Real-World Operational Resilience Examples

Real-world operational resilience examples – Nokia, Shopify, and Maersk


Organizations all over the world have faced increasingly complex GRC challenges over the last decade, including cybersecurity threats, supply chain disruptions, a shortage of highly skilled staff, and regulatory upheaval, among many others. The ability of organizations in every industry to adapt to, manage, respond to, and recover from these challenges is a vital part of their future success.

Reviewing real-world operational resilience examples helps us understand where risks arise and how companies are responding to them, both successfully and unsuccessfully.


What is operational resilience?


When discussing operational resilience, the key definition is simple: it is an organization’s ability to withstand and recover from disruptions and shocks. In practice, it also encompasses the ability to prepare for, prevent, detect, respond to, recover from, and learn from disruptions to organizational operations.

How is this being accomplished by organizations operating in the real world and facing real-world challenges? We’ll now look at three examples – Nokia, Shopify, and Maersk.

Read more: Operational Resilience


Real-world operational resilience examples


1. Nokia


Our first operational resilience example is Nokia, which demonstrates the consequences of not having a strong operational resilience framework. Before 2007, Nokia was the top mobile phone manufacturer in the world. It built affordable, functional mobile phones that made it wildly successful, outstripping even its own targets for market share and revenue. However, Nokia was highly reliant on its hardware positioning and was reluctant to adapt to market forces that were demonstrating the growing importance of smartphone software.

In 2007, iOS and Android were introduced to the market, giving Nokia stiff competition. Yet Nokia failed to respond, despite seeing a gradual decline in its sales over the following three-year period. This lack of adaptability to external pressures, combined with an inability to innovate, led to a free fall in both capabilities and market share. Eventually, Nokia was sold to Microsoft in 2013, a short five years after being the dominant mobile company in the world.

A lack of operational resilience


Operational resilience is the ability to anticipate, plan for, and manage these kinds of external pressures, and it was this lack of resilience that led to the collapse of Nokia. As an organization, it was unable to identify changing market forces in a timely fashion. By the time it finally recognized these pressures, and the impact that market disruption was having on its ability to deliver key products and services, the disruption had gone beyond what Nokia was able to tolerate. Ultimately, it was unable to recover.

If, instead, Nokia had implemented a full operational resilience framework, it would have been better positioned to recognize the disruption and act quickly with steps to mitigate its negative impacts. Because it was unable to adapt quickly, it suffered large losses that led to its failure within a very short time frame.


2. Shopify


In contrast to Nokia, Shopify is a shining example of operational resilience. The COVID-19 experience showed organizations around the world that they needed to update their day-to-day operating models, and one of the most prevalent changes was the shift to remote and hybrid working.

While a disruption of the magnitude of COVID-19 was unprecedented, smaller disruptions that require work-from-home capability have plenty of precedent, and firms that took this ‘rare-but-plausible’ risk seriously were better able to weather the pandemic. Shopify is an excellent example of this risk management and operational resilience strategy.

Digital by default


In May 2020, the Canada-based company announced that it would be “digital by default” going forward. Shopify’s CEO, Tobias Lütke, stated that the company would adopt a remote-first hybrid setup that allowed the majority of its workforce to carry out their roles from home. This change is widely regarded as having been smooth and nearly seamless for Shopify, because the necessary elements were largely in place already.

Shopify had already faced a similar disruption when it began serving more international merchants across widely spread time zones. Many of its customer support representatives had to work alternative shifts in order to cover those time zones, and the company found that working graveyard shifts in an office environment was having a negative impact on its workforce. Importantly, attrition was rising within that segment of its employee base. Shopify adapted to that pressure by implementing remote and hybrid working arrangements.


Small disruptions prepared them for large disruptions


Shopify had a risk management framework in place that allowed it to identify the human resource risk associated with working the graveyard shift, and it changed its operations accordingly, becoming a more resilient company. The same adaptability came into play when it faced the much larger and more widespread COVID-19 disruption, which it was then able to manage with skill and ease. Today most of its employees work remotely on a permanent basis, and will likely continue to do so.

3. Maersk


Maersk is an operational resilience example of an organization that failed initially but ultimately succeeded, with the added benefit of identifying key lessons for the future. In 2017, Maersk, the Danish transport and logistics company best known for its shipping containers, suffered a catastrophic malware attack. The attack compromised or destroyed nearly all of the company’s systems and applications and wiped out access to almost all of its data.

This was a disruption for which the company was not prepared. The NotPetya malware, as it has been named, took hold through the ubiquitous Ukrainian tax software MeDoc. In the end it destroyed all end-user devices, including 49,000 laptops; all 1,200 applications were inaccessible and 80% were fully destroyed; and while data was preserved on backups, it could not be restored because it would have been immediately reinfected. The malware also wiped out all communications and contact lists, which hampered management of the disruption, and took out the networks, directories, and all the technology that controlled cloud access and services.

Like many asset-based businesses, Maersk did not have a risk management strategy in place to deal with a cyber attack on this scale. Its recovery plans simply did not account for the global destruction of all operations.


Initial recovery


Maersk was able to recover thanks to the frameworks it did have in place and a lucky break. Its culture of open communication saw it share the reverse-engineered malware as soon as it became available. This openness had built trust with partners, and when the time came, Maersk was able to use those partner networks to bring systems back online. It also had the agility to bring on 3,000 additional staff to support the rebuild. Finally, the lucky break: it was able to retrieve an undamaged copy of its directory from the Maersk office in Nigeria, which had been protected from NotPetya by a timely power outage in Lagos.

Ultimately, relying on its own capabilities and those of its network helped Maersk to recover quickly. But the cost was still between $250 and $300 million.


Operational resilience lessons


Maersk today runs its operational resilience framework quite differently. It now assumes that organization-level attacks will be 100% successful, and that prevention alone is not an effective enough strategy. Instead, Maersk has updated its operational resilience framework to include automated detection and response elements and a more integrated partnership between management, IT, and cybersecurity generally. It also drives initiatives to make all 88,000 employees more cyber-aware, from those manning the ports to those building the firewalls.


Elements of a forward-facing operational resilience platform


Operational resilience begins and ends with understanding and managing risk, and a risk management platform like TriLine GRC by Ansarada helps you do that. As Maersk discovered, disruptions will occur, and prevention alone is no longer good enough: an automated detection and response system and a well-trained, communicative workforce are vital. Nokia’s story shows that access to consistent data, and a strong analysis process to detect and understand market changes, is the key to being prepared. And as Shopify showed, a flexible, responsive system built during times of limited disruption leaves an organization better prepared for times of widespread disturbance.

As an organization, you will need to create an operational resilience framework that takes a holistic view of your business, operations, finances, governance, regulation, compliance, and information security. This full-spectrum business mapping must be backed by stringent scenario testing and regular organizational assessments to ensure that your framework is robust enough to withstand the uncertain world we operate in today. You must also accept that disruptions will happen, and understand your own tolerance for that disruption.

Read more: Impact Tolerance Operational Resilience


TriLine GRC by Ansarada can help by:


  • Significantly improving the way GRC data is gathered, stored, curated and linked
  • Creating a single source of GRC data and processes for the entire organization
  • Connecting data points within the entire organization to eliminate risk silos and improve organization-wide understanding
  • Enhancing GRC data flows to ensure fast and accurate reactions
  • Automating GRC processes to reduce compliance and operational risks
  • Managing GRC workflow
  • Identifying and tracking regulation and emerging risks
  • Embedding operational resilience processes within GRC, including assessments, tracking, linking risks and controls and more
  • Enhancing overall control effectiveness
  • Providing timely and accurate information to stakeholders, including reporting and financial information
  • Running scenario analysis to test ‘what if’ events


Be confident you're prepared for every scenario

Book a demo of TriLine GRC's Operational Resilience software today.