Insights |Risk Management

31st May 2022

The road from risk management to resilience in the age of crisis

Strategic business resilience is increasingly prized but myriad hurdles make for uneven progress.

Broadly speaking, risk management is about identifying, evaluating and mitigating risks to reduce the likelihood and impact of those risks being realised.

Resilience is also about handling risk, but focuses instead on maintaining business continuity amid adverse events, bolstering an organisation’s ability to rapidly adapt to disruptions, and protecting its people, assets and reputation.

Resilience First, a non-profit founded in 2018 to foster greater business resilience across UK industry and critical infrastructure, has therefore described risk and resilience as “opposite sides of the same coin”.

Both concepts remain fundamental to enterprise strategy, but operational resilience in particular has grown more important in an increasingly unpredictable world where businesses have in recent years been hit by a series of unforeseen dislocations.

Risks motivating the rush to resilience

Threats include growing geopolitical instability, with the ongoing war in Ukraine demonstrating the risks of operating in authoritarian or politically unstable jurisdictions.

Brexit and the rise of populist leaders in several countries, meanwhile, have both threatened to make the trading environment less hospitable through protectionism, trading barriers and immigration restrictions.

And Covid-19 forced organisations, almost overnight, to enable their workforce to work from home and adapt to severe restrictions, such as the food service sector’s sudden reliance on food delivery. The pandemic is still disrupting supply chains and causing industry to question the wisdom of globalisation and the just-in-time (JIT) manufacturing model.

Other threats include rampant inflation, cyber attacks, rapid digitisation and the worsening climate crisis.

The merits of business resilience

In a Resilience First webinar on the topic, Lord Toby Harris has said risk assessments alone leave organisations unprepared “for not only the ‘black swan’ event (previously unobserved, hard to predict, high-impact) but also those ‘black jellyfish’ (known but more complex that may have a sting) and ‘black elephants’ (known and in plain sight but with which no one wants to deal)”.

While risk assessments often centre on a small number of easily understood risks, resilience offers a holistic approach involving scanning the horizon for a variety of threats and modelling crisis scenarios against which to stress-test an organisation.

Far from merely mitigating risk, resilience can therefore inform strategic thinking and give birth to business models more suited to volatile environments.

Barriers to resilience

There’s sometimes a tension between instilling organisational resilience and the imperative to build value and revenues. For instance, abandoning JIT models and building redundancy in supply chains can foster strategic resilience but higher costs are surely unavoidable.

Another barrier to embedding and maintaining operational resilience relates to human psychology. With disruptive crises being rare, it’s all too easy for leaders to lapse into complacency as short-term operational goals consume organisational focus. Moreover, crises typically trigger changes after the fact that mitigate a recurrence of similar adverse events, whereas it’s harder to argue for investments geared to preventing perhaps similarly likely, but more novel, outcomes.

Like many business objectives, achieving resilience is also undermined by business units operating in silos, as well as a lack of collaboration between government, industry and other stakeholders. This is where organisations like the Resilience Rising consortium, which brings organisations including Resilience First and communities together to promote resilience and share best practices, can come in useful. They can help stakeholders solve complex challenges that are difficult to solve on their own.

Finally, as with ESG reporting, targeting strategic resilience is undermined by a lack of universal frameworks for measuring performance quantitatively.

The route to business resilience

The Business Continuity Institute recently predicted that cyber attacks, natural disasters, the mental health crisis and – fuelled by ongoing Covid-19 restrictions in China in particular – supply chain disruptions including a global computer chip shortage, will pose the biggest challenges to strategic resilience in the coming months.

Bolstering your organisation against such threats is an undertaking that encompasses people, processes and technology. Organisations must evolve their culture, training, practices, business models and technical infrastructure accordingly.

Resilience must be organisation-wide, underpinning strategic decisions around risk, finance, operations, technology, human resources, product development and so on.

To give one example, technological and operational resilience was tested by the sudden need to equip employees to work from home at the outset of the pandemic.

Experts advise enterprises to consider not just the immediate impacts of crises but consequences further downstream, too.

It’s also important not to merely ‘fight the last war’ – to prepare for novel or long-forgotten threats as well as recurrences of recent crises.

Covid-19 offers a salutary lesson here. While the pandemic took businesses by surprise it was foreseeable – pandemics are guaranteed to happen, however rarely.

Resilience First also talks of moving beyond a “traditional linear approach to risk management” to a resilience management model that focuses on “preparing for the consequences of dangers in a generic sense rather than the causes of specific dangers which we cannot foretell”.

And, as well as preparing for these “generic dangers”, businesses must have early-warning systems in place to spot their initial signs.

Build your operational resilience

For advice and support on business resilience strategy, contact Mike Wright, Risk Management Consultant at mike.wright@esarisk.com, on +44 (0)843 8686 or via our contact form.

contact us online or by phone

Get the advice you need

Our expert consultants are on hand to give you the support you need.

What are you looking for?

Get the advice you need

Deep dive for the answers you need
Or contact us on +44 (0)843 515 8686 or at advice@esarisk.com.

Deep dive for the
answers you need

Lawyers, accountants, advisors, investors, senior
management. You name it, we help them find the answers
they need. Ready to discover how we can help you?