Roadmap to Operational Resilience In 8 Steps

COVID-19 has been the single biggest disruption to the global economy in the last decade.

76% of firms with turnovers of $10m to $100m were unable to operate fully.[1]

It has made a lot of us review how autonomous we are, and how much our organisations rely on a smooth supply of goods and services.

Having operational resilience means your company will continue to serve customers, regardless of what the rest of the world is doing.

But it’s more than just the ability to get through this pandemic; it’s about knowing how you can continue providing for your customers, regardless of what the rest of the world is up to.

In research conducted by 3D Hubs in June 2020, the most feared disrupters were natural disasters, geopolitical events, and cyber attacks.

Here, we’ll look at:

  • The principles of resilience
  • Real-life examples of how companies have combatted threats to their operations
  • The stages of operational resilience
  • The roadmap of how to build operational resilience in 8 steps

Four Principles of Resilience

In operational resilience, you are trying to achieve:

  • Autonomy
  • Flexibility
  • Visibility
  • Continuous Learning

The first key principle of operational resilience is the autonomy of the organisation. How long could it continue to operate if it was cut off from its supply chain?

If key raw materials didn’t arrive in time, could operations continue for weeks, days, or hours?

The world has favoured a just-in-time, lean approach to supply chain management which has freed up cash from inventory. However, it has also created a lot of space for disruption to damage operations.

Just as no man is an island, neither is any organisation. There’s a limit to how autonomous a company can be. This is why the next principle is flexibility.

When the autonomy of the company expires, it needs to be flexible to find alternative routes for supply and continuous operations.

An example of this is cloud computing. When a server in a datacentre fails, there is provision for the service to seamlessly transfer to another host, with little or no disruption to operations.

To make either of these principles happen, the organisation needs visibility over two things: what drives its operations and what the risks to these are.

Resilience is a circular process that requires continuous learning to keep up to date with changes in the supply chain, economy and its own operations.

Real Examples of Creating Operational Resilience

It’s easier to understand these principles when we look at them in practice.

Co-Op Insurance, a UK insurance company, completed a category review of their car repairers before the pandemic. This made the shortcomings in certain areas visible. They identified areas where increased flexibility was required to make the services more robust. This meant that when 35% of their supply base closed due to the pandemic, they were still able to continue fulfilling customer demands.

“Even though there were less cars on the road, we still had to provide a service to our customers so we called on the contingency repair network and worked with them to try and physically get repairers in the places where we need them... Through agility and speed, we've managed to maintain the capacity all the way through.” Andy Johnson, General Manager of Supply Chain, Co-Op Insurance.[2]

This is a service operation, but a lot of companies who rely on products have undertaken ‘lean’ operations. According to RapidRatings, 59% of companies in the US only had enough inventory to continue operations for two weeks or less.

When there’s a shortage of supply, there are two options available:

  1. Assume supply will get back to normal before it affects operations
  2. Find an alternative route to manufacture

Cast your mind back to the year 2000, when the Nokia 3310 was released. Nokia and Ericsson were fierce rivals in a market that was growing by up to 40% per year. Mobile phone and computing components would sell as quickly as manufacturers could produce them.

In March of that year, lightning struck a Philips factory in New Mexico. Nokia and Ericsson were the main customers of the chips that were produced there. Philips informed them that the fire, smoke and water from the sprinklers had caused damage, but it would be back up and running within a week.

Nokia acted by checking in with Philips daily. After it was determined that they wouldn’t be manufacturing within a week, they set up three teams to look at alternative options:

  • One team continued working with Philips to get the original factory producing again
  • Another team investigated a redesign of the chips so they could be produced at other Philips’ sites
  • The final team found alternative suppliers

Ericsson took Philips at their word and took no action until it was too late. Nokia had secured the capacity left in the market.

By the end of the financial year, Nokia had increased its market share to 30%, with a 42% rise in profits. Ericsson reported a second-quarter loss of $200m because of the fire and component shortages. By the end of the year, it had outsourced its mobile manufacturing and cut thousands of jobs.

A fire that lasted 10 minutes changed the shape of the mobile phone industry.

Nokia identified where its autonomy ended: at the manufacture of chips. It reacted quickly to provide flexibility and continue operations. The constant communication with Philips made further issues with manufacture visible, allowing them to prepare alternative options.

How would your organisation react to this scenario? Next we’ll look at what stages of operational resilience your organisation could be at.

Stages of Operational Resilience

There are five levels of operational resilience.

  1. Starting Point

The business is operational and running smoothly and senior management and operational staff are anecdotally aware of risks to operations and the supply chain.

If there’s a shock, the organisation would need to rally round to come up with solutions based on general working practices and industry knowledge.

  2. Critical customers and their needs have been identified

At this stage, the organisation is aware of which customers would be a priority should anything disrupt operations.

It’s important to know what their critical needs are. It could be that certain products are in more demand than others, or are more critical to the customer’s operations.

  3. Risks to the products and services have been mapped

There’s a difference between verbally acknowledging risks to operations and mapping them.

Mapping risks involves assessing the likelihood of an event against the impact it would have. It helps the organisation to prioritise its mitigation measures.

  4. A governance structure is in place to mitigate risks

This will have a similar format to the business continuity plan.

The policy will identify key risks. From there, it will state what actions would need to be taken to continue operations and who is responsible for these steps.

A simple example is moving to a secondary source of supply if there’s a closure of a plant supplying key raw materials.

  5. Cross functional knowledge management

Knowledge of the governance structure should be shared within the organisation. Not just as a written policy but as a genuine understanding of the roles and actions that will take place.

Aligning the cyber security, business continuity and operational resilience teams breaks down siloes and promotes leadership.

Additionally, it should be updated regularly with market changes.

Roadmap to Operational Resilience

It’s important to be honest about what stage your organisation is currently at. Otherwise, you risk missing steps in the roadmap and leaving holes in your operational resilience.

But, whether you’re right at the start of your resilience journey or halfway there, this roadmap will help you build your operational security.

1. Map your value chain

The value chain is a visualisation of all the steps required to turn raw materials into delivered goods to your customers. Understanding all the steps involved and who is required for each is the process of mapping.

Thinking back to our four principles, mapping the value chain increases your visibility. This includes visibility of:

  • Your key products and services for customers
  • The key elements sourced in the supply chain
  • Critical supply chain partners

This step will also demonstrate how autonomous your organisation is.

2. Identify the key employees and infrastructure needed

This stage is about continuous learning. Are you dependent on a few individuals, and can their knowledge be shared throughout the organisation?

What infrastructure do they need to continue operations?

Infrastructure, in this sense, can mean both physical infrastructure for a manufacturing company and IT hardware and software.

3. Identify the potential adverse scenarios

The previous two stages will have identified what is critical to deliver to customers. Now, you can look at what could affect them.

Are any suppliers concentrated in a particular location? An earthquake, tsunami, or pandemic in that place could stop all those suppliers at the same time.

If you’re reliant on IT infrastructure, as most of us are these days, cyber security is a huge risk to operations. Travelex, the foreign currency exchange company, paid $2.3m to hackers following a ransomware attack. On top of this, it took from New Year’s Eve until mid-February for them to be operating fully again.

4. Understand impact tolerance

On any risk matrix, the probability of the event is weighed against the impact this would have on the organisation.

If an event occurred that wasn’t managed, what impact would it have on the ability to continue operations?

How much, in terms of time, could the organisation tolerate before it disrupted customers?

This gives a baseline to understand how resilient the organisation is and what mitigation steps will need to be implemented.

5. Increase the visibility of risk events

Now you’ve identified what could happen, you need to ask yourself how quickly you would find out if a risk event did occur.

Consider the Nokia and Ericsson example from earlier. Both companies were initially told of the event directly from the supplier, but Nokia increased communications to ensure that new information was brought to light as quickly as possible.

Another way is to join a sector-wide organisation to build resilience. For example, The Cross Market Operational Resilience Group (CMORG) unites the UK Financial Services sector.

Keep in mind that we want to improve continuous learning, so resilience teams need to communicate out to the organisation. This isn’t something just for the senior leadership team to manage in full.

6. Identify the risk mitigation steps

Through the previous steps, you’ve understood the level of autonomy the company has, and where it relies on third parties.

With risk mitigation, you want to focus on flexibility for operational resilience.

Again, in the Nokia example, when it became clear that Philips wouldn’t be able to supply, they looked for alternative options. This flexibility allowed Nokia to continue producing mobile phones for customers. Ultimately, they focussed on what customers required, most of whom probably couldn’t say who had made the processor inside!

7. Implement a governance structure

The learning journey that the organisation has been on to identify, understand and mitigate risks needs to be recorded.

Risk events naturally touch all parts of an organisation, so all the key people in the areas affected will need to understand the steps they need to take if a risk event happens.

Some risk mitigation will be ongoing, such as maintaining cyber security, whereas others will only kick in if particular events occur, such as a loss of a key supplier.

A governance structure should include:

  • Who needs to be involved
  • What the identified risks are, and how they will affect the organisation
  • What the ongoing mitigation steps are
  • The steps that need to be taken if particular risk events occur

8. Review it regularly

Organisations, supply chains and our globally-connected world are constantly changing.

The operational resilience governance will need to be reviewed on a cyclical basis to ensure it’s up to date and that everyone fully understands it.

Your policy could also include scenario testing. Some industries have laid out scenarios that can be used to test the operational resilience of your organisation. For example, in financial services the Basel III scenario testing can be used.

Conclusion | Why Create Operational Resilience?

The coronavirus pandemic has brought operational resilience to the front of our minds, but it won’t be the last shock to any organisation’s operations.

We have seen how Co-Op Insurance improved their resilience and were therefore ready for the pandemic. Other events can be more localised and only affect one aspect of your products, such as the chips in Nokia and Ericsson’s phones.

Counting how many events could affect your operations can be overwhelming, but there’s one reason why it matters: building resilience means securing supply to your customers.

It’s simple in principle but it needs to be treated with the same level of care as you would treat any other aspect of your operations.




