Resilience in risk management blends strategy and foresight and keeps businesses thriving even when the unexpected strikes.
Understanding Resilience in Risk Management
When we talk about resilience in risk management, we’re referring to preparing for the risk and developing robust plans to bounce back quickly from an interruption. In short, we’re talking about a well-packed business resilience survival kit.
Concepts like operational risk management, resilience management, and operational resilience are included here. These concepts seek to understand exposure to risk events (opportunities and threats) and their potential impact and create mechanisms for managing the impact. Whether the risk event is a cyberattack, a natural disaster, or a glitch in a supply chain, if you can anticipate and prepare for it, then you are resilient.
The Importance of Business Continuity
At the centre of it all lies business continuity, which is the ability to continue operating when things go wrong.
Plan B is insufficient; you must also have Plans C, D…
Business continuity management is about identifying your top critical business functions and finding ways to keep them running or resuming them quickly should there be a disruption.
Building a Resilient Organisation
Creating a resilient organisation isn’t just a matter of developing the right plan; it’s also a matter of developing a risk-aware culture within the organisation. That means that employees are trained to be aware of the risks they face and actively engaged in risk identification and management. It’s much easier to play the same tune when everyone sings from the same song sheet.
The Role of Enterprise Risk Management
Enterprise Risk Management (ERM) aims to consider all risks and respond to any of them, whether operational, financial, strategic, reputational, or other.
Integrating risk management practices with all parts of the business helps firms better coordinate their risk management efforts across the enterprise, enabling them to understand and respond to emerging threats.
The Key Elements of Effective Risk Management Strategies
Effective risk management strategies involve several key elements:
- Risk Identification: this is the initial stage of risk management and involves identifying all potential risks that could impact the business. These could be as parochial as a supply chain disruption or as complex as a cyber breach
- Assessment of Risk: once the risks have been identified in the first step, the next step is assessing them to determine how severe their impact could be. This should include an analysis of the chance of the risk taking place and of the extent of the damage if it occurs
- Risk Control and Mitigation: once risks have been assessed, companies can create risk management plans to figure out how to lower the impact of those risks. They can do this by developing new technologies, altering business processes, investing in resources or requiring human intervention
- Managing Risk: risk management is an ongoing process. Businesses must continually monitor their risk environment and adjust their strategy as conditions change
- Contingency Plans: make sure that you have some contingency plans in place. Contingency plans refer to a business’s predefined actions if a particular type of risk event happens
The Importance of Supply Chain Resilience
The rise of global supply chains has made resilience an essential factor.
Any disruption to the supply chain might lead to delivery delays and affect deadlines and customer satisfaction.
Supply chain risk management is critical to the success of supply chains. It aims to prevent risks to a supply chain, detect them, and respond to them appropriately, thus decreasing their impact.
Third-Party Risk Management
Another critical pillar of risk resilience is risk management of third parties: companies rely on third parties to perform many of their functions, and a third party can disrupt the business if there are issues. It’s essential to understand the risk we take by using a third party and plan what to do if something happens to a third party.
Emerging Risks and Uncertainty
Businesses are faced with emerging risks and uncertainties. These are new risks or changes that could affect the business.
Risk management must be dynamic because these risks can change rapidly. Businesses must be observant of what is happening.
Risk Appetite and Risk Culture
An important starting point is understanding the provider’s risk appetite and the level of risk it’s willing to take to achieve its objectives in pursuit of its statutory purpose. This aligns with the broader context of the provider’s risk culture – its shared values, norms, attitudes and practices among its leaders and staff.
Evidence suggests that a healthy risk‑aware culture contributes to better long-term strategic decision-making and organisational resilience.
The Role of Governance in Risk Management
A neglected dimension of resilience is governance.
By creating clear responsibility for risk and rigorous processes to manage it, effective governance helps create organisations that are both aware of and organised for risk. When those organisations have better risk management, they will have greater resilience.
An excellent place to start when assessing an organisation’s risk management capabilities is to look at the processes and documented procedures put in place to identify and monitor risks, and to ensure that those processes remain fit for purpose as the organisation’s operations evolve. This needs to be done periodically, and risk management policies and procedures should ideally be refined.
Disaster Recovery of Data and Crisis Management
Disaster recovery is a part of resilience that pertains to data and systems recovery following a disaster, e.g., ensuring you can recover your files and systems quickly.
Crisis management is about coping with the immediate aftermath of a crisis: keeping the organisation functioning while minimising exposure and harm to stakeholders.
Developing Control and Mitigation Strategies
Control and mitigation measures are actions that can reduce the likelihood or impact of tail risks. For example, you can reduce supply chain risk by working with various vendors, improving cybersecurity to minimise the impact of malicious hackers, or conducting a regular review of risks and threats to learn more about changing threats.
Creating a Risk-Aware Culture
Developing a risk-aware culture requires a series of employee training sessions to create a culture that consistently acknowledges risks, encourages employees to take more ownership of risks, and provides a channel for employees to ‘speak’ about risk.
Risk Management in Practice
Where does a clearer understanding of these ideas take us in practice?
A resilient organisation is one that not only survives shocks but also flourishes after them.
Even the best performance achievement systems should allow clear space for ongoing improvement and adaptation to new risks and challenges.
Effective Risk Management Efforts
Effective risk management involves a combination of risk avoidance and acceptance in proactive and reactive strategies. That is, a proactive strategy that involves actively identifying and mitigating risk before it happens, and a reactive strategy that involves responding quickly and effectively to risk when it happens so you can survive and bounce back. That’s what it means to have a resilient organisation.
Risk Management Strategy and Contingency Plans
A good risk management strategy includes contingency plans for each significant risk event, which must be updated and reviewed regularly.
The plans must also be tested through regular drills and simulations: how would we respond if we faced this risk? Are there any other risks that could be prevented with a similar procedure?
For example, it’s essential to ensure every employee knows what to do if a member of staff or a customer collapses because we don’t want to risk someone’s health and safety.
Risk Awareness and Risk Profile
Risk awareness means understanding an organisation’s risks and what they mean for it and putting them into a broader context. That includes an idea of the organisation’s overall risk profile—what risks it’s vulnerable to.
With a clear picture of an organisation’s risk profile, adopting risk management strategies designed to control and mitigate it makes sense.
European Risk Management Associations
So, how exactly does the Federation of European Risk Management Associations (FERMA) view resilience in the context of risk management?
FERMA underscores the need for holistic risk management that permeates all layers of the organisation, while emphasising adequate resources for risk assessment, including control and mitigation strategies, and creating a culture where risk is embedded from the top (executive level) right down to the shop floor.
For instance, a resilient organisation will better deal with unforeseen risks and become more robust on the other side. This requires building an ongoing learning culture that fosters constant adaptation and the commitment to embed that resilience throughout the business.
Final Thoughts
When it comes to risk management, resilience is about having the right tools to deal with the unexpected, having strategies that enable you to respond effectively, creating a risk-aware culture that breeds agility, and having systems in place to promote the continual improvement of those systems. Companies that focus on resilience can survive disruptions and even thrive.
There’s no way to avoid risk altogether. However, you can identify potential hazards, evaluate their probability and impact, and create effective management strategies. So, have those contingency plans ready, get active, and implement a culture of resilience. Your business will thank you when the next crisis hits.