Resilience & Vulnerability In Practice: Tata, Majid Al Futtaim, and Dow Chemical

11/17/20225 min read

Reeves and Whitaker (2020) define organisational resilience as “a company’s capacity to absorb stress, recover critical functionality, and thrive in altered circumstances”. This echoes the position adopted by the Intergovernmental Panel on Climate Change (‘IPCC’), which equates resilience with the “ability of a system and its component parts to anticipate, absorb, accommodate, or recover from the effects of a hazardous event in a timely and efficient manner, including through ensuring the preservation, restoration, or improvement of its essential basic structures and functions” (IPCC, 2011).

According to Reeves and Whitaker, therefore, a resilient organisation will not only identify and manage known risks but also deal with “unidentified risks,” and “it must consider the adaptations and transformations a company must make to absorb environmental stress and even turn it to advantage” (Reeves and Whitaker, 2020).

In the epicentre of the COVID-19 pandemic, India’s Tata Motors responded by expediting “the adoption of digital technology”. Its erstwhile CEO Guenter Butschek, speaking with McKinsey, said that “every business unit and function in Tata Motors designed and created their own virtual forums and platforms for engaging with stakeholders,” in order to “minimize physical interactions”; Tata also launched and fast-tracked “an integrated, end-to-end digital sales channel that lets customers arrange everything in a contactless way” (McKinsey, 2020). The company also “deployed a comprehensive business-continuity plan to manage the survival phase, the restart, and now the fast-track recovery” (McKinsey, 2020).

In my view, both the accelerated adoption of digital technology for interacting in a contactless or remote manner and the heightened focus on business continuity plans are highly effective resilience-building measures. Both strategies were common across industries and regions from 2019 to 2021, and have persisted to this day in various iterations. Applying Reeves and Whitaker’s elements of absorption, recovery, and thriving, both pathways possess suitability for immediate use (thereby absorbing stress and facilitating recovery), longevity for future application and modification (enabling the organisation to thrive), and the potential for new opportunities (thriving).

Shopping mall, retail, and leisure group Majid Al Futtaim closed a number of its cinemas at the height of the pandemic and redeployed 1,000 cinema workers to grocery stores. According to CEO Alain Bejjani, the group was “able to leverage our prior investments in our people infrastructure and system, and create an opportunity for them to continue working in a meaningful way that gave them a sense of purpose. People jumped at the chance to contribute to the pandemic response and support the business” (McKinsey, 2022). Majid Al Futtaim applies resilience thinking by “improving engagement with the communities in which [they] operate,” by “[bringing] hope, inspiration, and a sustainable future—with net-positive, not just net-zero, efforts to reduce greenhouse gases—to [their] communities,” by “[creating] jobs that help people build their futures, have families, and educate their kids,” and by continuing “to innovate to stay relevant to its stakeholders”.

The cinema-grocery pivot was an example of effective application of resilient thinking. Applying Reeves and Whitaker’s trifecta of elements, the decision addressed both immediate exigencies (thereby absorbing stress), and future scenarios by retaining and continue to engage with and value workers (recovery and thriving). Community engagement, emission reduction, job creation, and continual innovation are also effective long plays which reduce present tensions (absorption), ensure security of the organisation’s internal and external environment (recovery and thriving).

In their 2014 study, Fiksel, Polyviou, Croxton, and Pettit conceptualized vulnerabilities in the supply chain sector as disruptions, weaknesses, or gaps, which are in turn compensated by capabilities. The major categories of supply chain vulnerabilities are turbulence, deliberate threats, external pressures, resource limits, sensitivity and complexity of production, and connectivity within the supply chain (Fiksel et al, 2014). In this framing, and in alignment with the outcome-based approach to vulnerability as outlined by O’Brien et al (2007), vulnerability is a negative outcome which is to be mitigated and/or corrected.

Fiksel et al (2014) developed a supply resilience assessment and management (SCRAM) matrix for business use, which “represents a systems view of supply chain dynamics,” by identifying “linkages between specific vulnerabilities and capabilities, enabling [them] to suggest proactive strategies for improvement.” From 2010 to at least 2014, Dow Chemicals Co. implemented the SCRAM tool in more than 20 of its business units. The company built a simulation model to test the consequences of disruption scenarios related to certain glycol ether products, “and was able to confirm a 95% service level with its existing capabilities” (Fiksel et al, 2014). Further, the same analysis “revealed opportunities for reduction of fixed assets and working capital, resulting in $1.1 million in annual savings” (Fiksel et al, 2014).

A significant subset of vulnerability thinking in the organizational landscape is vulnerability management, specifically software vulnerabilities. According to CrowdStrike, a NASDAQ-listed cybersecurity company, vulnerability management within this meaning comprises “the ongoing, regular process of identifying, assessing, reporting on, managing and remediating cyber vulnerabilities across endpoints, workloads, and systems” (CrowdStrike, 2022).

Corporate investigation and risk consulting firm Kroll worked with an undisclosed private equity client on a vulnerability assessment which highlighted the need for “stronger defensive measures” given the client's inability “to adequately protect itself against some common malware attacks” (Kroll). After delineating “16 specific vulnerabilities that were considered “high severity” as defined by potential business impact,” the proposed solution was “a layered defense strategy along with additional logging that could provide significant evidence if there was a breach” (Kroll).

Dow’s application of the concept of outcome vulnerability involved ascertaining potential vulnerabilities and avoiding future vulnerabilities, thereby mitigating underlying causes of weaknesses and correcting erroneous practices. On the assumption that one key indicator of business effectiveness is an increase in savings or profits, then the identification of the opportunity for substantial savings warrants the conclusion that Dow was indeed effective in applying vulnerability thinking in practice. Similarly, for Kroll’s private equity client, the connection between potential business impact and specific vulnerabilities could be described as an effective way of saving on (amongst others) financial, systemic, and reputational costs that would otherwise be incurred in the rectification of the damage caused by a severe malware attack.

References: