Author: Winnie Richards

The ‘survival of the fittest’ is an ever-growing reality as firms face change and disruption from a number of angles. How quickly and well a firm adapts and recovers from adverse circumstances is crucial within a context of pandemics, IT disruption, natural disasters and changing third party dynamics. In fact, the resilience of individual organizations is of increasing importance as disruptions affecting one company may have system-wide implications. An effective Operational Resilience (Op Res) Programme is intended to build adaptability and resilience into a firm’s operations, positioning it for continued success. How does this relate to Business Continuity Management? Both concepts are certainly linked; however, OP Res takes a wider and arguably more robust approach to firm survival. Op Res balances the maintenance of an effective operational risk programme to provide ongoing protection of a firm’s critical services as well as the adequacy of business continuity management for disruptive situations. (A very rough analogy would be someone striving for a healthy lifestyle while having good provisions for medical emergencies.) With a good handle on this approach, firms are better able to apply preventive measures, adapt to slower changes and pivot more effectively in the face of disruption. Interestingly, the financial world has seen the emergence of a number of guidance documents and rules in relation to Op Res. For example, the Basel Committee of the Bank for International Settlements published Principles for Operational Resilience in March 2021. The seven principles outlined in the document were:

• Governance
• Operational risk management
• Business continuity planning and testing
• Mapping interconnections and interdependencies
• Third-party dependency management
• Incident management
• ICT including cyber security

These principles can help organizations understand key components for Op Res programmes and how to leverage the relationships between existing management disciplines and their OP Res efforts. Op Res is really not a ‘stand-alone’ discipline championed and implemented by one function. It is a whole of business approach that must be represented at the highest levels of organizational governance and experienced at the level of a firm’s third-party providers. The interconnectedness of business today and the volatility of our context certainly call for a wider view of resilience,and more comprehensive approaches to ensure firm survival. Stay tuned for more information and news on our upcoming virtual sessions on OP Res and related issues!

Risk culture is all about the attitudes and behaviours towards risk within your business. How you think and feel about risk-taking and the risk-taking practices in your business all come together to make up your culture. This is a big people issue, which can have big implications for your business.

A good risk culture is one where people are:

• Accountable
• Informed
• Transparent
• Objective
• Comfortable speaking up
• Ethical
• Co-operative and compliant with standards/regulations
• Responsive, flexible and innovative

Most importantly, a good risk culture is defined by a great ‘tone at the top’!

The ‘Risk Appetite’ of your business refers to the level of risk that you are willing to take on. This is one of the most important aspects of risk management because a clearly defined, well-thought-out Risk Appetite will help you to balance between taking too little or too much risk.

Of course, in order to understand your Risk Appetite, you will have to identify your Risk Capacity (how much risk you can really manage) and how much risk you are exposed to. Ideally, you will want to take on risk that is well below the absolute capacity of your business and to plan carefully when you need to take on more risk.

We often think of Risk Appetite in terms of capital investment but it is also important to understand your appetite for operational, reputational and market-place risk. An assessment of your risks in these areas can help to guide your development of Risk Appetite statements and policies for your business.

Good risk-taking rests on a good understanding of risk appetite that is applied throughout your business.

Risks may be classified in different ways, depending on the type of business you do, and the approach that you have taken to risk management. For starters, though, we may just define them as hazard risks, control risks and opportunity risks.

Hazard risks

These are the risks that you do not want to happen at all. They are threats to the success of your business. Hazard risks include health and safety incidents and operational risks like theft, fraud and process bottlenecks. Your aim is to minimize the probability that these risks will occur and to reduce their impact on your business.

Control risks

Control risks are sometimes called ‘uncertainty risks’. These risks may affect project-based activities in particular. With control risks, the challenge often is to manage timelines, budgets and expected benefits within a range that the business can tolerate.

Opportunity risks

Opportunity risks are those risks that your business will deliberately take because of the likely benefits associated with them. These include investment decisions and strategic moves such as business expansion and product diversification. Opportunity risks often have a ‘flip-side’ or chance of failure.

Effective risk management will help you to mitigate hazards, manage uncertainty and optimize opportunities.