The Tunnel of Eupalinos: a Blueprint for Connecting Strategic and Operational Risk & Resilience
Risk management, when done effectively, is both an art and a science, requiring a careful balance of top-down strategic insight in the context of the organization’s objectives and bottom-up operational risk, control, and resilience. To understand this delicate alignment, let’s take inspiration from an ancient engineering marvel: the Tunnel of Eupalinos on the Greek island of Samos.
The Tunnel of Eupalinos: An Architectural Feat
The Tunnel of Eupalinos, constructed in the 6th century BCE, was designed to supply fresh water to the city of Samos. What makes this tunnel remarkable is that it was excavated from two opposite ends of Mount Kastro, eventually meeting in the middle with stunning precision. It’s an ancient testament to the power of coordination, foresight, and understanding the bigger picture while working through the minute details.
In the same way that two teams of engineers worked from opposite ends of the mountain, risk management requires a meeting of two critical perspectives:
- The Top-Down Strategic View. This is the broader vision, where leaders define the organization’s objectives and set the stage for growth, innovation, and navigating a chaotic business world. In risk terms, this is where you need to align your risk management framework with the organization’s strategic goals and objectives. ISO 31000 defines risk as the “effect of uncertainty on objectives,” making it clear that risk is inseparable from business objectives. These objectives can be financial, operational, or even ethical (ESG) objectives. Objectives start at the entity level and filter down into division, department, process, project, asset, and even third-party relationship objectives. They go across business departments and functions from sales, marketing, IT, finance/accounting, and more. Risk is the uncertainty in achieving these objectives.
- The Bottom-Up Operational View. Down in the depths of the organization, there is the daily grind of mitigating and managing specific risks—cybersecurity threats, operational disruptions, supply chain vulnerabilities, and more. This is where resilience is built, controls are implemented, and where tactical responses to emerging threats are honed. The operational view of risk down in the weeds is critical as this is where some small thing goes wrong and can bring down the organization.
Much like the Tunnel of Eupalinos, these two approaches to risk management must converge for true risk management success. Focusing on only the strategic top-down view can lead to what the military calls a CLUSTER F***. Focusing only on the operational down-in-the-weeds view misses what risk management is about, and that is enabling the business to achieve its objectives amid uncertainty. Here’s how these two perspectives need to work together to navigate the chaotic and unpredictable world of modern business.
The Top-Down Strategic View of Risk: Charting the Course
In any organization, leadership needs to have a clear, top-down understanding of risk. This is not simply about identifying what could go wrong—it’s about understanding the broad landscape of risk in the context of organizational objectives. The leaders of the ancient city of Samos knew they needed a water supply to ensure the city’s survival and growth. Their strategic view informed the need for the tunnel.
Today’s business leaders need to ask similar strategic questions:
- What are our business objectives from the top down into the functions and processes of the organization? Whether it’s growing market share, launching a new product, or entering a new geographical market, these objectives will shape the risk landscape.
- How does uncertainty affect these objectives? This is where the ISO 31000 definition of risk becomes crucial. Uncertainty, whether economic, operational, technological, geo-political, regulatory/legal, or environmental, can affect the organization’s ability to meet its goals.
- How do we allocate resources to manage these risks? Just like the city of Samos invested resources in building the tunnel, organizations must allocate the right talent, technology, and capital toward mitigating strategic risks.
At this level, risk management is not about individual incidents or isolated risks. It’s about understanding how uncertainty in the external and internal environment affects your ability to achieve strategic objectives and steer the organization accordingly. This top-down view provides clarity on where the organization is headed, but it is incomplete without understanding what happens at the ground level—down in the “tunnel” of daily operations.
The Bottom-Up Operational View: Navigating the Depths of Risk
While the top-down view provides the strategic direction, the bottom-up operational view ensures that the day-to-day management of risks is aligned with broader objectives. The workers digging the tunnel had a much different view of the project than the city leaders who envisioned it. But their work was just as critical to its success.
This is where operational risk and resilience comes into play. In today’s business environment, risks are increasingly complex and interconnected. Whether it’s a cyberattack, a natural disaster, or a supply chain disruption, organizations face risks that require resilience at every level of operations.
Some questions to consider from the bottom-up perspective:
- How are risks manifesting at the operational level? These risks often appear in the form of cybersecurity vulnerabilities, supplier disruption, equipment failures, or human error. Understanding these risks in detail is key to building resilience.
- How does resilience at the operational level support strategic objectives? It’s not enough to simply mitigate risks as they arise; you need to ensure that operational responses are aligned with the broader organizational goals. For example, if the strategic objective is to expand into new markets, how do you ensure that your operational resilience supports this expansion?
- How do we ensure constant communication between operational risk managers and strategic decision-makers? Just as the two ends of the tunnel had to stay coordinated, the operational teams must maintain clear lines of communication with leadership to ensure that their efforts are contributing to overall success.
Operational risk management is about building resilience, and ensuring that the organization can continue to function effectively even when faced with disruptions. This is the nitty-gritty work that happens in the trenches, where risks are identified, assessed, and managed in real time.
The Convergence: Bringing Strategy and Operations Together
The true magic of risk management happens when these two perspectives—strategic and operational—meet in the middle. Just as the two teams digging the Tunnel of Eupalinos had to meet with precision, the top-down and bottom-up views of risk management must align seamlessly.
Why Both Perspectives Are Necessary:
- Strategic Risk Management without Operational Insight is Blind. If leadership only focuses on the big picture, they miss the crucial details that could derail their strategy. Without understanding the specific risks at the operational level, they are essentially flying blind. This leads to a CLUSTER F***.
- Operational Risk Management & Control without Strategic Alignment is Rudderless. On the flip side, operational risk managers can get bogged down in the details without understanding how their efforts support broader organizational objectives. Without the top-down view, they lack direction and purpose.
How to Bring Them Together:
- Strategy, Collaboration, and Communication is Key. Leadership must foster an environment where communication flows freely between strategic and operational teams. Risk management is not a siloed activity—every level of the organization must be engaged.
- Use a Common Framework. ISO 31000 provides an ideal framework for this convergence, emphasizing that risk management should be integrated into all processes of the organization, aligned with the overall strategy.
- Build a Culture of Risk Awareness. When everyone from the C-suite to front-line employees understands their role in managing risk, the organization becomes more resilient. It’s not just about following a risk checklist but about cultivating a mindset that recognizes and responds to risks dynamically in the context of the organization’s strategy, objectives, and operations.
- Risk Technology Architecture Enablement. Unfortunately, there are very few GRC solutions on the market that can enable the entire picture from strategic to operational. The majority of solutions are solely focused in the weeds of operational risks and completely miss the top-down strategic view. Feel free to inquire with GRC 20/20 in our coverage of the GRC market to know which solutions are best fit for bringing this broad picture together. But at the end of the day, it requires an architecture as one solution does not do everything, and certainly not everything very well.
Building the Future Tunnel of Resilience
The Tunnel of Eupalinos stands as a reminder that even the most ambitious projects require a balance of vision and detailed execution. In the same way, effective risk management in today’s chaotic business environment requires both a strategic view from the top and operational resilience at the bottom. These two perspectives must meet, support each other, and work in harmony to guide organizations through uncertainty.
In the end, it’s not just about avoiding risks; it’s about understanding how uncertainty affects your objectives and how to navigate through them with precision and purpose. Just like the tunnel builders of ancient Samos, risk managers must balance the broad view with the fine details, ensuring that their efforts lead to a successful and resilient future.