culture means all have the responsibility to quickly report and work on incidents. This collaboration across hierarchies and functions increases the speed of communication and enhances knowledge sharing, enabling companies to anticipate, prepare for, respond to, adapt, recover, and learn from shocks and crises.
During the COVID-19 pandemic, for example, most companies that succeeded did so through collaboration and a sense of purpose — thus, people and culture are key. In moments of crisis, these factors will enable companies to find alternatives and an escape route; after crises, to learn from what has happened; and before crises, they can anticipate threats and opportunities, scanning the horizon and testing capabilities to see what can be done better. To do that, we should rely on the power of real-time data analysis.
And what is the role of governance?
De Souza: Boards need to support an organisational resilience proposition. Effective collaboration across control functions, from top management to different hierarchies, is crucial.
This enhances the understanding of what challenges and/or opportunities are coming next and provides resources to test capabilities and envision and quantify scenarios. Without support from the board, there is a danger that resilience becomes a tick-box exercise only.
Our CIMA-sponsored research shows that exposure to previous crises and regulatory requirements can work as triggers to enhance awareness and move organisations beyond inertia. Regulation may prompt companies to adopt minimum standard requirements, but also to proactively visualise other potential disruptions. Thus, even if it is compliancedriven, regulation may still enhance organisational resilience. Additionally, when crises or disruptions occur at a time or place with great impact on a company, they can enhance awareness. Surprisingly, a global systemic crisis, such as COVID-19, may also create laissez-faire among parties and a false sense of security. In times of crisis, organisations can become reliant on external factors such as government support, financial aid, or industry-wide relief measures and relax standards and compliance.
However, companies do not need to wait for crises or regulations to build up resilience capabilities. The senior management team can set the direction, and an extended enterprise risk management framework may enhance the understanding of interconnections, which is essential to manage resilience proactively and strategically.
Which risks should be current investment priorities?
De Souza: Currently, I would focus at least on the following areas: generative AI, sustainability, and sociopolitical instability.
- ChatGPT is only the tip of the generative AI iceberg. Many solutions (with their potential risks) are being created. They will impact areas such as automation and remote work, individuals’ privacy, medicine, technological developments, finance, and accounting. These changes will develop exponentially as technological developments are running in parallel and are decentralised. Thus, the magnitude and speed of changes may reach your company earlier than expected.
- Sustainability is no longer simply an issue but an imperative. Is your company prepared to deal with more frequent and worse climate scenarios? What about your suppliers? What have been your/their values and priorities? Companies will face increasing scrutiny regarding climate resilience, which encompasses operational, financial, and strategic aspects of organisational resilience.
- The underlying assumptions of our decision-making and risk assessment models may make them inaccurate when answers are most needed (such as in times of uncertainty, instability, or crisis). The problem with geopolitical conflicts, for example, is that they trigger many other risks, such as high inflation, social insecurity, and socioeconomic uncertainty. During instability, this network of events needs to be more closely scrutinised and monitored, as it may radically change investment and other decisions.
Raluca Stroe is research and development manager at AICPA & CIMA, together as the Association of International Certified Professional Accountants. To comment on this article or to suggest an idea for another article, contact Oliver Rowe at Oliver.Rowe@aicpa-cima.com.
LEARNING RESOURCES
Business Continuity Management
This course covers the steps needed to implement a comprehensive business continuity plan — including business impact analysis — to ensure resilience, even during a crisis such as a global pandemic.
COURSE
The Future-Ready Finance & Accounting Professional — Welcome to the Fast Future
This session will show how to anticipate trends and move from being a crisis manager to an opportunity manager.
COURSE
AICPA & CIMA RESOURCES
Articles
“Managing Cyber Risks to Build Resilience”, FM magazine, 20 November 2023
“People-Centric Leadership Can Improve Resilience, Report Finds”, FM magazine, 19 September 2023
“Expect the Unexpected: Risk Assessment Using Monte Carlo Simulations”, Journal of Accountancy, 1 November 2017