Building resilient enterprises

Building resilient enterprises

We’re back to discussing books on the reading list, digging into the August pick, “The Resilient Enterprise: Overcoming vulnerability for competitive advantage” by Yossi Sheffi. With so many things going on in the world, plus the speed of change, being resilient is increasingly important.

When he discusses how businesses are vulnerable to disruptions, Sheffi mainly references supply chains for physical products. However, the advice is also useful for other systems. At its core, the book is talking about disruptions to our ability to provide or capture value. Disruptions could be caused by suppliers, issues in your own process, or changes in demand (like a client or friend who keeps changing plans). Paying attention to vulnerabilities and building in ways to adapt and recover can help you become more resilient to whatever life throws at you.

Let’s walk through some of the lessons and takeaways from the book.


1. Identify vulnerabilities

Your vulnerability is how open you are to damage from an attack, and is related to the probability of the event occurring and the severity of its consequences. A vulnerability anywhere in your product’s supply chain could cause major issues. Since most products nowadays involve supply networks rather than supply chains, identifying potential vulnerabilities is getting increasingly complex.

Step one of identifying vulnerabilities is to analyze your supply chain or network and list possible events. You could expand that out further and plot them on a model of the process, a geographical map, or other visuals of the supply chain. Don’t forget to add both internal and external events. If you’re working with a complex product, then break it down into components and map the supply chain for each part. If you’re providing services then you could go through the same process, by identifying upstream dependencies, potential process disruptions, and uncertainties in customer demand and behavior.

Step two is to plot them out by relative probability and severity on a vulnerability map. The quadrants will roughly tell you how to handle the disruptions. For example, low severity but high probability problems are in the realm of daily process management. High probability and high severity problems probably already have processes in place that could be refined and improved. It’s the low probability, high severity problems that you need to be careful of. As Sheffi shares, in a large enterprise, events that are low probability in one factory or office, are much more likely to occur somewhere in the enterprise as a whole once you aggregate activities across a country or the world.

It’s also important to recognize that the same event could have drastically different consequences between businesses or between divisions depending on the details of that business. For example, a centralized supply chain that impacts the health and safety of citizens would have worse consequences in the event of a terror attack than a decentralized clothing supply chain.

Application to daily life

Download this worksheet and brainstorm vulnerabilities related to your ability to deliver value. What could happen? What’s the probability of it happening? What are the consequences of that event? What could be done to reduce the probability of the event happening or the consequence of the event?


2. Understand the profile of a disruption

Disruptions aren’t just a single event in time. They tend to follow a standard profile (even though the duration and severity of each phase can vary). By examining each step, you can make sure that you have a plan covering each phase of the disruption.

1) Preparation: Sometimes you can foresee and prepare for the disruption but other times there’s no warning.

2) The disruptive event: The natural disaster, accident or intentional attack occurs.

3) First response: Addressing the most urgent aftereffects of the event, usually related to physical damage, bodily injuries, and safety.

4) Delayed impact: Sometimes the full impact takes some time to be realized (ex. if there’s a fire in a supplier warehouse that later impacts downstream businesses). Government responses to the disruption can also cause delayed impacts on other areas of the system.

5) Full impact: All of the impacts have occurred. This is usually the lowest point in system productivity.

6) Recovery preparations: Usually starting at the same time as first response, recovery preparation includes identifying remaining resources and looking for ways to divert supplies or make other adjustments to move forward to deliver value with minimal damage.

7) Recovery: This is the phase when the plans are put into action to restart production, shift direction, repair damaged infrastructure, essentially whatever is needed to resume normal operations.

8) Long-term impact: Sometimes the disruption can lead to long-term impacts related to customer relationships, market share, environmental impact, latent health effects, and other consequences related to behavior changes after the incident.

Application to daily life

Look back at your vulnerability map. If the event occurred, what would the disruption profile look like? What could the direct and indirect, short and long term consequences be? Do you have a first response or recovery plan? Can you anticipate how others might respond?


3. Reduce disruptions by improving security

One of the best ways to handle disruptions is to reduce their occurrence in the first place. Companies should prepare processes to reduce the probability of threats by:

a) Using layered and balanced methods: A layered approach reduces the probability of a single point of failure (ex. locks and burglar alarms). While the probability of one layer failing may be higher than acceptable, the probability of all of them failing at the same time would be much lower. Balance is also important so that threats aren’t just rerouted to the weakest link in your security infrastructure (ex. an unbalanced approach would be arming the front door but not the back door).

b) Separating threats from baseline activity: This is all about pattern recognition to identify which events are normal and which ones could be a signal of underlying issues. Methods for identifying patterns could be qualitative, case studies, or statistical models of process control. Analyzing near misses can help you avoid larger issues in the future.

c) Collaborating and building partnerships: Identification and management of threats will most likely require crossing company borders. Collaboration with other enterprises, groups, and agencies can help share information and lessons learned, as well as improve weaknesses when data or goods pass through system boundaries.

d) Building a culture of awareness and sensitivity to security: That way everyone in the organization is looking out for and escalating threats rather than one isolated security group.

e) Training and running drills: Avoid security procedures becoming routine or staff becoming complacent. Changing up processes helps keep would-be perpetrators guessing and everyone alert. Exercises and drills can help security stay front-of-mind.

Application to daily life

Review your supply chains, vulnerabilities, and current security plan. Is your approach layered and balanced? Are you analyzing activity in a way that you can identify regular patterns and deviations? Or is your organization being reactive once the damage is already done?


4. Bounce back from disruption (aka be resilient)

While organizations can be good at security, not all are great at bouncing back from disruption and restarting operations once the direct impacts have been handled. Being lean may have many advantages but just in time inventory can also increase vulnerability if you run into supplier or production issues.  Pooled inventory, redundant capacity, and delayed customization can help companies adapt to disruptions in the supply chain either upstream or downstream. Having deep relationships with a few suppliers or shallower relationships with many suppliers can also help if there’s a need to adjust quickly.

Application to daily life

If you’re dependent on working with others to deliver value, you might want to relook at how the relationship is structured. If their work was disrupted, what would happen to your production? Do you have close enough relationships to identify and address issues early? Could you quickly move to a different supplier if one had issues? Are your personnel and equipment flexible enough to switch gears? Have you identified the core of what your partners or customers need so that you can make cheaper customizations closer to the time of release?


5. Take advantage of disruptions

Disruptions don’t have to be all bad. You can take advantage of them to improve your business and customer relationships. On the other hand, the disruption could be poorly handled and difficult to recover from. How your customers respond can be a signal to other current and future customers and influence the long-term impact of the disruption on your organization.

Sheffi shares the example of Lexus vs. VW. Lexus recalled cars in 1992 for some minor brake and hydraulic issues. Lexus asked customers to leave their cars in the driveway on the designated day and left them a loaner car while the original was being fixed. Meanwhile, customers complained about Audi acceleration problems and VW, Audi’s parent company responded by releasing reports that the problem was due to American drivers, not the company. While that was proven to be true, the damage to their market share was done. Sheffi remarks that Audi thought that they had a technical problem when in reality it was a customer relationship problem.

Application to daily life

When a disruption happens, what’s your response to customers? Are you quick to “go to war” and prove them wrong? Or are you using the disruption as an opportunity to show an extra level of customer service? Or perhaps take advantage of the disruption to enter a new market?


6. Build a business case

A resilient enterprise is not the work of one person, so you’ll have to make a business case for investments in improvements. Sheffi recommends pitching security investments by highlighting the money you save by avoiding disruptions, and resilience investments by their contribution to flexibility, which can also be a competitive advantage. Cross-industry benchmarking is often a good place to start to identify the gap between your enterprise and others with similar vulnerabilities.

Building a case for security investments:

  • Compare to insurance investments
  • Track cost avoidance
  • Factor in delays if you haven’t stayed up to date with security investments (ex. due to extra regulatory hurdles)
  • Factor in the societal impact of disruptions


Building a case for resilience investments:

  • Flexibility makes it easier to adapt to uncertainty such as changes in customer demand
  • Improved partnerships can also help you respond to supplier volatility
  • Most flexibility changes also help you reduce costs, minimize disruptions, and improve customer satisfaction even before the disruption occurs
  • Being able to communicate accurate data and respond faster than your competitor is an advantage


Application to daily life

What pieces of security and resiliency is your organization missing? How would you justify the investment?


The case studies in “The Resilient Enterprise” were really interesting so I recommend that you check it out if you haven’t already. The book may have been published over ten years ago but the complexity of systems we’re trying to protect hasn’t diminished and there are a lot of timeless insights.

What did you think of the book? Do you have any other insights to add?


Share your thoughts