Risk and resilience: bringing risk management and resilience closer together

‘What is the relationship between risk and resilience?’

A question we are often asked by our clients. To understand the relationship between the two functions, the opportunities for alignment and the practicalities for risk and resilience, we have created a new series to explore this topic further.

In this first blog we start by highlighting some of the key differences and similarities between the risk and resilience teams, making the case for alignment and how the two can support each other.

Setting the scene

All organisations, whether public or private, are now operating in a more complex environment. Key shifts in the environment include:

• An accelerated pace of technological change
• Greater reliance on the extended enterprise
• Continuing geopolitical instability, a dynamic demographic of service consumers
• A rapidly changing workforce, skillset and working environment. These changes are set against an array of emerging UK and international regulations.

Navigating this and the pace of change means that organisations need to think more creatively and comprehensively about how they build the capability to absorb shock and exploit change. Change may be driven internally through evolving operating models (for example, adopting new processes or technologies), or by shifts in the external environmental. Change, regardless of its source, can bring stresses and disruption to the organisation, yet it also presents opportunities for adaption, organisational strategic alignment, and future growth. 

In response to increasing uncertainty and regulatory/government interventions, entities are expected to ensure they are resilient. To establish resilience many organisations have set up resilience teams to focus on preparation and response. These teams are being set up alongside already established risk functions and frameworks.

Risk and resilience: similarities and differences

Whilst resilience teams typically have responsibilities for preparing for, responding to, and helping the organisation to recover from severe but plausible disruptions, the risk team will also have deep insight into disruptive scenarios. 

The UK’s Financial Conduct Authority¹ observed that ‘the most effective operational resilience frameworks are embedded within firms' overall enterprise-wide risk frameworks, including change management and strategic planning. Operational resilience is a core consideration when assessing risks of transformation and change.’  

To better align risk and resilience disciplines, we need to start by appreciating the core differences and synergies. 

• Risk management: the systematic process for identifying, analysing, evaluating, treating, monitoring, and reviewing risk. Integral to risk management is identifying risks in the operating environment, analysing the impact and likelihood of their occurrence, before evaluating our options for managing this risk, informed by our risk appetite. Risk also focuses on identifying and managing the sources of disruption.
• Resilience: focuses on delivering ‘essential outcomes’ to customers, clients, and the broader market in which we operate. Resilience shifts the focus from the likelihood of risks occurring to the assumption that disruption will happen. This therefore requires organisations to build capability to prepare for, respond to, and recover from this disruption by adopting an ‘outside in’ mentality, rather than focussing on the internal organisation.

Examples of risk and resilience practices within an organisation

Resilience seeks to remediate vulnerabilities that organisations have created because of how they have chosen to architect and operate their services. Vulnerabilities can be strategic in nature.

For example, the emergence of a new competitor could impede our ability to be the best market innovator. Similarly, a lack of diverse skills within our talent pool could prevent us from adapting to a changing landscape of consumer preferences. Vulnerabilities can also be more tactical and operational in nature. For example, geographically concentrated physical data centres leave us exposed to location-based disasters, such as floods, and could result in an inability to recover critical operations. The key point to understand in these examples is that risk is a key input into the process of identifying internal and external vulnerabilities. 

The reach of enterprise risk management is broader than resilience as it considers threats and opportunities to the whole organisation. In contrast resilience is focused on avoiding, mitigating or exploiting impacts only to a limited subset of outcomes that the company provides for its customers, end users or other stakeholders. Resilience builds capabilities to address specific vulnerabilities that would preclude the delivery of essential outcomes.

We advocate that risk and resilience should form an ongoing virtuous cycle that supports the organisation’s overall strategy. This means:

• Agreeing the organisational strategy and identifying outcomes and services which will enable delivery of the strategy (our essential outcomes); 
• Identifying the strategic and operational risks to achieving the strategy; and
• Designing and operating services in a way enables the organisation to avoid, withstand and absorb impact when it occurs, whether that is disruption to staff or customers, finances, operations, reputation or to the environment.

The final element of this virtuous cycle, which, in our experience, is often overlooked, is demonstrating that resilience interventions are shifting the dial on risk exposure over time. This could include identifying how the resilience controls that we are introducing are reducing either the severity or likelihood of risks crystalizing thereby avoiding or reducing operational and financial losses, as highlighted in our recent blog on resilience dividends.

We see managing risk and resilience as mutually supportive objectives, with the teams that support these objectives both having a key role to play in shaping the organisation’s trajectory. 

Bringing risk and resilience teams closer together and encouraging each to learn from the other is essential to an organisation’s long-term success. In bringing teams together there are the obvious potential efficiencies but also the opportunity for both teams to see process and methodological improvements. Indeed, when surveyed, over three quarters of participants at our recent Crisis & Resilience Conference saw risk management as an active participant in building resilience.

Key questions all organisations should be asking

• Do we have tangible alignment of risk and resilience objectives (e.g. strategic focus; shared thinking on programmes; and alignment of roles, responsibilities, and management information)?
• Can we explain and demonstrate to interested parties (e.g. shareholders and regulators) how we consider resilience to risks and risks to our resilience?
• Do we have senior individuals with clear responsibility and accountability for risk and resilience and are there aligned governance forums and management information to enable a focus on risk and resilience?

In our next blog, we will explore the opportunity for risk and resilience teams to better align frameworks, terminologies, and methodologies.

_____________________________________________________________________________

References

¹ Operational resilience: insights and observations for firms | FCA