Article

What does ‘being resilient’ really mean?

Three steps for risk and resilience leaders to initiate right now

December 2023

To reduce administrative burden, the UK Government has withdrawn draft Reporting Regulations related to the Resilience Statement. Despite the change, the proposals provided an opportunity for organisations to reflect on the current state of their risk and resilience approach and define a journey to enhanced maturity. This article explores how companies can consider what ‘being resilient’ really means.

To reduce the administrative burden on private sector businesses, in October 2023, the UK Department of Business and Trade withdrew draft reporting regulations (secondary legislation) related to its corporate governance reform agenda, including the requirement to publish a Resilience Statement.

Over the last 12 months there has been much discussion about how to prepare for such a requirement. Despite the withdrawal, these early explorations have been valuable for organisations. Beyond compliance, the preparations have provided an opportunity to reflect on how organisations can build greater resilience, create value and increase stakeholder confidence.

This opportunity still exists, with the broader effort to strengthen private sector resilience via primary legislation – the UK Government Resilience Framework – still underway. This article explores three steps resilience leaders should focus on now and what to include in their plans for the year ahead.

Background to the Resilience Statement

As part of its ‘Restoring trust in corporate governance and audit’ reform agenda, the UK government had proposed new reporting regulations which would have required UK incorporated companies (listed or unlisted) with 750 or more employees, and an annual turnover of £750 million or more, to provide a Resilience Statement [1].

This would have required in-scope companies to explain the steps they are taking to build or maintain their business resilience over the short, medium and long term. The aim was to improve the resilience of a significant proportion of the private sector by requiring in-scope companies to, amongst other things:

i. summarise their strategic approach to managing risk and building or maintaining business resilience, including how risk and resilience are considered within the company’s business planning and investment cycle;

ii. describe how the organisation’s Principal Risks threaten the company’s operational or financial resilience over the short to medium term, and explain how such risks are being managed [2];

iii. report on an annual reverse stress test which identifies a combination of adverse circumstances that could cause the company’s business plan to become unviable, and identify any mitigating action put in place in light of the exercise; and

iv. summarise any long-term trends or factors which could threaten the company’s business model or operations, and any plans the directors of the company may have in place, or are considering, in response [3].

Though the Resilience Statement is no longer required, resilience remains a strategic issue for companies, regulators and governments. The three steps below provide an effective litmus test for resilience leaders as they seek to help their organisations navigate uncertainty. The steps help consider how to build resilience for a broad range of financial and operational risks, and how to do this over a more expansive timeframe. This is an opportunity for companies to reflect on what ‘being resilient’ really means.

Three steps to review your organisation’s resilience

1. Ask four critical questions

We have set out four questions for companies to work through which, while not exhaustive, will enable leaders to better understand their organisation’s resilience:

a) Our organisation: what do we want to make resilient now and in the future? Making everything resilient is an unrealistic goal for organisations. Companies should instead establish strategic priorities for resilience that can be clearly communicated to investors and broader stakeholders. Strategic priorities could be based on ‘essential outcomes’, i.e., services, products or functions that the company provides for its customers, end users or other stakeholders, which if unavailable would likely cause significant harm or detriment that cannot be easily remedied, or could result in wider failure within the market, system, sector or organisation [4]. Considering strategic priorities in this way will help companies focus on building resilience from an outside-in perspective, recognising that the company’s activities impact a broad range of stakeholders, including the wider public and the markets in which they operate.

b) Our known vulnerabilities: how resilient are we now and will we be in the future? Companies should understand what makes their strategic priorities more or less resilient based on how they have chosen to design and operate them, and the risks that threaten to disrupt their continuity. Mapping the business dependencies that deliver strategic priorities could help a company better understand its susceptibility to disruption if risks were to materialise. For example, undertaking this exercise may reveal a company’s exposure to supply chain disruption through its sourcing strategies, or whether existing or planned changes in its technology estate make it more or less vulnerable to evolving cyber threats. Emerging risks should also be considered to understand if the business model and strategic priorities are resilient to longer term change and disruption (e.g., climate, market and regulatory changes). The company’s list of Principal Risks is an obvious starting point for this, but the company needs to go further to understand how resilient it is to these risks based on its business model architecture and the mitigations it has or does not have in place.

c) Our appetite for significant and prolonged disruption: how resilient do we want to be now and in the future? Resilient organisations recognise that no impact during a severe and prolonged disruption is unrealistic. Companies should consider how much impact they are prepared to tolerate during disruption, which could be based on a minimum viable product or level of service needed to deliver their strategic priorities at an acceptable level so that the business model remains viable. Determining this will help companies to (a) set a benchmark against which to assess mitigations during stress testing; (b) focus investment decisions on areas and activities where there is a significant potential to enhance resilience; and (c) where needed and appropriate, provide investors and stakeholders with transparency over how the company will perform and act in a severe and prolonged disruption.

d) Our commitment to resilience: how are we building, maintaining and demonstrating resilience? Stress testing assesses the effectiveness of mitigations and identifies weaknesses to address. Companies should start to (a) identify scenarios which could disrupt their strategic priorities and the different adverse conditions that could plausibly come together to make these scenarios more severe to the point their business model becomes unviable (e.g., duration, scope, timing); (b) consider the scenario modelling techniques they could use (including the use of digital assets) to more accurately simulate severe disruption and better understand how effective mitigations really are; (c) think through the different ‘breaking points’ they want to identify through stress testing. While the point of financial non-viability is a clear one, companies should consider where there could be significant detriment to customers, end-users and broader society before this is reached (e.g., lifesaving services provided by a medical company may be disrupted before the point of financial non-viability is reached); and (d) reflect on where external assurance may be needed to validate the data, assumptions and techniques underpinning stress testing so they are fit for purpose.

2. Identify and mobilise the right team

True resilience is not the preserve of one team but requires contributions from a range of relevant experts in the organisation (e.g., risk management, finance, operations and technology, ESG, business continuity, supply chain, product development). Companies should have identified and mobilised the optimal community of skill sets required to both review and build resilience. This should include the Enterprise Risk Management function (or equivalent) given that team’s skillset and historic work to identify and disclose the company’s Principal Risks and Uncertainties.

3. Do a gap assessment and define a plan of action

Mapping ‘who’ in an organisation currently contributes ‘what’ and ‘how’ to the four questions outlined above will help to identify capabilities, gaps in current approaches to address, and whether the coverage the organisation believes it has may be imbalanced or coincidental. It will also be beneficial for companies to identify and consolidate a single view of mitigations and vulnerabilities that make them more or less resilient to their Principal Risks.

In conclusion, there is an opportunity for leaders in the private sector to enhance the management of risk and resilience. This has both the potential to bring additional value to their organisations and, longer term, to give confidence - through investors to broader society - that the UK’s largest and most influential companies are building resilience in a responsible way.

To understand how your organisation can review its resilience, please do get in touch with one of the contacts listed below.

____________________________________________________________________________________________________________________________

References

[1] The draft Resilience Statement legislation was part of a wider effort by the UK Government to strengthen the UK’s Corporate Governance, Corporate Reporting and Audit systems. The draft legislation required in-scope companies to report on six new elements, including the Resilience Statement; the Audit and Assurance Policy Statement; the Distribution Policy Statement; the Statement on Distributable Profits; the Distribution Confirmation Statement and the Material Fraud Statement. After consultation on 16th October, the Government announced its withdrawal of the legislation covering the Audit & Assurance Policy, the Resilience Statement and the Material Fraud Statement.

[2] Principal Risk disclosures are a requirement under the existing UK Corporate Governance Code, and in-scope companies will continue to have to report on these in their Annual Report despite the withdrawal of the Resilience Statement regulation.

[3] Gov.uk (2023). The Companies (Strategic Report and Directors’ Report) (Amendment) Regulations 2023. United Kingdom. Available at: The Companies (Strategic Report and Directors’ Report) (Amendment) Regulations 2023 (legislation.gov.uk); accessed 28 July 2023.

[4] BSI (2022). BS 65000: 2022 Organisational Resilience Code of Practice. United Kingdom.
 
