Building organisational resilience
Organisational resilience is about more than just learning how to respond should the worst happen. It is about learning from historical events and forecasting future outcomes to build in safeguards that protect an organisation, and anticipating emerging opportunities earlier and faster than your competitors.
To operate in a world with a rapidly changing risk landscape, organisations must ensure they have the information needed to make optimal decisions quickly, even when facing crises and extreme scenarios. Here, we introduce a risk and resilience model* that delivers the insight and tools needed to boost organisational resilience.
What is resilience?
There is no real definition of best practice for resilience, so building a risk and resilience model from scratch can be a daunting process.
The model we use at ERM International, however, is based on examples we have seen working in practice. It works by balancing and complementing risk and resilience within an organisation.
It was born out of us being asked to build a resilience model for a global mining firm. Within that, we incorporated a maturity assessment process that allowed us to take this model to other organisations, assess their risk and resilience, and create a prioritised roadmap for improving resilience within their business.
Then, of course, we can also work with the organisation to help deliver those improvements and create a business that has resilience ingrained into its organisational structure.
As we have learned from COVID-19, we are living in an increasingly connected and disrupted world. Organisations that are able to learn from this experience and ‘bounce-forward’ to a higher state of resilience will be the ones that succeed. Those that look to simply ‘bounce-back’ to how things were before COVID-19 could face some rude shocks.
Assessing inherent risk and resilience in an organisation
Strategy and appetite is at the heart of our model, and the first stage of the process involves considering those factors to assess the inherent resiliency of an organisation’s business strategy.
As an example, BP both sells and produces oil. This means its business model and strategy is inherently resilient to oil prices fluctuation. If the price of oil is very high, it will make a lot of money on the production side. But if the price of oil is very low, it will make a lot of money at the bowser. This strategy, however, is not resilient against the main disruption looming for the oil and gas sector – being the transition away from fossil fuels to clean energy.
When it comes to appetite, we are looking at how much risk an organisation is willing to take and its ability to innovate. This is important because if an organisation’s risk appetite is too low, it will likely be too conservative in its approach. This could mean it becomes too brittle and isn't able to respond and innovate in the face of unexpected developments in the market.
It is all about being able to take the right risks, in the right amount and in the right way, and that is why understanding strategy, appetite and the resilience built into that is an important part of the model we have built.
Preparing an organisation for the risks it faces
Once the inherent risk and resilience of an organisation has been assessed, we then look to improve on that by building in four key management system layers: prepare, prevent, respond, and recover. See these in the model below.
We look at these different layers through two primary lenses. The first lens is all about the individual components – how good they are, how they compare to best practice and are they what you actually need to have in place?
The second lens is about how those different components all work together. Is the integration between all these components right? We like to think of this as a wheel, and you need to get that wheel and all the different components moving and working together for resilience to work properly.
So, looking at those four layers, the first is around preparation, and a good example of this is risk identification.
Obviously, testing that individually is all about how well an organisation has identified its risks, and how well it really understands its risk environment. You then have to look at how well that feeds into your assurance programme and whether that aligns with the risks you have identified.
What we have seen in lots of organisations is that these are often thought about separately, and when you look at the different individual components, you find gaps in the systems you have in place, and this means they do not work together properly as a unified system.
A risk radar is a helpful tool in plugging these gaps, as it allows you to assess your entire risk universe by breaking the organisation's value chain down into its component parts and determining the top risks each part of the value chain faces.
These risks can then be assigned sub-categories of risk to fully describe the risk landscape, and by plotting these different categories of risk against the time horizon in which they might occur. The most important thing to look for here, is not just where you have concentration of risks, but where you have gaps. The gaps are most likely showing you where you have blind spots, and it is these areas you need to do more digging to better understand what risks you face, and what you haven’t already thought of.
Bringing this back to an example of how organisations need to get the components of the wheel working together – the concentration of risks in your risk radar also help you to reassign resources and levels of assurance in proportion to the risk exposure. Too often we see organisations have disproportionate control relative to the risk exposure – aiming to have a best practice control environment for every risk they face – and this is where bureaucracy can creep in, and it can become really hard for the real risks to bubble to the surface.
It is this type of flow of information between all the components in the risk and resilience model that is key to success, something we like to call 'lubricating the wheel'.
This is important, because this flow of information will become the foundation for the prevention phase, which is built around control, intervention, and assurance.
Preventing risks from happening
Control is all about the internal control processes an organisation has, but while that is important, intervention is the most vital point here. That is because when most organisations think about managing risk, they tend to focus on preventing risks through compliance with the internal control environment only, whereas organisational resilience should also enable you to respond to external disruptions, too.
The internal control environment was never going to help an organisation manage something like the COVID-19 pandemic, because that is not within the control of the organisation.
Intervention is all about asking things like: how good is the organisation at being able to anticipate and detect these disruptions that are coming? How good are they at being able to intervene, and prevent them from escalating to a crisis?
Signposts and risk indicators are particularly important tools for anticipating risks and putting measures in place to help mitigate their effects. Such data is also an important way of monitoring how a situation is developing, and then creating intelligent ways to respond.
While these signposts are important, they are of no use if the organisation has not created a culture in which people feel safe to speak up and share potentially bad news, because without this sharing of information, organisations are unable to put the necessary measures in place.
Another mitigative tool to be used is assurance, and this is about having proportionate levels of protection in place and making sure that the organisation has the right checks and balances in place that are proportionate to the level of risk being faced.
To get this right, you need to prioritise resources, so you have them in the right place, and give yourself the confidence that the biggest risks the organisation faces have the highest levels of assurance. Then it is a sliding scale so that the smaller the risk, the less assurance an organisation implements.
This, however, is rarely the case, with many organisations having disproportionate levels of assurance that are either not adequate for the risk they are covering or are too high so that effort and resources are being wasted and not used in an efficient manner.
Responding to incidents
The next part of our resilience model is about how organisations respond to a risk incident, even if it is something they haven’t anticipated.
And this response is all around how an organisation responds strategically, tactically and/or operationally to a threat, risk, event, disruption, incident, or crisis.
An effective and mature strategic response is flexible and adaptable to the specific threat/risk to an organisation and is capable of responding strategically to known and unknown threats/risks. It encompasses crisis management to coordinate and manage enterprise critical incidents, where the impacts of an event may be broad, complex and/or significant.
It also includes crisis communications, and how an organisation is able to manage and coordinate effective stakeholder engagement and communications, both internal and external.
A tactical response should include both location and function specific capabilities. A location specific tactical response may include those specific to a site (such as an emergency management team) or wider at a country/region level (such as a country response team). A function specific tactical response has the ability to respond to specific threats/risks that, while they may impact a single location or multiple locations, are not limited/specific to these locations (this may include an organisation’s computer emergency response team).
An operational response is about enabling an organisation’s business continuity to continue the delivery of operations, products and/or services safely and within acceptable timeframes to predefined targets during a disruption.
One of the most efficient and effective ways of developing an organisation’s response capabilities is to have a required level of training and proficiency within your response teams. That is more about the methodology of your response approach, instead of following a script or checklist – because a response rarely goes to plan.
If there are then specific things that you know might be fundamentally applicable to your operating and/or threat environments, then we will also develop a response plan that helps to guide and inform that response but does not go as far as dictating the actual steps.
While it is important to have certain response plans in place, having too many can actually hamper an organisation’s response. An essential part of resilience is being able to respond to unforeseen disruptions and things you hadn't planned for. So, you need to be able to respond to those.
In order to be most effective, any strategic, tactical, or operational response needs to remain flexible and adaptable to any unanticipated developments.
Recovering and learning from risk events
Just as important as any response, however, is how the organisation recovers from a risk event, and what it can learn to make itself more resilient in the future.
The first part of this recovery phase is about efficiently building a roadmap to transition from response, to business as usual, and then to a position where you have enhanced resilience for the future.
Part of this is looking at how a response played out in the face of a real event, but equally important is looking at why the event occurred in the first palace, and what could have been done to prevent it from happening.
Post-event reviews (an enhancement on traditional post-incident reviews) are an important part of this process and enable an organisation to look externally to see what they can learn from how other organisations have responded to incidents they have faced.
That outward looking review process is vital because that allows you to improve resilience for events you haven’t previously faced but may be on the horizon.
This can then be proactively fed into the prepare phase, meaning that you can prevent risks from materialising, or at least mitigate the effects should an event occur.
It is not just about bouncing back from a crisis; it is about bouncing forward and becoming a more resilient organisation as a result of coming through the crisis.
Reporting the findings
Off the back of all this analysis, we are able to create a report that provides in-depth insight into the risks facing an organisation and how to build organisational resilience in the face of those risks.
The report is also a useful way of sharing these insights with the various different stakeholders within an organisation in a succinct and impactful manner in order to get buy-in for projects that are needed to improve resilience and help drive the organisation forward.
Key results from this analysis include, but are not limited to:
An organisation being able to build a fully defined risk taxonomy that incorporates all of the different risks the business is facing
Identifying appropriate measures and controls that are needed to properly prepare for the risks materialising, while also acting to mitigate or prevent the impact of any such risk event
Aligning an organisation's significant threats/risks, including to people, environment, assets, information, operations, reputation, and livelihood, with established or required response components and/or teams
Determining the priorities of an intelligence model within an organisation to identify indicators from internal and external sources, to act accordingly to both counter threats and maximise opportunities.
Fundamentally, the organisation is presented with a roadmap that sets out the steps needed to improve organisational resilience, and, just as importantly, how to learn from future risk events not just within their organisation, but also outside the business in the wider marketplace.
As we look forward after COVID-19, have you asked yourself what could come next? Have you considered what other risks (be those threats or opportunities) are coming over the horizon? And how do you anticipate these to get out of the way of threats or jump in the way of opportunities – faster and better than your competitors? And how do you do this without jumping at shadows?
While COVID-19 is an ongoing risk, it is now an event that has triggered (and continues to trigger) a series of second and third order impacts, such as potentially a looming spike in insolvencies and global supply-chain disruption.
Wider than this, how have you assessed the risk to your organisation from a global recession, a growing divide between the rich and the poor, climate change, disinformation– the list can go on.
If you are not sure how to consider these, a systematic approach to improve your risk and resilience is a good place to start.
*Originally developed in collaboration with Intactile Global
This article was first published in March 2021 by Risk Leadership Network, a global membership network for risk professionals.