Organisational resilience: evolution and application 

Through extensive research over a period of 12 months, Control Risks has sought to shine a light on resilience and its evolution into a modern corporate practice. With our understanding of the core resilience values and tools prioritised by different organisations, Control Risks assists clients in benchmarking their own progress against a theoretical and practical understanding of resilience.

The evolution of organisational resilience – theory and practice 

Understanding the context from which organisational resilience originates assists us in understanding why it has become one of the most critical concepts in business today. The idea that organisations should be required to adhere to a framework of control, which would protect stakeholders from failure and financial malfeasance or loss, arguably grew from just that – financial scandals, irresponsibility and inadequate or incompetent financial reporting. Historically, the term risk management was used to describe an approach that was applied only to hazard risks. These hazard risks were insurable risks and risk management practices were meant only to ensure the continuation of normal efficient operations. Through the 1950s and into the 1990s, risk control activities broadened from an insurance-based response to one that encompassed ‘non-insurable’ risks and with it the tools and techniques of risk management.  

As a result, by the 1990s, many financial institutions had broadened their risk management initiatives to include structured consideration of operational risks, and the role of ‘Chief Risk Officer’ was first developed. Internal control frameworks were created to manage the reliability of financial reporting and the compliance with laws and regulations, and to give timely feedback on the achievement of operational and strategic goals. ‘Control activities’ included policies and procedures, security, business continuity planning and application change management. 

Concurrently, the concept of risk management as an integrated and holistic enterprise-wide concern, termed enterprise risk management (ERM), was gaining traction, in part due to the increasing connectivity and complexity both within and around an organisation. The fundamental idea behind the ERM approach is to move away from the practice of risk management as the separate management of individual risks. ERM is also concerned with the management of opportunities, as well as the management of control and hazard risks. 

In parallel with a more integrated and disciplined approach to managing risk, the concept of organisational resilience gained traction in academic and practitioner fields. The notion was born that through a better understanding of their operating environments, risks and opportunities, by preparing for potentially disruptive events and responding effectively, as well as by adapting to new operating conditions, organisations would continue to grow and prosper. 

Corporate security has traditionally adopted the guardianship of ‘organisational resilience’. Or rather, before the inception of ‘organisational resilience’, the function that most closely resembled what ‘organisational resilience’ has since hoped to achieve was the corporate security department – safeguarding an organisation from loss and allowing it to keep functioning.  

The concept of organisational resilience today, however, has moved on from this position. As CEOs and boards have re-appropriated risk, the concept of organisational resilience for many business leaders has reached beyond the corporate security and risk management functions. Organisational resilience has become central to corporate strategy across all units of the business. It is a continuously evolving state that allows an organisation to flourish in an evolving environment. It is a strategic initiative and should be adopted across the entire organisation to ensure its success. It cannot succeed in isolation, within one business unit or activity, because it relates to how each of these interacts with each other and the environment to contribute to the organisation’s objectives.

Tailored resilience: organisational resilience in practice

Our research aimed to assess whether organisations’ understanding of resilience has changed or developed over the last five to ten years (since the publication of the 2007 Demos paper The Business of Resilience: Corporate Security for the 21st Century), and if so, how. We wanted to uncover to what extent organisations’ practical implementation of resilience has developed, and whether or not it aligns with the theoretical and academic understanding of organisational resilience.

Key findings from our interviews:

• 60% of participants approach resilience as a risk management function. It is seen as a compliance activity, but one very much on the agenda of the board. 
• All organisations have seen a change in their risk profile over the last 5-10 years as a result of global geopolitical and environmental disruption. Events that may have previously been seen as ‘distant noise’ are now ‘closer to home’, having a direct influence on investment decisions or an impact on the supply chain and distribution networks. 
• 60% considered their organisations to have effective mechanisms to identify, understand and respond to current and future risks. The same 60% had a defined corporate strategy which included organisational resilience, though for many, this was focused on the principles of enterprise risk management rather than being specifically termed as resilience.
• A central and strategic planning of resources needs to support individual business units. Many participants also acknowledged that capacity and capability must exist at an operational level to manage risk, and to respond to and recover from incidents and events.
• Senior management needs to encourage resilience practices. Business units and departments should be empowered to manage events locally, allowing agile decision-making and response. 
• Encouraging the correct attitudes and behaviours through the communication of values and standards is important, not only to resilience as a function and set of activities but to the success of an organisation in general. 
• Monitoring, review and assurance was formally conducted by 90% of participants. Whilst in most cases this did not address resilience as a specific business function, many of the attributes of resilience fall into monitoring, review and assurance processes including the management of risk, accidents, injuries and near-miss reporting, the review of policies, procedures and protocols to ensure compliance with the corporate strategy.
• Learning and review processes are conducted by the audit and compliance function as action points to be addressed in the period prior to the next scheduled audit or review. 
  
  

4 principles of resilience that need to be implemented

All the foundations of resilience are considered and implemented at varying levels of maturity across organisations that consider themselves resilient. Key to this is starting with a good strategy and strong leadership to direct, guide, advise and support the organisation in the development of the risk architecture. This is required to identify risks, understand how those risks will impact and disrupt current or planned business activities and functions, how those risks are recorded and communicated, what resourcing needs to be made available, and what planning is required to reduce the likelihood, impact or period of disruption. 

From our own work with clients and our research, we have identified four key principles of resilience that lead to success:

1) Build capacity and capability at all levels 
Academic theory as well as ‘resilience’ practitioners widely acknowledge that business leaders should be mindful to build capability and capacity at all levels of the organisation. Encouraging and supporting business units and department heads and their teams is essential as it will often be those individuals who will be able to identify risks at an operational level, which at first may seem insignificant, but which could, if not recorded and communicated effectively, become a business-critical issue. 

2) Go beyond traditional physical security management towards an enterprise-wide risk and resilience function
Risks to organisations are no longer just physical, and in an increasingly connected world organisations need to be proactive and forward-looking. This requires a more comprehensive understanding of the internal and external environment that the organisation and its supply chain are operating in.

3) Risk-based resilience planning is essential
Just recording risk information is not enough. A plan must be in place to manage risks on a day-to-day basis as part of business-as-usual. This can be managed through policies and procedures, and reinforced through organisational standards and values programmes, training and an increased awareness. 

4) Communicate activities and responses to risk events and incidents 
Communication through emergency/crisis management and business continuity planning is critical. Plans need to be tested, reviewed and updated – this will allow the organisation to ‘stress test’ its resilience in a controlled and manageable environment. Part of this process (and the post-incident review of a response to a ‘real time’ event) should be the learning and review process to capture lessons learned and develop action plans to implement any recommendations made. It should not just be the audit and compliance function that identified the lessons learned and actions that need to be taken. Innovative ideas from across the organisation should be surfaced – this should be seen as part of building the adaptive capacity and strengthening the resilience of an organisation.

Authors

• Mark Whyte, Senior Partner
• Andy Cox, Partner
• Danny Spender, Associate Director 
• Rachel Love, Associate Consultant