Here are some thoughts on how to mature a risk and resiliency management strategy from the recent GRC 20/20 research report, Risk & Resiliency Management Maturity Model: A New Paradigm on Risk, Resiliency & Continuity Integration
Dynamic, Disrupted & Distributed Business is Difficult to Control
The complexity of business, combined with the intricacy and interconnectedness of risk and objectives, necessitates that the organization implement a strategic approach to business and operational risk and resilience.
Gone are the years of simplicity in business operations. Exponential growth and change in risks, regulations, globalization, distributed operations, competitive velocity, technology, and business data encumber organizations of all sizes. Keeping changes to business strategy, operations, and processes in sync is a significant challenge for boards and executives, as well as for management professionals throughout all levels of the business. The interconnectedness of objectives, risks, resilience, and integrity requires 360° contextual awareness of risk and resiliency. Organizations need to see the intricate relationships and impacts of objectives, risks, processes, and controls. This requires holistic visibility and intelligence into risk and resiliency.
What Have We Learned from 2020 and 2021?
2020 and 2021 brought organizations a great deal of disruption to objectives, operations, processes, and employees. It has been a risk and resiliency rollercoaster. Some industries and organizations failed, while others held firm and navigated events with agility. There are lessons to be learned. These lessons showed us:
- Interconnected risk. Organizations face an interconnected risk environment, and risk and resilience cannot be managed in isolation. What started as a health and safety risk became a global pandemic and had downstream risk impacts on information security, bribery and corruption, fraud, business and operational resilience, human rights, and other risk areas.
- Objectives became dynamic. As the pandemic unfolded, it had a specific impact on business objectives. Adapting to the crisis, businesses had to modify their strategies, departments, processes, and project objectives in reaction to changes in risk exposure.
- Disruption. Business is easily disrupted by events ranging from international to local. Organizations had to respond to disruption from the pandemic, political protests and unrest, economic uncertainty, changes in business models and a work-from-home environment, human rights and discrimination protests, environmental disasters (particularly wildfires), and information security incidents (e.g., the SolarWinds software supply-chain compromise and the Colonial Pipeline ransomware attack).
- Dependency on others. No organization is an island. The past two years have shown us that disruption and the interconnectedness of risk and resilience affect not only traditional employees and brick-and-mortar business, but also the range of third-party relationships in the extended enterprise that the organization depends upon.
- Dynamic and agile business. Businesses had to react quickly to stay in business. This required agility: changing roles, reduced staff carrying more responsibilities, and a shift to work-from-home environments. All of this introduced new risks, as well as a demand for engaging employees and maintaining a strong corporate culture amid global uncertainty.
- Values were defined and tested. Organizations had to confront what their core values were and how they practiced those values, from treating employees and customers fairly during a crisis to how they addressed human rights.
The past two years have taught organizations that to be resilient requires a 360° view of objectives, risk, processes, and services within the organization and the extended enterprise.
The Risk Challenge to Boards, Executives, and Management
Organizations take risks all the time but fail to monitor and manage those risks effectively in an environment that demands agility. Too often risk management is seen as a compliance exercise and not truly integrated with the organization’s strategy, decision-making, and objectives. The result is the failure of risk management, providing case studies for future generations on how poor risk and resiliency management leads to the demise of organizations – even those with strong brands.
Keeping risk, complexity, and change in sync is a significant challenge for boards, executives, and management professionals throughout all levels of the organization. This challenge is even greater when risk management is buried in the depths of departments and approached from a compliance or audit angle, rather than as an integrated discipline of decision-making that has a symbiotic relationship with performance and strategy. It is further compounded when business continuity programs are completely disconnected and not part of risk management. Organizations need to understand how to monitor risk-taking, measure whether the risks being taken are the right risks, and review whether those risks are managed effectively to ensure the resilience of the organization.
Risk and resiliency management in the modern organization is challenging because the organization is:
- Distributed. Even the smallest of organizations can have distributed operations complicated by a web of global relationships. The traditional brick-and-mortar business with physical buildings and conventional employees has been replaced with an interconnected mesh of relationships and interactions that define the organization. Complexity grows as these interconnected relationships, processes, and systems nest within one another.
- Dynamic. Organizations are in a constant state of flux as distributed business operations and relationships grow and change. At the same time, the organization is trying to remain competitive with fluctuating strategies, technologies, and processes while keeping pace with changes in risk. The multiplicity of risk environments that organizations must monitor spans regulatory, geopolitical, market, credit, and operational risks. Managing risk and business change on numerous fronts buries the organization when managed in silos.
- Disrupted. Organizations are attempting to manage high volumes of structured and unstructured risk data across multiple systems, processes, and relationships to see the big picture of performance, risk, and resiliency. The velocity, variety, veracity, and volume of risk data are overwhelming – disrupting the organization and slowing it down at a time when it needs to be agile and fast.
- Accountable. There is a growing awareness among executives and directors that risk management needs to be taken seriously. It is part of their fiduciary obligations to oversee risk management as an integrated part of business strategy and execution.
Integrated Risk & Resilience is the Way Forward
The ecosystem of business objectives, uncertainty/risk, and integrity is complex, interconnected, and requires a holistic contextual awareness of the organization – rather than a dissociated collection of processes and departments. Change in one area has cascading effects that impact the entire ecosystem.
This interconnectedness of business is driving demand for 360° contextual awareness in the organization’s risk and resilience processes to reliably achieve objectives, address uncertainty, and act with integrity. Organizations need to see the intricate intersection of objectives, risks, and boundaries across the business.
Firms globally and across industries are focusing on integrating their risk management and resilience (historically business continuity/disaster recovery) programs. This is becoming a key regulatory requirement in some industries. Delivering this requires a holistic view of the objectives and processes of the organization in the context of uncertainty and risk, and of the symbiotic interaction between risk management and business continuity.
Business or Operational Resilience?
Business resilience is broader than operational resilience and includes it. Consider the following . . .
- Business resilience is focused on the overall resilience of the organization, which includes strategy, liquidity/cash, diversity/hedging, culture/integrity, and operational resilience.
- Operational resilience is a component of business resilience focused on business processes, services, people, systems, and relationships.
Operational resilience is not business continuity 2.0. It is much more than that. Operational resilience is an integrated effort that requires collaboration, processes, and information/technology shared between operational risk management, business continuity management, and even third-party risk management.
Providing 360° Integrated Awareness of Risk and Resilience
Organizations need complete 360° situational awareness and visibility into their processes, operations, objectives, and risks. What complicates this is the exponential effect of risk on the organization. The business operates in a world of chaos, and even a small event can cascade, develop, and grow into a significant issue. Dissociated, siloed approaches to risk and resilience management that do not span processes and systems can leave the organization with fragments of truth that fail to show the big picture across the enterprise, or how it impacts strategy and objectives. The organization needs visibility into objective and risk relationships across processes. The complexity and intricacy of business, as well as the interconnectedness of risk data, require that the organization implement an enterprise view of risk and resilience monitoring, automation, and enforcement.
Successful risk and resilience management requires the organization to provide an integrated strategy, process, information, and technology architecture. The goal is comprehensive, straightforward insight into risk and resilience management to identify, analyze, manage, and monitor risk in the context of operations, processes, and services. It requires the ability to continuously monitor changing contexts and to capture, as they occur, changes in the organization’s risk profile from internal and external events that can impact objectives. As a result, organizations are measuring their current state and planning toward a future state of increased risk and resilience maturity.
This is an excerpt from GRC 20/20’s latest Strategy Perspective research publication: Risk & Resiliency Management Maturity Model: A New Paradigm on Risk, Resiliency & Continuity Integration.
BTW . . . this is the topic of the next GRC Red Flag Series: Moving Beyond Risk Resiliency to Agility.