Enterprise Resilience: Managing Risk in the Networked Economy
by Randy Starr, Jim Newfrock, and Michael Delurey

from strategy+business issue 30, spring 2003

strategy+business magazine is published by Booz Allen Hamilton Inc. To subscribe, visit www.strategy-business.com or call 1-877-829-9108


Two companies; same crisis; vastly different responses and outcomes.

A Nordic telecommunications company and its primary competitor, another European telecom manufacturer, both depended on the same Koninklijke Philips Electronics NV semiconductor plant in New Mexico for chips to power their mobile phones. But when a fire broke out at the factory in March 2000, the supply chain was disrupted.

The Nordic company’s officials noticed the problem even before being told that a plant had gone down. Its chief supply troubleshooter immediately put together a team of 30 supply chain experts to fan out across Europe, Asia, and the U.S. to patch together a solution. They redesigned chips, accelerated a project to boost production, and used the company’s clout to obtain more chips from other suppliers. The other company, with fewer fail-safe and troubleshooting systems built into its supply network, came up millions of chips short of the supply needed to launch a critical new product.

The result, according to the Wall Street Journal: The Nordic company’s market share grew by 3 percent; the competitor’s dropped by the same amount. Before long, the other company withdrew from the handset market.

This stark tale of gain and loss underscores a new operating reality confronting companies everywhere: Drivers of earnings, definitions of risk, underlying risk interdependencies, and ways to manage them have changed. Firms generally have thought of risk as the downside hazard to their financial portfolios and have concentrated their risk management efforts on hedging their portfolios against loss. But the Nordic company’s success in weathering a potentially debilitating disruption to its supply chain, and ultimately gaining competitive advantage from its efforts, shows that companies can profit by adopting a broader understanding of and more comprehensive processes for managing risk across the extended enterprise in an increasingly complex global economy. In doing so, they establish greater enterprise resilience (ER).

Understanding interdependencies and planning for discontinuities is the path to corporate agility.

Illustration by David Plunkert

In this article, we detail the differences between conventional enterprise risk management and enterprise resilience, and explain why a keen understanding of the distinction is essential today, when the boundaries of every major corporation have expanded, increasing a company’s vulnerabilities and its potential for competitive advantage. We also identify how senior executives can assess their organization’s resilience profile and risk management approach. And we explain how corporate managers can align risk mitigation strategies with the most significant earnings-driver risks, and close dangerous gaps in their company’s resilience profile.

The Adaptation Imperative

Enterprise resilience is the ability and capacity to withstand systemic discontinuities and adapt to new risk environments. A resilient organization effectively aligns its strategy, operations, management systems, governance structure, and decision-support capabilities so that it can uncover and adjust to continually changing risks, endure disruptions to its primary earnings drivers, and create advantages over less adaptive competitors.

A resilient organization establishes transparency and puts in place controls for CEOs and boards to address risks across the extended enterprise. It can withstand improper or fraudulent employee behavior, IT infrastructure failures, disruptions of interdependent supply chains or customer channels, intellectual property theft, adverse economic conditions across markets, and the myriad other discontinuities companies face today.

Randy Starr ([email protected]) is a principal in Booz Allen Hamilton’s New York office. He specializes in combining business and technology strategy with market insights to implement growth strategies and new business models.

Jim Newfrock ([email protected]) is a senior director and treasurer with Booz Allen Hamilton in New Jersey. He is responsible for global risk management at the firm and specializes in the interplay of business strategy and enterprise risk.

Michael Delurey ([email protected]) is a principal with Booz Allen Hamilton in Virginia. He specializes in strategic planning, policy analysis, and policy development for government clients with a focus on complex network analysis and critical infrastructure protection.

Establishing greater resilience is especially necessary in the current economic and security environment, which poses a new set of challenges to executives and boards. The openness and complexity of today’s extended enterprise increases the firm’s dependence on a global financial, operational, and trade infrastructure. Although that provides for greater efficiency and effectiveness, it also exposes most companies to risks that were unfamiliar during the era of national markets and the vertically integrated enterprise — and compounds the effect of conventional business risks.

What’s more, the legal and regulatory landscape has undergone significant change since the September 11, 2001, terrorist attacks and the accounting and governance scandals in the United States, raising the level of diligence stakeholders expect from senior executives, boards of directors, and board audit committees in ensuring the safety and continuity of the enterprise. The July 2002 United States’ National Strategy for Homeland Security recommends that industry sectors and corresponding government agencies responsible for critical infrastructure protection develop national infrastructure assurance plans that bridge the public and private sectors. The Sarbanes-Oxley Act of 2002 has tightened boards of directors’ audit committee responsibilities, imposed new CEO and CFO certification requirements, and raised the “standard of care” obligations on management dramatically. The Basel II Accord commits financial-services institutions to set aside larger capital reserves against possible future operational disruptions.

Guided by these and other requirements, underwriters of risk, such as insurance, equity, and debt markets, will more aggressively distinguish between those businesses that are resilient and those that are not. To maintain earnings consistency and preserve and grow shareholder value, chief executives and board members need the capacity to sense and respond effectively to increasingly complicated levels of risk — risks that cannot necessarily be transferred through conventional means, such as insurance.

Interdependence Risk

Our emphasis on the importance of earnings consistency matches that of the capital markets. A company’s fate is determined by its ability to generate a reliable pattern of earnings growth. Companies that reduce earnings volatility and lower the probability of large losses are rewarded by financial markets with less expensive and better access to capital. What’s more, markets place “consistency premiums” on the stock valuations of companies that both promise and produce a steady pattern of increasing profits.

The business activities that enable the firm to gain a competitive advantage and sustain growth vary across both industries and companies. For some, manufacturing facilities represent the core earnings driver; for others, IT networks, customer support operations, supply chains, intellectual property, or a combination thereof power earnings. Traditionally, risks have not been perceived in the context of key earnings drivers, but rather in broad categories, each of which was managed in a functionally isolated way. Thus, financial risk became the province of the CFO, operations risk the responsibility of the COO, and network security the task of the CIO. Rarely do they or their business continuity or security programs link together in support of strategic objectives.

Senior executives have understandably renewed their attention to conventional risk mitigation programs. Seventy-five percent of Fortune 1000 CEOs surveyed by RoperASW on behalf of Booz Allen Hamilton in late 2001 expressed increased concern about such day-to-day activities as mail processing, travel, protection of employees, and protection of infrastructure. But by defining risk and security narrowly as the protection of personnel, plant, data, and financial position, CEOs and boards overlook the more prevalent perils they face conducting business in a networked global economy.

Networks are one of the great advances in industrial organization. Over the course of the last half century, the vertically integrated company has given way to the networked enterprise, an organizational structure characterized by greater agility and adaptability. Successful firms today must deal with intertwined layers of information, raw materials, analytical data, customer communication and service, and network infrastructure — at unprecedented speed — while maintaining countless secure relationships with third-party organizations, such as suppliers, technology outsourcers, and government regulators. “The diversity of networks in business and the economy is mind-boggling,” writes Albert-László Barabási, the physicist and author of Linked: The New Science of Networks (Perseus Publishing, 2002). “There are policy networks, ownership networks, collaboration networks, organizational networks, network marketing — you name it.”

Diagnose Your Enterprise Resilience: Eight Fundamental Questions

1. Are the complexity of the extended enterprise and major earnings drivers across it transparent?
2. Are interdependencies understood and interdependence risks identified?
3. What programs are in place to ensure the viability of earnings drivers?
4. Are these programs fully aligned with corporate strategy and objectives, and do we understand the trade-offs within these programs?
5. Do we know what we spend on resilience?
6. How good is our situational awareness — that is, do we have enough business intelligence, internal and external, and is it directed to the appropriate parties?
7. Do we distill such intelligence properly and in a timely enough fashion to react to it?
8. Who is accountable for resilience, and how do we make decisions and measure progress?


Yet while the organizational and economic impact of networks is well known, their vulnerabilities remain largely unexplored by businesses. The reliance on open borders, transnational alliances, and global markets for capital, goods, and services has generated a “just in time” economy, which, although remarkably cost-efficient, leaves companies open to a range of discontinuities that can affect operations, reputation, customer habits, legal standing, regulatory compliance, earnings performance, and ultimately shareholder value. We call these new vulnerabilities, collectively, interdependence risk, and define it as unanticipated risk exposure across the extended enterprise that is beyond an individual organization’s direct control. Examples of interdependence risk include supply chain disruption, government intervention, and public infrastructure destruction.

The scale and impact of a disruptive event is a function of the relative importance of the dislocated entity and the degree of its integration into a broader extended enterprise. A problem that appears localized could ripple across an extended enterprise, an industry sector, or even a national or multinational economy. The capacity to withstand such disruptions is a function of a firm’s systemic resilience — its ability to understand its interdependencies, and to foresee and plan around discontinuities that can occur within them.

Interdependencies have grown not only within the private sector. Governments and industries are increasingly dependent on each other at a level of intricacy not seen — in the United States, at least — since World War II. The National Strategy for Homeland Security calls for the development of protection plans in 14 “critical infrastructure sectors” (such as energy, telecommunications, defense industrial base, and banking and finance); although private industry overwhelmingly owns and operates these sectors, government and business must collaborate to develop and implement the assurance plans. One current public–private sector partnership model is the National Security Telecommunications Advisory Committee (NSTAC), which supports the Office of the President in addressing telecommunications issues vital to U.S. national security and emergency preparedness needs. The stakes in such collaboration can be enormous. A war game, cosponsored by Booz Allen with the Council for Excellence in Government in December 2001, and designed to model the effects of an intentional release of pneumonic plague in multiple metropolitan locations, found that casualties would be dramatically reduced by cross-sector knowledge-sharing mechanisms.

Interdependence risk — within the private sector or across the public and private spheres — underlies many recent reports of operating loss. Consider what happened in September 2002 when a labor dispute shut down West Coast ports for several weeks. As critical supply chains stopped functioning normally, severely constraining manufacturing and product replenishment, U.S. companies lost an estimated $1 billion per day. The events highlighted the interdependencies among shipping companies, supply chain–intensive industries, contract logistics providers, and government agencies.

ER vs. ERM

Risk management models have not kept pace with the shift from centralized to networked organizations. In military terminology, most enterprise risk management (ERM) programs rely on “point solutions,” which attempt to moderate risks by “hardening” potentially vulnerable spots against attacks, a futile exercise in a networked enterprise. An organization cannot simultaneously harden all the nodes within its network; threats will just migrate from a hardened node to more vulnerable points. Military strategy has long since adapted to this new understanding. In the early 1990s, when the U.S. Department of Defense recognized that its war-fighting doctrine of “information superiority” increased its dependence on networked communications systems, it transitioned from the traditional risk management technique of hardening every node to a “defense in depth” model, which uses a layered approach to security.

Exhibit 1: Companies Are Not Prepared to Recover from Major Disruptions

• More than 75% of respondents say a major disruption to their top earnings driver would either cause sustained damage to their firm’s earnings or threaten its continuity of operations.

• Fewer than 25% of respondents believe their current risk management efforts sufficiently address key areas of contingency planning.

• More than 33% of respondents say their company’s senior management lacks a thorough understanding of the impact a major disruption would have on their company and the firm’s level of preparation for a major disruption.

• Many senior executives still fail to recognize risk management as a priority.

• Improved communication among key stakeholders about risks and contingency planning is needed.

Source: Protecting Value Study, 2002. A survey of 199 financial executives and risk managers at Fortune 1000 firms in a variety of industries, sponsored by FM Global, the National Association of Corporate Treasurers, and Sherbrooke Partners. www.protectingvalue.com

Directors and senior managers, many of whom are faced with analogous challenges, have not followed suit. In a recent survey of Fortune 1000 CFOs, treasurers, and risk managers by the National Association of Corporate Treasurers and other organizations, three-quarters of respondents agreed that a major disruption to their top earnings driver would either cause sustained damage to their company’s earnings or threaten business continuity. Yet fewer than one-quarter of respondents said their current risk management efforts sufficiently anticipate a wide variety of potential large-loss events. (See Exhibit 1.)

In pursuing strategic objectives, boards and CEOs must factor into their decision making the trade-offs involved in selecting one risk alternative over another. Conventional ERM programs certainly help focus executives and directors on the nature of specific vulnerabilities, and they can provide partial frameworks to help firms protect potentially weak links from low-probability catastrophic risks. But they do not fully prepare companies for the discontinuities that can jeopardize earnings drivers. Conventional enterprise risk management fails to account for interdependencies across vertical and horizontal corporate operations and thus tends to underestimate the range and severity of risks faced by the firm. Such network discontinuities can accumulate exponentially and often spiral out of control, subjecting a company to levels of loss without modern precedent. So Barings Bank learned when the actions of a single trader in Singapore destroyed the centuries-old institution.

In sharp contrast to traditional ERM, enterprise resilience planning advances a company’s speed and flexibility by crafting an integrated first line of defense and an offensive strategy to guard the entire extended enterprise against new, unavoidable risks that are the by-products of interdependent operations. ER results from a planned series of safeguards against discontinuities — encompassing everything from logistics, inventory control, and distribution channels to relations with government agencies, customers, and suppliers. Unlike enterprise risk management programs, which tend to focus only on how major categories of corporate risk interact at a tactical level, ER planning better aligns risk management activity and spending with the most fundamental components of corporate strategy and performance: corporate growth and profit drivers, earnings consistency, and shareholder value. Resilient organizations are sensing, agile, networked, and prepared. They think ahead to even the most outrageous possibilities, training themselves, as the Harvard Business Review put it, “how to survive before the fact.” (See “Diagnose Your Enterprise Resilience: Eight Fundamental Questions,” page 4.)

War-Gaming and Resilience Planning

Frequently conducted in conjunction with an enterprise resilience audit, war-gaming is an effective tool for understanding a company’s or an industry’s resilience posture. These strategic simulations use mock crises to gauge how well executives and staff are prepared to face serious business discontinuities.

The most effective war games occur over two days and involve a series of crisis simulations in which critical components of a company’s or an industry’s resilience are tested with players from different, yet related, stakeholder groups. Through a real-time simulation — with one group making a move, and others responding, action by action — vulnerabilities can be exposed and mitigation strategies developed.

For example, Booz Allen Hamilton and the Conference Board sponsored a port security war game in October 2002, just after West Coast ports in the U.S. were shut by a labor action. Participants included representatives from government agencies, supply chain–intensive industries, and contract logistics providers. The war game simulated an unanticipated closure of shipping ports after several “dirty bombs” were found in containers shipped to U.S. ports. The exercise found that companies reliant on the ports would likely have to sacrifice just-in-time efficiency to some degree, and replace it with a more robust “just-in-case” supply pipeline.

With such insights, companies can attempt to find the necessary balance between just-in-time production and just-in-case resilience, and to answer crucial questions: What would be the effect on earnings if we stockpiled three weeks of supply? Are there innovative ways to create these reserves besides paying for them outright? What loss would insurance cover? What are the projected costs of alternative shipping versus stockpiling? How well do we understand whom to call and what to do during such an event? How prepared are we to communicate mediation steps?

War-gaming’s greatest value is that it exposes ideas that participants don’t realize they have and uncovers solutions that are not apparent. Additionally, war-gaming forces organizations to think differently, to examine the validity of their assumptions about systemic risks. For example, the port security war game uncovered the critical fact that companies must consider security a strategic and necessary element of global trade resilience. Another insight was that local and national public–private partnerships are essential to finding an effective global port security solution. When war games include participants from interdependent companies or involve a mix of private-sector and public-sector players, consensus can be forged on the need for collective action, and the action plan itself can take shape. — R.S., J.N., and M.D.

ER planning begins with the identification of the greatest risks across the enterprise, including interdependencies, and then generates a targeted program, integrated with overall corporate strategy, for mitigating these risks. ER is a continuous process that creates the ability to adjust readily to new risks and opportunities, based on the strategic priorities and operational tempo of the business. It enables executives and managers to make educated trade-off decisions when they develop a risk mitigation strategy, balancing the costs and benefits to meet overall risk management targets and improve earnings consistency.

There are three essential steps to becoming a resilient enterprise:

Diagnose enterprise-wide risk and interdependencies. A company must first define its extended enterprise and determine its earnings drivers. Once this is achieved, a transparent and consolidated view of risks across the extended enterprise can be developed, helping executives to understand the company’s network interdependencies. After the enterprise is mapped, a baseline view of risk mitigation plans and spending can be developed to identify gaps and prioritize risk mitigation objectives. The resilience diagnostic should yield quick-hit opportunities associated with critical risks that management must address in the near term.

Adapt corporate strategy and operating model. The enterprise should use cost-benefit analysis that links cross-functional risk mitigation planning to corporate strategy. Equally important, the CEO and board must adopt a common risk management and resiliency vocabulary that is comprehensible and intuitive to all, enabling executives and directors to understand a company’s risk exposure and to make trade-off decisions in implementing risk mitigation strategies while pursuing strategic objectives.

Endure increased risk and complexity. This step involves developing an organizational structure that oversees and integrates business intelligence and risk monitoring for the extended enterprise; has the analytical tools and support capabilities to improve decision making and responses to risk as it changes; can measure risk mitigation with clearly defined benchmarks; can monitor the organization’s resilience profile; and can implement best-practice risk mitigation solutions. The resilient organization, through an enhanced sensing capability, integrates business intelligence to improve situational awareness.

The ER Audit

As an initial step to building enterprise resilience, companies can apply a comprehensive, three-phase ER audit procedure that can aid senior management teams in developing integrated risk mitigation programs grounded in a company’s real needs and built around its actual earnings drivers.

Step One: Enterprise Topology and Earnings-Driver Classification. In the diagnostic’s first stage, the firm should identify its key earnings drivers and their associated risks. (See Exhibit 2.)

This should be done by mapping the extended enterprise and drawing a consolidated and transparent picture of how the company organizes systems, processes, and relationships inside and outside its walls to generate revenue and profits. The company must distinguish the earnings drivers themselves; the business processes, capabilities, and technologies that support them; and their vulnerabilities. To accomplish this, interviews are held with corporate decision makers and key management staff in all functional domains. Relationships among customers, partners, and suppliers are explored; IT network safeguards inventoried; and assets charted.

Step Two: Resilience Profiling and Baselining. After plotting the earnings drivers, the firm should use modeling tools and best practices in enterprise design to produce initial snapshots of an enterprise’s “resilience profile” for each essential aspect of a company: financial, operations, technology, personnel, and security. Then the company’s existing profile should be compared with an optimal level of resilience — a “to be” state — in each of these operations.

The firm’s current risk mitigation plans, procedures, and costs, including business continuity and security programs, are examined in this phase. The intent is to determine how the current programs and the spending on them align with the earnings drivers identified in phase one. Both explicit and implicit risk mitigation spending must be baselined. Such spending includes costs associated with known security, business continuity, and disaster recovery programs, as well as costs associated with security, continuity, and recovery that are buried in budgets for departments or functions, such as IT or marketing. War-gaming is a particularly useful exercise in doing such advanced resilience profiling. (See “War-Gaming and Resilience Planning,” page 7.)

A vital part of this phase is the development of an “interdependency map” to identify interdependence risks across the extended enterprise — hazards to earnings drivers that may result from unanticipated regulatory action, changes in supplier relationships, problems at clients, or other externalities. The baselining exercise also seeks to understand how market trends and corporate strategies will influence earnings drivers in the future. For example, a consumer goods manufacturer might discover that the business unit managing logistics between the factory and retailers for the company’s flagship Product A is unaware of a new distribution chain developed by the team overseeing up-and-coming Product B. These redundant distribution channels could leave the manufacturer vulnerable because the delivery of two critical products would be interrupted simultaneously if the supply chain network sustained a disruption.

Such profiling and baselining helps identify gaps between existing risk mitigation programs and identifiable needs, allowing management to visualize at a glance weaknesses and strengths in the firm’s current risk exposure and resilience posture. This impact analysis can identify areas for new investment and disinvestment. For example, a major retailer with state-of-the-art just-in-time inventory systems that require continual data inflows to determine how to stock shelves could be financially crippled if a disruption were to temporarily shut down its network grid.

By contrast, even the largest advertising agency could get by without too much damage if it lost its computers for a day or longer. However, an ad agency must protect the safety of its key personnel because its human assets are its most significant earnings driver.


Consequently, during the diagnostic’s analysis stage, the to-be resilience state for the retailer would establish that the safeguarding of technology infrastructure is its highest target for investment, and personnel security is a lower investment target; the ad agency might have the opposite resilience profile. This rating does not imply that the retailer has a lower regard for personnel safety; it simply recognizes that the retailer’s investments need to be focused on the technology infrastructure because that infrastructure is one of its primary earnings drivers.

Step Three: Resilience Strategy. The final phase of an enterprise resilience audit aims to develop a new resilience program based on the analyses of the firm’s earnings-related risk mitigation needs. The most critical gaps between existing risk management programs and the to-be profile are isolated. After the financial commitment needed to close these gaps is determined, a cost-benefit analysis helps rationalize investment needs, finding the optimal balance among components of the risk mitigation effort.

Exhibit 2: Determining Earnings-Driver Priorities: A Service Company Example

[Figure: earnings drivers charted by Immediacy of Impact on Earnings Drivers (Immediate: “Life-Threatening” to Longer-Term: “More Insidious”) and Degree of Control (Low to High), with a group labeled “Priority Earnings Drivers.” Drivers shown:]

• Superb delivery and execution
• Compliance (regulatory and client confidentiality)
• Market position/distinctiveness of offering
• Maintenance of client relationships
• Intellectual property
• Sales effectiveness
• Ability to attract, develop, and retain top staff
• Global footprint
• Infrastructure protection
• Capacity management
• Research and development
• Market conditions

Exhibit 3: Corporate Strategy and Risk Integration

[Figure labels: Boards of Directors and CEOs; Corporate Strategy; Risk Strategy; Enterprise Resilience]

• Factors earnings-driver risks
• Adapts to new risk environments
• Extended enterprise view
• Factors risk interdependencies
• Transparency
• Insight
• Accountability
• Decision making
• Execution
• Measurement

The cost assessment examines business resiliencefrom three perspectives: people, operations (process andtechnology), and interdependencies. As an example, anestablished meat products company might learn that,overall, it has well-protected supply and distributionnetworks, moderate operations risk thanks to maturecrisis and disaster management plans, but weak person-nel security because its hiring and management proce-dures at international subsidiaries are inadequate. Onthe basis of this evaluation, the company could decide toreduce resources earmarked for disaster management andnetwork oversight and redirect them to improve itsrecruitment, training, and inspection practices. Other-wise, it increases the risk that a devastating incident willoccur (e.g., poor inspection practices could allow taintedmeat to reach consumers and cause them to become ill).

After setting the gap-closing priorities and developing the full risk mitigation strategy, the executive team should agree on a migration path and gain the board’s agreement on a timetable for the institution of near-term and longer-term resilience goals. Over time, enhanced business intelligence and information sharing should be developed to promote greater situational awareness.

Risk Is Reality

We believe that companies need to adopt a more integrated approach to risk management — one that links business strategy to enterprise resilience and business continuity planning. Using diagnostic tools, war-gaming, and decision-support capabilities, companies can establish a more effective, continuous, and consistent methodology for protecting the enterprise from internal and external risks.

The establishment of enterprise resilience should involve not only those routinely responsible for risk management and security, such as the CFO, CIO, and chief security officer, but also the CEO, the business unit general managers, the board of directors, and the board’s audit committee. With their collaboration, a new risk management approach can be developed to provide a steady stream of information to the organization’s top decision makers about the vulnerability of earnings drivers. (See Exhibit 3.) Done this way, ER planning will improve corporate governance and enhance decision making within a company.

Businesses have always faced risks, but recent events have provided dramatic evidence that, in today’s economy, risk is reality. Not all risks can be anticipated, but they can be managed, by senior executives, boards, and stakeholders working together to create a resilient enterprise. Stakeholder expectations are higher than ever, and enterprises that are more resilient will experience more rewards — from increased customer and partner loyalty to the realization of premiums for improved earnings consistency. +

Reprint No. 03107



Booz Allen Hamilton has been at the forefront of management consulting for businesses and governments for more than 80 years. Booz Allen combines strategy with technology and insight with action, working with clients to deliver results today that endure tomorrow.

With over 11,000 employees on six continents, the firm generates annual sales of $2 billion. Booz Allen provides services in strategy, organization, operations, systems, and technology to the world’s leading corporations, government and other public agencies, emerging growth companies, and institutions.

To learn more about the firm, visit the Booz Allen Web site at www.boozallen.com. To learn more about the best ideas in business, visit www.strategy-business.com, the Web site for strategy+business, a quarterly journal sponsored by Booz Allen.

Booz Allen Global Assurance Campaign

Our nation is profoundly dependent on the critical infrastructures that are predominantly owned and operated by the private sector. Government and business leaders have an obligation to create new public-private partnerships to protect our economy and our industries. Resilient organizations align their strategy, operations, management systems, and decision support capabilities to enable them to uncover, adapt to, and improve their responsiveness to disruptions—for the government, the issue is mission; for industry, the issue is earnings consistency. As this war game showed, together, government and industry can enhance the resilience of global trade. The Global Assurance Team provides enterprise resilience services to businesses, and homeland security consulting services to the U.S. federal and local governments.

What Booz Allen Brings

Mark Gerencser is a Senior Vice President of Booz Allen Hamilton, specializing in helping clients achieve enterprise resilience to gain a competitive advantage, maintain business continuity, and protect and increase shareholder value. In his 20 years with the firm, he has worked with the Department of Defense, the U.S. intelligence community, and such private sector industries as health care, aerospace and defense, high technology, and media. He can be reached at [email protected].

Jim Weinberg is a Senior Vice President of Booz Allen Hamilton in our Chicago office and assists companies in step-change improvement in operations performance through implementing new operating models and technologies. Mr. Weinberg is a co-leader of Booz Allen Hamilton’s Enterprise Resilience practice, which is forging new frameworks for managing risk in today’s dynamic and network-centric business environment. He can be reached at [email protected].


©2003 Booz Allen Hamilton Inc.
