In his famous work, The Art of War, Sun Tzu lays out a few basic principles for winning a conflict. He notes time and again that a fed and equipped army is an effective army, so look after supply lines.
This is the basic idea of Operational Resiliency, a concept gaining traction among businesses. It was already on the radar of risk pundits, such as enterprise risk management (ERM) guru Michael Rasmussen, who wrote in 2018, “Today’s organisation is complex and chaotic—in a constant state of metamorphosis. Keeping complexity and change in sync is a significant challenge for operational risk management functions.”
The answer is to establish operational resiliency through an integrated risk approach, says Riaan Bekker, Force Solutions Manager at thryve:
“You can’t create resilience without understanding risk in a business, specifically how it all relates to each other. If your risks and responses sit in silos, you can’t analyse and anticipate knock-on effects. That’s where the big disruptions start to appear.”
Stop patching problems
The supply chain problems that emerged from the pandemic illustrate the point. Companies struggled through under- and over-supply scenarios, causing ripples across their operations.
“You can patch the immediate problems and then things stumble along,” says Neer Rama, thryve’s Force Solutions Product Manager. “It’s not efficient, but it’ll make do. Yet when multiple scenarios happen at once, they start a cascade that you might not fully recover from. The business world made a big transition to remote working, but will all companies survive that change? Even if you get up from falling, hobbling along won’t keep you with the pack.”
The pandemic drew attention to operational resiliency, but the concept already had momentum. A few years ago, the UK released a discussion paper, Building the UK Financial Sector’s Operational Resilience, that will inform regulation. It’s quite likely other countries will follow suit because operational resilience looks increasingly like a must-have for organisations.
Resilience and Risk
Creating operational resiliency is achievable through advances in risk management. You can’t establish resiliency without an integrated risk view. Integrated risk, in turn, is made possible by modern risk management technologies typically referred to as Enterprise Risk Management (ERM) and Integrated Risk Management (IRM).
These are technology platforms and practices that gather risk data from silos and provide risk management tools to all corners of the company. Platforms such as Riskonnect break down the walls around risk silos and extend risk responsibilities beyond risk managers and risk registers. IRM/ERM creates proactive risk management that informs strategy and identifies opportunities. And it creates understanding of risk’s impact on people, processes or systems.
“Without integrated risk management, you can’t achieve operational resiliency,” says Rama. “Certainly, it’s much easier and more feasible today thanks to digital platforms that integrate with the business at different levels and with minimal disturbances.”
Best practice recommends three steps to build operational resiliency:
- A holistic view of risk: connect internal and external factors, looking for how they are interconnected and interdependent with processes, people, assets, systems, lines and such.
- Design comprehensive risk assessment: don’t leave risk to risk managers – develop a risk language everyone can understand and use to participate and collaborate. Make it possible for a line manager to use risk to do their job and illustrate their competencies.
- Build robust systems and flexible processes: Strong businesses aren’t made overnight, so don’t expect processes and systems to just adopt resiliency. Often they are too rigid to do this effectively. Use identified risks and workarounds to evaluate these and redesign them to be more accommodating.
These practices are where ERM/IRM platforms shine. They attach to different parts of the business, adapting to how those areas respectively handle risk. For example, if some departments quantify risk on a different scale than others, the software should balance the findings. Instead of forcing employees to change, the right risk management platform changes to accommodate employees.
This difference is why operational resiliency is now within reach for most companies, says Bekker: “People used to largely ignore resiliency because it was very hard and expensive to get right. Now you can roll out a software platform to focus on specific areas, and scale it up as you grow comfortable with your new risk management culture.”