Four ways organisations can evolve for disruption

Rethink resilience

video background

Being resilient by design is critical for both survival and for strategic advantage in an era where disruption is the norm. From a pandemic, war and cost of living crisis to extreme weather events, supply chain challenges and cyber attacks, the threats we all face are more frequent and complex than ever before.

In this polycrisis world where risks and the ecosystems they impact are increasingly interconnected, resilience is imperative for leading organisations. The ability to adapt and respond to disruption is vital to maintaining the trust built with stakeholders at a time when the expectations of the resilience of businesses and government have never been higher.

To rethink resilience in this context, we have brought together wide-ranging insights from those with the greatest stake in the resilience of organisations across the UK. Over the course of a year, guided by our steering group, we have held 100+ conversations with business executives, investors, government and regulators and, crucially, citizens within the UK.

Their combined reflections set out the business case for why leaders need to take a more strategic approach to resilience and - by making the right investments in people, technology and data - four clear and practical ways to get there.

“What feels like a never-ending wave of high impact disruption is creating increased risk and uncertainty - for organisations, on markets, for national security and for individuals. Trying to dodge rocks isn’t a strategy for survival in this avalanche. The most resilient organisations are able to adapt quickly, unlock new opportunities and emerge stronger, whatever the nature of the disruption.”

Lord Gavin Barwell
Rethink Resilience Steering Group Member and Strategic Advisor, PwC UK

1. Upgrade your radar

Change the way you see risk and look for trouble before it finds you. Organisations most able to mitigate, withstand and recover stronger from a crisis all have exceptional radar for risk.[1]

Use that radar and imagination to get a 360 degree view that goes beyond risk registers and traditional risk management. Look forwards and don’t spend too long looking in the rearview mirror - the past is no longer a reliable indicator of future challenges.

“Organisations want a clear road map on how to build the resilience to adapt and respond to fast-changing and unpredictable risk. This starts with broadening your risk horizon through exceptional radar - using signal data to act early and prioritise what really matters. Sharp focus needs to be on the use of technology to source, bring together and make sense of that data, as well as fostering a culture where everyone is vigilant.”

Michael Wignall
Azure Business Group Lead, Microsoft UK

Upgrading your radar requires a different mindset, breaking down traditional risk and health and safety silos. Technology can provide this panoramic view by aggregating external data from a variety of sources - from weather warnings to regulatory announcements - as well as internal data to provide early warnings and show the impact on your critical business services.

Use insight and expertise combined with advanced data analytics to identify and make sense of the signals that give early warning of issues and opportunities. Mining actionable intelligence and translating business issues and needs into appropriate risk analytics is critical for resilient organisations.

Understand the breadth and depth of threats and what they mean for wider resilience across your organisation. Identifying and addressing root causes early, rather than treating symptoms, gives you the chance to move fast, adapt and turn disruption into opportunity.

When information is siloed and unable to easily cross boundaries there is a danger that a risk which looks benign to one part of the organisation but is more serious to another part does not get escalated. Building a cross-organisational information flow and enabling third parties to contribute and respond to the wider risk view is key to unlocking this capability. As is ensuring a culture that incentivises open discussion of risks in this way rather than driving them underground.

Gathering data from across silos - including supply chain, IT and disaster recovery, crisis management - into one place gives greater visibility of interdependencies so you can easily see the overall impact of the loss of specific processes or applications on the entire organisation. Use this data to build severe but plausible scenarios and assess whether the business would be able to respond in the critical time frame or not.

“Having a robust ESG strategy is at the heart of building resilience. Start from the basics, using data and insights to anchor it in reality, and bring together the right skills, resources and oversight to understand the risks and opportunities ahead. Stop using a crystal ball, start using data.”

Elisa Moscolin
Executive Vice President of Sustainability and Foundation, Sage


of UK CEOs believe their business will not be economically viable within a decade on its current course

Source: PwC UK 26th Annual CEO Survey

of UK CEOs believe their business will not be economically viable within three years on its current course

Source: PwC UK 26th Annual CEO Survey

Recovery in shareholder value of resilient organisations 250 days after a crisis

Source: PwC/Oxford Metrica

Reduction in shareholder value of less resilient organisations 250 days after a crisis

Source: PwC/Oxford Metrica

2. Build strength where you need it

Choose where you want to thrive and win and where you can’t afford to lose. Understand why you want to be resilient and prioritise investment based on what’s critical to your organisation and stakeholders. What are the things that would destroy your business fastest?

Start by identifying your most important and critical services - rather than systems - and understanding what level of vulnerability is acceptable assuming disruption will happen. When would interruption to a core business service go from being inconvenient to intolerable - from a customer, financial, reputational and operational perspective?

Focusing too narrowly on the resilience of systems - rather than service outcome - can lead to organisations falling into the ‘duplicate trap’. Applied at a system level, creating duplicates of systems as substitutes as a way to build resilience is likely to be seen as an unnecessary cost and stripped out of the organisation to improve financial performance, inadvertently leading to gaps and overconfidence in resilience.

By focusing on services and the service outcome instead, resilient organisations can better understand how that outcome could be alternatively delivered or substituted in a crisis - one example being the learnings from the pandemic and how the working environment has been reimagined. That might mean delivering the service in a way that would be considered suboptimal in normal circumstances but which avoids intolerable harm in a crisis.

Knowing what matters most, at a service level, allows the Board, the Executive and decision-makers at every level to challenge and ensure that the right resilience is in the right place.

Playback of this video is not currently available


Interview with Paul Williams

View Transcript

Aggregating data across all the underlying components of your critical business services and mapping across people, processes, technology and third party suppliers allows you to see the impact of disruption on those services and where the gaps are. Real-time dashboards and reporting can help identify vulnerabilities so you can set priority levels and develop mitigation strategies according to the risks of business disruptions.

Developing contingency plans for realistic worst case scenarios is fundamental to self-diagnosis and identification of vulnerabilities in places that could impact what the organisation cares most about. A test you fail is more important than one you pass and resilient organisations have a continous learning culture and performance incentive that promotes this thinking and way of working rather than inhibits it.

While these actions are traditionally part of an operational resilience strategy, the value of the exercises are critically important not simply to ensure business continuity but strategically - to truly understand your purpose as an organisation by appreciating what matters most to your customers. It’s not enough to want to be resilient. Organisations should understand why they want to be resilient, and for whom.

A clear sense of purpose can be achieved by bringing together human judgement and expertise with right technology and data to determine which services are at the core of your business. Everything is important to someone but, during a disruptive event, what’s really important to the organisation and its customers can be a controversial topic and requires strong leadership and mature thinking. Get it right and a clear eyed assessment of what you can - and can’t - absorb, and what you stand for as an organisation will follow.

“Fundamental is actually understanding what you are about because resilience is about protecting that. It's about protecting what you value. It is about enabling the achievement of your objectives.”

Head of resilience,public sector organisation

3. Prime your immune system

Embracing disruptive events with confidence requires building layers of resilience - from your employees and customers to your leadership and the Board - so that you’re ready for any scenario.

Playback of this video is not currently available


Interview with Poppy Jaman OBE

View Transcript

The foundation of this immunity is investing in the wellbeing and skills of your people and empowering them with the right technology. Poppy Jaman OBE, Global CEO of MindForward Alliance says: “MindForward Alliance has found that a purpose-driven, inclusive and healthy work environment creates important wellbeing capital that drives a collective responsibility for resilience across the organisation.” And providing people with the right technology and skills allows them to spend more time bringing valuable human perspective and insight to solving these complex problems.

The response of resilient organisations to disruption is built on more than just crisis exercising and business continuity planning. It’s important to be confident that employees are clear about how the organisation works, what it cares most about and the role they will play. This allows you to flex resources quickly so that people’s focus, roles and responsibilities can be adjusted to get behind the shared purpose. The resilience of the Board - personally and collectively - is also vital and this means assessing and being confident in how you would operate as a management team in a crisis.

Communication is also key and needs to be thought about and prepared ahead of any event. Public messaging should provide transparency for the customer even if it is uncomfortable and counterintuitive from a traditional risk management point of view.

Primed in this way, everyone should know their role and be prepared to act decisively in the heat of a crisis. Invest in the crisis response skills and personal resilience of your leaders and teams. The day-to-day aspects of leadership become far more complex in a crisis. Setting strategy, making decisions and managing a team is all the more challenging when a situation is rapidly unfolding, information is incomplete and internal and external pressures are mounting.

Elevate their crisis leadership skill sets, so they feel able to be strategic and directive, agile and flexible amid great uncertainty and disruption. And rehearse high impact scenarios so people are prepared and the organisation is clear who it can draw upon during a disruptive event.

“Government delivers essential services to the public and building resilience will enable government to maintain and improve the health of our public services. But purpose goes even deeper than this…societal resilience, personal resilience, community resilience is a foundation for us to be able to create a country that is healthy and safe.”

Russell Heppleston
Risk Manager, Financial Risk and Management Insights, National Audit Office

Technology such as virtual reality (VR) can allow people to really feel what it’s like to make critical decisions under pressure in a simulated situation such as a ransomware attack. These types of exercises help people see the consequences of their decisions and identify knowledge gaps.

4. Detoxify failure

Change culture and mindset to expect and accept bad things will happen. Risk management frameworks, risk appetites and business continuity plans can’t prevent bad things happening so plan for the worst. Tone from the top is a critical success factor in achieving this change.

Detoxifying failure requires a culture of openness and transparency around your vulnerabilities. Give all voices a place in the room and listen to both the foretellers of doom and the eternal optimists to encourage a mindset that expects and accepts bad things will happen, even when you hope for the best.

“With the complexity of these challenges, good judgement is all the more important and the only way to have some assurance that you're going to get good judgements is to have an open, challenging culture where people can really speak their minds about what the risks are that they see. It's about diversity of thought and openness of mind and willingness to challenge.”

Duncan MacKinnon
Executive Director for Supervisory Risk Specialists, Prudential Regulation Authority (PRA)

Being inclusive also means knowing who your experts are during a disruptive event and listening to them, without making this hierarchical. For example, when a command centre is set up, attendance shouldn’t be determined based on seniority. Accountable individuals may need to be closely informed but not necessarily at the heart of an operation and this principle has broader significance. Always be curious and ask ‘what if’. Use a combination of data and imagination to understand the potential consequences of the consequences of the consequences of disruption.

Avoid an over-reliance on inquests into past failures. While some past lessons will be useful, take a more valuable proactive approach that preempts possible causes of failure before it happens. Pre-mortem exercises that look forward and start with the assumption of a failed plan can be effective in reducing overconfidence and avoiding a toxic blame culture.

“The disruption of the past few years is a wake-up call and continuing only to address a pattern of known events is in itself a risk. The most resilient organisations have panoramic vision and the ability to flex and adapt, protecting what matters most to their stakeholders - and crucially embracing change and taking risks confidently as a result.”

Stephanie Bruce
Chief Financial Officer, abrdn

The power of a resilience rethink - for business, government, society and individuals

“There is so much exciting potential where the resilience agenda is powered by technology. Organisations are adapting, responding and unlocking value in a world where disruption and uncertainty are increasingly the norm.”

Rebecca Cooke
Partner - Risk, PwC UK

A resilience rethink will empower and incentivise people across organisations to drive resilience. However, this should not be seen as a substitution for but a reinforcement of being absolutely clear where overall accountability ultimately lies in the C-Suite, and the role of the Board. Resilience is a strategic business imperative that must be owned, promoted, driven and overseen from the very top. Accountability must not be over-delegated - or abdicated - to risk committees and business process owners.

“Our conversations show that the value of resilience - and the cost of not having it - has never been greater,” says Rebecca Cooke, Partner - Risk, at PwC UK. “People, their tenacity and their changing mindset have the ability to create resilient organisations which in turn creates important societal outcomes - economic stability, services people can rely on - and trust.”

[1] Roads to Resilience: Building Dynamic Approaches to Risk (Cranfield School of Management/Airmic/PwC, 2014)

Why we need to rethink resilience

Surviving one crisis after another isn’t a viable strategy for either short term survival or long term growth. By making the right strategic investments - boosting data capabilities and tech-enabling their people - resilient organisations are able to protect value in the face of short term challenges around inflation and macroeconomic volatility while also adapting to create value and ensure long term growth amid existential threats such as climate change and cyber attacks.

The value of resilience

Resilience is as key to value creation as it is to value protection because resilient organisations are ready to act with agility and speed to any scenario. Resilience puts organisations on the front foot to change so they can take risks with confidence, using the trust they have built with stakeholders to create sustainable growth. But many organisations overestimate their ability to deal with disruption due to risks being deemed low probability and a default optimism bias. This leads to lack of investment in resilience and misplaced confidence in their ability to handle a disruptive event.

Contact us

Rebecca Cooke

Rebecca Cooke

People Leader for Risk, PwC United Kingdom

Tel: +44 (0)7808 904147

Bobbie Ramsden-Knowles

Bobbie Ramsden-Knowles

Risk and Resilience Partner, PwC United Kingdom

Tel: +44 (0)7483 422701

Follow us