Roads to Resilience

The levels of risk to be considered have also changed. Often risk management has focused exclusively on the operational level and the development of operational risk appetite positions or statements. This approach overlooks the two other levels: strategy and tactics. At the strategic level, the decisions made by boards involve commercial risks that are considerable. Strategic decisions will be influenced by the attitude of the board to risk. When strategy has been established, tactics have to be developed to implement the strategy and this will involve management of projects and/or programmes of work. Almost all organisations have major projects that are often not adequately analysed from a risk perspective. If major projects are not managed correctly, reputation and financial performance can be endangered and resources incorrectly allocated. Therefore, risk professionals and boards need to: • manage risk across their full range of assets, from products, people and operations, through to the customer experience, brand and reputation • ensure that risk management is considered not only at the operational level but also at the tactical (or project) and strategic levels. Recognising that the scope of risk management has changed is the first step towards making an organisation more resilient. However, achieving resilience is complex and, as the plural in the title of this report ‘ Roads to Resilience’ implies, the research found that there are multiple ways in which resilience can be attained. Nonetheless, the organisations studied do exhibit common traits that can help other organisations identify, plan and implement their own specific road to resilience.

Key findings of the research

Based on the extensive data collected at the case study organisations, Figure 1.1 is a model illustrating the relationship between the key findings of the research. Organisations that have succeeded in placing resilience at the centre of their performance achieve the resilience outcomes. They have common characteristics, described in this report as the five principles of resilience. Together, these principles make an organisation better able to prevent adverse events, protect resources and assets , as well as prepare for adverse circumstances. Achieving the five principles of resilience will also enhance the reputation of the organisation, facilitate more innovative approaches and ultimately secure greater success. Resilient organisations also plan how to respond and recover from unexpected adverse events, and how to review the events and learn for the future. They build risk awareness throughout the organisation as part of avoiding the risk information ‘glass ceiling’ already mentioned. Risk awareness throughout the organisation also ensures that departments and functions liaise effectively and avoid risk information ‘glass walls’ between functions. This enhanced risk awareness throughout the organisation helps to build resilience based on the confidence to seize business opportunities by understanding risk. This approach is often referred to as the ‘upside of risk’ and this mature attitude to risk-taking is found in the case study organisations.

Figure 1.1 Resilience outcomes, principles of resilience and the business enablers

P e o p l e a n d C u l t u r e

Risk Radar

L e a d e r s h i p a n d G o v e r n a n c e

B u s i n e s s S t r u c t u r e

P r e v e n t , P r o t e c t a n d P r e p a r e

R e s p o n d , R e c o v e r a n d R e v i e w

Resilience Outcomes

Review and Adapt

Resources and Assets

Resilience Principles

RESILIENCE

Business Enablers

Relationships and Networks

Rapid Response

S t r a t e g y , T a c t i c s a n d O p e r a t i o n s

18

Section 1: Introduction to ‘Resilience’