13 questions to ask when building a long-term resilience framework

Kin Ly
Oct 29, 2020

As Members complete their COVID-19 post-incident reviews, discussions have turned to how they can help their organisations build a resilience framework that can withstand the next global risk.


COVID-19 and its economic and geopolitical impact will remain top of your risk register for some time.

In fact, as many Members work through their COVID-19 post-incident review, conversation is turning to how they, as risk professionals, can create long-term resilience frameworks to minimise the impact of the economic and geopolitical ripple effects of the pandemic.

Of course, as a global corporate membership network, we brought Members together to collaboratively unpack the question: how do you create a long-term resilience framework – then execute it?

There isn’t a straightforward, catch-all answer or approach. But Members have been kicking the tyres, brainstorming and exchanging ideas in our private Member meetings to find the most relevant approach for their organisations.

4 pillars to resilience

Here’s one framework created by Anthony Reardon, former head of risk strategy and transformation at BHP, and founder of ERM International.

Resilience Model - ERM International

The model is made up of four phases – prepare, prevent, respond, and recover. Each phase has three layers of required components, as follows:

  1. The internal management systems represented in the inside layer
  2. The intelligence model and signpost monitoring represented in the middle layer
  3. The behavioural and cultural traits represented in the outside layer.

Each component is further explained below.

Strategy and appetite

Maintaining a corporate strategy that has inherent resilience and an appetite for risk allows freedom to adapt, innovate and grow, while simultaneously protecting the value of today.

The corporate strategy is resilient to changes and disruptions from the external landscape, for example being diversified by commodity and geography. In combination, the risk appetite is:

  • Appropriate to balance risk and reward
  • Uniformly supported by senior management
  • Well-communicated and applied to key decisions.

Prepare

This is defined by maintaining a robust understanding of the full risk landscape without major gaps or inaccuracies.

This is reviewed as internal or external context changes, and the horizon is constantly scanned for emerging risks.

Internal key risk indicators and external signposts are prioritised and monitored for knowledge of how risks are trending. A workforce with situational awareness is the nexus for organisations to be prepared and prevent unwanted outcomes.

Prevent

Maintaining proportionate control and governance for key vulnerabilities.

Contingencies are in place for risks beyond a company’s control, with an effective control environment adhered to for internal risks, supported by the three lines of defence model. 

Treatment efforts are proportionate to the potential consequences, likelihood, and speed of onset, and are aligned to the company’s risk appetite. Signposts provide intelligence for early mover advantage, while the workforce openly shares issues as they arise.

Respond

Integrated and scalable components for an effective response to any organisational resilience challenge.

Priorities, activities and responsibilities are in line with the company’s tactical, operational and strategic response objectives. Response components are enacted, with control and coordination for any category of risk.

Signposts provide intelligence to inform response activities, while the workforce remains nimble to respond to events as they unfold.

Recover

Insurance programmes respond to all key events. Actual and potential (including near-miss) events are investigated. The workforce persists and lessons are learned, with the view of ‘bouncing forward’ to a higher state of resilience in steady-state operations.

Maturity assessments

Underpinning the model is a maturity assessment that organisations can use to assess where they currently are and get a prioritised improvement roadmap to resilience.

Reardon says: “Becoming a resilient organisation requires an integrated approach where all the components work in harmony, not isolation.

“This model does not represent a new framework or the need for new processes. Rather, it allows organisations to understand the components that should already be in place and test the robustness of these components individually and collectively.”

Further detail of this approach (in the form of a video recording) is held in our Intelligence platform – our searchable database of risk management case studies, tools and templates (and Members can access it via the Member Portal).

13 questions to ask

The meeting also sparked an insightful debate about the extent to which risk management frameworks – or existing resilience approaches – can effectively respond to the consequence of COVID-19.

There were more questions than answers during the discussion. But they were important questions that the risk management community must tackle – together – to come to an effective long-term resilience approach that can withstand a global risk. See below:

1. How will the repercussions of COVID-19 be further compounded by:

  • Trumpism and the significant increase in polarisation?
  • The growing divide between the rich and the poor, and the consequences this is already having on civil unrest?
  • Pending climate change and the need for macro structural change?
  • Automation and technology impacting jobs?

2. Does this mean we are now officially in a world of increasing disruption compared to anything we have previously experienced in our generation?

3. What impact could this have on your organisation?

4. Is your current risk and resilience approach ready for this, or does it need to change?

5. How can you make this change?

6. Is this already part of your strategic roadmap, or do you think it should be?

7. There is a lot of conversation about being able to return to business as usual, and to keep our people safe and healthy. But should there be more conversation about how we adapt to these macro strategic issues and plan to 'bounce forward' rather than 'bounce back'?

8. Who owns ‘resilience’ and is responsible for creating a resilience framework: does it sit with risk or another department? Who should develop the framework and who should execute it?

9. Does a new role (for example, a chief resilience officer) need to be created to drive forward resilience and maturity? And what type of discipline/professional should be recruited into this role?

10. If you were to create a ‘resilience team’ what type of personnel would be recruited into this team?

11. Do existing approaches to resilience need revisiting based on the lessons learned from COVID-19?

12. How in practice do we grease the wheels between risk, crisis, HSE and BCM to get resilience to work? Most firms have the components in place already, but how do you get them pulling in the same direction?

13. How do you capture opportunity in your resilience framework?

In fact, these very questions will form the agenda for a regular forum on resilience that we will be hosting. To qualify for the forum, you’ll need to be a practising risk manager and a Member of Risk Leadership Network.

