Risk and resilience: are we speaking the same language?

This is the second blog in our series exploring the opportunities to bring risk management and resilience functions closer together.

In our first blog, we explored the similarities and differences of risk and resilience functions and how they can support each other. Now we will examine how risk and resilience teams use similar concepts and methodologies but are not speaking the same language. This disconnect hinders effective collaboration and can lead to siloed decision-making, potentially undermining both risk mitigation and resilience efforts.

It is essential that there is alignment between both worlds to avoid duplication of activity and to achieve consensus on strategic priorities. There are several key opportunities to align conversations:

1. Evaluating risks

Risk teams will typically only use impact and likelihood criteria to prioritise risks. However, for many organisations, risk impact assessments include categories which overlap with the five resilience capitals (Financial, Operational, Reputational, Environmental and Human) [1]. Explicitly using these capitals to structure impact evaluation can provide a practical way to drive alignment between risk and resilience and to ‘speak the same language’.

Focusing on what is really critical to us will enable us to prioritise the risks that would be most impactful if they materialise. So, once we've determined our enterprise risks, we're really interested in how these might impact the essential outcomes that we're trying to deliver. Essential outcomes are the most important services, products, or functions that the organisation delivers to its customers, end users, or other stakeholders.

Risk teams tend to use between three and five criteria to evaluate likelihood, and this is often the area that risk teams and risk owners find most challenging to assess. Without the use of modelling techniques, evaluating risk likelihood relies heavily on experience, which gives only a partial view of how likely a risk is to materialise. In contrast, resilience practitioners focus on the plausibility of scenarios. Adopting this plausibility assessment, which considers whether a scenario is conceivable and credible even in the absence of historical data, is a useful simplification for risk teams and owners to ensure that appropriate challenge is given to risks that are outside individual or collective experience. Whilst likelihood assesses the chance of an event occurring, plausibility focuses on whether the event is believable or credible. Plausibility is a useful tool when assessing unprecedented events or those where historical data is unavailable within the organisation.

2. Aligning risk appetites and impact tolerances

Impact tolerance is a term that was introduced to the financial sector by UK PRA [2] and FCA [3] regulation on operational resilience, but in other industries it may be described as a Maximum Tolerable Period of Disruption (MTPOD). The impact tolerance concept refers to a level of disruption or impact that an organisation is not willing to exceed, as it may result in an intolerable level of harm to customers, clients, end users, the organisation's own safety and soundness, or the wider markets in which that organisation operates.

Frequently we see risk and resilience teams considering these concepts in isolation. However, to foster a unified approach, both risk and resilience teams should collaborate to ensure risk appetites reflect impact tolerances. In other words, how much impact can our organisation withstand before causing 'intolerable harm' to the delivery of essential outcomes? These considerations are particularly pertinent for organisations who will be required to disclose material controls (as outlined in the forthcoming requirements of Provision 29 of the UK Corporate Governance code). A robust appreciation of both risk appetite and impact tolerances will support the assessment of which controls really are material.

3. Getting the most out of scenario analysis

A frequent challenge for risk professionals is that risks rarely occur in isolation. Therefore, evaluating them without considering the wider risk landscape is often unrealistic. The use of scenarios and exploration of impact by resilience practitioners is a useful way to improve understanding of how risks are interrelated. 

For example, using scenarios to explore how the materialisation of geopolitical risks may impact supply chains is a tool to consider how ‘resilient by design’ these supply chains are. Resilient by design is the deliberate, transparent, and strategic construction and operation of a business in a way that enables it to absorb shock and disruption. Scenario planning, considering multiple future scenario outlooks, or performing ‘pre-mortems’ is a useful way to engage colleagues across functions and ask the ‘what if’ and ‘what next’ questions which are of value to both risk and resilience teams.

Adopting this mindset requires a proactive re-education of the workforce, from Board and senior management to operational practitioners, to condition the right mentality around both disciplines. Doing this well means establishing a positive risk and resilience culture that encourages open and willing provocation of potential scenarios that truly exhausts all options and potential outcomes. Scenario analysis can then be used to inform proportionate planning that is based on identified impacts. Challenging control and mitigation assumptions through scenario analysis can also challenge likelihood assumptions. 

4. Becoming ‘resilient by design’

Ensuring that risk considerations are brought into resilience initiatives is necessary to ensure that measures are not counterproductive and do not introduce a ‘ripple effect’. Every tactical or strategic choice has the potential to present some downside risk. Consider an organisation which is seeking to become ‘resilient by design.’ It decides to utilise cloud outsourcing and assumes inherent resilience due to geographically distant infrastructure, thereby assuming sufficient redundancy and modularity. However, a risk assessment might reveal that this infrastructure remains exposed to the same severe weather patterns or has similar vulnerabilities to a cyber-attack. 

Recognising upside 

In many organisations, risk management has taken a role of conservation and caution, where it can quickly become fixated on downside risk. This can also be true of resilience where the impact of that downside risk is expressed as ‘harm.’ However, both risk and resilience have the potential for upsides, and we think that many organisations would benefit from finding the opportunities in risk and resilience to support and inform organisational strategy. 

Achieving this requires Boards and senior management teams to clearly define and articulate their strategy and to develop a common understanding of the strategic and existential risks (and opportunities) facing their organisation. This means horizon scanning, considering risks more broadly, and using that knowledge to inform operational planning. This allows for conscious and informed risk and resilience decisions to be taken at all levels and in a way that supports the organisation’s overall direction.

It is important that organisations then establish monitoring and reporting mechanisms that will demonstrate the return on investment (in other words, how their resilience to risks is increasing over time thereby neutralising or reducing their exposure to loss). For example, most organisations now have a degree of skills and talent risk with a workforce that is not necessarily well-prepared to deal with emerging technologies like quantum computing and Artificial Intelligence. An inability to respond to these technologies will present an existential threat to some organisations. By educating and empowering operational and Human Resource teams to make better and more strategic hiring choices, organisations can see incremental improvements in their exposure over time.

Aligning risk and resilience teams undoubtedly creates operating model efficiencies, but there are also broader advantages:

  • For risk: it introduces more practical and operational considerations which arise from resilience thinking, and enhances clarity established from acknowledging essential outcomes.
  • For resilience: it brings a strategic focus to enrich scenarios to be more comprehensive and enable due consideration of the ‘meta’ strategic choices of the organisation.

Key questions all organisations should be asking:

  • Do we have enterprise risk and intelligence initiatives that enable us to look around corners and pre-empt any ‘perfect storms’ that may interrupt or derail us?
  • Do we use our risk and resilience planning to make adjustments to our organisational strategy (e.g. changing our hiring strategy to accommodate observed talent or skills risks)?
  • Do we capture the costs associated with our operational as well as financial losses and do we know and understand the reasons why these losses occurred?

Deloitte’s Reputation, Risk, Crisis, and Resilience team. We support clients to help them better plan for, and build resilience to, strategic risks, issues and incidents, and crises.

_________________________________________________________________

References

[1] Resilience Reimagined: A practical guide for organisations | Deloitte UK

[2] SS1/21 – Operational resilience: Impact tolerances for important business services | Prudential Regulation Authority Handbook & Rulebook

[3] SYSC 15A.2 Operational resilience requirements | FCA Handbook