Addressing the Complexity of a Business Resiliency Program
Eric Bonnell, SVP, Director of Enterprise Risk Management, First Financial Bankshares
I was always good at mathematics, especially abstract mathematics. So engineering, a more practical profession, ended up not being for me. When I decided to switch majors in my sophomore year from engineering to computer science, I took a year off from Manhattan College and spent it at Westchester Community College. There, I finished my Calculus courses and took most of the humanities courses that were required to return to Manhattan under the Arts and Sciences curriculum. Upon my return, Computer Science was then under the Mathematics Department, and I took almost every course they had for my major, along with advanced mathematics courses, such as Linear Algebra, and also had some time for pleasure courses, making me just shy of a minor in Mathematics, Philosophy, and Theology.
While at the community college, I had a difficult Philosophy I (Classical Western Philosophy) professor, Dr. Stanley Behr, who in Philosophy II (Modern Western Philosophy), became a good friend (he was kinder if you made it through his Philosophy I “boot camp”). I also befriended my Statistics professor, Dr. John Loase, whom I assisted in his work on what he called “sigfluence”, which he describes throughout his books as the long-term positive impact a person has on others. I matured significantly this year, and these two professors had that sigfluence on me. I credit them with providing me, in part, with the experience and wisdom that I needed to build corporate crisis management, business continuity, and even pandemic programs.
A key premise of Aristotle’s philosophical theory is that the world moves through a series of causes and effects. In short and simple terms, he identifies four causes to each effect:
1. Material Cause — the physical manifestation of the substance causing the cause (e.g., wood, metal, plastic, etc.)
2. Formal Cause — the nature or form of the substance causing the cause (e.g., chair, hammer, tree, etc.)
3. Efficient Cause — the agent, force, or energy that causes the cause (e.g., “he pushed me”, “lightning struck it”, etc.)
4. Final (or End) Cause — the intended impact of the cause (e.g., “I fell down”, “it caught fire”, etc.).
I perceive the first three above to describe the root cause of an impact (or the cause with likelihood), and the last one to describe the impact (from which you can measure the perceived level of impact).
But the world is not this simplistic. Cause and effect are subject to multivariable analyses to describe reality. We saw it in trying to model sigfluence as we discussed the variables that Dr. Loase wanted to test to see if they correlated to people with strong sigfluence (e.g., were these people in particular careers, did age, title, or salary contribute to this quality, etc.). As it turns out, this multivariable analysis is significant in understanding the different types of business impact caused by different events.
In 2023, we saw this play out as several banks were not prepared for the need to generate enough capital to cover negative events, such as not managing loan and investment concentration levels (putting all the eggs in one basket), which led to a deficiency in meeting financial responsibilities. Many banks were scrutinized for not having a sufficient level of liquidity to cover their obligations. But is putting more capital in place always the remedy? Perhaps the management of credit concentration to diversify the portfolio may be a more dynamic and risk-based response. Perhaps checking the decisions being made to generate business against risk appetite and tolerance is a prudent preventative control. While perhaps the correct answer for some banks, it has been noted by many banks that the knee-jerk reaction to generate more capital as a blanket fix likely causes other impacts to business operations. For example, to generate capital, many banks reduced their workforce or cut other improvement initiatives as a way to quickly meet the requirements being imposed upon them. In some if not many cases, other efforts might have had less negative impact and may have even provided better advantages.
The events of 2023 are more complicated than I am even describing here, and I acknowledge that I am generalizing, but this is only meant to illustrate that more awareness, transparency, and thought are truly needed to find a good balance of risk and reward. As I often coach during crisis management planning, we are best served by assessing scenarios and addressing the probable occurrences before the plausible, and then the possible, prioritizing these by potential impact.
While real life is complex, understanding it and prioritizing actions to be resilient does not need to be daunting if you break the program down into manageable components. The prudent analysis of cause and effect and related risk-based contingency planning helps companies build business resilience.
Your Enterprise Risk Management team can help you assess potential risks and impacts of key scenarios so that you can build structure, plans, and processes to address and strengthen the company’s business resilience. A formal Business Resilience program would provide governance for the following contingency planning components:
1. Identifying threats to strategic execution and business operations, including:
   - Approval of projects that do not support strategic planning or have not been fully vetted for return on investment
   - Lack of capital and liquidity standards
   - Potential economic changes that might impact portfolio concentration, investment performance and diversification, market risk, and pricing risk
   - Operational performance issues caused by unforeseen outages (internal or third party), lack of sufficient resources, employee turnover and loss of knowledge and experience, physical and environmental impacts, and other operational outages and negative impact
   - Inferior performance by third parties
   - Improper decision-making due to reliance on faulty or outdated models
   - External factors, such as political changes, industry changes (i.e., competition, updated regulatory requirements, etc.), pandemics, etc.
2. Establishing a Crisis Management protocol to activate the required team to assess, manage, and communicate crisis events, incidents, and operational events.
3. Building plans that address different event types (i.e., pandemic, cybersecurity events, potential privacy breaches, outages caused by weather or physical events (e.g., building or location damage, active aggressors, or other safety threats), asset and liability needs, loss of key human resources, etc.)
4. Prioritizing plan testing through probable, plausible, and possible scenarios.
5. Assessment of the program performance and incorporation of lessons learned into planning and program improvements
In business, all things are connected to some degree within the system, and everyone is a risk manager, and everyone contributes to event response in their assigned role. A Business Resiliency program demonstrates that the company acknowledges that bad things can happen and has strategies and procedures to protect company operations (i.e., its people, processes, and technology), its key stakeholders, investors, the industry, and the general public. Such a program can significantly enhance the company’s reputation as a safe and sound operation that has a culture of collaboration and competence.
In conclusion, the things I learned in college about Aristotle’s causality framework and how multivariable statistical analysis works have been very relevant to my understanding of the complexities of business operations and how an event may have several impacts. Building a program for your company to identify, assess, plan for, and rehearse the response to different negative scenarios will support safe and sound business operations and enhance the company’s resiliency and reputation.