
The value proposition for organisational resilience
Corporate Cyber Security Summit
Mike Trovato
Asia Pacific Security Leader
13 November 2013

Agenda

Introducing our research


Why Organisational Resilience (OR) has emerged
Relationship of OR and management strategies
Principal concepts and attributes of OR
Cyber security and resilience
Value of resilience for cyber security
Summarising


Introducing our research

Critical Infrastructure Resilience Strategy (2010) led by the Commonwealth Attorney-General's Department

Strategic Imperative #2 - Develop an Organisational Resilience Body of Knowledge
Research paper 1: CEO perspectives on organisational resilience (2012)

Value proposition for OR for business and society needed

2012-13 research with the Commonwealth Attorney-General's Department - Organisational Resilience: The relationship with risk related corporate strategies (2013)


Global Practice insights


Extensive literature review

Why Organisational Resilience has emerged


Volatility of the economic and demographic environment
Velocity of innovation and information
Visibility into everything that organisations do

Why Organisational Resilience has emerged


Economic & demographic volatility
Financial uncertainty and instability
Emerging middle class in developing markets

Complexity of networks

Scarcity / imbalance of resources / political instability


Intensification of global competition

Plans need to be aggressive but risk adjusted


Why Organisational Resilience has emerged


Velocity of innovation and information
Market awareness and responsiveness is crucial
Speed to market
Virtual world with access to information anywhere anytime
Innovation is expected
Brand movement
60% of global population with access to smart devices by 2030
Knowledge of alternatives

Need to be able to move quickly and carefully

Why Organisational Resilience has emerged


Visibility into everything
Unprecedented access to information

Unrestricted global boundaries

Global village causing blurred lines

Visibility is global

For the informed customer everything is contextual
Sustainability
Need to be authentic

Accountability

Reputation needs to be real and managed


Why Organisational Resilience has emerged


The opportunity

These forces create enormous opportunities and daunting challenges for government and business

Risk and opportunities must be carefully balanced.

Grow and profit/manage costs
Protect performance
Innovate continuously
Optimise performance

All these elements are uniquely combined in the organisational resilience approach.
Unlike traditional approaches, OR balances these protect- and perform-focused approaches and strategies

Why Organisational Resilience has emerged


The opportunity

There are many strategies and approaches to select from which align with and support organisational resilience

Selection of perform and protect focused strategies and approaches consistent with the organisational context - internal and external

Figure 1: The Perform / Protect Matrix

Relationship of OR and corporate strategies

Figure 2: The domain of risks includes foreseeable and unforeseeable risks

Figure 3: The Ernst & Young BCM Model

Principal Concepts of OR

Figure 4: Principal concepts of resilience (identified through research commissioned by the Commonwealth Attorney-General's Department).

Principal Concepts of OR

Resist disruptive influences to Business As Usual
React effectively when threats materialise
Reshape internal and external environments for growth

Figure 5: Resist, React, Reshape - core components of OR.

Value of OR in practice

Figure 6: Four key attributes of OR.


2013 EY Global Information Security Survey


Clients are moving in the right direction

Improving their defences for cyber attack
Expanding - taking bolder steps
Innovating - continuously review, rethink and potentially redesign their security framework

[Figure: axes Awareness (Know / Don't know) and Behavior (Reactive / Proactive)]

Cybersecurity and resilience


Awareness of cyber threats propels improvements.

The leaps that organizations are making
Organizations are investing more in information security
Organizations are shifting their focus from operations and maintenance to improving and innovating

The steps that organizations still need to take
Information security departments are still feeling the pinch
Despite the security improvements organizations have made, many remain exposed

Cybersecurity and resilience


Threats continue to increase, driving bolder actions

The leaps that organizations are making
Organizations demonstrate alignment among strategies and drivers
Efforts to improve cyber security programs are growing

The steps that organizations still need to take
A lack of alignment in other critical areas is still too common
Threats are growing too, often at a faster pace

Value of OR in practice
Resilience & Cybersecurity - bringing it together

Business As Usual
Resilience leadership: Commits to continuous improvement and resilient practices for BAU
Resilience culture: Commitment to excellence and efficient operations at the micro level. Mindful work
Change readiness: Avoids shortcuts, adapts to minor changes and failures of process, detects anomalies

Change and adapt
Resilience leadership: Continuous, visible top-level non-routine crisis management
Resilience culture: Motivated actions by committed individuals
Resilience partnerships: Collaboration to solve technical problems and respond to disaster

Shape the environment
Resilience leadership: Long term adaption / complex adaptive systems
Resilience culture: One-in, all-in enthusiasm for challenge, innovation and risk taking
Change readiness: People who innovate through trust and teaming.

Summarising

Organisational Resilience meets the needs of businesses that must:
Focus on taking risks intelligently in a world of increasing volatility, velocity, and visibility
Must be organisationally ambidextrous - must innovate for growth while protecting operations
Rely on the committed, focused capabilities of all team members to achieve long term prosperity and success

Organisational Resilience is an outcome not a system. This means:
It complements proven risk management methodologies
Leverages new and existing strategies to drive agile responses to threat and opportunity, wherever it occurs.

AG Organisational Resilience
EY 2013 Global Information Security Survey


Thank you
