Resilience Is the Core Risk Discipline

Resilience is a buzzword. But it’s also real and true: it is the core discipline of risk management. For example, cybersecurity’s entire goal—all its efforts to achieve the triad of confidentiality, integrity, and availability—is to ensure an organization remains a going concern. Similarly, recovery planning aims to increase the chance that regulated financial institutions will survive. Capital stress testing for banks? Same basic goal. 

Effectiveness of these various measures can be debated, but the goal is always to increase resilience.

In praise of business continuity departments

One of the long-time champions of resilience is the humble business continuity department. Business continuity and disaster recovery teams have been practicing resilience for decades, not just by testing IT system failover and recovery, but also by conducting business impact analyses. Carrying out tabletop run-throughs for scenarios ranging from pandemics to natural disasters to terrorism. Physically moving traders, executives, and other key personnel to recovery locations and performing tasks from those locations, finding out in the process what small wrenches in the works could derail best-laid plans in a true emergency. 

So, business continuity departments have much to share. Yet when organizations draft financial recovery plans or capital scenario analyses, business continuity departments may sometimes be overlooked or relegated to a tangential role, losing the opportunity to serve as a fertile source of lessons learned. 

Resilience is cross-disciplinary

This isn’t to say business continuity teams should lead all resilience efforts. The right approach to operational resilience is cross-disciplinary, considering areas such as: 

• Strategic resilience (developing alternative lines of business in case core businesses or markets fail)

• Financial resilience (shoring up capital against high-impact shocks) 

• People resilience (succession planning, cross-training, and diversity of perspectives) 

• Supplier resilience (lining up alternatives for key vendors) 

• Process resilience (practicing alternate paths for accomplishing key tasks) 

• Geographic resilience (recovery sites for people and datacenters) 

• Cyber resilience (defending against internal and external attacks and incidents) 

• Systems resilience (performance management and good old disaster recovery) 

Another point in favor of stakeholders working together: companies that can assemble their data bottom-up, putting together the big picture and then analyzing it top-down, are more likely to survive shocks and respond rapidly to changing market and business conditions. That’s because resilience itself, in nature, tends to emerge bottom-up. 

The emergent nature of resilience

Think about the brain. It is essentially a network of countless bottom-up interactions among molecules that have no higher view or goal of why they’re doing what they’re doing. They operate according to simple principles, such as maintaining homeostasis. But the end result, the sum of all their processes, is an emergent big picture and the ability to generate innovative solutions to problems as they arise. 

In essence, resilience is an emergent property. Planning is only one ingredient, and over-planning can kill resilience, because resilience is a combination of adaptability and persistence. It doesn’t mean perfection; it’s often messy. It doesn’t mean streamlined; resilience is often boosted by redundancy and diversity.

A hypothesis on customer diversity and bank runs

A brief example with a nod to today’s headlines: one possible factor in the failure of Silicon Valley Bank—the second largest bank failure in US history—may be customer diversity or lack thereof. Most of SVB’s customers were startups, whose executives tend to read similar news sources, tune in to similar pundits, share some of the same investors, and possibly rushed to withdraw their funds more or less at the same moment.¹ 

Could banks with more diverse customer bases—more geographically diverse, more professionally and economically diverse, as just a few examples—be less prone to bank runs? Time will tell, but a 2008 National Bureau of Economic Research (NBER) paper by two Duke University and University of Amsterdam professors found that customers’ social networks can spread bank runs. We’re in uncertain waters, since the fallout from SVB’s failure hasn’t fully ricocheted through the system yet. The asset-liability mismatch underlying recent financial stress² isn’t limited to banks with concentrated customer bases, but so far that’s where the risk has manifested. 

Resilience—or the perception of it—will determine what happens next.

1

More broadly, there is something to be said about the dangers of a monoculture of viewpoints in any space, and the importance of encouraging a diversity of views to flourish and then listening to that broad range of views, but it’s late and I’m tired and this will be another article sometime.

2

Banks have customers who can demand their money back at any time, but back when interest rates were low, many banks invested in long-dated bonds that won’t mature for years, in an effort to make some kind of return. Now, if too many of a bank’s customers ask for their money back at once, the bank has to sell those long-dated bonds at a loss since those relatively low-interest-rate bonds’ value went down as interest rates rose. That may leave the bank undercapitalized.