The value of lifelong learning
Recently, I had the fortune to attend a course that got me thinking about resilience and risk advantage. Amazingly, it was my first focused risk management training. Offered through Disaster Recovery Institute International (DRII), Risk Management for the Business Continuity Professional provided an opportunity to establish a knowledge base. Industry veteran Royce Harvey taught my session.
The course provides foundational instruction for business continuity professionals in a four-day format. Additionally, its design encouraged interaction between students, culminating in a mock presentation of risk recommendations to a faux leadership team. The beauty was that it helped me to see the direct correlation between risk treatments and resilient organizations.
Moving ahead with clear vision of risk
Lately, I have shared how to approach risks such as mass shootings and remote work. Striving for organizational resilience is impossible without understanding business risk. It appears to be a given, but a unified view of risk is often not fully realized across an enterprise. Instead, fragmented pieces across the company, so the understanding’s not all-inclusive.
Enterprise Risk Management, compliance, business units, cybersecurity, IT, business continuity, crisis response, and others have segmented perspectives. The challenge is that without a profound grasp of what could impact an organization, you remain blind to threats or hazards. Like the Indian parable of the Blind Men and the Elephant, the picture is incomplete without seeing the whole from the sum of the parts. Put another way, organizational resilience is not realized without an integrative approach.
Risk asessments support resilience
So, a risk assessment assists a company to thrive by mapping out, quantifying, and qualifying what threatens it. You can determine appropriate risk mitigation by determining threats, the business’ assets, and vulnerabilities—most staff work to identify exposures on an ongoing basis. However, by approaching risk from an integrated approach, there’s an increased ability to horizon scan and protect against critical vulnerabilities.
In Crisis And The Big Bad Wolf, I shared the dangers of underestimating the impacts of black swan or snow leopard events. Here, the goal is first to recognize known and likely threats to manage risk post-COVID better. In today’s environment of increased instability, it benefits practitioners to contribute to developing a more robust framework. And that effort supports increasingly resilient organizations.
Going back to the beginning
The risk management course felt like going back to square one. However, it was a good reminder of why the basics are fundamental. The terms threat, vulnerability, and risk are often mixed-up. They shouldn’t be if you plan to conduct meaningful risk assessments. In June 2012, Robert S. Kaplan and Anette Mikes made the following observation in an HBR article, “risk management is too often treated as a compliance issue that can be solved by drawing up lots of rules and ensuring that all employees follow them.”
Instead, I agree with their assertion that stress testing, scenario planning, and war gaming only prepare a company to a point. So, rules and compliance can mitigate some critical risks but not all of them. Modern risk frameworks require categorizing risk and developing approaches for each. From my experience, understanding and forecasting risk is one part of the puzzle. Risk management must be tied to a process flow for identification, mitigation, response, and recovery to develop a flexible, elastic organization.
What's risk got to do with it?
Implementing a framework leveraging risk management and resilience advantage will strengthen the business. However, Real Resilience happens with consistency, defense, flexibility, and leveraging of a progressive posture. By this, I mean that tieing the two together is only beneficial when supported by leadership.
They are related when vulnerabilities to the crisis are recognized—resilience shields the company from adverse effects of those crises. I like OECD‘s assertion that “resilience is about addressing the root causes of crises while strengthening the capacities and resources of a system in order to cope with risks, stresses and shocks.” Uncertainties always remain but reducing unpredictability increases organizational toughness and durability. When you accurately assess the likelihood of negative stressors, you can better prepare a business to protect against, react to, and survive crisis events.
Highly resilient organizations are the goal
Prioritizing joint risk assessments is foundational to laying the groundwork for resilience. If leadership does not invest resources, operations will become increasingly vulnerable in today’s market. We have all experienced the increased volatility of worldwide crises over the past few years. All signs indicate that threats’ size, velocity, and frequency are not diminishing. With this in mind, an empowered business has the tools to identify and deal with potential risks adequately.
So, the resilience and risk advantage comes from the ability to discern threats and create methodologies to address them. Doing this increases the capability of the business to withstand and overcome many threats. Even when unrealized, strengthening the relationship between the two improves outcomes. As I’ve said, the name of the game is not just to survive but to thrive. Not only can we champion risk considerations to support resilience analysis and management but also advocate for increased insights. The reality is that our organizations need to become highly resilient, not just functionally durable.
Do you agree with this assessment? Let me know your thoughts in the comments below.