We will explore the concept of organizational resilience and its role in helping organizations cope with future shocks, disruptions, and significant incidents. We will also look at the importance of organizational agility and how resilience can be tested to provide stakeholders with confidence. As organisations recover from the effects of the COVID-19 pandemic, much as many rebounded after the 2008/9 financial crisis, the idea of resilience has gained significant attention. Since resilience is a relatively new and evolving concept, it is useful to begin by understanding its meaning. ISO 22316 (2017), Security and resilience: organizational resilience, principles and attributes, defines organisational resilience as the ability of an organisation to absorb and adapt in a changing environment. The IRM Innovation Special Interest Group (2021), in its publication Organisational resilience: a risk manager’s guide, highlights two key aspects of resilience: operational resilience and strategic resilience. Operational resilience refers to an organisation’s capacity to continue delivering critical operations during periods of disruption. Strategic resilience, by contrast, involves adapting organisational strategy in response to environmental change, often providing a competitive advantage. This unit primarily treats organisational resilience as a framework for navigating an increasingly volatile, uncertain, complex, and ambiguous (VUCA) world. It is also essential to differentiate organisational resilience from business continuity planning (BCP). BCP is event-driven, focusing on preparedness for and recovery from crises that disrupt essential operations; organisational resilience has a broader scope, addressing both operational and strategic challenges.

According to ISO 22316 (2017), resilience equips organisations with the ability to anticipate and respond effectively to both threats and opportunities, whether these arise from sudden disruptions or gradual shifts within their internal or external environment. The standard emphasises that building resilience should be viewed as a key strategic objective for any organisation. It outlines essential principles that serve as the foundation for designing, implementing, and evaluating a framework and strategy aimed at strengthening organisational resilience. These principles include:
- Resilience is strengthened when organizational behavior aligns with a common vision and shared purpose.
- It depends on maintaining an up-to-date understanding of the organization’s internal and external environment.
- It requires the capacity to absorb shocks, adapt, and respond effectively to changes.
- It is supported by strong governance and sound management practices.
- Diversity in skills, leadership, knowledge, and experience contributes positively to resilience.
- Collaboration and coordination across different management functions, along with input from technical and scientific experts, enhance resilience.
- Effective risk management is a critical factor in sustaining resilience.
Evolution of organizational resilience
In the organizational context, resilience first emerged as an Information Technology (IT) concern in the 1990s, with a focus on IT disaster recovery. It expanded into business continuity practice in the mid-2000s, leading to the establishment of the International Consortium for Organizational Resilience in 2006, and has more recently broadened into an organization-wide approach. This contemporary view integrates multiple disciplines and engages a range of stakeholders to strengthen both protective and responsive capabilities. Several standards have since been developed to guide organizational resilience, including:
- BS 65000 (2014) by the British Standards Institution (BSI), providing guidance on organizational resilience.
- ISO 22316 (2017) by the International Organization for Standardization (ISO), which sets out principles and attributes of organizational resilience.
In the financial services sector, regulators have placed greater emphasis on resilience, particularly in managing operational risks. Institutions are now required to maintain a risk capital buffer to address potential operational failures. Looking ahead, organizational resilience is expected to continue evolving, especially in light of the growing number of significant global risk events.
9.1 Building organizational resilience capability
The concept of resilience and how it connects to enterprise risk management (ERM), as outlined in the previous chapter, is not yet fully defined and continues to evolve. Measuring and managing resilience presents its own set of difficulties, primarily because its meaning remains unclear and also because it is a complicated idea, emerging from the behavior of dynamic systems. With this in view, the goal of this section is to present the best practices observed during this project to encourage discussion and improvement among risk professionals. To start, it’s crucial to understand that resilience, much like ERM, seeks to dismantle organizational silos, acknowledging that achieving future goals and strategic objectives demands effort across all areas due to their unpredictable and complex nature. This mindset should push risk experts to approach resilience capabilities in a comprehensive way, relying on an adaptable and cooperative workforce and processes. Now more than ever, it’s evident that companies must view their employees as their most valuable resource. For example, during the Covid-19 pandemic, employees had to be quick to adjust and dedicated to their work despite challenging conditions. Senior leaders had to act decisively, finding innovative solutions to sustain operations while keeping their teams motivated. Governments showed empathy by supporting the most affected through initiatives like furlough programs. Suppliers and customers depended on each other to find a new balance. In short, various stakeholders had to collaborate and foster a supportive environment to keep the economy moving forward. Recognizing this broader ecosystem in which businesses operate is vital for understanding its parts and making necessary changes. Beyond that, companies had to rapidly reassess their core values and priorities. Sadly, in many instances, profit became the sole focus. 
Yet, there were also inspiring examples where people united for a common cause—a special acknowledgment goes to the NHS and frontline workers worldwide who risked their lives and time with loved ones for the benefit of everyone.
These points collectively form the strategic components of resilience frameworks, characterized by their complexity, fluidity, ambiguity, and unpredictability. As a result, uncertainty is a natural feature of these processes. Questions like: Will people respond as anticipated? How might minor actions affect long-term risks or possibilities? Can positive progress be maintained, and if so, for how long? How do we strike a balance between immediate needs and future goals without undermining the latter? These uncertainties have lingered in the minds of executives and risk managers before, during, and after the pandemic. How can we ensure our organizations are genuinely resilient? While simulations can help us prepare for disasters, real reactions to unexpected or catastrophic events may differ significantly. This highlights the value of training, yet it’s the firsthand experience in the midst of a crisis that truly reveals human behavior, as all preconceptions fade when reality hits. We anticipate crises as defining moments, hoping our responses don’t worsen the situation. Still, those who are well-prepared and trained are more likely to excel compared to those less ready, though we must always watch for discrepancies between expected and actual outcomes. To address these discrepancies, benchmarks for assessing variations should be established in advance. In the thick of a crisis, critical choices take priority, and it may be too late to implement effective systems and metrics to manage the escalating ripple effects of interconnected disruptions across multiple areas.
To begin, organizations should take stock of the data they already possess to avoid redundant efforts that could lead to inconsistencies across departments or levels. Quality data is unified data, capable of validating or challenging other sources. This allows us to uncover hidden links, identify what is working or not, and steer the system back toward the intended alignment. Fortunately, much of this information is already housed in ERP and CRM systems. That said, there is a clear need to merge internal data with external sources and to tackle the abundance of unstructured data still present in our systems. Our core advice in this guide is straightforward: start with what you have, then seek out what is missing. As illustrated in the figure below, organizational resilience at an operational level emerges from the overlap of various protective disciplines. Yet silos often persist between areas such as business continuity, crisis management, and conventional risk management. This lack of coordination and integration can result in a fragmented perspective on organizational performance and resilience strengths. Consequently, blending these and other protective disciplines is essential for organizations striving to embed resilience:

The figure illustrates that organizational resilience arises from dismantling silos between preventive disciplines, embodying proactive, comprehensive, integrated, and advanced ERM practices. However, in reality, the way these disciplines intersect varies depending on each organization’s structure, capabilities, and risk tolerance. Thus, we should view these areas as fluid management and control mechanisms that can blend and overlap to address disruptions and shifts impacting a company’s operations and strategy. Treating organizational resilience as a quality that emerges from intricate management and control systems, risk management should embrace a flexible, all-encompassing, integrated, and value-focused approach to foster resilience, consistent with the ERM framework’s vision. Mature ERM programs need to move past simply spotting, analyzing, and judging risks or opportunities. They should also bolster the value of resilience across different levels and departments, drawing lessons from both triumphs and setbacks, whether triggered by external factors or internal dynamics. To achieve this, we must recognize that resilience is always a comparative measure, requiring us to define the desired level and the context it applies to. Everything has a threshold of resilience (or fragility), relative only to other entities or conditions. Traditionally, the focus has been on “structural resilience,” which seeks to preserve competitive standing by minimizing or neutralizing risks, often through tools like insurance. Yet, in today’s volatile, uncertain, complex, and ambiguous (VUCA) landscape—marked by a rise in emerging risks—organizations must also prioritize absorbing, responding, adapting, and recovering from crises. While business continuity management (BCM) and disaster recovery plans address “robust resilience” after the fact, they alone are neither sufficient nor efficient. 
As a result, organizations should pursue “dynamic resilience” through an ongoing adaptive process, growing stronger from challenges and adopting smarter, more adaptable business models and processes to continually refine their practices. Rather than attempting to anticipate every possible future scenario—an impossible task given the presence of unknown unknowns—the focus should shift to mitigating permanent losses. Leveraging existing ERP systems along with their KPIs and KRIs, companies can assess their resilience capabilities across various organizational dimensions, such as those outlined below:
| Organisational Elements | Structural Resilience | Robust Resilience | Dynamic Resilience |
|---|---|---|---|
| 1. Geography | Geopolitical stability | Diversified portfolio | Expansion into other countries |
| 2. Market | Focus on existing competitors | Awareness of new entrants | Expansion through new partnerships (M&A) |
| 3. Product | Maintain brand position | Range of product offerings | Innovations and disruptions |
| 4. Customers | Threat of substitutes | Diverse client base | New demands and segments |
| 5. Talent/People | Retention of talent pool | Dependency on talent (range) | Interdependencies of talent retention & staff satisfaction |
| 6. Delivery | Strategic location | Point failures (BCM & DR) | Ability to scale up & down |
| 7. Supplier | Supplier power | Contingency plans | Vertical integration |
| 8. Finance | Gearing ratios | Funding availability and variability | New sources of finance |
| 9. IT/Cyber | Reliance on data and on cyber products and services | Cyber vulnerability evaluation | Leveraging data & technology |
The table is neither exhaustive nor prescriptive: each organization will develop its own metrics and categories based on its specific resilience goals. Nevertheless, it serves as a practical illustration of benchmarks that can be used to assess facets of organizational resilience and gauge a company’s current standing. Not every company will strive for the highest level of resilience, nor is that necessary, but evaluations should allow Boards to determine whether existing practices fall within an acceptable range aligned with the company’s risk tolerance. Resilience capabilities will therefore fluctuate across these focus areas as actual performance is measured against anticipated outcomes or standards.

While the table shows how existing KPIs and KRIs from ERP systems can help evaluate aspects of organizational resilience, sustaining resilience requires more advanced, real-time risk management tools. The SoluxR model is one example of this approach, offering tailored, timely, scalable, and automated visual tools that allow risk managers to track emerging risks as they unfold and to explore root causes and connections through graphical depictions of threats and opportunities. Such RiskTech solutions aim to deliver cost-effective, dependable, and dynamic risk assessments across regions and organizational silos, integrating into weekly performance tracking. They provide evidence-based visual insights, highlight trends, and support scenario planning and testing that digs into the underlying data. They also reduce the cost of travel, labor-intensive analysis, meetings, and presentation preparation by consolidating data onto a single platform with real-time reporting and decision support accessible from mobile devices, while preserving data integrity, governance, transparency, and auditability.
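As an added illustration, not part of the original guide and not the SoluxR model or any vendor's code, the following Python snippet shows how KPIs/KRIs drawn from the table's dimensions can be checked against a pre-agreed target and a Board-approved tolerance limit. Each metric gets a green/amber/red status, each organisational element takes the worst status of its metrics, and any metric outside tolerance is listed for escalation, which is the reactive threshold that should trigger business continuity or crisis management. The metric names, values, targets and tolerances are constructed for the example; they are not figures from the guide.

```python
from dataclasses import dataclass
from typing import Literal

Direction = Literal["lower_is_better", "higher_is_better"]


@dataclass(frozen=True)
class KRI:
    """One key risk indicator, as it might be pulled from an ERP/ITSM report."""
    element: str        # organisational element from the table, e.g. "IT/Cyber"
    capability: str     # which column it evidences: structural / robust / dynamic
    name: str
    value: float        # latest observed value
    target: float       # anticipated outcome agreed with the Board
    tolerance: float    # outer edge of the acceptable range (risk tolerance)
    direction: Direction

    def __post_init__(self) -> None:
        # The tolerance limit must lie on the "worse" side of the target,
        # otherwise the acceptable range is empty and every reading is red.
        if self.direction == "lower_is_better" and self.tolerance < self.target:
            raise ValueError(f"{self.name}: tolerance must be >= target when lower is better")
        if self.direction == "higher_is_better" and self.tolerance > self.target:
            raise ValueError(f"{self.name}: tolerance must be <= target when higher is better")


def assess(kri: KRI) -> str:
    """green: at or better than target; amber: worse than target but within
    tolerance (monitor); red: outside tolerance, reactive threshold crossed."""
    if kri.direction == "lower_is_better":
        meets_target = kri.value <= kri.target
        within_tolerance = kri.value <= kri.tolerance
    else:
        meets_target = kri.value >= kri.target
        within_tolerance = kri.value >= kri.tolerance
    if meets_target:
        return "green"
    return "amber" if within_tolerance else "red"


RANK = {"green": 0, "amber": 1, "red": 2}


def summarise(kris: list[KRI]) -> dict:
    """Board view: worst status per organisational element plus the breaches to escalate."""
    status_by_element: dict[str, str] = {}
    escalate: list[str] = []
    for kri in kris:
        status = assess(kri)
        worst_so_far = status_by_element.get(kri.element, "green")
        status_by_element[kri.element] = max(worst_so_far, status, key=RANK.__getitem__)
        if status == "red":
            escalate.append(kri.name)
    return {"status_by_element": status_by_element, "escalate": escalate}


# Constructed sample readings (hypothetical values, not from the guide).
SAMPLE_KRIS = [
    KRI("IT/Cyber", "structural", "Critical patch latency (days, p90)", 21, 14, 30, "lower_is_better"),
    KRI("IT/Cyber", "robust", "DR restore tests passed (%)", 80, 100, 95, "higher_is_better"),
    KRI("IT/Cyber", "dynamic", "Workloads deployable to second region (%)", 70, 60, 50, "higher_is_better"),
    KRI("Supplier", "robust", "Critical suppliers with tested contingency (%)", 90, 100, 85, "higher_is_better"),
]

if __name__ == "__main__":
    for kri in SAMPLE_KRIS:
        print(f"{kri.element:10} {kri.capability:10} {assess(kri):5}  {kri.name}")
    print(summarise(SAMPLE_KRIS))
```

Separating target from tolerance is the point: a reading between the two is a variance to monitor, while a reading beyond tolerance is the pre-agreed trigger the text describes, so the escalation decision is made before the crisis rather than in the middle of it.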
As depicted in the figure below, the challenges businesses face today demand a fundamental shift in risk management—from handling straightforward, structured issues to tackling complex, unstructured ones.

Shortly after the Covid-19 pandemic struck the global economy, some blamed risk management for failing to avert the crisis. The pandemic ultimately prompted businesses and individuals alike to rethink the knowledge and mindset needed to address emerging risks. Most existing risk management frameworks and systems are built to handle “slow risk clockspeed” risks, those where ample information is available beforehand to prepare for extreme events. Yet many extreme or long-tail risks do not fit this mold, which calls for a “fast risk clockspeed” approach to better grasp and manage emerging risks. The clockspeed risk model was introduced some years ago and has since been refined to distinguish between simple and complex risk solutions based on fast and slow risk timelines. Conventional risk management tends to target straightforward, structured issues, where processes can be crafted with abundant information in a predictable, manageable setting. This allows clear rules to be set and enforced, ensuring compliance through the consistency of contained, closed operational systems. But today’s reality does not match this simplicity: current challenges are far more intricate than once assumed. Consequently, risk solutions must be reimagined and realigned with this complexity; we cannot force reality to fit outdated approaches. At its core, risk management should stem from a strategic view of business models and operations, with people as the central focus. Their actions need to align with intended goals and organizational objectives, though human behavior remains unpredictable and hard to fully control. In complex systems, information can be scarce and unclear, making rigid controls and predictions difficult. Still, this does not rule out solutions or progress.
Risk managers must think creatively, setting guiding principles for individual and organizational behavior while continually assessing whether results stay within the expected range of open, unbounded systems. These systems, by their dynamic nature, may frequently stray from set parameters rather than neatly aligning with them. In essence, organizations must learn to operate on the more complex, adaptive side of this framework—not just the simpler, structured one. Over time, as more data emerges, improved solutions become possible, as shown in the figure below:

As depicted in the figure, the shift in perspective needed to address emerging risks hinges on the nature, amount, and quality of information and how it evolves over time. The diagram highlights the contrast between the initial signals and responses to emerging risks and the options available once risks become more defined on a company’s radar. These distinctions relate to the reliability of information, the frequency of observed events, the sophistication of risk management practices, and regulatory reactions. In essence, emerging risks are typically marked by faint hints of their potential, surrounded by uncertain data that lacks the precision needed for predictive modeling due to their unclear origins and development. In contrast, traditional “risks” come with clearer, more dependable signals, allowing us to assess their positive and negative impacts and foster deeper, more meaningful discussions. The information for these established risks is widely accessible and trustworthy, and as events accumulate, data and databases grow more accurate, paving the way for refined risk management processes that tackle threats and opportunities while engaging broader stakeholders. Over time, these well-defined risks often lead to regulatory frameworks, which may evolve through reactive legal precedents. The key challenge for resilience and disruption response lies at the tipping points between normalcy and crisis. While the need for a shift may be obvious in retrospect, it’s often murky looking forward. This makes it tempting to leap to selecting KPIs, but harder to determine what data truly informs decisions and who’s making them based on what. With emerging risks—where the risk is recognized but supporting knowledge is thin—traditional risk management, reliant on impact and likelihood, falters. We might foresee a major impact, but sparse data makes likelihood hard to pin down, and fixating on “likelihood value” can stall action. 
Shifting to scenario analysis, a common tool for such cases, lets us consider something “plausible” even without a precise likelihood figure. Thus, we might need to ask “why” before “how,” weighing whether a scenario is “possible” and “plausible” rather than waiting for a quantifiable likelihood. Embedding resilience into decision-making requires balancing cultural actions with metrics. Conversations about organizational resilience, both internal and external, should stress that building resilience adds value—prevention costs less than repair, and crises reveal the worth of resilience investments (and perhaps insurance). Convincing managers and Boards of this value during calm periods is tough, as control measures don’t directly generate revenue. Still, forward-thinking preparation equips organizations and individuals to handle challenges when they arise. RiskTech’s dynamic forecasting tools can provide valuable data for resilience-building. Unlike traditional reports that merely compile known information, RiskTech apps—through daily or weekly targeted surveys—enable risk managers to “forecast forward” with timely, precise analyses, tracking risk speed, likelihood, and impact nearly in real time, while refining financial predictions for 5, 10, 20, or even 50 years ahead. Horizon scanning and scenario exercises can simulate disruptions and test capabilities periodically, tailored to specific organizational needs. Combining quantitative self-assessments with detailed qualitative insights into threats and opportunities can shed light on the emergence and pace of risks. Risk managers must therefore stay attuned to market shifts, the digital transformation driven by risk technologies, and global supply chain links. At its heart, resilience reflects an organization’s values and purpose. 
The push for long-term sustainability through resilient organizations echoes longstanding risk management ideals, particularly ERM’s focus on interconnectedness, integration, and a comprehensive view of corporate financial health.
9.2 Organizational resilience maturity levels
In today’s global landscape, defined by volatility, uncertainty, complexity, and ambiguity (VUCA), threats often emerge unexpectedly. The deep interconnectedness of global markets amplifies risks, heightening pressure from regulators who demand effective risk management. Traditional models face skepticism and scrutiny, while organizations grapple with the tension between “performance and protection goals.” Consequently, recent years have seen a growing push to shift focus from risk to resilience. The core idea is to be ready for disruptive events—whether expected or not. This raises a key question: Does risk management fuel organizational resilience, or does resilience shape risk management practices? This debate has surfaced in our discussions as well. Since resilient organizations don’t emerge spontaneously, we need to explore the roots of resilience more deeply.
The journey of organizational resilience has evolved over time: from a focus on IT disaster recovery in the 1990s, to the rise of business continuity in the mid-2000s, and more recently, a broader, company-wide approach that integrates multiple disciplines and stakeholders, blending protective and responsive strategies. Resilience combines proactive ERM processes—aimed at ensuring continuity amid disruptions and long-term sustainability in shifting internal and external contexts. Acknowledged across industries and formalized in documents like the UK Civil Contingencies Act (2004), British Standard 65000 (2014), and ISO 22316 (2017), resilience encompasses operational and strategic dimensions as distinct yet linked elements. This requires cohesive, ongoing planning and integration. While operational resilience is increasingly viewed externally—focusing on minimizing impacts on services and products—recent regulatory and sector trends also highlight its role in safeguarding and creating value across critical sectors, infrastructure, and service hubs.
It’s essential to differentiate risk management and resilience from other protective fields. For instance, while business continuity is typically event-focused, ERM provides a broader strategic lens for viewing resilience as a company-wide goal. In practice, preventive disciplines overlap and shift in relevance at various stages—before, during, and after disruptions—depending on a company’s model and structure. This “resilience universe” comprises proactive and reactive elements: proactive resilience seeks to limit downside risks and boost upside potential through tools like strategic planning and self-assessments, fostering ongoing capability growth; reactive resilience, meanwhile, sets thresholds that, when crossed, trigger responses like business continuity or crisis management to counter threats to organizational objectives. The specific disciplines and their weighting within this universe vary by organization, with each defining its own “resilience universe.”
Risk management has always been integral to this universe, and ERM serves as a critical glue binding these disciplines together. ERM establishes thresholds for proactive and reactive resilience, evaluates extreme risks and their impacts, and pinpoints priority areas. It fosters a shared framework for aligning perspectives, ensuring resilience efforts produce tailored results that keep capabilities within the organization’s risk appetite and tolerance. By unifying efforts and data, ERM supports consistent decision-making, enabling organizations to explore options through horizon scanning and scenario analysis of acceptable risks and responses—covering both preventive and corrective measures. This positions risk professionals as key connectors and integrators across protective disciplines.
Mature and well-integrated risk management practices are the key to building and strengthening organizational resilience. These practices require fostering cooperation and teamwork across silos and areas of specialization. According to the 2015 E&Y report, risk managers must identify emerging vulnerabilities to develop adaptable corporate structures and operations rooted in a unified, resilient risk culture. While various components come together to shape resilient practices tailored to each business, a comprehensive risk governance framework is vital—one that mitigates known risks while proactively scanning for plausible, significant emerging threats and opportunities. Additionally, overly complex corporate hierarchies often need streamlining to enable swift decision-making rather than relying on excessive control measures. For these shifts to be meaningful and lasting, cultivating commitment, ownership, and accountability for risk management is essential, alongside emphasizing the importance of calculated risk-taking to maintain a robust and resilient risk culture. In many cases, the necessary resources are already available but underutilized. Understanding the company’s current operations, strengths, and weaknesses is therefore critical. Risk managers, collaborating with specialists from various fields, can piece together a complete view of what makes an organization resilient. This might include input from crisis management teams, business continuity experts, and subject matter specialists—such as epidemiologists during a pandemic or environmentalists, activists, and regulators in the context of climate change. In short, resilience is a collective effort requiring diverse perspectives. To achieve this, we should focus on forming collaborative teams to build a wider, more integrated vision of the desired future. Resilience Committees can also play a key role during crises, bringing together trained staff from different departments with complementary skills. 
For major projects, decentralized decision-making can be supported by judgment calibration techniques, such as general knowledge quizzes for individuals and teams, to evaluate confidence levels and biases related to risk and resilience. These weaknesses can be addressed through surveys and training workshops, improving project forecasting accuracy. Subject matter experts can also be monitored against project timelines and outcomes, allowing for ongoing refinements and enhancements. Interviews with managers and Board members revealed varying stages of organizational resilience across companies. Those with more advanced ERM and resilience practices have leveraged past crises as catalysts to refine their approaches. These organizations prioritize education to deepen understanding of practices and gain buy-in for necessary changes. Chief Risk Officers (CROs) in such cases have been instrumental in uniting teams and promoting cross-company collaboration, using analytical tools to reveal interconnections. Ultimately, Board backing has proven crucial in sustaining this mindset and aligning mature ERM practices with resilience frameworks.
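An added example, not from the guide, of how a judgment calibration quiz can be scored in Python. Each answer records the confidence the respondent stated and whether the answer was correct; the report compares stated confidence with realised accuracy overall and per confidence level, which is what exposes overconfidence or underconfidence before it reaches a project forecast. The quiz results below are constructed for one hypothetical respondent.

```python
from collections import defaultdict

# Constructed quiz results: (stated confidence, answer was correct).
# Confidence is the probability the respondent assigned to being right;
# 0.5 means a coin flip, 1.0 means "certain".
SAMPLE_ANSWERS = [
    (0.9, True), (0.9, False), (0.9, True), (0.9, False),
    (0.7, True), (0.7, False), (0.7, True),
    (0.5, True), (0.5, False),
    (1.0, False),
]


def _validate(answers):
    if not answers:
        raise ValueError("no answers to score")
    for confidence, _ in answers:
        if not 0.0 <= confidence <= 1.0:
            raise ValueError(f"confidence must be a probability, got {confidence}")


def brier_score(answers):
    """Mean squared error between stated confidence and the 0/1 outcome.
    0 is perfect; always answering 0.5 scores 0.25."""
    _validate(answers)
    return sum((c - (1.0 if ok else 0.0)) ** 2 for c, ok in answers) / len(answers)


def calibration_report(answers):
    """Compare stated confidence with realised accuracy, overall and per level."""
    _validate(answers)
    n = len(answers)
    accuracy = sum(1 for _, ok in answers if ok) / n
    mean_confidence = sum(c for c, _ in answers) / n

    # Group answers by the confidence level stated, e.g. all the "90%" answers.
    outcomes_by_level = defaultdict(list)
    for c, ok in answers:
        outcomes_by_level[c].append(ok)

    per_level = {}
    ece = 0.0  # expected calibration error: size-weighted gap per level
    for c, outcomes in sorted(outcomes_by_level.items()):
        level_accuracy = sum(1 for ok in outcomes if ok) / len(outcomes)
        per_level[c] = {"n": len(outcomes), "accuracy": level_accuracy}
        ece += len(outcomes) / n * abs(level_accuracy - c)

    gap = mean_confidence - accuracy  # positive means overconfident
    if gap > 0.05:
        verdict = "overconfident"
    elif gap < -0.05:
        verdict = "underconfident"
    else:
        verdict = "calibrated"
    return {
        "n": n,
        "accuracy": accuracy,
        "mean_confidence": mean_confidence,
        "gap": gap,
        "verdict": verdict,
        "ece": ece,
        "brier": brier_score(answers),
        "per_level": per_level,
    }


if __name__ == "__main__":
    report = calibration_report(SAMPLE_ANSWERS)
    print(f"{report['n']} answers: accuracy {report['accuracy']:.0%}, "
          f"mean stated confidence {report['mean_confidence']:.0%} -> {report['verdict']}")
    for level, stats in report["per_level"].items():
        print(f"  said {level:.0%}: right {stats['accuracy']:.0%} of {stats['n']}")
```

The per-level breakdown is the useful part for a workshop: a respondent who is right 50% of the time when claiming 90% confidence needs a different intervention from one who is right 90% of the time when claiming 50%, and the same scoring can be run on a team's aggregated answers or, later, on their delivered project estimates against actual outcomes.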
Successful organizations have shown traits that have bolstered their resilience over time. These include:
- Gaining the foresight to spot issues before they escalate.
- Embedding diverse, flexible structures to adapt to both negative and positive shifts.
- Dismantling barriers and hierarchies to ensure risk information flows freely, avoiding blind spots.
- Establishing quick-response mechanisms to keep incidents from spiraling into crises.
- Learning from their own and others’ past missteps, making necessary adjustments.
In essence, organizational “resilience” emerges from a well-implemented, company-wide risk strategy, distinct from the event-focused nature of business continuity. ERM provides a lens to see resilience as the ultimate goal. Moreover, framing resilience positively—as a driver of “competitiveness, transformation, growth, and strength”—highlights its role as an opportunity for organizations. However, it’s undeniable that some organizations fall short of achieving this ideal resilience. This often stems from a disconnect between less-developed risk management practices and the Board’s vision. Here, Boards are forward-looking, expecting risk management to be a strategic pillar of the business. They seek insight into what lies ahead, the broader context, and the intricacies of decision-making. For them, resilience isn’t just about bracing for crises but ensuring agility before, during, and after disruptions. This aligns with IRM and ERM principles, shifting the focus from merely mitigating downside risks to seizing the potential upside of uncertainties. Thus, risk managers and CROs must move beyond compliance-driven thinking, making room to tackle the unexpected or uncomfortable. They need to offer solutions and equip teams to act in line with Board expectations, internal policies, and proven best practices during such events.
Yet, not all risk managers have met these Board demands or embraced risk management as a value-adding endeavor. This can signal immature risk cultures and ERM practices within organizations. It also reflects a lack of leadership emphasis on the importance of risk management and resilience. Some managers note that, in other companies they’ve observed or worked at, resilience gains traction more readily after setbacks—echoing insights from successful CROs. Before such failures, risk management might feel like a shallow compliance exercise. Until a crisis hits, these managers may opt to “keep dancing to the tune,” focusing on past events to explain what went wrong rather than strategizing for the future. This leans toward an operational, not strategic, approach. For them, “resilience” means readiness and sturdiness in a simple, cause-and-effect framework, missing the nuanced complexity of future uncertainties. Here, resilience feels like a future goal for risk management, while compliance remains the priority. Consequently, these risk managers become trapped in checklists and risk registers, disconnected from Boards that seem out of reach. Organizational resilience doesn’t happen instantly—it’s a gradual maturity process driven by mindset shifts and tailored to specific organizational aims. That said, not every organization will target the same resilience level, as it’s both resource-intensive and time-consuming. Progress should align with overarching goals and Board expectations. For example, the Cranfield report suggests companies may exhibit five distinct resilience levels. Thus, organizations will pursue varying degrees of resilience within their practices, as it’s just one piece of their broader strategic objectives.

Resilience serves multiple purposes: it’s a tool for continuous stress testing, a way to underscore the value of mature risk management and preventive measures, and a means to unify metrics that look ahead. The disconnect between Board expectations and risk management practices can be, and has been, a catalyst for change. Some Board members, however, may not fully understand—or have been briefed on—how risk management is woven into their organization. They might also be unaware of specific shortcomings or the potential scale of impact if risks turn into real issues. This can foster a false sense of security and an overconfidence in control, far exceeding their intended risk appetite and tolerance. Resilience initiatives can help risk managers bridge this divide, aligning Board expectations with actual risk management practices and vice versa. That said, organizations may not aim for the pinnacle of resilience maturity but instead weigh the costs and benefits of options based on their risk appetite and tolerance (more on achieving this balance will follow in the next section). The challenge lies in organizations often relying on aspirational response plans that outline intentions and needs but lack clear implementation steps. These plans frequently fail to align with relevant risks, appetites, and tolerances. Crisis management setups may fall short in managing information flow and decision-making, and teams are often undertrained and unpracticed for crisis readiness. In short, the systems to support and sustain resilience are often missing. When push comes to shove, it’s well-prepared people and teams, working through cohesive, thoughtful plans, that make the difference. This lack of integration within a solid resilience framework has tripped up many organizations recently, forcing them to abandon poorly crafted plans.
9.3 Risk management and resilience
Enterprise risk management (ERM) and organizational resilience are closely linked. Resilience integrates proactive ERM with business continuity management. This idea is echoed in ISO 22316, which emphasizes that organizational resilience depends on effectively managing the risks an organization encounters. ERM focuses on handling uncertainty’s impact on achieving organizational goals, meaning that steps taken to address risks inherently bolster resilience. ERM is a central component of an organization’s “resilience universe,” which highlights ERM’s significance within the broader resilience framework. This critical role stems from several key aspects:
- ERM takes a proactive approach to risk management, in contrast to more reactive disciplines like crisis management and business continuity management.
- ERM works to align the organization’s risk response across all departments and functions, offering a comprehensive, company-wide perspective that accounts for interconnected and related risks.
- ERM establishes a structure for overseeing and evaluating the effectiveness of the organization’s control environment.
True resilience reflects a coordinated capability spanning proactive and reactive disciplines, grounded in robust risk management and uniting various business areas to build strength. It thrives when proactive measures prevent crises and reactive ones enable effective responses. This vital, holistic balance ties resilience tightly to risk and its management, cautioning against an overreliance on business continuity alone for handling disruptions. Resilience brings together people and processes, proactively balancing perspectives and resources. From this analysis of the interplay between risk management and resilience, it’s clear that risk managers must recognize the distinctions and synergies between control and management practices, including their own. Not all Boards are equally attuned to the importance of resilience-building, so risk managers must act as educators and unifiers, boosting awareness of mature risk management’s value, processes, structures, and the need for cross-silo collaboration and communication. It’s also key to note that not every organization should target the same resilience maturity level. The critical task is aligning Board expectations with the practical control and management on the ground. Given that organizational resilience is a dynamic, emergent trait of complex systems, this remains an ongoing effort for risk managers today. In essence, resilience plays diverse roles within companies. Those engaged in “infinite games” prioritize long-term competitive edges. ERM can weave together practices to cultivate and strengthen organizational resilience.
A FERMA (Federation of European Risk Management Associations) survey on Covid-19’s effect on corporate resilience found that executives observed “risk management now includes the wider scope of resiliency management. It’s embedded in long-term strategy formulation at leading organizations, enabling them to adapt to a much more unpredictable operating landscape.”

9.4 Organisation disruptors
A disruptor is someone or something that interferes with an event, activity, or process by creating a disturbance or issue. An innovative disruptor introduces a product, service, or approach that upends the dominance of current market leaders, potentially overtaking them as the top player in the field. Often, these disruptors are entrepreneurs, outsiders, or visionaries. While they’re frequently associated with the fast-paced tech sector, disruptors can emerge in nearly any industry. Conversely, a negative disruptor typically has the opposite effect of an innovative one and is commonly used to describe major global shocks, such as those in health, geopolitics, natural disasters, and similar areas. Let’s examine a few notable past disruptors and explore the risk management lessons they offer:
- Covid-19 – Public Health
- 2007/8 Financial Crisis – Banking
- Suez Canal Blockage – Goods Supply Chain
- Social Media – Communication
1) Covid-19
Event: In late 2019, a novel virus, severe acute respiratory syndrome coronavirus 2 (SARS-CoV-2), surfaced in Wuhan, China, leading to an infectious illness officially termed COVID-19 by the World Health Organization on February 11, 2020. The disease rapidly spread worldwide. Although its impact was felt globally, the effects varied widely. The outbreak’s severity and its economic fallout differed in timing and scale across nations, sectors, companies, and individuals. The OECD (Organisation for Economic Co-operation and Development) released a 2021 report titled Strengthening Economic Resilience Following the COVID-19 Crisis: A Firm and Industry Perspective, offering guidance for policymakers. Key points included:
- An analysis of how the crisis impacted firms differently across industries through various channels.
- Identification of country-specific factors that could either cushion or intensify these effects, influencing resilience to this and future shocks.
- Examination of how the crisis affected different population groups and the resulting policy implications.
In its Executive Summary, the OECD (2021) emphasized, “As nations rebound from COVID-19, it’s critical not to overlook other pressing global challenges. The recovery phase is a chance not just to rebuild stronger, more resilient systems, but also to leverage strategic policies and enhanced international collaboration to tackle issues like inequality, climate change, and digital transformation. Governments and businesses should seize this unique moment to reconstruct in ways that advance these pressing global priorities.”
Risk Management Observations:
Here are some risk management insights to consider and whether they contribute to embedding resilience and adaptability in your organization:
- Many organizations had to revisit their core objectives, prompting a reassessment of their risk strategies.
- The pharmaceutical industry, tasked with vaccine development, embraced the opportunity, often expanding their risk appetite to meet the challenge.
- New risks surfaced, especially concerning employee well-being, such as mental health challenges.
- The IT sector faced intense pressure on firewall security as remote and hybrid work surged, opening numerous new access points that had to be secured. This tested resilience, and in most instances, systems held up well, showcasing the agility of IT teams.
2) 2007/8 Financial Crisis
Event: The Chartered Finance Institute (2022), in its article 2008-2009 Global Financial Crisis, described this downturn as “the severe financial crisis that gripped the world from 2008 to 2009.” Dubbed “The Great Recession,” it profoundly affected individuals and institutions globally, with millions feeling its impact. Financial entities began to falter—some were swallowed by larger firms, while others relied on government bailouts to survive. The crisis didn’t emerge suddenly. It stemmed from a housing market bubble fueled by an overload of mortgage-backed securities tied to risky loans. Lax lending practices triggered a wave of defaults, and as these losses piled up within bundled securities, numerous financial institutions crumbled, necessitating government intervention. Many who had taken subprime mortgages couldn’t repay, causing significant losses for financial firms. This led to some of the biggest corporate failures of that era, including Lehman Brothers in the United States and the Royal Bank of Scotland in the United Kingdom, among others.
Risk Management Observations:
Here are some risk management insights to consider and whether they help embed resilience and adaptability into your organization:
- Bank regulators lost substantial trust in financial institutions, posing a severe reputational risk for both banks and their overseers.
- Excessive dependence on complex risk exposure models backfired. Regulators shifted their stance, permitting such models only when bankers, their overseers, and auditors could prove a deep understanding of the models, their inputs, and their results.
- Banking operations saw a shift in focus toward Conduct Risk, emphasizing fair treatment of customers (e.g., avoiding product mis-selling) and market stability (e.g., preventing threats to the banking system).
- Boards began dedicating more effort to shaping organizational culture and enhancing resilience to better endure unexpected shocks.
3) Suez Canal Blockage
Event:
In 2021, the Ever Given—a 400-meter-long, 220,000-ton ship chartered by Evergreen, surpassing the Eiffel Tower in length—became lodged in the Suez Canal for six days. Carrying 17,600 containers, it halted traffic in both directions, creating a jam of over 400 ships. This incident disrupted global shipping, stalling nearly $10 billion in daily trade. For the shipping industry, it was a stark reminder of the risks posed by massive modern freighters navigating narrow passages. Richard Meade, editor-in-chief of Lloyd’s List, a maritime intelligence outlet, called it “a wake-up call” for the sector.
Risk Management Observations:
Here are some risk management insights to consider and whether they contribute to fostering resilience and adaptability in your organization:
- Many organizations relied on a “just-in-time” inventory approach, which minimized obsolescence and streamlined stock management. However, the significant delays exposed weaknesses in supply chain controls, prompting a reevaluation and a push for greater local resilience.
- The event highlighted concentration risk for organizations overly dependent on supplies from one region.
- Numerous companies found it challenging to devise creative solutions for customers due to their heavy reliance on a single supply chain, revealing a lack of agile alternatives.
4) Social Media
Event:
As of January 2022, around 4.2 billion people—roughly half the global population—were active social media users, making it a preferred resource for many. According to Statista’s 2022 article Social Media as a News Source Worldwide, between 35% and 70% of people, depending on their country, rely on social media as their main news outlet.
Key risks tied to social media include:
- Cyberbullying
- Privacy breaches
- Identity theft
- Children encountering inappropriate content
- Predators using platforms to target vulnerable users
Risk Management Observations:
Here are some risk management insights to consider and whether they help foster resilience and adaptability in your organization:
- The rapid rise of social media has opened a powerful window for delivering instant news. Media organizations that capitalized on this shift gained a chance to stay highly relevant to their audience, showcasing an impressive agile response.
- The unchecked expansion of social media has fueled the spread of fake news and algorithmic bias, tailoring content to reinforce existing beliefs or limit perspectives. This poses a daily challenge for those seeking unbiased information to make well-rounded decisions.
- The risk of unauthorized or unethical access to online data underscores a major weakness in data security, emphasizing the need for strong, resilient systems to protect against threats from both external and internal sources.
5) Potential future disruptors
By its very nature, predicting future disruptors with confidence is a challenging task. Nonetheless, organizations are constantly on the lookout for the “next big thing,” which could either open doors to new possibilities or pose significant risks. When considering potential future disruptors, various tools can aid the process, such as:
- Knowns and unknowns: recognizing:
  - Unknown unknowns – unexpected surprises.
  - Unknown knowns – risks that are present but ignored, often called the “elephant in the room.”
- Horizon scanning – a method to explore the potential consequences of emerging trends, particularly in areas like sustainability.
The European Parliament’s “Future Shocks” report identifies key risks for Europe by 2030 (assessed by likelihood and impact), including:
- Energy price volatility
- Extreme weather events
- Rising social divisions
- Migration challenges
- Risks tied to Russia
- Political risks from China
- Public debt pressures
- Semiconductor supply shortages
- A faltering economic recovery
There are many different sources of information on future disruptors.
9.5 Agility and risk management
Resilience consists of the preventative actions that keep the organisation away from breaches of controls, while agility consists of the fast recovery actions that help an organisation recover after an event or incident.

The Four Managers and the Shock
Annie, Freddy, Poly, and Tommy are close friends, each holding management roles in different companies. They frequently gather to discuss how they manage risks within their organizations. This tale reveals how each handled a sudden “shock” that tested their abilities.
- Agile Annie is a forward-thinker. She prepares for potential disruptions by putting reasonable safeguards in place to strengthen her company’s resilience. By running simulations and stress tests, she ensures her team can bounce back quickly when trouble strikes, showcasing her agility.
- Fire-fighting Freddy also invests in prevention, but when a shock hits, he reacts with a burst of energy and urgency. His flurry of activity gets results, but it’s chaotic and lacks a clear recovery plan, making him less adaptable in the long run.
- Procrastinating Poly feels paralyzed when a shock occurs. She responds by setting up a group to study the problem and consults others for insights. While these steps could be useful, her timing is off—her company’s performance plummets as she delays, leaving her little room to recover.
- Tumbling Tommy assumes shocks are beyond his influence, so he waits for external solutions, like government action, rather than taking initiative. Though many events—like the Covid-19 crisis in 2020—are indeed uncontrollable, organizations that adapted creatively during such times thrived. Tommy’s inaction, however, risks letting his company falter due to a lack of agility.
- Moral: The lesson here is to emulate Annie—proactive planning and swift adaptability are the keys to overcoming challenges successfully.
The Four Managers and the Supply Chain Crisis
Once upon a time, in a thriving industrial town, four friends—Prepared Priya, Rushing Ravi, Cautious Clara, and Idle Ian—each led their own businesses. They often met over coffee to share their strategies for managing risks and staying resilient. One day, a massive supply chain crisis struck, halting the flow of critical materials their companies depended on. Here’s how each friend responded to this unexpected challenge.
- Prepared Priya was always ready for the unexpected. She had diversified her suppliers and built backup plans for disruptions like this. When the crisis hit, she quickly shifted to alternative sources and adjusted operations with ease. Her proactive approach kept her business running smoothly and even allowed her to support struggling clients, turning a challenge into an advantage.
- Rushing Ravi didn’t hesitate to act. As soon as the crisis emerged, he scrambled to find new suppliers and redirected resources on the fly. His quick moves kept his business from collapsing, but the lack of a solid plan led to confusion among his team and higher costs than necessary. His reaction worked, but it was far from efficient.
- Cautious Clara preferred a careful approach. She convened her leadership team to assess the crisis and explore every possible option. While her thoroughness was admirable, it took too long—by the time she decided on a course of action, her competitors had already adapted, and her business lost significant ground.
- Idle Ian saw the supply chain crisis as an external problem he couldn’t fix. He waited, hoping industry leaders or regulators would step in to resolve it. As weeks passed with no action, his company’s production stalled, and customers turned to rivals. His passivity left his business vulnerable and on the brink of failure.
- Moral: In times of crisis, being like Priya—prepared and adaptable—is the path to success. Anticipating risks and acting decisively ensures not just survival, but the chance to thrive when others falter.
Business Continuity Management
The globally accepted benchmark for business continuity, ISO 22301:2019 Security and Resilience – Business Continuity Management Systems, describes business continuity as an organization’s ability to maintain product and service delivery within acceptable timeframes and at predetermined levels during a disruption. The standard urges organizations to “identify and choose business continuity strategies that address options for before, during, and after a disruption.” Expanding on this framework, it’s useful to view business continuity management as unfolding in three phases:
- Planning and preparation
- The initial reaction to the crisis
- The restoration following the crisis

a) Planning: This model aligns with the broad stages of assessing risks, preventing disruptions, and preparing for action.
- Assess / Know Your Organization
Understanding your organization’s context is key, including its internal dynamics. This involves grasping the company’s culture and its awareness of resilience. Sections 4 and 5 of ISO 22301:2019 provide relevant guidance here.
Risk assessment tools come into play to pinpoint and analyze potential risks that could interrupt operations.
A critical step is conducting a Business Impact Analysis (BIA), which evaluates the effects of disruptions on each organizational function and activity. The BIA determines the significance and priority of these functions to the organization’s overall operations. Its goals are to:
- Highlight mission-critical activities.
- Assess the potential impact and resources needed for recovery.
ISO 22301:2019, in Section 8.2, clarifies the difference between risk assessments and BIAs.
- Prevent / Mitigate / Develop Business Continuity Strategies
Prevention is emphasized as a distinct phase—don’t assume disruptions to vital functions, processes, and dependencies are unavoidable. Proactive steps can make a difference.
Section 8.3 of ISO 22301:2019 offers direction on identifying, choosing, and resourcing contingency strategies and solutions to reduce risks.
- Prepare
Create detailed plans specifying the steps to take during a disruption or crisis. ISO 22301:2019 addresses planning in this context.
Regularly test these plans, recovery processes, and systems, as outlined in Section 8.5 of the standard. Testing options include:
- Checklist: Share plans for review, though this doesn’t confirm their effectiveness.
- Structured walkthrough: Carefully examine each plan step-by-step.
- Scenario planning: Simulate realistic scenarios to practice recovery actions.
- Parallel exercises: Conduct a full test without halting core business operations.
- Full interruption: Replicate a disruption up to the point of stopping primary activities.
Audit the business continuity plans to ensure they’re solid and suitable, as covered in Section 9 of ISO 22301:2019. Continuously refine and enhance the organization’s business continuity management and planning, per Section 10 of the standard.
b) Reaction to crisis: ISO 22301:2019 describes a disruption as an “incident, whether expected or unexpected, that results in an unplanned, adverse shift from the anticipated delivery of products and services aligned with an organization’s goals.” A particularly difficult element of any disruption or crisis is its speed or rate of onset. Typically, a crisis is seen as an abrupt event requiring instant response, resolving quickly, and followed by a recovery phase—think of a car crash. Yet crises can also unfold slowly and linger, so that onset and resolution can each be fast or slow, giving four different paces at which a crisis can emerge and subside.

c) Restoration: When a crisis or disruption strikes, an organization’s priority shifts to restoring normal operations, aiming to regain its usual standards of service quality and operational costs. Several key factors come into play for organizations during recovery from a crisis or disruption:
- Should the organization reassess its prior benchmarks for service quality or operational costs post-crisis?
- A crisis or disruption often serves as a strong push for organizational change, acting as a spark to overhaul processes, procedures, work habits, or broader activities.
- What insights can be drawn from the crisis experience?
- Are new controls or procedures needed? How well did the organization handle the crisis?
- Did the business continuity plan prove successful?
- What does the crisis response reveal about the organization’s culture?
- Did the response align with the resilience expectations set by senior leadership and the board?
Innovation
Risk management and innovation can work hand in hand to benefit an organization in various ways:
- Risk management can pinpoint strategic vulnerabilities, such as over-reliance on a single product or service, which innovation can then address. In this sense, risk management sparks the drive for innovative solutions.
- A well-defined tolerance for innovation-related risks gives creators the freedom to experiment within safe boundaries. Accepting that some risks may lead to setbacks can encourage bolder creativity and breakthroughs.
- Strong risk management accelerates the innovation process. A solid control framework allows an organization to take calculated risks confidently, knowing that safeguards will prevent negative outcomes from spiraling.
Risk management brings structure and clarity to innovation efforts. An organization’s culture heavily shapes its capacity for innovation. In environments where blame dominates—where mistakes are penalized or successes are overly glorified—the fear of failure stifles risk-taking. Innovators in such settings tend to stick to proven, low-risk options rather than exploring uncharted territory. However, risk management can shift this dynamic. In organizations with a mature risk culture—where taking risks within defined limits is normalized—innovation and creativity thrive. By fostering a balanced approach to risk, risk management supports an environment where new ideas can flourish without undue fear of repercussions.
9.6 Testing for resilience
Scenario Analysis
Scenario analysis is a strategic method used to prepare for various potential future events, helping organisations reduce uncertainty and improve their chances of achieving desired outcomes. This process requires significant investments in people, time, and financial resources. Creativity also plays a role, as managers must explore and develop possible courses of action to minimise risks and enhance organisational value. Scenario analysis originated during World War II as a military planning tool. It was used to outline different possible futures, synthesise key variables into clear narratives, and explore multiple strategic choices that could influence outcomes. The method transitioned into the corporate world after the war, with Shell Oil Company pioneering its use to assess oil price fluctuations and consumption patterns, enabling smarter capital investment decisions. Today, scenario analysis is widely used across various industries. Beyond business, the approach is applied in urban planning to anticipate population growth, in engineering to design adaptable structures, and in scientific research to predict experimental outcomes. Even political campaigns use it to model electoral strategies by analyzing voter behavior, turnout trends, and demographic shifts.
The Scenario Analysis Process
Scenario analysis involves evaluating future uncertainties and exploring different pathways to a desired outcome. It requires an assessment of internal capabilities—such as operational strengths and weaknesses—alongside external factors, including emerging opportunities and threats in the broader business environment. Unlike forecasting models that rely on historical data, scenario analysis does not attempt to predict a single future outcome. Instead, it highlights multiple potential developments, offering alternative paths to success. While it cannot eliminate uncertainty, it clarifies what is realistic and helps decision-makers prepare for a range of possibilities. By identifying different future conditions, organisations can develop both strategic actions (long-term planning) and tactical responses (immediate reactions) based on the evolving situation. Since uncertainties increase over longer time horizons, scenario planning helps organisations adapt by defining plausible futures and assessing potential trade-offs.
Key Steps in Scenario Development
- Defining Uncertainties: The first step is to ask critical questions that define the scope and limits of possible future scenarios. A common challenge in this stage is relying too heavily on past experiences, which may not be applicable to future conditions. Managers must actively challenge assumptions by considering, “What if these assumptions are wrong?” Encouraging diverse perspectives and playing devil’s advocate helps build robust scenarios.
- Determining the Number of Scenarios: Typically, organisations develop multiple scenarios, including:
  - A best-case scenario
  - A worst-case scenario
  - One or two moderate scenarios in between
  Each scenario involves trade-offs, but none should be dismissed outright, as even worst-case scenarios provide valuable insights for risk management.
- Assessing Probabilities and Risks: After defining scenarios, organisations must evaluate the likelihood of each one occurring. Even low-probability scenarios should be considered if they pose significant risks. This step helps leaders compare options and make informed decisions to mitigate uncertainty.
- Applying Scenario Insights to Decision-Making: Once the analysis is complete, organisations can adjust their strategies accordingly. For example, one company used scenario analysis to assess security risks and financial viability when expanding its locations. As a result, it opted for fewer but more secure sites, leading to improved risk management and revenue outcomes. The process also helped security teams demonstrate their strategic business value.
Four key features make scenario analysis particularly effective in decision-making:
- Expanding Strategic Thinking: By outlining different possible futures, scenario analysis challenges the assumption that the future will closely resemble the past. This helps organisations prepare for rapid and unexpected changes.
- Reducing Groupthink: In hierarchical organisations, employees often hesitate to challenge senior leaders’ opinions. Scenarios create a structured way to consider multiple perspectives, making it safer for contrarian ideas to be explored.
- Challenging Status Quo Bias: Many companies resist change, but scenario analysis provides a structured approach to question existing assumptions and adapt strategies accordingly.
- Enhancing Preparedness for Extreme Events: Scenarios help organisations navigate major disruptions such as natural disasters, pandemics, cyberattacks, and geopolitical crises. By offering a balanced approach between rigid forecasting and reactive decision-making, scenario analysis improves resilience in uncertain times.
When executed effectively, scenario analysis provides organisations with a sophisticated understanding of risk and opportunity, enabling better strategic planning and decision-making.
Horizon Scanning: Strengthening Organisational Resilience
While it is understandable that organisations were unprepared for disruptions caused by major global events—such as the 2007–2008 financial crisis, the COVID-19 pandemic in 2020, and the supply chain disruptions following the Ukraine invasion in 2022—it raises the question of whether better foresight and horizon scanning could have mitigated these impacts. Horizon scanning is a structured approach to identifying potential sources of uncertainty, ensuring preparedness, capitalising on opportunities, and mitigating threats. However, it is not about predicting the future. Instead, it serves as a key tool in enhancing organisational resilience by helping decision-makers anticipate and prepare for emerging risks.
The Three Horizons Model
Horizon scanning is often structured around a three-horizon model, which provides different perspectives on future developments:
- Horizon 1: Focuses on immediate actions and current challenges, impacting the organisation today and in the near future.
- Horizon 2: Identifies visible trends that require strategic consideration in the short to medium term.
- Horizon 3: Highlights emerging uncertainties and long-term trends that may not yet be well understood but require proactive planning.
Each horizon provides valuable insights, helping organisations balance short-term decision-making with long-term strategic planning.
Benefits of Horizon Scanning
- Enhancing Understanding: Helps organisations grasp the key drivers influencing future policy and strategy decisions.
- Identifying Knowledge Gaps: Highlights areas where further research is needed to better understand emerging trends.
- Building Stakeholder Consensus: Facilitates agreement among diverse stakeholders on key challenges and potential solutions.
- Clarifying Policy Choices: Makes explicit the difficult trade-offs and decisions that may need to be addressed in the future.
- Strengthening Strategic Resilience: Enables the development of adaptable strategies that can withstand external changes.
- Mobilising Action: Encourages stakeholders to take proactive steps in response to anticipated risks and opportunities.
Horizon Scanning Process: Six Key Steps
| Step | Description |
|---|---|
| 1. Identify Key Stakeholders | Ensure a diverse range of perspectives is included in the process. |
| 2. Initiate the Process | Define the purpose, objectives, and expected outcomes of horizon scanning. |
| 3. Conduct Research | Assign specific, time-bound research topics to team members. |
| 4. Gather Outputs | Regularly collect and review research findings. |
| 5. Synthesize and Validate | Compile insights, present findings, and secure stakeholder agreement. |
| 6. Monitor and Review | Continuously track key risks and reassess priorities as conditions evolve. |
While horizon scanning is a valuable tool, organisations should be mindful of potential challenges, such as overly long timeframes, excessive reliance on trend analysis, outdated risk assessments, misjudging the severity of risks, and the influence of groupthink or media-driven hysteria.
Integrating Horizon Scanning into Risk Management: Three Lines Model
To ensure horizon scanning effectively supports risk management, organisations can integrate it into the Three Lines of Defence Model, which consists of:
- First Line (Frontline Operations): Assess the potential impact of emerging risks from an operational perspective.
- Second Line (Risk Management Function): Evaluate risks at an organisational level and identify potential control gaps.
- Third Line (Internal Audit): Review the control environment’s effectiveness in responding to the identified risks.
This process involves:
- Identifying relevant sources and emerging topics.
- Feeding these topics into the three lines of defence for analysis.
- Reviewing the output to determine if additional risks should be considered.
- Using the findings to shape future organisational strategy and risk mitigation efforts.
By incorporating horizon scanning into risk management, organisations can improve their ability to anticipate and adapt to future challenges, ultimately enhancing long-term resilience.

Stress Testing
Stress testing is a critical exercise used to evaluate a bank’s financial resilience under adverse economic conditions. Regulators mandate periodic stress tests of varying severity to ensure banks can withstand future economic shocks. If a bank’s capital, under stressed conditions, falls below the regulatory minimum, it may be restricted from distributing capital through dividends or stock buybacks. Some stress tests, such as the US Federal Reserve’s Comprehensive Capital Analysis and Review (CCAR) and the Dodd-Frank Act Stress Test (DFAST), as well as those run by the Bank of England, take place annually. Others, like the European Banking Authority’s EU-wide stress test, occur biennially.
A key element of stress testing is the use of macroeconomic scenarios. Regulators define financial parameters such as GDP fluctuations, unemployment rates, and commodity price changes. Banks then model their financial performance under these conditions to determine their capital adequacy. The required capital buffer depends on the severity of the stress scenarios applied.
Beyond financial metrics, stress tests also evaluate a bank’s risk governance and control frameworks. An effective stress-testing framework should clearly define:
- Responsibilities for model development and validation
- The design and selection of stress scenarios
- The application of stress test results in decision-making
- The reporting and review process to ensure robust oversight
By integrating both quantitative and qualitative assessments, stress testing helps strengthen the overall stability and resilience of the financial sector.
Stress testing evaluates an organization’s ability to endure a variety of potential challenges. A common dictionary definition describes it as a test, often lab-based, to measure how much stress, strain, or wear a product or material can handle. In practice, stress testing involves subjecting an organization to realistic yet extreme risk scenarios until it nears collapse, helping to define risk tolerance thresholds and establish preventive measures to avoid failure.
In banking, stress testing assesses financial resilience, with regulators mandating periodic tests of varying intensity to ensure banks can weather future economic downturns. These tests rely on macroeconomic scenarios, where regulators specify shifts in broad indicators like GDP, unemployment rates, or commodity prices. Banks must then simulate their performance under these conditions, with the results determining the capital reserves they need to maintain—higher severity scenarios demand more capital. Regulator-led stress tests occur at least yearly and can lead to impactful decisions, such as:
- Limiting business activities, like capping new loans.
- Requiring more risk capital, potentially necessitating new funding.
- Selling off high-risk business segments (e.g., trading operations) to protect core functions like consumer lending.
- Curbing dividend payouts to shareholders.
A robust stress-testing framework incorporates qualitative elements, such as clear roles and responsibilities for developing and validating models, designing scenarios, applying test results, and reviewing outcomes. While these lessons stem from banking, the concepts are adaptable across industries, with risk professionals increasingly borrowing best practices from one sector to apply to others. At its core, stress testing supports various facets of risk management, as outlined in the table below:
| # | Risk Area | Stress Testing Examples |
|---|---|---|
| 1 | Objectives | Scenarios altering internal/external contexts; testing shifts in strategic direction |
| 2 | Appetite & Tolerance | Assessing impacts of significantly raising or lowering appetite and tolerance levels |
| 3 | Risk Identification | Using risk taxonomies to verify the thoroughness of risk identification |
| 4 | Risk Treatment/Management | Evaluating the strength of controls |
| 5 | Reporting and Assurance | Employing internal audits for stress tests to provide independent validation |
9.7 – Viability statements
After a series of corporate collapses, the UK’s Financial Reporting Council (FRC) reviewed whether the disclosures provided by directors in Annual Reports and financial statements adequately informed stakeholders about an organization’s risk profile and its capacity to remain operational. Companies were already required to provide a “going concern” assessment, confirming their ability to meet debt obligations as they arise. However, this assessment only covers a 12-month period following the signing of the annual financial statements. The FRC’s review led to a new mandate for directors to include a Longer-Term Viability statement in the annual report and financial statements, extending the focus beyond the short term. Although this rule applies specifically to UK listed companies, FRC guidelines often evolve into widely adopted best practices across other industries and nations. Initially introduced in 2014 under the UK Corporate Governance Code, the longer-term viability requirement fell under Principle C: Accountability, which used alphabetic labeling. The 2018 revision of the code switched to numeric referencing for its principles.
The following are the relevant extracts from the FRC (2018) Code on disclosure requirements:
Principle O:
The board should establish procedures to manage risk, oversee the internal control framework, and determine the nature and extent of the principal risks the company is willing to take to achieve its long-term strategic objectives.
The disclosure requirements:
- The board should carry out a robust assessment of the company’s emerging and principal risks. The board should confirm in the annual report that it has completed this assessment, including a description of its principal risks, what procedures are in place to identify emerging risks, and an explanation of how these are being managed or mitigated.
- Taking account of the company’s current position and principal risks, the board should explain in the annual report how it has assessed the prospects of the company, over what period it has done so and why it considers that period to be appropriate. The board should state whether it has a reasonable expectation that the company will be able to continue in operation and meet its liabilities as they fall due over the period of their assessment, drawing attention to any qualifications or assumptions, as necessary.
Key aspects of the above include:
- Appropriate period of time.
- Principal risks.
- How risks are managed and mitigated.
- Ability to continue in operation and meet liabilities as they fall due.
- Making an assessment.
1) Appropriate Time Period: The duration to be covered should be decided based on various considerations, such as:
- The board’s duties as stewards of the company.
- Prior statements made, particularly those tied to capital-raising efforts.
- The type of business and its current developmental phase.
- The timelines for its investment and planning cycles.
This period must extend well beyond 12 months from the date the financial statements are finalized.
2) Principal Risks: The principal risks are those that could trigger events or conditions jeopardizing the company’s business model, ongoing performance, solvency, liquidity, or reputation. Organizations must evaluate whether they are accounting for all credible threats to their survival, including emerging risks and significant uncertainties. Directors should reflect on what long-term shareholders would reasonably expect them to monitor as potential hazards.
3) Managing Risks: The board’s approach to handling and reducing risks is a factual matter that should be included in the risk description provided. Risk-taking is inherent to business operations. The viability statement offers a chance to show shareholders that the board grasps and balances risk versus reward on their behalf. The board must ensure routine operational risks are managed effectively, allowing scenario planning to zero in on realistic, transformative events.
4) Liabilities: When assessing the organization’s ability to keep running and meet obligations as they arise, directors are urged to take a wide-ranging view:
- Identifying factors that could undermine future performance.
- Assessing impacts on the ability to stay operational.
- Ensuring long-term viability.
Directors should also weigh risks to:
- Solvency – the ability to fully cover financial obligations.
- Liquidity – the capacity to pay debts when due, which could be a timing challenge even if solvency holds long-term.
- Other threats to the company’s sustainability.
5) Making an Assessment: The FRC’s guidance highlights stress testing and reverse stress testing as foundational methods for evaluation. Stress testing involves applying pressure to a scenario—using severe yet believable conditions—to see if the company can endure. Reverse stress testing determines the stress level needed to “break” the company and checks if that threshold remains plausible.
Three analytical approaches are possible:
- Qualitative analysis: Low complexity and minimal data needs, but unlikely to suffice alone for a “robust” outcome as required.
- Scenario planning: Moderate complexity and data demands; likely the preferred choice outside financial services.
- Modeling: High complexity and data-intensive; common in financial services for regulatory compliance, but less feasible elsewhere without substantial resources.
In 2020, the UK’s Financial Reporting Council (FRC) evaluated how UK listed companies were handling longer-term viability reporting. This review also touched on going concern reporting, though that aspect falls outside your current studies. Key takeaways from the review include:
- Assessment Period
When companies shorten their viability assessment timeframe due to uncertainties like Covid-19 or other factors, the FRC expects a transparent rationale for the adjustment and justification for the new, shorter period chosen.
Most companies reviewed assessed their viability over a three-year span.
- Risks and Uncertainties
Viability statements didn’t always address all principal risks and uncertainties. For instance, one company highlighted three risks chosen for intensified stress testing, while another noted that although all identified risks could affect group performance, only certain ones threatened its financial stability. This clarity was valuable, showing which risks most endangered viability.
Top-tier disclosures tied specific scenarios directly to particular principal risks and uncertainties.
Some firms offered vague assurances about applying mitigating actions or simply pointed to mitigations listed elsewhere in the strategic report’s principal risks section.
You should be able to locate disclosures meeting these standards:
- The board must perform a thorough evaluation of the company’s emerging and principal risks, confirming in the annual report that this has been done. This should include a rundown of principal risks, details on processes for spotting emerging risks, and how these risks are being managed or mitigated.
- Considering the company’s current standing and principal risks, the board should outline in the annual report how it evaluated the company’s future prospects, the timeframe used, and why that period is suitable. The board must also indicate whether it reasonably expects the company to remain operational and meet its obligations as they arise over that period, noting any caveats or assumptions as needed.

