Real-world operational resilience examples
Learn from these real-world examples of operational resilience, including Nokia, Shopify and Maersk.
What is operational resilience?
Organisations all over the world have faced increasingly complex GRC challenges over the last decade. This includes threats to cybersecurity, supply chain disruptions, a lack of highly-skilled human resources, and regulatory upheavals, among many others. The ability of organisations within all industries to adapt to, manage, respond, and recover from these challenges is a vital part of successful outcomes into the future.
Reviewing real-world operational resilience examples can help us to understand where risks may arise and how companies are responding to those both successfully and unsuccessfully.
Definition of operational resilience
When discussing operational resilience, the key definition is simple: it is an organisation’s ability to withstand and recover from disruptions and shocks. In practice, it also encompasses the ability to prepare for, prevent, detect, respond to, recover from, and learn from disruptions to organisational operations.
How is this being accomplished by organisations operating in the real world and facing real-world challenges? We’ll now look at three examples – Nokia, Shopify, and Maersk.
1. Nokia
Our first operational resilience example is Nokia, which demonstrates the negative results of not having a strong operational resilience framework. Before 2007, Nokia was the top mobile phone manufacturer in the world. As an organisation it was creating affordable, functional mobile phones that helped it to be wildly successful, outstripping even its own targets in terms of market share and revenue. However, Nokia was highly reliant on its hardware positioning. It was reluctant to adapt to market forces that were demonstrating the importance of smartphone software.
In 2007, iOS and Android were introduced to the market, which gave stiff competition to Nokia. Yet, Nokia failed to respond despite seeing a gradual decline in their sales over the following three-year period. In fact, the lack of adaptability to external pressures, and the inability to innovate, led to a free fall in terms of capabilities and market share. Eventually, Nokia was sold to Microsoft in 2013, a short five years after being the dominant mobile company in the world.
A lack of operational resilience
Operational resilience is the ability to anticipate, plan for, and manage these kinds of external pressures, and it was this lack of resilience that led to the collapse of Nokia. As an organisation, it was unable to identify changing market forces in a timely fashion. By the time it finally recognised these pressures, and the impact that market disruption was having on its ability to deliver key products and services, the disruption had gone beyond what Nokia was able to tolerate. Ultimately, it was unable to recover.
If, alternatively, Nokia had implemented a full operational resilience framework, it would have been better positioned to recognise the disruption and act quickly with steps to mitigate its negative impacts. Because it was not able to adapt quickly, it suffered large losses that ultimately led to its failure within a very short time frame.
2. Shopify
In contrast to Nokia, Shopify is a shining example of operational resilience. The COVID-19 experience has shown organisations around the world the need to update their day-to-day operating models. One of the most prevalent is the remote and hybrid working environment.
While a disruption of the COVID-19 magnitude was unprecedented, smaller disruptions that could require working-from-home capabilities have a great deal of precedent, and firms that took this ‘rare-but-plausible’ risk seriously were better able to weather the pandemic disruption. Shopify is an excellent example of this risk management and operational resilience strategy.
Digital by default
In May 2020, the Canada-based company announced that it would be “digital by default” going forward. Shopify’s CEO, Tobias Lütke, stated that it would be taking on a remote-first hybrid setup that allowed the majority of its workforce to carry out their roles from home. This change is widely lauded as having been smooth and nearly seamless for Shopify, because the necessary elements were largely in place already.
Shopify had already faced a similar disruption when it began to serve more international merchants across widely spread time zones. As a result, many of its customer support representatives found themselves having to work alternative shifts in order to cover all the different time zones. However, the company found that working these graveyard shifts in an office environment was having a negative impact on its workforce; notably, attrition was on the rise within that segment of its employee base. So it adapted to that pressure and implemented remote and hybrid working arrangements.
Small disruptions prepared them for large ones
Shopify had a risk management framework in place that allowed it to identify the human resource risk associated with working the graveyard shift, and it was therefore able to change its operations to become a more resilient company.
This same adaptability came into play when it faced the much larger and more widespread COVID-19 disruption, which it was then able to manage with skill and ease. Today most of its employees permanently work remotely, and will likely continue to do so.
3. Maersk
Maersk is an operational resilience example that failed initially but ultimately succeeded, with the added benefit of identifying key lessons for the future. In 2017, Maersk, the Danish transport and logistics company best known for its shipping containers, faced a catastrophic malware attack. This attack compromised or destroyed nearly all of the company’s systems and applications while also wiping out access to almost all of its data.
This was a disruption for which the company was not prepared. The NotPetya malware, as it has been named, took hold through the ubiquitous Ukrainian tax software MeDoc. In the end it destroyed all end-user devices, including 49,000 laptops; all 1,200 applications were inaccessible and 80% were fully destroyed; and while data was preserved on backups, it could not be restored because it would have been immediately reinfected. It also wiped out all communications and contacts, which hampered management of the disruption, and took out the networks, directories, and all the technology that controlled cloud access and services.
Like many asset-based businesses, Maersk did not have a risk management strategy in place to deal with a cyber attack on this scale. Its recovery plans simply did not account for the global destruction of all operations.
Initial recovery
Maersk was able to recover due to the frameworks it did have in place and a lucky break. This included its trend towards open communication, which saw it share the reverse-engineered malware as soon as it became available. This open communication and sharing allowed it to build trust with partners and, when the time came, it was able to use these partner networks to bring systems back online. It also had the agility to bring on 3,000 additional staff to support the rebuild. Finally, it had a lucky break in that it was able to retrieve an undamaged copy of its directory from the Maersk office in Nigeria, which had been protected from NotPetya by a timely power outage in Lagos.
Ultimately, relying on its own capabilities and those of its network helped Maersk to recover quickly. But the cost was still between $250-300 million.
Operational resilience lessons
Maersk today runs its operational resilience framework quite differently. It now assumes that organisational-level attacks are going to be 100% successful, and that prevention alone is not an effective enough strategy. Instead, Maersk has updated its operational resilience framework to include automated detection and response elements and a more integrated partnership between management, IT, and cybersecurity generally. It also drives initiatives to educate all 88,000 employees to be more cyber-aware, from those manning the ports to those creating the firewalls.
Elements of a forward-facing operational resilience platform
Operational resilience begins and ends with understanding and managing risk, and a risk management platform like Drova helps you do that. As Maersk discovered, disruptions will occur, and prevention alone is no longer good enough; an automated detection and response system and a well-trained, communicative workforce are vital. Nokia learned that having access to consistent data, and a strong analysis process to detect and understand market changes, is the key to being prepared. And as Shopify showed, a flexible, responsive system in times of limited disruption is essential to being better prepared for times of widespread disturbance.
As an organisation you will need to create an operational resilience framework that takes a holistic view of your business, operations, finances, governance, regulation, compliance, and information security. This full-spectrum business mapping must be backed by stringent scenario testing and regular organisational assessments in order to ensure that your framework is robust enough to withstand the uncertain world that we operate in today. You must also accept that disruptions will happen, and understand your own tolerance for that disruption.
Drova can help by:
- Significantly improving the way GRC data is gathered, stored, curated and linked
- Creating a single source of GRC data and processes for the entire organisation
- Connecting data points across the entire organisation to eliminate risk silos and improve organisation-wide understanding
- Enhancing GRC data flows to ensure fast and accurate reactions
- Automating GRC processes to reduce compliance and operational risks
- Managing GRC workflow
- Identifying and tracking regulation and emerging risks
- Embedding operational resilience processes within GRC, including assessments, tracking, linking risks and controls, and more
- Enhancing overall control effectiveness
- Providing timely and accurate information to stakeholders, including reporting and financial information
- Undertaking scenario analysis to test ‘what if’ events