2023 GRC Trends: Resilience
In the previous post, 2023 Governance, Risk Management & Compliance, we reviewed the top five 2023 GRC trends. Then we dove deep into the first trend, the need for GRC agility. We now turn to the second of the five trends, resilience . . .
Dynamic, Disrupted & Distributed Business is Difficult to Control
The complexity of business – combined with the intricacy and interconnectedness of risk and objectives – necessitates that the organization implement a strategic approach to business and operational resilience.
Gone are the years of simplicity in business operations. Exponential growth and change in risks, regulations, globalization, distributed operations, competitive velocity, technology, and business data encumber organizations of all sizes. Keeping changes to business strategy, operations, and processes in sync is a significant challenge for boards and executives, as well as for management professionals throughout all levels of the business. The interconnectedness of objectives, risks, resilience, and integrity requires 360° contextual awareness of risk and resilience. Organizations must see the intricate relationships and impacts of objectives, risks, processes, and controls. This requires holistic visibility and intelligence into risk and resilience.
There is a lot of focus on resilience right now. Resilience is the capacity to recover quickly from difficulties/events; the ability of a business to spring back into shape after an event. This is very critical, and I see a lot of organizations moving to bring together operational risk management and business continuity management into what is now defined as an operational risk and resilience program. Business continuity management as a separate function in the organization is a thing of the past. Over the next two to three years we will see a mass migration to an integrated operational risk and resilience program.
The Resilience Challenge to Boards, Executives, and Management
Keeping resilience, complexity, and change in sync is a significant challenge for boards, executives, and management professionals throughout the organization. This challenge is even greater when resilience management is buried in the depths of departments and approached from a compliance or continuity angle rather than as an integrated discipline of decision-making that has a symbiotic relationship with performance and strategy. This is further compounded when business continuity programs are completely disconnected from, and not part of, risk management.
Resilience in the modern organization is challenging because the organization is:
- Distributed. Even the smallest of organizations can have distributed operations complicated by a web of global relationships. The traditional brick-and-mortar business with physical buildings and conventional employees has been replaced with an interconnected mesh of relationships and interactions which define the organization. Complexity grows as these interconnected relationships, processes, and systems nest within one another in ever greater intricacy.
- Dynamic. Organizations are in a constant state of flux as distributed business operations and relationships grow and change. At the same time, the organization is trying to remain competitive with fluctuating strategies, technologies, and processes while keeping pace with changing risk. The multiplicity of risk environments that organizations must monitor spans regulatory, geopolitical, market, credit, and operational risks. Managing risk and business change on numerous fronts buries the organization when it is managed in silos.
- Disrupted. Organizations are attempting to manage high volumes of structured and unstructured risk data across multiple systems, processes, and relationships to see the big picture of performance, risk, and resilience. The velocity, variety, veracity, and volume of risk data are overwhelming – disrupting the organization and slowing it down at a time when it needs to be agile and fast.
- Accountable. There is a growing awareness among executives and directors that risk management needs to be taken seriously. It is part of their fiduciary obligations to oversee risk management as an integrated part of business strategy and execution.
The ecosystem of business objectives, uncertainty/risk, and integrity is complex and interconnected, and it requires a holistic contextual awareness of the organization – rather than a dissociated collection of processes and departments. Change in one area has cascading effects that impact the entire ecosystem.
This interconnectedness of business drives demand for 360° contextual awareness in the organization’s resilience processes to reliably achieve objectives, address uncertainty, and act with integrity. Organizations must see the intricate intersection of objectives, risks, and boundaries across the business.
Firms globally and across industries are focusing on integrating their resilience (historically business continuity/disaster recovery) programs into enterprise and operational risk management, and into broader GRC. This is becoming a key regulatory requirement in some industries. Delivering this requires a holistic view into the objectives and processes of the organization in the context of uncertainty and risk, and the symbiotic interaction of risk management and business continuity.
Business or Operational Resilience?
Business resilience is broader than operational resilience and includes it. Consider the following . . .
- Business resilience is focused on the overall resilience of the organization, which includes strategy, liquidity/cash, diversity/hedging, culture/integrity, and operational resilience.
- Operational resilience is a component of business resilience focused on business processes, services, people, systems, and relationships.
Operational resilience is not business continuity 2.0. It is much more than that. Operational resilience is an integrated effort that requires collaboration, processes, and information/technology shared between operational risk management, business continuity management, and even third-party risk management.
Providing 360° Integrated Awareness of Risk and Resilience
Organizations need complete 360° situational awareness and visibility into their processes, operations, objectives, and risks. What complicates this is the exponential effect of risk on the organization. Business operates in a world of chaos, and even a small event can cascade, develop, and grow into what ends up being a significant issue. Dissociated, siloed approaches to risk and resilience management that do not span processes and systems can leave the organization with fragments of truth that miss the big picture across the enterprise, as well as how it impacts its strategy and objectives. The organization needs visibility into objective and risk relationships across processes. The complexity and intricacy of business, as well as the interconnectedness of risk data, require that the organization implement an enterprise view of risk and resilience monitoring, automation, and enforcement.
Successful resilience requires the organization to provide an integrated strategy, process, information, and technology architecture. The goal is comprehensive, straightforward insight into resilience to identify, analyze, manage, and monitor risk in the context of operations, processes, and services. It requires the ability to continuously monitor changing contexts and to capture, as they occur, changes in the organization’s risk profile from internal and external events that can impact objectives. As a result, organizations are measuring their current state and planning toward a future state of increased resilience maturity in the organization.