
Practical considerations – what can organisations do to help risk and resilience work effectively?

This is the final blog in our three-part series presenting the case to bring risk management and resilience functions closer together.

In our first blog, we spoke about the similarities and differences of risk and resilience functions, and in our second blog we explored how the two functions use similar concepts and methodologies but do not speak exactly the same language. 

This time we consider the practical considerations for aligning the two disciplines.

Establishing resilience priorities


A key initial step to align risk and resilience is to ensure that the risk team is supporting the foundation of resilience activities, which is to establish an understanding of essential outcomes – i.e. the services, products, or functions which the organisation delivers to its customers, end users or other stakeholders. We propose asking four key questions to focus attention on resilience priorities:

  1. Our organisation: what do we want to make resilient now and in the future?
  2. Our known vulnerabilities: how resilient are we now and will we be in the future?
  3. Our appetite for significant and prolonged disruption: how resilient do we want to be now and in the future?
  4. Our commitment to resilience: how are we building, maintaining and demonstrating resilience?

The risk team will provide valuable insights into these resilience questions, both through their understanding of the organisation’s strategic vision and through the identification of vulnerabilities and characterisation of tolerances for disruption.

Widening the aperture of resilience


In order to genuinely build and maintain organisational resilience, resilience functions need to ensure perspectives are not constrained to only consider operational impacts but rather have a ‘whole of system’ view and understand the interconnected impacts of the loss arising from disruptive events across the five resilience capitals (Financial, Operational, Reputational, Environmental and Human) [1]. As acknowledged in our second blog, there are often overlaps between the risk assessments that most risk functions perform and the five resilience capitals. Typically, risk assessments will consider impact criteria spanning financial, operational, reputational and human considerations; these considerations are very similar to the frame of reference outlined in the five resilience capitals. Consequently, risk functions are well versed in considering a wider aperture of impacts. This practical experience from risk management is a useful asset to support and evolve resilience thinking. The opportunity to willingly and visibly collaborate at a peer-to-peer level embraces a mentality of collective strength, rather than competition, between functions.

ERM as the conductor for coordinating efforts


Risk functions in many organisations are well established with roles and responsibilities clearly articulated, as well as having risk governance bodies embedded in the cadence of decision-making in the organisation. Utilising the risk function’s skills, capabilities, and established networks to co-ordinate resilience initiatives is a logical and efficient step for resilience functions. Aligning resilience initiatives to established risk activities provides the opportunity to:

  • (Re-)educate the workforce from the Board to operational levels on the benefits of good risk and resilience management to overall growth; and
  • Ensure that the Board has sufficient understanding of risk and resilience to effectively challenge senior management’s comfort levels regarding risk and vulnerability remediation.

Moving closer to strategy and business model


Both risk and resilience functions have the need to ensure a deep understanding of strategy and the ability to forge an alignment with the organisation’s strategic direction. The suggestions below outline key questions to drive an integrated and transparent perspective between both the risk and resilience functions and with strategy:

  1. Define future vision and growth across short-, medium- and long-term planning horizons.
  2. Establish both a strategic and operational understanding of the risks associated with these planning horizons, balancing the positive (reward) against the downside (harm).
  3. Cascade strategic risk awareness through the organisation so that operational resilience planning does not become fixated on near-term operational risks, but adopts a longer-term, more strategic view.
  4. Maximise value and learning by ensuring that risk and resilience functions are jointly performing post-event reviews following business changes. These help to embed lessons learned - not just when things go badly but also when they go well - and train the organisation to avoid its historic mistakes and emulate its past successes.
  5. Ensure aligned risk and resilience reporting to monitor, measure and report to key strategic stakeholders, including investors, to demonstrate how better risk awareness and resilience interventions are impactful.

Achieving these practical considerations will require close alignment between risk and resilience teams, and this alignment then needs to be reflected in the organisational operating model. To address this need, we are now seeing some organisations establishing a Chief Risk and Resilience Officer role to bring both areas much closer together, and most are now purposefully ensuring that there is risk representation in resilience programmes and vice-versa. This is consistent with our view that, given the opportunity and efficiencies it offers, bringing risk and resilience discussions closer together is a logical step forward, as both approaches evolve to meet the demands of what is, for most organisations, a more complex and uncertain world.

Deloitte’s Reputation, Risk, Crisis and Resilience team. We support clients to help them better plan for, and build resilience to, strategic risks, issues and incidents, and crises.

______________________________________________________________________________

References

1. Resilience Reimagined: A practical guide for organisations | Deloitte UK