Risk management shifts gear to resilience model

Consider the disruptions confronting businesses: a rapidly changing business landscape, digital and technology innovation, threats from non-traditional competitors, increasing cyber risks, rising customer expectations and demands for personalisation. Boards and senior management recognise that the goalposts, the players – and even the rules of the game – are changing. What has not changed is the need to reduce the probability and impact of disruptions while looking for ways to be responsive and resilient.

It is common for organizations to have developed policies and capabilities in the areas of risk management, business continuity and disaster recovery. While these mechanisms may have been effective in managing one-off or occasional interruptions, how will businesses navigate today’s environment where disruption is constant and transformative?

Shift from risk management to resilience

Many of the biggest changes in the current digital age have both upsides and downsides: opportunities that need to be embraced and dangers that need to be avoided. The capabilities needed to adapt in a complex, changing environment and the ability to bounce back after incidents is driving the need for resilience. This is a shift away from traditional risk management, which emphasized regulatory compliance and a more defensive posture, towards business enablement and building consumer trust.

Such a shift is driven by several factors. The business ecosystem is evolving such that businesses no longer work in silos; instead, they could be working with multiple partners in an ecosystem and possibly across different industries to innovate and deliver new products and services. Reliance among working partners will be heightened and this will amplify the complexity of managing partner risks in the ecosystem.

At the same time, customers expect continuous service delivery. Organisations need to ensure that they are constantly meeting and exceeding these expectations by being available in real time, as they evolve to meet changing requirements and shorter cycles with agility.

Further, there are increasing requirements from regulators on privacy, data protection and operational resilience against cyber threats. For example, in Singapore, businesses face an imminent challenge to discontinue the widespread practice of collecting, using or disclosing consumers’ NRIC information. With this new regulation, organizations are being challenged to innovate and rethink their data management policies and consumer loyalty and marketing programs.

What achieving resilience looks like

Ultimately, the goal of organizations must be to build and sustain trust in the organization, its stakeholders and customers. Knowing the organization’s risk appetite and adopting an integrated risk operating model such as “Trust by Design”, supported by automated processes, toolsets, machine learning and artificial intelligence will be vital.

This means integrating and aligning enterprise risk management and business continuity management within the organisation. Collectively, this can create greater awareness of the types of disruption and enable the organisation to proactively update their plans to handle varying scenarios, so as to mitigate the impact of incidents on revenue, brand, and customer trust. This will also provide opportunities to enhance and optimise the risk management and business continuity processes in place.

Transforming an enterprise risk management and business continuity framework to a business resilience framework that builds and sustains trust will require many components. Fundamentally, there must be strong risk management – both financially and operationally. There needs to be an unstinting focus on protecting assets, including customer data, which is commonly a target of cyberattacks. The organisation must also be able to comply with regulatory requirements as new rules are introduced – and do so in a cost-effective manner. Importantly, organizations need to shift from being solely concerned with ensuring continuity of business operations in the event of a disruption to being anticipatory of and more agile to a range of disruptive scenarios.

Beyond enterprise risk management and business continuity management, crisis management will also become an even more vital component.

In the July 2019 Business Continuity Institute report, Organizational Resilience: Perspectives from the Industry, crisis leadership and management was listed as the top priority in building the foundation of a resilient organization. However, having a crisis management program in place does not guarantee positive outcomes for every incident. It will depend on the users of the crisis management program but every crisis will provide a learning experience for the organisation to mature and become stronger and more adaptive.

The need to build trust and stay connected with customers at critical moments is reshaping the future of risk management and resiliency. Becoming a resilient organisation will require significant investments from management in terms of their time and organisational resources before practices can be properly institutionalised. After all, resilience is not a destination but a journey.

The author is John Ho Chi, Partner, Advisory Services, Ernst & Young Advisory

The views reflected in this article are the views of the author and do not necessarily reflect the views of the global EY organization or its member firms.