By Ralph Mulder
There are two main schools of thought on the definition of resilience:
- One is the bouncing back from adverse events – the engineering definition
- Second is adaptability, an organisation that can deal with any type of change
The first definition is what we usually think of in terms of business continuity. The second is an enterprise approach. This was the subject of a roundtable discussion at the FERMA Seminar 2016. Under either definition, resilience should be the outcome of good risk management.
Building enterprise resilience, especially in the face of today’s disruptive technologies and business models, requires a solid foundation of business continuity preparation, but it has to go beyond this and prepare for unexpected, even unknown risks. Just because something has not happened in the past, does not mean it will never happen.
How do you measure whether an organisation is resilient? We can recognise a comparatively resilient organisation when we see one which has come through a major disruption successfully, perhaps even strengthened. Articulating the value proposition for spending on measures for something which is less tangible, such as building greater trust in the organisation, is more difficult in advance.
Good governance involves building agility into the organisation. There are plenty of examples of organisations that are not been able to respond quickly enough to changing circumstances. The head of risk can play a more important strategic role in working out what makes an organisation resilient. It clearly has to be a comprehensive process.
The risk manager can be the facilitator in this thanks to his or her understanding of the organisation and of risk. Here are some important steps:
- Make sure the basics – good crisis management, business continuity and IT recovery – are in place and robust. It is difficult to go further without them.
- Have a comprehensive knowledge of the organisation’s risk profile coupled with a proper understanding of how the organisation works – what are the dependences, the networks and relationships? Without this understanding, the temptation will be to be more prescriptive and so more rigid.
- Include project teams that can make timely decisions. They are likely to be a key part of this response, along with risk communication from shop floor to the board.
- You need information. Today’s mantra is data, data and more data, but within that deluge of data, the risk manager needs to be able to identify key signals that show where the business has or is developing weaknesses.
- Consider using scenarios to test responses and create an impact report for senior management and the board.
- Do not neglect social capital. Acting as a good corporate citizen with regulators, suppliers, customers and other stakeholders means they are likely to work collaboratively. In this way, you protect the company’s ‘licence to operate’.
- Challenge yourself to measure the “un-measurable”. Much of what contributes to resilience can seem intangible, but with careful thought measures can be developed that provide a more accurate assessment of resilience than just knowing that a business continuity plan is in place.
Measuring success is difficult. However, resilient organisations are likely to see sustainable improvements in business performance. Future proofing is not guaranteed, but they are much more likely to be able to respond to shocks and disruptions.
Ralph Mulder is a board member of FERMA and of NARIM. He works at Uniper as an Insurance and Subsidy Manager.
A comment from another roundtable facilitator
“Challenge yourself to measure the ‘un-measurable’. Much of what contributes to resilience can seem intangible, but with careful thought measures can be developed that provide a more accurate assessment of resilience than just knowing that a business continuity plan is in place.”
James Crask, Senior Manager Enterprise Resilience, of PwC
Some comments from participants
“I would add the “agility factor” under the ‘important steps’ as timing is crucial in ensuring continuous sustainability and minimisation or maximisation of the impact / opportunities.”
Sean Agius, General Manager, Reed Insurance Limited & Reed Insurance Brokerage
“Increasing political and macro-economical risks should lead to a critical review of the resilience of organisations, especially in an international environment.”
Jeroen Baart, Corporate Risk and Insurance Manager, Riwal Holding Group
“Risk profiles are changing faster than ever, and more new and interconnected risks are emerging. The risk management profession can help tremendously our respective organisations to cope with this. The challenge is to ensure they remain entrepreneurial and profitable while ensuring sustainability and resilience.”
Franck Baron, Group General Manager Risk Management & Insurance – International SOS and Chairman – Pan-Asia Risk & Insurance Management Association (PARIMA)
“Just because something has not happened in the past, does not mean it will never happen in the future. And something that has happened in the past – no matter how strange it seems – will surely happen again if you do not actively manage that risk.
“I think curiosity is the key for most things, even for risk management. By staying curious and asking questions, you get a bigger and better toolbox to use. The danger of not raising questions is that more or less obvious risks are neglected.”
Anders Esbjörnsson, Group Risk Manager, NCC and member of the board of FERMA