01 Global Resilience Report October 2022 WC

Toward True
Organizational Resilience
Deloitte’s Global Resilience Report
October 2022
Toward True Organizational Resilience
02
Deloitte’s Global Resilience Report | October 2022
https://www2.deloitte.com/us/en/pages/risk/articles/global-resilience-report.html | 03
04
Contents
Introduction 06
Executive Summary 12
01. Organizations need to Accelerate their 16

Journey to Organizational Resilience
02. Organizational Resilience must 22

become a True Strategic Priority
03. Geopolitical Threats should be 26

Addressed within Resilience
04. Organizations Welcome the Role 30

of Regulators in Resilience
05. Environmental, Social, and Governance 38

(ESG) Risks Warrant Greater Attention
06. Reputational Risks Demand 44

more Proactive Management
07. Digitalization can Enable Resilience 48
08. Barriers to Achieving Greater 52

Resilience can be Overcome
The Future, and How to Get There 54
Authors 59
Introduction
06
Deloitte’s Global Resilience Report:

Senior executives Therefore, traditional approaches to This differs from thinking of resilience as
resilience—thinking of it as “bouncing positioning the organization to recover
recognize the need back,” mistaking it for crisis management, from risks and resume its former shape.
for more proactive, or delegating it to siloed functions— It encompasses capabilities needed to
need to be expanded as quickly identify, anticipate, and respond to the
forward-looking, and as possible. opportunities for growth that disruption
strategic approaches to always presents. It aims to develop an
Yet the fundamental goal of resilience organization that can evolve rapidly and
resilience, but they are remains the same—to enable the adapt repeatedly to new conditions.
struggling to develop and organization to serve the needs and meet
the expectations of its stakeholders Our view encompasses capabilities within
operationalize them in
regardless of condition. This stands and apart from risk functions. Therefore,
their organizations. among the primary responsibilities of we surveyed not only leaders of risk
senior executives and the board. Given functions but also those leading non-risk
That is the overarching finding of the risks that organizations now face, functions; where useful, we present the
Deloitte’s 2022 worldwide, cross-industry an approach that generates end-to- data for each set of respondents.
survey of almost 700 executives, end organizational resilience has
directors, and senior leaders with become essential. The survey findings chart a path
accountability or responsibility for toward organizational resilience
resilience or crisis management In this report we convey the views that developed and maintained through
within their organization (see page 8, our survey respondents provided on the more integrated approaches to
‘A Robust and Representative Sample’). status and future direction of resilience, achieve this strategic objective.
together with our point of view on the These approaches recognize the role
The survey findings indicate that most results and on the need for true and value of resilience in each function
organizations need to broaden out from organizational resilience, expanding and along every dimension (see page 10,
their predominant focus on operational from just operational resilience. ‘The Five Capitals of Organizational
resilience, and build resilience more Resilience’). These approaches also
equitably across other ‘capitals’ (Financial, engage every function, consider
Reputation, People and Environmental) We also offer our definition geopolitical risks, work effectively with
to build true organizational resilience. of resilience1: regulators, leverage digital capabilities,
This entails broadening practices and Organizational resilience is the and position the organization to thrive
capabilities related to resilience while capability of an organization to not only despite business conditions
retaining and enhancing those that be prepared for disruption and but because of them.
currently serve the organization and its to adapt and thrive in a changing
stakeholders well. The survey findings environment. It isn’t purely
also point to steps leaders can take to defensive in orientation. It is
transform their approaches to resilience. also progressive, building the
capacity for agility, adaptation,
Organizations across sectors and learning, and regeneration to
geographies now operate in an ensure that organizations are
environment of constant change able to deal with more complex 1 Adapted from definitions included in BS
and unpredictable risks. The breadth and severe events and be fit 65000:2022 Organizational Resilience.
and potential severity of that change Code of Practice, 31 August 2022 and Resilience
for the future.
Reimagined: A practical guide for organizations,
and those risks are new. 2021 Deloitte LLP and Cranfield University.
A Robust and
Representative Sample
Our survey respondents comprise a Key sample 24% Americas

worldwide sample of 695 executives characteristics Europe
in a range of industries. Respondents
APAC
have crisis management or resilience
as part of their accountabilities or
responsibilities and include CEOs
and CXOs as well as board members.
Included are heads of risk functions
such as operational risk and cyber
security, among others, as well as
chief risk officers. In this report,
these respondents are those in the
“risk functions” sample segment as
opposed to the “non-risk functions”
segment. The latter includes senior
executives and board members 36%
whose responsibilities include resilience Global region
(such as the CFO or CCO) but who do
not manage actual risk functions.
9% 6%
10%
40%
17% Industry
Consumer & retail

Energy, resources & industrial
Financial services
Technology, media & telecommunications
Life sciences & healthcare
37%
Government & public services
20%
08
1,000-4,000 people 22% Risk function

500-999 people Non-risk function 27%
5000+ people
34%
Organization Role
size 73%
22%
44%
36%
Seniority
Direct reports into CxO/board-level management

CEO or other CxO/board-level management
Head of department
42%
The Five Capitals of

Organizational Resilience
1 2
Organizational resilience The five capitals of organizational resilience are:
encompasses resilience
along five capitals—
human, social, built,
financial, and natural—
that comprise the
ecosystem in which
organizations operate.2
People resilience Reputational resilience

People resilience relates to the way Reputational resilience is about being
in which organizations support their responsive to external perceptions,
own people. It is also about fostering scrutinising self-limiting behaviors,
creativity and engineering growth building brand capital and reserves,
by instilling personal resilience and and maintaining a foundation of
instituting the right cultural norms, trust and dependability.
conduct, and behaviors.
2 Resilience Reimagined: A practical guide

for organizations, 2021 Deloitte LLP and
Cranfield University.
10
3 4 5
Operational resilience
Operational resilience refers to the way
an organisation uses its non-financial
Financial resilience
Financial resilience describes the ability
of an organization to withstand events
Environmental resilience
Environmental resilience refers to the
way in which an organization works to
resources to withstand, absorb, recover that impact its liquidity, income, or achieve homeostasis with the natural
from, adapt to, or regenerate from the assets. These events may include world, making strategic choices that
impacts caused by shocks and stresses routine or severe but plausible are both good for the environment
affecting its products and services, data, shocks and stresses. and sustainable for the organization.
technology, cyber security, facilities,
and supply and demand.
A deficiency in any single one of the five capitals can

put the organization in jeopardy and even bring it
down. Organizational resilience therefore consists
of robust capabilities in each of these five domains.
While the emphasis on a given capital will differ across
industries and companies, superior capabilities in one
domain will not make up for deficiencies in another.
Therefore, each organization needs an individualized
way of addressing and balancing investments in
each domain.
Executive
Summary
12
The following are the key findings

of our 2022 Global Resilience Survey:
Until recently, Organizations need to achieve Geopolitical threats

true organizational resilience should be addressed
organizations around In most organizations, resilience Until recently, organizations around the
the world could rely on capabilities remain siloed in ways that world could rely on certain domestic
potentially hamper organizational and global institutions and conditions
certain domestic and resilience. Yet the prevailing business to remain stable over traditional
global institutions and environment and the interrelatedness investment and planning horizons.
of risks demand robust resilience at the That no longer holds true, even as those
conditions to remain organizational level. That points to the horizons have shortened. This instability
stable over traditional need for a more holistic approach which resembles tectonic shifts which at best
investment and planning expands beyond operational or financial generate deep uncertainty and at worst
resilience. However, well over half of destroy large and complex structures.
horizons. That no longer respondents indicate that resilience sits While no single private, or even public,
holds true. within the risk function (or a specific entity can address these threats,
risk function, such as operational risk). each organization must plan for them.
While risk functions play an irreplaceable This means that organizational leaders
role in resilience, the need to address should acknowledge that geopolitical
a broader range of threats to the value forces such as income inequality,
and viability of the organization calls for a political opportunism, nationalism,
new approach. In addition, organizations and degradation of institutions threaten
remain heavily focused on operational economic and cultural structures that
resilience at a time when they need to have long been taken for granted, and
expand resilience capabilities. that those realities should be factored
into strategies, plans, and capabilities
Organizational resilience must related to resilience. Geopolitical threats
become a strategic priority also support the decision to elevate
When resilience sits in the risk function resilience as a strategic priority.
and specialized risk or crisis management
functions, it may fail to focus broadly
enough. It may also receive insufficient
senior leadership attention. This can
be remedied by elevating resilience
to a strategic, enterprise-wide issue
to be continually addressed by
senior executives and the board.
Placing organizational resilience on
senior executive and board agendas
fosters the attention—and funding—
that it now warrants. In addition,
a strong majority of organizations
favor having a chief resilience officer,
which could accomplish this goal.
Organizations welcome the role Environmental, social, and Reputational risks demand
of regulators in resilience governance (ESG) warrant proactive management
Regulators have proven that they can greater attention Trust in an organization, as reflected in
play an essential role in resilience, ESG encompasses many issues, each of its reputation in general and among
particularly during crises that impact which can differ significantly for a given specific stakeholder groups, stands
financial and economic systems, organization. Regarding environmental among its most valuable forms of
industry segments, or the public. resilience, organizations must both capital. Reputation impacts brand equity,
Executives recognize and respect that defend and enhance value in the face of customer loyalty, investor sentiment,
role. Moreover, they welcome regulators environmental changes. From the social and value. If reputational capital is not
playing an even greater role in resilience perspective, they must understand and proactively managed, it can be rapidly
going forward and can be expected monitor their reputations, stakeholders’ destroyed. So, executives need to
to do so across a broader range of expectations, and the impact of social consider the reputational impact of
industries. Yet certain caveats regarding change on their business. In terms potential risks and build corresponding
over-reliance on regulators are in order. of governance, organizations often capabilities. Relative to operational,
For example, regulators tend to look need more robust board practices, financial, and cyber resilience,
backward and aim to avoid or mitigate governance mechanisms, and education organizations lag in this area. Although
crises that resemble the last one. of the board and its committees to reputational risks usually stem from
Organizations need to be more forward- achieve organizational resilience. operational, financial, cyber, geopolitical,
looking and proactive, while continually The broad nature of ESG may partly and ESG risks, reputation itself must be
engaging with regulators. explain why less than one-fifth of proactively managed, with appropriate
organizations cite the ESG function investments in monitoring and
as having an active role in resilience. communication capabilities.
That said, they understand the role of Those specific capabilities enable
social responsibility in their organization measurement of stakeholders’
and plan to hire talent in this area. current perceptions and, critically,
the constantly shifting expectations
stakeholders place on organizations.
Regulators have proven that they can play an essential

role in resilience, particularly during crises that impact
financial and economic systems, industry segments,
or the public.
14
Digitalization can enable resilience Barriers to achieving greater

In addition to siloed functions and resilience can be overcome
structural and leadership issues, The three most cited barriers to
organizations seeking greater resilience achieving greater resilience were scarcity
face a shortage of talent as well as of talent (59 percent), closely followed
competing investment demands. When by competing strategic priorities and
properly selected and deployed, digital lack of organizational understanding of
technologies can enable enterprise-wide resilience (tied at 57 percent). Lack of
capabilities that support organizational funding came next at 44 percent. While
resilience despite talent shortages and lack of talent involves the challenges
cost pressures. Digital technologies of hiring and retaining people in a
have a proven record of cost-effectively highly competitive marketplace, it can
performing activities such as risk be mitigated through rotational and
monitoring, data analytics, and risk cross-training programs, alternative
reporting, thus freeing up talent and talent models (such as co-sourcing and
funding for tasks requiring human managed services), and, as noted, digital
intelligence and intervention. Digital technologies. Strategic priorities and
tools can also bridge silos and enhance lack of organizational understanding of
communications and visibility into resilience can be addressed through
processes. Organizational resilience senior leadership initiatives and
is further supported by advances increased funding of resilience plans,
in scenario modelling, situational programs, and capabilities.
awareness, and digital twins. (The latter
being virtual representations, entities or Each of the following sections provides
processes used to gauge the impact of greater detail on the survey findings as
risks on those entities or processes.) well as our observations on the findings.
In addition, the digital version of this
report provides ways of digging deeper
into the survey data along industry
sector and regional lines.
01
16
Organizations need to
Accelerate their Journey
to Organizational Resilience
In an environment of potentially existential threats A total of one-quarter
leaders need to develop organizational resilience and to one-third describe
corresponding capabilities. To a large extent, this remains resilience as a new
aspirational or absent in many organizations. concept and focus only
on limited aspects or
Despite the presence of sound Only about one-third of organizations
capabilities in specific resilience (36 percent of respondents in risk some components
programs, particularly those related functions and 31 percent in others) of resilience.
to operational resilience, organizations describe resilience as a strategic priority
should accelerate the expansion and with executive sponsorship and end-
coordination of capabilities to achieve to-end capabilities. Almost another
the kind of resilience they now need. 20 percent note that resilience is well-
understood and cross-functional.
Silos are still a problem
Approaches to resilience remain This means that the remainder—
siloed to a degree that can undermine almost half of organizations—do not
cross-functional responses to risks treat resilience as a strategic priority
and opportunities. While many leaders or lack cross-functional resilience.
understand the need to respond in a
concerted manner, many may not. A total of one-quarter to one-third
describe resilience as a new concept and
focus only on limited aspects or some
components of resilience. This points to a
need for greater integration of resilience
capabilities in many organizations.
In your opinion, which statement best describes

your organization’s current resilience capability?
40%
36%
31%
30%
22%
21%
20% 19% 19%
17%
14%
11% 11%
10%
0%
Organizational Organizational Key components Resilience is well Resilience is a
resilience is a resilience is a of organizational understood ascross strategic priority
new concept to new concept to resilience in place, the organization and for the organization
the organization. the organization. with routine has cross-function and has executive-
Some basic Some key investment engagement. level sponsorship.
components in components year-on-year. It considers end-to-
place which focus in place. end resilience (incl.
on limited aspects people, operations,
of resilience. environment, finance
and reputation).
Non-risk Risk
(e.g. Finance, Strategy, (e.g. Cyber Security,
Communications) Risk management,
Business Continuity)
18
Organizations lack a common Is there a common understanding/definition

understanding of resilience of resilience within your organization?
Organizational resilience begins
with a common understanding 48%
and definition of resilience within
the enterprise. Only about half
of all respondents believe their
organizations have these basics
in place. Total
Observations
Developing organizational resilience
calls for defining what resilience means
to the enterprise as a whole, prioritizing 52%
investments in resilience accordingly,
bridging silos that restrict information
66%
flows, and coordinating end-to-end
capabilities. Only about one-third of
organizations seem to be there. Senior
leaders can begin by promulgating a
clear, enterprise-wide understanding
Non-risk
and definition of resilience. The goal
should be to lift resilience out of
siloed functions, which clearly have
their unique roles in addressing risks
and opportunities, and to support
34%
more coordinated, forward-looking
approaches. Deloitte has identified
several ways of accomplishing this 41%
(see Page 21, ‘Identify Essential
Outcomes’).
Risk
59%
Yes No
Collaboration can be enhanced by shifting

the view of resilience from its being a cost to being
an investment, from its being an administrative
burden to a driver of innovation.
Resilience may be limited by its For example, rationalizing and competitors—while enhancing
strong association with risk. integrating siloed processes in resilience. It does this by rationalizing
Respondents outside the risk function are operations, technology, cybersecurity, reporting, providing visibility into
much more likely to identify competencies compliance, and the supply chain not processes and outcomes, generating
such as strategy, issues management, only saves costs but also positions the insights, and freeing headcount
reputation management, communication, organization to streamline operations, for high-value activities.
and procurement as part of resilience. seize opportunities, and outpace
This may imply that the full potential of
resilience may be held back by people
What competencies are currently considered
focusing on traditional risk management
as part of resilience within your organization?
and not fully recognizing the need for
broader competencies. 52%
Observations Strategy
Organizational resilience, which
32%
rests upon the five capitals—people,
reputational, operational, financial, and
environmental—extends well beyond 36%
risk and crisis management. Interestingly, Issues

people outside risk functions appear to management
recognize this more often than those 21%
within them. It’s possible that, given
the range of threats, their far-reaching 33%
impacts, and the need for coordination, Reputation
resilience may be limited by being in management
and associated with the risk function.
21%
That’s because organizational resilience
requires strong collaboration across
26%
operational, financial, cyber, ESG, and
other risk (and non-risk) functions. Communication
Establishing that collaboration is a
senior leadership responsibility. 14%
Collaboration can be enhanced by 23%

shifting the view of resilience from its
Procurement
being a cost to being an investment,
from its being an administrative 10%
burden to a driver of innovation.
0% 20% 40% 60%
Non-risk Risk
(e.g. Finance, Strategy, (e.g. Cyber Security, Risk management,
Communications) Business Continuity)
20
Identify Essential
Outcomes
As explained in a Broadly, an essential outcome
is one that, if disrupted would:
special Deloitte report3 • Harm a key stakeholder or
an organization can a stakeholder group
enhance enterprise-wide • Breach a legal or contractual

resilience—and break requirement or destroy trust in
the organization
down silos—by identifying
essential outcomes • Put the financial viability or existence
of the organization at risk
and working to develop
the capability to deliver • Create an adverse or irreversible
on them regardless of impact on the natural environment
changing conditions. • Fail to provide what stakeholders

need in a crisis, or hamper their
Essential outcomes are those that the ability to recover
organization must create for customers,
employees, suppliers, investors, the Focusing on essential outcomes creates
community, and other stakeholder an outside-in perspective on resilience.
groups. They are not internal functions, It also focuses leaders on identifying
processes, assets, resources, or goals. broader methods of delivering those
They are what stakeholders want, outcomes rather than on capabilities.
need, and expect the organization Once those outcomes are identified
and its leadership to deliver. and agreed upon, leaders can look
to the external as well as internal
capabilities needed to deliver them,
regardless of silos or functions.
3 Resilience Reimagined: A practical guide

for organizations, 2021 Deloitte LLP and
Cranfield University.
02
22
Organizational Resilience must

become a True Strategic Priority
Although risk management Provide executive-level sponsorship Managers heading specific functions
Lack of organizational resilience may be may see resilience as comprising more
and crisis response remain traced to resilience not being considered traditional operational disciplines, such
essential elements in a strategic priority. Elevating it to that as cyber, data, and physical security.
level extends resilience beyond cyber, This may be reflected in only 16
resilience, organizational operational, and financial matters to percent of them seeing resilience as a
resilience must be given encompass environmental, social, strategic priority (although they may be
and governance (ESG), geopolitical, questioning executive-level sponsorship).
the highest strategic reputational, and similar concerns. Senior executives and their direct
priority. This resembles Although resilience is indeed a strategic reports more often cite the importance
the approach that many priority, our survey revealed that less of resilience as a strategic priority.
than 50 percent of CXOs agree that it is
organizations have taken considered as such in their organizations.
to risk itself.
Particularly after the 2008-2010 financial In your opinion, which statement best describes
crises, they elevated risk management to your organization’s current resilience capabilities?
a strategic priority. How? By appointing
chief risk officers, putting risk on the 50%
senior executive and board agendas, 46%
bolstering specific risk functions, and
investing in risk management and
40%
governance capabilities. Resilience
now warrants a similar approach. 34%
30%
20%
16%
10%
0%
Resilience is a strategic priority for the organization and
has executive-level sponsorship
CxO Direct report to CxO Head of department
Observations Consider appointing a chief

Senior leaders should be aware that resilience officer
organizational resilience may be limited A persuasive four-fifths of respondents
by seating resilience primarily in risk believe their organization should
functions, and address any resulting create a chief resilience officer role.
silo effects and disconnections. Belief in the potential value of a chief
Most organizations—at least half resilience officer held for a significant
according to this survey—need to majority of organizations across all
make resilience a strategic priority. industry sectors. Even in sectors that
This begins with the senior leadership less frequently cited the need for that
team, who are responsible for role, at least 70 percent supported
performance and growth and for the idea.
translating strategic priorities into
actionable initiatives. 6%
15%
Ways in which senior leaders can
accomplish this include building a
“culture of resilience” by translating
strategies for organizational resilience
into actionable mandates, creating
incentives and accountability for cross-
functional communication and resilience
initiatives, and integrating responsibility
for resilience into job descriptions and
performance reviews. Just as many 79%
organizations have driven responsibility
for risk management into activities and
In your opinion,
accountabilities for employees at all
should your organization
levels, a similarly intentional effort is
create a chief resilience
now needed for organizational resilience.
officer role in the
next five years?
Yes
No
Don’t know
24
Observations In your opinion, should your organization create

As was seen with the creation of the a chief resilience officer role in the next five years?
chief risk officer role over the past fifteen
years, executives may realize that one 84% 5%
way to elevate resilience as a strategic Life Sciences
priority would be to place a senior & Healthcare
executive in charge of it. An alternative
would be to extend the role of the chief 11%
strategy officer, where the responsibility
might best encompass responsibility 81% 5%
for organizational resilience. Another
option would be to extend the role Consumer & Retail
of chief risk officer in this direction,
although that could reinforce the
15%
association of resilience with risk
functions. While not a necessarily
81% 7%
a negative, that option may fail to
sufficiently differentiate resilience and Technology, Media
elevate it to a distinct strategic priority. & Telecommunications
13%
80% 8%
Energy, Resources
& Industrial
13%
74% 3%
Government
& Public Services
23%
74% 7%
Financial Services
20%
03
26
Geopolitical Threats should be

Addressed within Resilience
Trade wars and tariffs, These phenomena—along with Geopolitical incidents came next. Note
failures of public and private institutions that the percentage citing geopolitical
financial and economic to address them—create not only events (25 percent) was close to the
sanctions, mass migration widespread crises, but also an ongoing percentages citing natural disaster,
sense of instability, as if tectonic plates economic/financial, reputation, and
driven by climate are shifting beneath us. The potential extreme weather events.
change, disintegration for those crises and the reality of that
instability should be addressed in Organizations tend to have response
of international pacts, resilience plans and programs. teams dedicated to data and cyber
income inequality, energy- breaches as well as teams (including
Geopolitical forces warrant external resources) to mobilize for
market disruption, and
greater consideration natural disasters. They also have
war exemplify geopolitical Such forces fuel terrorism, mass a chief financial officer and staff
events that impact migration, protectionism, hot and to address economic/financial
cold war, political and economic incidents, and in-house and
organizations. disruption, and social unrest. In turn, external communication teams to
those developments foment strategic, respond to reputational incidents.
operational, financial, environmental,
people and reputational risk events Yet either with or, more usually,
that can impact the entire organization without dedicated resources, a quarter
and multiple stakeholders. of organizations had to respond to
geopolitical events.
Respondents were asked which
types of risk events (excluding Covid-19)
their organizations addressed with
dedicated response teams over the past
24 months. As expected, they most often
cited data security and cyber events,
followed by natural disaster, economic/
financial, reputation, and extreme
weather events.
Which scenarios did you mobilize for? Organizations are being

impacted by geopolitical events
Respondents’ rankings of these
scenarios for their impact were
59%
equally revealing. As with frequency,
Data security they ranked data and cyber security
events first and second, respectively.
38% However, geopolitical events ranked
Cyber fourth and for good reason—they
generate immeasurable uncertainty,
particularly as the pace and extremity
28%
of these events intensify.
Natural disaster
This underscores the effect that
27% geopolitical forces can have on today’s
organizations. In addition, political
Economic/financial
issues, and institutional degradation
within nations, driven by elected officials,
26% activists, state-sponsored entities,
Reputation or combinations of these parties,
are increasingly putting individual
organizations at risk.
26%
Extreme weather
25%
Geopolitical
21%
Health
(apart from COVID 19)
18%
Employee/welfare
14%
Terrorism
0% 10% 20% 30% 40% 50% 60%
28
Rank the scenarios from the most impactful at Observations

the top to the least impactful at the bottom. Until recently, executives in the
developed world and in much of
48% 35% 12% the developing world could assume
Data security that certain national and international
institutional conditions would remain
stable over investment and operational
44% 30% 17%
planning horizons. That assumption
Cyber is no longer be valid, even as
planning horizons have shortened.
Organizational leaders must
33% 30% 24%
acknowledge that geopolitical
Extreme weather forces such as income inequality,
political opportunism, nationalism,
and degradation of institutions
37% 30% 19%
threaten economic and cultural
Geopolitical structures that have long been taken
for granted. Those realities should
be factored into strategies, plans,
28% 32% 25%
and capabilities related to
Reputation organizational resilience.
33% 24% 29% Organizational leaders

Terrorism must acknowledge
that geopolitical forces
23% 33% 30%
have long been taken
Natural disaster
for granted.
31% 25% 26%
Economic/financial
24% 27% 27%
Major event
3 2 1
04
30
Organizations Welcome
the Role of Regulators
in Resilience
Executives with Two-thirds (67 percent)
responsibility for of organizations have
resilience recognize and been impacted by
respect the role that regulatory involvement
regulators play in resilience. in resilience, while
They understand that the 31 percent have not.
types of events that now
frequently occur and the
existential threats that they
pose are too large and
widespread for any single
organization to address.
Given the crucial role that regulators
played in the financial crisis of 2008-
2010 and during the Covid-19 pandemic
for, respectively, the financial services
and life sciences industries (and financial
and health care systems), that is as it
should be. However, some might argue
that regulators and the industry could
have done more to prevent those
events, particularly in the case of
the financial crisis. Nonetheless,
executives welcome regulatory
involvement in resilience.
31%
2%
Most organizations have experienced
regulatory impact on resilience
Two-thirds (67 percent) of organizations
have been impacted by regulatory
involvement in resilience, while 31
percent have not. Responses varied by
region and industry, yet as geopolitical
and ESG risk events become more
prevalent, regulators and governments
working through various agencies can be
expected to exert broader influence.
Has resilience in
your organization
been impacted by
regulatory change
in your industry?
67%
Yes No Don’t know
32
Has resilience in your organization been impacted by regulatory change in your industry?
92%
Nordics
8%
81% 2%
Southern Europe
17%
81%
Middle East
19%
74% 6%
South America
21%
71% 1%
Asia-Pacific
28%
67%
Belgium,
Netherlands &
Luxembourg
33%
64% 2%
North America
33%
56% 3%
Europe-other
42%
55%
Germany,
Austria &
Switzerland
45%
Organizations report positive 4%

experiences with regulators
In the context of resilience, organizations 3%
see regulation positively, quite likely
because it helps to clarify priorities 55%
by setting forth specific areas of focus,
objective goals, and clear reporting
requirements. Overall, more than 90
percent of organizations impacted by
regulatory change report that the
impact on resilience has been very
or somewhat positive. Only 3 percent
report negative impact.
What has been

the impact of this
regulatory change on
resilience in your
organization?
38%
Very positive Somewhat positive No impact Somewhat negative
34
What has been the impact of this regulatory change on resilience in your organization?
61%
India
39%
50% 8%
UAE
42%
46% 3%
US
50% 1%
46% 4%
Australia
46% 4%
45% 9%
Nordics
45%
44%
Saudi Arabia
56%
44%
Brazil
56%
44% 11%
Chile
44%
43%
Switzerland
57%
39% 11%
Italy
44% 6%
38% 4%
Canada
58%
36% 2%
China
60% 2%
30% 5%
France
65%
30% 10%
Germany
60%
Organizations use regulatory How have you aligned this regulatory

guidance in resilience change with your internal operations?
Organizations are not simply
giving regulators recognition; they 60% 57%
incorporate their guidance into their
internal operations. A total of about
three-quarters either align regulatory 40%
change with their internal operations
centrally (57 percent) or adopt guidance 23%
20% 19%
centrally and apply it incrementally
(19 percent).
Regardless of whether specific 0%

regulations have been designed for Adopted centrally and Adopted centrally Only applied at
their industry, organizations appear rolled out across all and being applied operations in
to be learning from other and adopting operations incrementally country/countries
and adapting practices emanating from where regulation
the regulatory community, either to plug applied
gaps or to achieve greater resilience.
Organizations welcome future Is there an appetite for this future

regulatory engagement in resilience regulatory involvement in your industry?
Across industries, a total of more than
34% 51%
80 percent of organizations indicate a Life Sciences
significant appetite or some appetite & Healthcare
for regulatory involvement. Again,
clear priorities, goals, and reporting 37% 58%
Energy, Resources
requirements enable organizations & Industrials
to focus and structure their resilience
investments and initiatives. Executives 39% 52%
also recognize that regulators possess Government
industry- and economy-wide views of & Public Services
threats and potential ways of
42% 41%
enhancing resilience.
Financial Services
43% 46%
Technology, Media &
Telecommunications
46% 46%
Consumer & Retail
Significant appetite Some appetite

36
Observations
Given their external perspective,
broad concerns, and deep expertise,
regulators should play a key role in
resilience. However, caveats are in order.
Traditionally, regulators focus mainly
on historical events and measurable
risks. They aim to prevent crises of a
known nature and to promulgate useful
standards and metrics. While their role in
resilience is essential, it is not sufficient.
Therefore, leaders might take regulatory

guidance as a starting point—or aim
to stay ahead of it, for example, as
companies do through voluntary carbon
emission goals and product safety
features—and never mistake compliance
for preparation. That said, organizations
and their industry groups should bear in
mind the value that regulators provided
to the financial services industry during
the 2008-2010 crisis and to life sciences
during the Covid-19 pandemic.
They should also look to previous crises,

and to failures in regulated markets for
lessons that may be applicable to future
crises in other industries. More broadly,
regulators can perhaps learn from each
other, as well as from previous crises
and failures.
05
38
Environmental, Social,
and Governance (ESG) Risks
Warrant Greater Attention
ESG encompasses a From the social perspective, they must
continually assess where they stand in
range of issues and, terms of their reputations, stakeholders’
with regard to resilience, expectations, and the impact of social
phenomena—ranging from changing
each issue can differ customer tastes to migration patterns
across organizations. to political issues—on the business
and its stakeholders. In terms of
Regarding environmental governance, organizations often face
issues, organizations challenges related to board composition,
must both defend and refreshment, and diversity and to
maintaining governance mechanisms
enhance value in the face robust enough to address the
of climate changes and complexity of the organization
and the risks posed to it.
resource constraints that
can affect their business Additionally, organizations should
consider both their role in generating
models, operations, and environmental and social changes and
stakeholders. the need to be resilient to those changes.
Only 18 percent of
organizations cite the ESG
function as having an active
role in resilience.
Elevate environmental, social, Do any other functions have an active role in contributing to resilience
and governance (ESG) concerns in your organization? Proportion of those selecting ESG, by sector.
Only 18 percent of organizations cite the
ESG function as having an active role in 15%
resilience. This calls into question the Technology, Media &
ability of the organization to identify, Telecommunications
monitor, respond to, and recover from
ESG risks and to preserve and build
reputational capital.
21%
Across industry sectors, only about Life Sciences
one-fifth of respondents (or less) & Healthcare
cite ESG as having an active role in
contributing to resilience. This translates
to ESG lacking sufficient representation
in discussions and decisions regarding
21%
resilience, certainly relative to operational, Government
financial, and cyber functions. However, & Public Services
ESG risks can have profound impact
on the operational, financial, cyber, and
reputational domains of the organization.
22%
Financial Services
17%
Energy, Resources
& Industrials
16%
Consumer & Retail
0% 5% 10% 15% 20% 25%
40
ESG will rise in importance but should do so quickly

Respondents expect ESG to rise in importance over the next five years, with some
seeing a good possibility that ESG could own resilience in their organizations within
that timeframe. This is reflected in ESG jumping from last place to eighth place in
having responsibility for resilience. While this will not likely be a broad trend, it is,
along with growing demand for ESG competencies (next subsection), an indicator of
the importance of ESG to resilience. However, that importance should be recognized
and acted upon much sooner rather than later within that five-year horizon.
Which function do you expect to own resilience

in your organization in five years time?
Resilience 01 01
CEO 02 02
Risk 03 03
CIO/CISO (Information Security) 04 04
COO 05 05
Crisis Management 06 06
Operations 07 07
Strategy 08 08
Corporate Affairs 08 09
Governance 10 10
Other 11 11
No overall owner 11 12
ESG 13 13
Responsible now Responsible in five years
Organizations will be Which resilience competencies do you expect to be

seeking ESG competencies seeking out in your resilience hires in two years time?
A good number of organizations
51%
intend to emphasize ESG in resilience. Risk Management
For example, about one-fifth (21 percent)
will be seeking ESG competencies in 37%
Cyber Security
their new hires over the next two years.
Note that these competencies edge 27%
Asset Management
out those related to disaster recovery,
crisis management, and operational 25%
Information Security
resilience—each of which fall within more
traditional definitions of and approaches 21%
to resilience. Those are also areas in Environ, Soc & Corp Gov
which organizations generally have
19%
stronger capabilities in place. Disaster Recovery
19%
Social responsibility can Crisis Management
severely impact reputation
In a related finding, organizations 19%
Operational Resilience
most often cited “social responsibility”
(which includes diversity, equity, and 0% 20% 40% 60%
inclusiveness, or DEI) as their chief
reputational concern—on par with the
quality of their services. This evidences Which reputational considerations do you expect
high awareness of the potential impact to be the most important in five years time?
of ESG practices on reputation and,
by extension, on stakeholders and, 48%
Social Responsibility
ultimately, on trust in the organization
and its leaders.
Quality of Services 46%
Vision & Leadership 33%
30%
Financial Performance
0% 10% 20% 30% 40% 50%
42
Observations
Different industries face different ESG
concerns, depending on the business
(such as energy and resources versus
financial services), key stakeholder
groups (social impact investors versus
private owners), and scope of operations
(domestic versus global). ESG also covers
a lot of ground—green practices within
the company and its supply chain, DEI
in the workforce and other stakeholder
groups, and executives’ public statements
and behavior. Moreover, a change in
stakeholder expectations can arise
quickly in any ESG area, amplified by
a highly charged media and political
environment; therefore, organizational
resilience strategies and capabilities
need to include ESG considerations.
When establishing resilience to ESG-

driven risks, organizations should
also take all reasonable steps to avoid
contributing to those events. A good
number of organizations are taking those
steps, for example through voluntary
commitments and proactive efforts. The
challenges of governance under these
circumstances support the notion of the
chief resilience officer. Also, organizations
can benefit by analyzing cause and effect
in these areas, which is seldom explicitly
conducted even though a substantial
number of ESG incidents enable that
kind of analysis.
06
44
Reputational Risks Demand

more Proactive Management
Particularly in an Reputational risks and Reputation management capabilities

communication capabilities are considered part of resilience by
atmosphere of widespread warrant higher priority only about one-fifth of respondents
uncertainty, institutional Organizations can lose sight of the broad in risk functions and one-third of those
expectations that stakeholders place on in non-risk functions. Those respective
instability, and ongoing them. Those expectations are continually percentages are even lower for
risk events, reputational shifting, often on very short notice and communication capabilities. We find
not uniformly across stakeholder groups, this concerning given that most
capital stands among so they need to be monitored and organizations are aware of the damage
an organization’s understood and responded to (or not) that reputational risks can do. This
most valuable assets. as needed. Note that most, although not finding indicates an often inwardly
all, reputational risks arise from the ways focused view of resilience and an
Therefore, reputation in which operational, financial, cyber, or underappreciation of the value of
and brand equity must other risks are handled (or not handled). reputation—and of communication
Therefore, senior leaders must gauge to stakeholders—during risk events.
be managed as such. and monitor the potential reputational Meanwhile, the reputational capital
impact of all potential risks for their of organizational resilience must be
Most organizations realize the impact on reputation. as strong as the other four.
importance of reputational capital,
but relatively few have been able to
address reputational risks in a fully
integrated manner. What competencies are currently considered
as part of resilience within your organization?
40%
33%
30%
26%
21%
20%
14%
10%
0%
Reputational management Communication
Risk Non-risk
(e.g. Cyber Security, (e.g. Finance, Strategy,
Risk management, Communications)
Business Continuity)
Reputational resilience should be Is "reputational resilience" a consideration

integrated into resilience planning of your resilience planning?
Only one-third of organizations
(32 percent) have specific activities Yes, there are specific 32%
underway to address reputation; activities/projects
29 percent have specific roles underway to address
encompassing this responsibility. some/all areas
That leaves a majority of organizations
not making that commitment—
with only 14 percent allocating 29%
related budget. Yes, specific roles
encompass this
Organizations expect investment responsibility
in reputation to increase
Despite the relatively low percentage
of organizations now allocating
14%
budget to reputational resilience,
an impressive majority—82 percent— Yes, specific budget
intends to do so over the next five years. is assigned
This raises issues of how they intend to
invest those funds, particularly given
that most are not currently investing
in reputational resilience. Useful 13%
investments generally include ongoing No, but anticipate
reputation monitoring and mechanisms inclusion in the future
that support proactive, meaningful
engagement with stakeholders
10%
No plans to include
resilience planning
2%
Don’t know
0% 10% 20% 30% 40%
46
15%
3%
Observations
Customers, employees, suppliers, and
investors have become highly sensitive
82% to the reputations of the organizations
they hold a stake in. This sensitivity
is reflected in the rapidly changing
Do you expect expectations that various stakeholder
your organization's groups bring to organizations.
investment in As many leadership teams have found,
reputational resilience reputation can change on very short
to increase over the notice, particularly given our media
next five years? (including social media) environment.
Therefore, reputational resilience
should be considered integral to
organizational resilience.
Proactive monitoring of stakeholder

100% expectations and management
Nordics of reputation, along with effective
communication plans and capabilities,
87% 2%
are needed to support resilience.
Asia-Pacific
Ongoing reputation management and
11%
86% consistent communications enable an
Germany, Austria organization to build reputational capital,
& Switzerland which tends to retain stakeholders’
14%
84% support at times when they might
Middle East otherwise seek alternatives.
16% Reputation reinforces resilience.
84% 8%
Southern Europe
8%
83% 4%
South America
13%
80% 6%
Europe-other
14%
77% 3%
North America
20%
Belgium, 67%
Netherlands Yes No Don’t know
& Luxembourg 33%
07
48
Digitalization can
Enable Resilience
As business models, Digitalization already plays a strong role in resilience

Digitalization has found its way into resilience, with more than two-thirds of
relationships, and executives citing usage of technology solutions across a broad range of related
transactions become ever activities. Specifically, two-thirds to about four-fifths of organizations have used
specialized technology solutions to support their responses to incidents in
more digitally based— the past 24 months.
and as the technologies
continue to advance— Did you utilize any specialist technology solutions
to support your response to these incidents?
digitalization will play an 69%
increasing role in resilience. Terrorism
75%
This stands to reason as data analytics,
Reputation
AI, and similar capabilities now
applied to operations can be naturally 74%
extended to resilience. Indeed, this has
Natural Disaster
already occurred. A strong majority
of organizations have used digital 79%
technologies in resilience, with most Major Event
either actively using or intending to
use them within the next three years. 73%
Health
The level of digital information within
(apart from COVID-19)
the organization combined with
74%
that available in the virtual world
can enhance the organization’s Geopolitical
understanding, preparation, 76%
monitoring, response, and recovery
Extreme Weather
related to crises. Given this, we see
digitalization as “the great enabler” of 66%
end-to-end organizational resilience. Employee/Welfare
72%
Economic/Financial
73%
Data Security
66%
Cyber
0% 20% 40% 60% 80%
Digitalization holds promises What digitization opportunities exist across

and perils your organization’s resilience strategy?
Almost all organizations currently use
or plan in the next three years to use 66% 6%
digital technologies to support resilience. Information
Note that most intend to implement Management
28%
even the three least-cited applications—
scenario modelling, situational 64% 5%
Employee
awareness, and digital twins. (The latter
Safety/Security
are virtual representations of entities or 31%
processes which can be used to more
64% 5%
accurately gauge the impact of incidents Mass Employee
on those entities or processes and of Communication
various preparations and responses.) 31%
Yet it is how an organization uses digital 60% 7%
capabilities to support resilience that will Supply Chain
impact its performance and success. Modeling
34%
54% 8%
Decision-making
Tools
38%
53% 8%
Asset Integrity
39%
50% 10%
Scenario
Modeling
41%
49% 8%
Situational
Awareness
43%
43% 14%
Digital Twin
43%
Currently in use
Not currently in use, but expected to be introduced within the next three years
Not currently in use, and don’t know about future use
50
Observations
These rates of adoption and applications
are promising. The perils lay in the
ways in which digital capabilities are
applied and whether they reinforce
siloed approaches and point-specific
solutions to the exclusion of facilitating
more integrated ones. When enhancing
approaches and capabilities,
organizations need to find ways to
clean and use the data they have rather
await “perfect” data. Digital technologies
can themselves be used in these efforts.
They can also be used to overcome the
persistent barriers to data integration
and distribution posed by the legacy
systems and myriad platforms prevalent
in most organizations. And they can
efficiently communicate and escalate
issues—all of which can be addressed
with the right resources.
08
52
Barriers to Achieving Greater

Resilience can be Overcome
Respondents (all of Observations Among those capabilities might

Most of the cited barriers to achieving be solutions to address the talent
whom were CXOs for this resilience lay within the organization. issue. For example, co-sourcing and
question) most often cited That’s good news. It is within managed services arrangements can
management’s—and the board’s— enable an organization to increase
scarcity of talent as the purview to elevate resilience as a or decrease capabilities as needed.
key barrier to achieving priority and to promulgate greater Those arrangements can also optimize
awareness of the discipline. Doing so investments in capabilities while
resilience. would likely lead to increased funding tapping the best available risk
for resilience capabilities. monitoring, advanced analytics,
This was closely followed by alternative
and rapid response technologies.
priorities being deemed more important,
and lack of organizational understanding
of resilience.
Lack of funding is a leadership issue What are the three biggest barriers to achieving organizational
The lack of funding cited by 44 percent resilience for your organization? CxO responses.
of respondents could very well stem
from lack of organizational awareness 60% 59%
57% 57%
and understanding of resilience. This lack
may even extend to senior executives
(the respondents to this question). If
so, it may be attributable more to the
44%
need for a new view of and approach
to resilience than to ignorance of the 40%
subject on their part. 36%
20%
0%
Scarcity Alternative Lack of Lack of Lack of senior
of resilience strategic organizational funding sponsorship /
talent priorities awareness / engagement
deemed more understanding
important / maturity
The Future,
and How to
Get There
Based on the findings of
this survey of executives with
responsibility for resilience,
we can chart a broad path
toward the goal of expanding
beyond operational resilience,
to organizational resilience.
54
In general, organizational
resilience will be:
Integrated Geopolitically aware Engaged with regulators

Organizations increasingly face risks A good number of organizations Industries facing challenges too massive
that can affect multiple functions and have been impacted by geopolitical for any single company to address (such
stakeholders as well as existential threats events, and we believe those issues as the automotive, financial services,
than can significantly impact value and warrant greater consideration. Very few life sciences, and healthcare industries),
the future ability to create value. To organizations relish political involvement, have turned to government agencies for
effectively address these events and nor do we recommend it; however, it’s assistance. Understanding regulators’
their impact, resilience can no longer be extremely useful to gauge the potential views of resilience, readiness, and
planned, resourced, and implemented impacts of geopolitical events on the resourcing requirements—as well as
in siloed functions. Also, in a very real organization and to prepare for them. where they see a need for action—
sense, resilience is, like risk management, can be extremely useful, as can
everyone’s job. Attuned to ESG cultivating mutually productive
Organizations expect to be focusing relationships with regulators. Also,
Strategic more on ESG as it relates to resilience. regulators of specific industries
Thinking of resilience strategically This calls for clarifying ESG policies and should be aware that organizations
places it on senior executive and board practices from the standpoint of the not only need but welcome clear,
agendas, where it belongs. This signals organization’s values, business, and current, forward-looking guidance
that resilience is not focused on playing stakeholder expectations, on the one regarding resilience.
defense and being reactive but on hand, and, on the other, ascertaining that
being agile and innovative enough to the organization maintains resilience in
profit from whatever comes next. This the face of ESG-related risks and events.
also helps to elevate resilience as an Given the nature of ESG—particularly
investment priority and to transform the environmental and social elements,
it into a more coordinated, forward- which can appear to lack immediacy—
looking, and proactive set of initiatives. the time to act is now rather than
It’s essential, however, for senior leaders “sometime” in the future.
to ensure that those initiatives drive
accountability for outcomes related
to resilience into the organization.
Very few organizations relish political
Outwardly focused involvement, nor do we recommend it;
While organizations currently look however, it’s essential to gauge the potential
outward to assess and monitor the
risk landscape and emerging risks, impacts of geopolitical events on the
they need to do so with greater organization and to prepare for them.
consistency and cross-functionality
when it comes to resilience. Many
incidents are in fact localized, but as
many organizations have found, given
today’s stakeholder views and media
atmosphere, even those can have far-
reaching impact.
The following specific capabilities can

assist a leadership team seeking
organizational resilience:
Enhanced risk monitoring Proactive reputation management Chief resilience officer
Risk monitoring capabilities should be Reputational capital is accumulated over We see four-fifths of respondents saying
extended beyond the usual types of years, but can be destroyed in days, their organizations should create a chief
risks and impacts that the organization or even hours. Proactive reputation resilience officer role as quite significant.
considers. Risk sensing capabilities management carefully monitors social It speaks to the need for senior executive
should be deployed to identify and media, the internet, and other sources engagement in resilience, elevation of
monitor emerging risks in areas outside to continuously gauge the organization’s resilience as a strategic priority, and,
as well as inside the organization’s usual reputation in the face of constantly quite possibly, greater visibility into
scope of operations. changing stakeholder expectations and resilience by the board.
emerging risks. Reputational resilience,
Extended scenario planning which is a capital equal in importance Co-sourcing and managed services
Scenario planning should be extended to people, operational, financial, and Enterprise-wide resilience has not
in similar ways. In addition, it should environmental resilience, must be been considered a core competency by
go beyond tabletop exercises limited actively developed across all most organizations. Depending on the
to specific functions to model a broad stakeholder groups. organization and its industry, aspects of
array of events and potential responses, resilience, such as operational, financial,
with the latter including actual dry runs. Rapid response capabilities or cyber resilience may have been
Scenario planning should also include Many organizations have developed considered core competencies, but
senior leaders rather than only risk rapid response capabilities for specific today’s needs are broader. Thus, they call
function leaders. functions to address specific risks, such for broader solutions delivered by people
as risks to IT infrastructure, operating with deeper skill sets using continually
Digital technologies facilities, and financial portfolios. updated processes and technologies.
Data mining, analytics, and visualization However, end-to-end, enterprise-wide Few organizations find it economical to
technologies can power risk monitoring capabilities, perhaps supported by a maintain those resources, which means
and reporting while digitalization, AI, dedicated response center or a project that co-sourcing solutions and managed
and digital twins can also be harnessed management office that can be quickly services arrangements can be worth
to provide predictive insights, coordinate stood up, are far less common. But those considering from both the talent and
responses, and execute communications capabilities have become essential to technology perspectives.
across silos, supply chains, and organizational resilience.
stakeholder groups.
Reputational resilience, which is a capital equal

in importance to people, operational, financial,
and environmental resilience, must be actively
developed across all stakeholder groups.
56
Opportunities Abound
Times of widespread That is also why organizations An environment of

developed resilience capabilities.
cultural, technological, Yet those capabilities have traditionally unpredictability and
geopolitical, and been geared to known risks limited widespread impact
by geography, industry, or resource
environmental disruption scarcity. Today, however, an environment
prevails. Senior executives
present as many of unpredictability and widespread and the board are
impact prevails. In addition, innovation in
opportunities as they technologies and business models can
responsible for enabling
do risks. However, most now present risks in that it can render both the organization
organizations plan for an organization—or an entire industry—
and its stakeholders to
woefully outmoded or even obsolete.
and thrive under The flip side is that resilient organizations thrive in the face of
stable conditions. can not only prevail but generate new these threats.
value in this environment.
Yet even during times of stability,
investing in technology, facilities, Senior executives and the board are
equipment, and talent presents responsible for enabling both the
tremendous uncertainty. That is why organization and its stakeholders to
the management sciences developed thrive in the face of these threats. The
so many methods of mitigating risk— time to enable them to do so is now.
insurance, hedging, diversification,
and so on.
58
Authors
Nathan Spitse
Eddie Chiu
Global Crisis & Resilience Lead,
Partner and Report Contact,
Partner and Report Author,
Risk Advisory, Deloitte China
Risk Advisory, Deloitte Canada
eddchiu@deloitte.com.cn
nspitse@deloitte.ca
+86 108 520 7110
+1 416 874 3338
Tim Johnson
Jean-Francois Allard
NSE Crisis & Resilience Lead,
Partner and Report Contact,
Partner and Report Author,
Risk Advisory, Deloitte Canada
Risk Advisory, Deloitte United Kingdom
jeallard@deloitte.ca
timjohnson@deloitte.co.uk
+1 514 393 7147
+44 207 303 0746
Abigail Worsfold Jose Maria Fernandez Lachica

Director and Report Author, Director and Report Contact,
Risk Advisory, Deloitte United Kingdom Risk Advisory, Deloitte Spain
aworsfold@deloitte.co.uk jfernandezlachica@deloitte.es
+44 207 007 4663 +34 912 926 914
Damian Walch
Managing Director and Report Contact,
Risk Advisory, Deloitte United States
dwalch@deloitte.com
+1 312 486 4123
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its
network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent
entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. Please see www.deloitte.com/about to
learn more about our global network of member firms.
Deloitte provides audit & assurance, consulting, financial advisory, risk advisory, tax and related services to public and private
clients spanning multiple industries. Deloitte serves four out of five Fortune Global 500 ® companies through a globally connected
network of member firms in more than 150 countries and territories bringing world‑class capabilities, insights and service to
address clients’ most complex business challenges. To learn more about how Deloitte’s approximately 264,000 professionals
make an impact that matters, please connect with us on Facebook, LinkedIn, or Twitter.
This communication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms, or
their related entities (collectively, the “Deloitte network”) is, by means of this communication, rendering professional advice or
services. Before making any decision or taking any action that may affect your finances or your business, you should consult
a qualified professional adviser. No entity in the Deloitte network shall be responsible for any loss whatsoever sustained by any
person who relies on this communication.
© 2022. Deloitte Global Risk Advisory
Designed and produced by Doublelix. 05045

01 Global Resilience Report October 2022 WC

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

01 Global Resilience Report October 2022 WC

Uploaded by

Copyright:

Available Formats

Toward True

01. Organizations need to Accelerate their 16

02. Organizational Resilience must 22

03. Geopolitical Threats should be 26

04. Organizations Welcome the Role 30

05. Environmental, Social, and Governance 38

06. Reputational Risks Demand 44

07. Digitalization can Enable Resilience 48

08. Barriers to Achieving Greater 52

The Future, and How to Get There 54

Deloitte’s Global Resilience Report:

Our survey respondents comprise a Key sample 24% Americas

Consumer & retail

1,000-4,000 people 22% Risk function

Direct reports into CxO/board-level management

The Five Capitals of

People resilience Reputational resilience

2 Resilience Reimagined: A practical guide

A deficiency in any single one of the five capitals can

The following are the key findings

Until recently, Organizations need to achieve Geopolitical threats

Regulators have proven that they can play an essential

Digitalization can enable resilience Barriers to achieving greater

In your opinion, which statement best describes

Organizations lack a common Is there a common understanding/deﬁnition

Collaboration can be enhanced by shifting

risk and crisis management. Interestingly, Issues

Collaboration can be enhanced by 23%

enhance enterprise-wide • Breach a legal or contractual

changing conditions. • Fail to provide what stakeholders

3 Resilience Reimagined: A practical guide

Organizational Resilience must

CxO Direct report to CxO Head of department

Observations Consider appointing a chief

Observations In your opinion, should your organization create

Geopolitical Threats should be

Which scenarios did you mobilize for? Organizations are being

0% 10% 20% 30% 40% 50% 60%

Rank the scenarios from the most impactful at Observations

33% 24% 29% Organizational leaders

24% 27% 27%

Yes No Don’t know

Organizations report positive 4%

What has been

Very positive Somewhat positive No impact Somewhat negative

Organizations use regulatory How have you aligned this regulatory

Regardless of whether specific 0%

Organizations welcome future Is there an appetite for this future

Signiﬁcant appetite Some appetite

Therefore, leaders might take regulatory

They should also look to previous crises,

0% 5% 10% 15% 20% 25%

ESG will rise in importance but should do so quickly

Which function do you expect to own resilience

CIO/CISO (Information Security) 04 04

Responsible now Responsible in ﬁve years

Organizations will be Which resilience competencies do you expect to be

Vision & Leadership 33%

0% 10% 20% 30% 40% 50%

When establishing resilience to ESG-

Reputational Risks Demand

Particularly in an Reputational risks and Reputation management capabilities

Reputational resilience should be Is "reputational resilience" a consideration

01. Organizations need to Accelerate their 16

02. Organizational Resilience must 22

03. Geopolitical Threats should be 26

04. Organizations Welcome the Role 30

05. Environmental, Social, and Governance 38

06. Reputational Risks Demand 44

07. Digitalization can Enable Resilience 48

08. Barriers to Achieving Greater 52

2 Resilience Reimagined: A practical guide

3 Resilience Reimagined: A practical guide