Institute of Risk Management
Organisational Resilience White Paper 2021: A Companion Summary for Risk Managers IRM Innovation Special Interest Group Report
Developing risk professionals
The future is here: the future is Organisational Resilience

Setting the scene

Organisational Resilience (OR) is more embedded in life around us than you may at first think – and has been for decades. National healthcare is an OR network. So are our public, police, emergency and armed services. One can argue persuasively that the Government itself is also an incrementally evolving OR network. Perhaps the first true example of this methodology designed as such from the outset was the Chain Home radar network. It was developed in the 1930s and delivered as the world’s first integrated early warning system, connecting analogue command and control with distributed tactical operations in near real-time to protect its national host.

Whether by accident or occasional design, organisational resilience has been an instinctive, historical concept that society has reached for where co-operative action can help offset disruptive risks, whether those currently unfolding or those perceived in the future. Today, organisational resilience - and its enterprise risk management stable-mate - should be an ultra-conscious infrastructure choice. The pandemic has forced change and focuses all our eyes on the reality that the collective crisis spectrum is both broader and more threatening than ever.

As we now think ahead to the post-Covid world, it genuinely holds new avenues and new opportunity – indeed, it must. Facing the future should, in itself, be an exciting prospect that we tackle energetically and on the front foot, because events wait for no-one. The global wrestle with Covid-19 - and the potential for new pandemics - climate change, extreme weather disruptions, terrorism and cybercrime risks all threaten our digitally interconnected world. That’s why the IRM’s Innovation Special Interest Group (SIG) began taking a deep dive into OR in 2019.

This companion summary frames the key themes of the in-depth IRM White Paper, which you can read, download or share in full. It focuses on how organisations define and develop organisational resilience strategies and how approaches could – and should – be evolving in the light of contemporary events.

Methodology

> Reviewed key guidelines, professional standards, academic papers, books and consultancy reports.
> Interviewed risk managers, CROs, senior board decision-makers and specialist risk consultants.
> Led discussions with international, cross-sector IRM special and regional interest groups to generate a holistic view of how organisations are approaching OR and ERM resilience.

Many risk and business professionals contributed their time, experience and intellect to building the White Paper. We thank you all for your valuable input right as the world began to change.

The IRM Innovation SIG Team
Defining Organisational Resilience

Covid-19 is a systemic social and public health shock not seen since the Spanish Flu pandemic a century ago. If ever the lesson of sudden and unexpected disruption needed to be learned, it’s now. The geo-political, governmental, economic, environmental and technological shifts of the last three decades have expanded the threat spectrum enormously.

Becoming antifragile

Mathematical statistician Nassim Nicholas Taleb catchily framed resilience as being ‘antifragile’ - but definitions and applications vary. ISO defines it as the ‘ability to absorb and adapt in a changing environment’. The key is developing the embedded processes and culture that flexibly preserve stability and optimise core functions through adversity, in a way that helps us weather expected or sudden disruption.

Think of organisational resilience as a software Operating System (OS) in which the functional applications are your day-to-day operations. A resilience-orientated OS means your apps run smoothly and advantageously for (all) users thanks to built-in network protection, effective security protocols and, forgive the pun, strong anti-virus controls. The pandemic is the latest threat to test economies, governments, politicians, societies, families, health care systems, organisations, employees and individuals – and uniquely, it’s testing all of these simultaneously, at a mass scale, and has revealed gaps that need patching.

The Enterprise Risk Management equation

Resilience manifests itself in different ways, in different sectors and to different stakeholders. Risk managers must keep this in mind as they develop elastic, best-practice frameworks that different organisations can capitalise upon. These strategies should be underpinned by tools, techniques, measures and tests that can be used tactically to enhance resilience in the wider context of enterprise risk management.

Proactive observation of market conditions is essential to delivering positive resilience outcomes. Regulation is evolving rapidly in many sectors and, as a result, is imposing new and diverse minimum-level requirements. Resilience must reflect the immediate compliance environment and move ahead of it. The consensus is that OR is best understood by distinguishing between its operational and strategic components. Think of operational resilience as the capability and strategic resilience as the culture in which it thrives. Needless to say, pro-resilience organisational cultures are best set top-down and by clear example.

Protection as added business value

While operational resilience is the main focus from a regulatory and compliance perspective, it’s the strategic, binding elements of resilience that add business value. There’s an intellectual debate to be had around bottling the bounce-back/bounce-forward mindset - particularly in the pandemic era. This needs to address the ‘new normals’ and the sustainability that will underpin short-, medium- and long-term organisational performance.
The resilience and risk mix

We’re experiencing a period of high volatility, uncertainty, complexity and ambiguity where threats come at us fast - and sometimes with little or no warning. The level of digital interconnection increases risk and amplifies these symptoms globally. Resilience is the blend of proactive ERM culture and process that focuses on maintaining continuity in a disruptive climate. It provides long-term viability within fast-moving external and internal environments. This ‘universe’ is formed by proactive and reactive components. Ideally, they are combined to cut downside risk and increase upside risk by using tools - such as strategic planning and control self-assessments – that help resilience capabilities evolve.

Does risk management drive organisational resilience or vice versa?

Risk management has always been part of organisational resilience, and ERM plays a vital function in cementing these various disciplines together. ERM determines risk and resilience thresholds, assesses the exposures and impacts and determines priority areas. It also integrates perspectives and ensures that resilience components generate outputs that keep actual organisational resilience capabilities within risk appetite and tolerance. ERM ensures consistency in decision-making processes. It enables organisations to grasp alternatives by scanning the horizon and analysing scenarios that help define bespoke preventative and corrective controls.

Breaking down silos and compartments

Our discussions indicate that it’s mature and integrated risk management practices that drive and enhance organisational resilience. To work, these practices must include co-operation that breaks down potentially damaging silo mindsets.

> Risk managers must understand emerging vulnerabilities in order to create agile corporate structures and operations that are embedded in a coherent, consistent and resilient risk culture.
> In many cases, complex hierarchical corporate structures should be simplified to enable an agile response.

Successfully resilient organisations typically demonstrate capabilities that improve over time. From our findings, we can conclude:

> More mature organisational resilience practices are related to more mature ERM practices because they receive Board support and are driven proactively by CROs.
> Successful OR is built upon clear communication channels and collaboration across departments and hierarchies that break down ‘silo’ mentalities.
> OR is developed by CROs who look beyond mere tick-box exercises to reflect upon the broader challenges and opportunities that affect the future of organisational practice and competitive advantage.
> Companies must continuously check their OR capabilities in a timely fashion to make sure they’re within risk appetites and tolerances. This helps avoid unpleasant surprises during turbulent periods.
> New technology, such as risk apps, can create globally scalable and affordable measurements of performance. These precisely and judiciously track emerging risks to maintain OR levels optimally.
Trips, traps and snags

How are some organisations falling short? Evidence suggests it may be through a fundamental lack of maturity in risk cultures and ERM practices. Another contributory factor is a lack of clear communication - or commitment - from senior management teams regarding the value of risk management and resilience.

Then there’s the common trap where thorough resilience propositions are more easily ‘sold in’ after a failure or crisis. This is borne out in our discussions with a number of Chief Risk Officers. Prior to such failures, one could venture that risk management and resilience were more lip-service than in-depth preparedness. This indicates issues at the strategic cultural level that create a false assurance from planning that’s more aspirational than practical. As a result, when push comes to shove – as it did glaringly in March 2020 - it’s well-trained people and teams operating meaningfully via connected and thorough planning that accommodate and overcome. This lack of connectivity across a meaningful resilience framework has caught out many organisations in the current climate. The result? Urgent and damaging pivots akin to re-roofing the house in a torrential downpour.

Educate and Integrate

It’s clear not all boardrooms fully grasp the relevance of strengthening resilience capabilities. That’s why risk managers need to:

> Educate and integrate preventative practices
> Enhance organisational awareness of mature risk management processes and structures
> Emphasise the importance of collaboration and communication across silos and hierarchies

Put simply, this indicates that effective resilience is driven by sound risk management that aligns boardroom expectation with the controls, processes and operation of an organisation’s ‘shop floor’.
Visualising organisational resilience

Resilience frameworks are complex, dynamic, ambiguous and volatile. The overwhelming character trait is uncertainty. Executed well, they are an optimised, holistic blend of proactive planning and reactive defences that look like this:

[Figure: the overlapping resilience disciplines. Source: Adapted from Risk and Resilience Ltd]

In practice, the overlaps between these disciplines take different forms depending on organisational context, structure, capabilities and risk appetite. Therefore, these bubbles are dynamic controls that may merge and even overrun, based on what your organisation does and how it’s configured.

Accelerate risk clock speed

Some blame risk management for not preventing the commercial problems unleashed by the pandemic crisis. The truth is that the extremity of this event has reset notions of ‘clock speed’.

> Most risk management frameworks and systems are only designed to manage slow clock speed risks, where the identified threat and its impacts are telegraphed manageably in advance.
> The pandemic dictates that OR – and ERM – must be able to handle fast clock speed events that strike like lightning and with a thunderclap concussion that can paralyse businesses, supply chains, sectors and entire economies.

Value as revenue protection

Internal and external debates on organisational resilience must emphasise how building resilience capabilities is a value-adding activity. Prevention really is cheaper than cure, and it’s in times of crisis that resilience investment pays off. 2020 proved that unequivocally. The trickiest hurdle is this: convincing management and the board of resilience value during calm times, as such activities are usually not direct revenue-generating centres. But they are revenue-protecting. Thinking ahead and widely about how the future may look does make organisations and individuals better prepared to cope when a crisis breaks. The hard fact is that resilience should be viewed as a mission-critical cost – one that adds value by mitigating the impacts of future disruption. It’s a mindset shift where resilience ultimately becomes a reflection of an organisation’s core values, mission and sense of responsibility.
IRM and the collective route forward

The world is transitioning to a post-Covid universe where wide-scale economic disruption from future pandemic strains can be assumed to be a realistic, rolling threat. Comprehending the core components of risk has never been more important.

> Aligning operational resilience with ERM is a prerequisite to achieving a true strategic resilience that enables companies to respond to, recover from and learn from disruptions.
> Integration should not be confined to risk management and resilience internally - it needs to infuse entire supply chains.
> This ensures that combined systems, processes and people have a unified, resilient purpose that’s flexible and truly ‘antifragile’.

Learning to swim

Breaking down corporate silos and obsolete notions of organisational power and status is an important first step. Resilience shows that managing risks is not only about avoiding potential threats that may (or may not) materialise, but about a constant state of awareness that counters volatility, uncertainty, complexity and ambiguity. It’s about resilience as organisational and individual preparedness: we cannot wait for the next wave to reach us before we master this new stroke.

We’ve been enhancing risk professionals’ skills through training, certification, resources and specialist tools for more than three decades. The focus on building up organisational resilience has always been the indirect effect of the IRM’s primary goal of recognising, maintaining, enhancing and communicating ERM as an integrated and holistic value-added approach to multiple stakeholders.

There’s no silver bullet, but…

The complexity of the problem is immense - but there’s a range of calibres available that address organisational, corporate and operational variety. Now is the time to pool our intellectual risk capital, have the debates and build organisational resilience into the heart of the way we all identify, manage and respond to the risk multiverse.

Change is always inevitable – so let’s grasp it and realise the potential. Read or download our unabridged White Paper here. Contact us at enquiries@theirm.org to find out more and how we can help you.
Contributing authors

Contributing Author: Mark Turner; Rodrigo Silva de Souza; Sarah Gordon; Sheila Milbourn; Rupert Johnston; Darius Mayhew; Keith Smith; Katalin Horvath; Sue Falconer; Peadar Duffy; Martina Smyth; Ross Olding

Innovation Group Role: Chair (2016/19); Co-Chair (2019 -); Co-Chair (2019 -); Secretary; Member; Member; Member; Member; Member; Member; Member; Member

Organisation: Emsity Ltd; University of Roehampton; Satarla; Hoodgroup; Risk and Resilience Ltd; Financial Services SIG; RiskCovered Ltd; IRM Student; Mind; SoluxR Security; MERC&CO LLP
Institute of Risk Management 2nd Floor, Sackville House 143–149 Fenchurch Street London EC3M 6BN www.theirm.org