COVID-19 has been the single biggest disruption to the global economy in the last decade.

It has made a lot of us review how autonomous we are, and how much our organisations rely on a smooth supply of goods and services.

Having operational resilience means your company will continue to serve customers, regardless of what the rest of the world is doing.

Operational resilience is more than just the ability to get through this pandemic, it’s about knowing how you can continue providing for your customers, regardless of what the rest of the world is up to.

In research conducted by 3D Hubs in June 2020, the most feared disrupters were natural disasters, geopolitical events, and cyber attacks.

Here, we’ll look at:

· The principles of resilience

· Real-life examples of how companies have combatted threats to their operations

· The stages your organisation could be at

· The roadmap of how to build operational resilience in 8 steps

Four Principles of Resilience

You are trying to achieve:

· Autonomy

· Flexibility

· Visibility

· Continuous Learning

The world has grown towards a just-in-time, lean approach to supply chain management. This has operational cost savings and frees up cash from inventory. However, it also creates a lot of space for disruption to damage operations.

One key principle of operational resilience is to review the autonomy of the organisation is. How long could it continue to operate if it was cut off from its supply chain?

If key raw materials didn’t arrive in time, could operations continue for weeks, days, or hours?

An example of this is the provision of Uninterrupted Power Supplies (UPS). A key metric for specifying a UPS is how long the organisation wants to run if the outside electricity supply was cut off.

Just as no man is an island, neither is any organisation. There’s a limit to how autonomous a company can be. This is why the next principle is flexibility.

When the autonomy of the company expires, it needs to be flexible to find alternative routes for supply and continuous operations.

For example, in terms of hosting – a dependence on in-house servers compared to a cloud application, where if one data centre has an issue, processes are automatically switched to another place seamlessly, with little or no disruption to operations.

To make either of these principles happen, the organisation needs visibility over two things: what drives its operations and what risks to these are.

Resilience is a circular process that requires continuous learning to keep up to date with changes in the supply chain, economy and its own operations.

Real-world examples of firms in different stages and their past losses

Co-Op Insurance, a UK insurance company, had completed a category review of their car repairers before the pandemic. They identified areas where increased flexibility was required to make the services more robust. This meant that when 35% of their supply base closed due to the pandemic, they were still able to continue fulfilling customer demands.

“Even though there were less cars on the road, we still had to provide a service to our customers so we called on the contingency repair network and worked with them to try and physically get repairers in the places where we need them... Through agility and speed, we've managed to maintain the capacity all the way through.” Andy Johnson, General Manager of Supply Chain, Co-Op insurance.[1]

According to RapidRatings, 59% of companies in the US only had enough inventory to continue operations for two weeks or less.

When there’s a shortage of supply, there are two options available:

  1. Assume supply will get back to normal before it affects operations

  2. Find an alternative route to manufacture

Cast your mind back to the year 2000, when the Nokia 3310 was released. Nokia and Ericsson were fierce rivals in a market that was growing by up to 40% per year. Mobile phone and computing components would sell as quickly as manufacturers could produce them.

In March of that year, lightning struck a Philips factory in New Mexico. Nokia and Ericsson were the main customers of the chips that were produced there. Philips informed them that the fire, smoke and water from the sprinklers had caused damage but it would be back up in running within a week.

Nokia acted by checking in with Philips on a daily basis. After it was determined that they wouldn’t be manufacturing within a week, they set up three teams to look at alternative options:

· One team continued working with Philips to get the original factory producing again

· Another team investigated a redesign of the chips so they could be produced at other Philips’ sites

· The final team found alternative suppliers

Ericsson took Philips at their word and took no action until it was too late. Nokia had secured the capacity left in the market.

By the end of the financial year, Nokia had increased its market share to 30%, with a 42% rise in profits. Ericsson reported a second-quarter loss of $200m because of the fire and component shortages. By the end of the year, it had outsourced its mobile manufacturing and cut thousands of jobs.

A fire that lasted 10 minutes changed the shape of the mobile phone industry.

add-in that Nokia couldn’t have the autonomy, so it reacted quickly to provide flexibility and continue operations plus communication with Philips gave visibility over the supply chain

Stages of operational resilience

There are five levels of operational resilience.

1. Starting Point

The business is operational and running smoothly and senior management and operational staff are anecdotally aware of risks to operations and the supply chain.

If there’s a shock, the organisation would need to rally round to come up with solutions based on general working practises and industry knowledge.

2. Critical customers and their needs have been identified

At this stage, the organisation is aware of which customers would be a priority should anything disrupt operations.

It’s important to know what their critical needs are. It could be that certain products are in more demand than others, or are more critical to the customer’s operations than others.

3. Risks to the products and services have been mapped

There’s a difference between verbally acknowledging risks to operations and mapping them.

Mapping risks involves assessing the likelihood of an event against the impact it would have. For example…

4. A governance structure is in place to mitigate risks

This would have a similar format to the business continuity plan.

The policy would identify key risks. From there, it would state what actions would need to be taken to continue operations and who is responsible for these steps.

A simple example is moving to a secondary source of supply if there’s a closure of a plant supplying key raw materials.

5. Cross functional knowledge management

Knowledge of the governance structure should be shared within the organisation. Not just as a written policy but as a genuine understanding of the roles and actions that will take place.

Aligning the cybersecurity, business continuity and operational resilience teams to break down siloes and take leadership.

Additionally, it should be updated regularly with market changes.

Roadmap and defining success

1. Map your value chain

The value chain is a visualisation of all the steps required to turn raw materials into delivered goods to your customers. Understanding all the steps involved and who is required for each is the process of mapping.

Thinking back to our four principles, mapping the value chain increases your visibility. This includes visibility of:

· Your key products and services for customers

· The key elements sourced in the supply chain

· Critical supply chain partners

This step will also demonstrate how autonomous your organisation is.

2. Identify the key employees and infrastructure needed to deliver them

This stage is about continuous learning. Are you dependent on a few individuals, and can their knowledge be shared throughout the organisation?

What infrastructure do they need to continue operations?

Infrastructure, in this sense, can mean physical infrastructure for a manufacturing company and IT hardware and software.

3. Identify potential adverse scenarios

The previous two stages will have identified what is critical to deliver to customers. Now, you can look at what could affect them.

Are any suppliers concentrated in a particular location? An earthquake, tsunami, or pandemic in that place could stop all of those suppliers at the same time.

If you’re reliant on IT infrastructure, as most of us are these days, cyber security is a huge risk to operations. Travelex, the foreign currency exchange company, paid $2.3m to hackers following a ransomware attack. On top of this, it took from New Year’s Eve until mid-February for them to be operating fully again.

4. Understand impact tolerance

On any risk matrix, the probability of the event is weighed against the impact this would have on the organisation.

If an event occurred that wasn’t managed, what impact would it have on the ability to continue operations?

How much, in terms of time, could the organisation tolerate before it disrupted customers?

This gives a baseline to understand how resilient the organisation is and what mitigation steps will need to be implemented.

5. Increase the visibility of risk events

Now you’ve identified what could happen, you need to ask yourself how quickly you would find out if a risk event happened.

Consider Nokia and Ericsson example from earlier. Both companies were initially told of the event directly from the supplier, but Nokia increased communications to ensure that new information was brought to light as quickly as possible.

Another way is to join a sector-wide organisation to build resilience. For example, The Cross Market Operational Resilience Group (CMORG) unites the UK Financial Services sector.

Keep in mind that we want to improve continuous learning, so resilience teams need to communicate out to the organisation. This isn’t something just for the senior leadership team to manage in full.

6. Identify the risk mitigation steps

Through the previous steps, you’ve understood the level of autonomy the company has, and where it relies on third parties.

With risk mitigation, you want to focus on flexibility for operational resilience.

Again, in the Nokia example, when it became clear that Philips wouldn’t be able to supply, they looked for alternative options. This flexibility allowed Nokia to continue producing mobile phones for customers. Ultimately, they focussed on what customers required, most of whom probably couldn’t say who had made the processor inside!

7. Implement a governance structure

The learning journey that the organisation has been on to identify, understand and mitigate risks needs to be recorded.

Risk events naturally touch all parts of an organisation, so all the key people in the areas affected will need to understand the steps they need to take if a risk event happens.

Some risk mitigation will be ongoing, such as maintaining cyber security, whereas others will only kick in if particular events occur, such as a loss of a key supplier.

A governance structure should include:

· Who needs to be involved

· What the identified risks are, and how they will affect the organisation

· What the ongoing mitigation steps are

· The steps that need to be taken if particular risk events occur

8. Review regularly

Organisations, supply chains and our globally-connected world are constantly changing.

The operational resilience governance will need to be reviewed on a cyclical basis to ensure it’s up to date and that everyone fully understands it.

Your policy could also include scenario testing. Some industries have laid out scenarios that can be used to test the operational resilience of your organisation. For example, in financial services the Basel III scenario testing can be used.