The Agile (Not Just Resilient) Organization

Written by The GRC Pundit

Published on2021-03-25Updated on2021-03-25Discussion1 Comment on The Agile (Not Just Resilient) Organization

Agility is a thing of beauty. I love watching acts of agility. Take parkour for example, how these athletes can leverage and use their surroundings to navigate and seem to do the impossible . . . simply amazing. A few years back I was doing a lot of Spartan races. Myself, that was not agility but the more of an awkward ox doing obstacles, but others it was amazing what they could do in the environment given to them.

When I think of agility, my mind immediately goes to Legolas, the elf, in Lord of the Rings. Though I prefer the books, the films were amazing and the agility of Legolas in the midst of battle was amazing. How he can move about the threats and enemies around him and seize opportunities for victory. Gimli, the dwarf, in Lord of the Rings is the embodiment of resiliency. He is built like a tank and simply can withstand the beating and hits as he pummels forward to victory. 

There is a lot of focus right now on business and operational resiliency. Resiliency is the capacity to recover quickly from difficulties/events; the ability of a business to spring back into shape from an event. This is very critical and I see a lot of organizations moving to bring together operational risk management and business continuity management into what is now defined as an operational risk and resiliency program. Business continuity management as a separate function in the organization is a thing of the past and over the next two to three years we will see a mass migration to an integrated operational risk and resiliency program.

However, there is more that needs to happen. Organizations also need to be agile. Agility is the ability of an organization to move quickly and easily; the ability to think and understand quickly. Good risk management is going to clearly understand the objectives of the organization, its performance goals, and strategy, and continuously monitor the environment for 360° situational awareness to be agile. To see both opportunities as well as threats so the organization can think and understand quickly and be prepared to move to navigate to seize opportunities while avoiding threats/exposures to the organization and its objectives. It reminds me of a blog I wrote 11 years back,Everything I Need to Know About Risk Management I Learned in Drivers Education in the IPDE Model (Interpret, Predict, Decide, Execute). Though looking back on this I would add more emphasis on IPDE for opportunities.

In a blog last month, What is Business and Operational Resiliency?, I reviewed the financial services definitions of operational resiliency from the United Kingdom, European Union, United States, and the Basel Committee on Banking Supervision. In that article, I referenced how the United Kingdom’s FCA definition of operational resiliency was superior to the others. Particularly because it was the one that is proactive as it discusses the ability to prevent events. The other definitions were very reactive as the focus is all on the ability to recover from an event. The FCA definition has an element of agility that goes beyond resiliency.

But that is not enough. We need agile organizations to avoid and prevent events, but we also need agility to seize on opportunities and reliably achieve (or exceed) objectives. Agility is not just avoidance of hazards, threats, harms. Agility is also the ability to understand the environment and engage to advance the organization and its goals. Organizations need to be agile and resilient. Risk management needs to be an integrated part of performance, objective, and strategy management to achieve this capability to enable situational awareness for this organization so it can seize on opportunity as well as avoid exposures and threats. 

So today’s modern organization needs enterprise risk and agility that is also supported by operational risk and resiliency. There is a symbiotic relationship between enterprise risk and agility with operational risk and resiliency that organizations need to develop in today’s dynamic, distributed, and disrupted business. This is all how GRC – governance, risk management, and compliance – has been officially defined for over 15 years in the OCEG view of Principled Performance and the GRC Capability Model. This is a capability to reliablY achieve objectives [GOVERNANCE] while addressing uncertainty [RISK MANAGEMENT] and act with integrity [COMPLIANCE].