The Need for Contextual Awareness of Risk & Resilience
Dynamic, Disrupted & Distributed Business is Difficult to Control
Organizations take risks but fail to monitor and manage these risks effectively in an environment that demands risk agility and resilience. Too often, risk management is seen as a compliance exercise and not truly integrated with the organization’s strategy, decision-making, and objectives. A cavalier approach to risk-taking results in the inevitable failure of risk management, providing case studies for future generations on how poor risk management leads to the demise of organizations – even those with strong brands.
Gone are the years of simplicity in business operations. Exponential growth and change in risks, regulations, globalization, distributed operations, competitive velocity, technology, and business data encumber organizations of all sizes. Keeping these changes and their impact on business strategy, operations, and processes in sync is a significant challenge. Organizations must see the intricate relationships and impacts of risks on objectives and processes. They need full contextual awareness of risk and resilience.
The complexity of business—combined with the intricacy and interconnectedness of risk and business objectives—necessitates implementing a strategic and integrated approach to risk and resilience management. This includes a top-down enterprise view of risk aligned with objectives and a bottom-up operational understanding of risk within the organization’s processes and relationships.
Over the past few years, organizations have seen lots of disruption to objectives. It has been a risk and resilience rollercoaster. Some industries and organizations have failed, while others held firm and navigated risk events with agility. But there are lessons to be learned. These include:
- Interconnected risk. Organizations face an interconnected risk environment; risk and resilience cannot be managed in isolation. The organization needs to look across silos of risk management to see the complex relationships of risk to objectives.
- Dynamic and agile business. The organization needs to be agile in a changing risk environment. It must adapt objectives and seize opportunities while ensuring risk is managed within limits to those objectives. The organization needs to react quickly to stay in business. Organizations are constantly in flux as distributed business operations and relationships grow and change. At the same time, the organization is trying to remain competitive with fluctuating strategies, technologies, and processes while keeping pace with change to risk. The multiplicity of risk environments that organizations must monitor spans strategic, regulatory, geopolitical, market, credit, and operational risks. Managing risk and business change on numerous fronts buries the organization when managed in silos.
- Operational intelligence. Risk and resilience management, done correctly, requires a detailed and intimate understanding of how the business operates and how it breaks. Only with this intelligence can the organization manage uncertainty in the context of the business achieving its objectives. This has taught organizations that risk management requires a 360° view of objectives, risks, processes, and services within the organization and the extended enterprise.
- Disruption. International and local events easily disrupt business. Organizations have had to respond to disruptions, geopolitical risk, unrest, economic uncertainty, inflation, commodity availability, competitive shifts, changes in business models, shifting regulations, environmental disasters, cyber risk, and more. Organizations face a complex, chaotic, and even hostile risk environment while attempting to manage high volumes of structured and unstructured risk data across multiple systems, processes, and relationships to see the big picture of performance, risk, and resiliency. The velocity, variety, veracity, and volume of risk data are overwhelming, disrupting the organization and slowing it down at a time when it needs to be agile and fast.
- Dependency on others. No organization is an island; the modern organization is the extended enterprise. Even the smallest of organizations can have distributed operations complicated by a web of global relationships. The traditional brick-and-mortar business with physical buildings and conventional employees has been replaced with an interconnected mesh of relationships and interactions that now define the organization. Complexity grows as these interconnected relationships, processes, and systems nest themselves in intricacy. This requires the organization to manage and monitor risk and resilience in third-party relationships.
- Risk ownership and accountability. There is a growing awareness among executives and directors that risk management needs to be taken seriously. Overseeing risk management as an integrated part of business strategy and execution is part of their fiduciary obligations.
The Bottom Line: The goal is comprehensive, straightforward insight into risk and resilience management to identify, analyze, manage, and monitor risk in the context of the organization’s objectives and how it impacts strategy, performance, operations, processes, and services. It requires the ability to continuously monitor changing contexts and capture changes in the organization’s risk profile from internal and external events as they occur that can impact objectives. This enables risk agility to forecast and plan what is coming at the organization to prepare and navigate it. It also gives a detailed understanding of how the organization operates and how it breaks to ensure resilience when risk becomes a reality. Successful risk and resilience management requires the organization to provide an integrated strategy, process, information, and technology architecture.
This blog post is an excerpt from GRC 20/20’s latest research paper: Risk & Resilience Management by Design