Taking a systems approach to managing risk and increasing resilience

Published: Friday, 23 September 2022 10:19

Lynnda M. Nelson looks at how to increase your preparedness and reduce risk by taking a systems approach to managing risk and increasing resilience. She also explores risk-based thinking and the importance of considering your organization’s risk culture.

Introduction

This article considers the behaviors of being prepared, robust, and redundant. These behaviors can be observed in relationship to the 17 Strategies to increase resilience documented in ICOR’s Organizational Resilience Capability Assessment (ORCA). 

So often the behaviors of being prepared, robust, and redundant are applied to the infrastructure and systems of organizations. However, these behaviors are just as important for everyone to embrace and should be considered when allocating and managing resources, managing change, and managing risk.

COVID-19 has helped to sell the ‘preparedness’ story

The pandemic revealed the value of organizational resilience to business leaders. Many recognized that their crisis plans were instrumental to managing through the crisis.

Though the magnitude of the pandemic and its domino effects were not generally foreseen, the processes and procedures companies had in place proved themselves (or not) in very trying conditions.

The pandemic revealed hidden vulnerabilities and weaknesses in response capabilities.

Organizations had to respond quickly to a variety of challenges in operations such as:

As a result of the pandemic, organizations have been forced to move from managing well-defined risks, often focused primarily on financial risks, to a more strategic approach with a broader mandate where managing risk and being prepared for the unexpected is included as part of the organization’s long-term strategy.

The time to be prepared is now yesterday

To ensure that your organization is prepared for the unexpected (or even the expected!), requires that there are detailed plans of action in advance of their being needed. This includes building robust systems that are well-conceived, constructed and managed so that they can withstand the impacts of incidents without significant damage or loss of functionality. 

A robust design enables the organization to anticipate potential failures in systems while making provisions to ensure that any failure is predictable, safe, and not disproportionate to the cause. A well-prepared organization ensures that there is not an over-reliance on a single asset and avoids exceeding failure and design thresholds that if exceeded, could lead to catastrophic collapse.

Redundancy refers to spare capacity purposely created within systems so that they can accommodate disruption, extreme pressures or surges in demand. It includes diversity: the presence of multiple ways to achieve a given need or fulfil a particular function. Redundancies should be intentional, cost-effective, prioritized at an organization-wide scale, and should not be of inefficient design.

Preparedness and managing risk

To succeed at any initiative requires intentional planning. There are three accepted aspects to being prepared: managing resources, managing change, and managing risk. There should be a coordinated approach to being prepared to ensure that there is an alignment of systems to manage risk while minimizing silos which create barriers across business functions.

Managing resources

The first aspect of being prepared and managing risk is to allocate and manage resources such as people, premises, processes, technology, and information to address vulnerabilities and increase the organization’s capability to adapt to changing circumstances.

Top management should routinely review the suitability, availability, and allocation of resources, considering of the impact of any changes in the organization and its context. Those resources need to be adequate and available when needed to ensure that the organization remains productive and minimizes risk to operations.

Managing change

The second aspect of being prepared and managing risk is to intentionally develop the ability to identify and respond to change in a flexible manner. This includes how it will modify and deploy capabilities, arrangements, structures, activities, and behaviors to adjust to these new conditions.

In order to effectively and efficiently manage change, the organization needs to be aware of circumstances that are likely to influence change and demonstrate the ability to anticipate, manage, and influence change.

The organization should implement systems to anticipate, plan, and respond to changing circumstances and ensures that these systems are sufficiently robust and effective to respond to change. This will enable the organization to consistently deliver on its commitments during changing circumstances and adapt its operations accordingly.

Managing risk

The third aspect of being prepared and managing risk is that the organization anticipates and responds to threats and opportunities, arising from sudden or gradual changes in its internal and external context, therefore effectively managing risk.

The organization should empower its people to identify and communicate threats and opportunities and to take action that will benefit the organization. As part of that process, it should identify and implement risk-based systems that contribute to the organization's resilience and ensure that they are sufficiently robust and effective to respond to change.

Three pillars of systems-based thinking

To increase an organization’s level of preparedness and overall resilience, the organization should have a coordinated approach to managing risk. The organization should identify and align the various systems that manage risk to ensure the silos which create barriers between the systems are eliminated. Generally, we can consider three pillars of systems-based thinking: operations, technology, and management. See figure one, below.

Figure one

Systems for operations

Consider figure two as an option for an organization to manage risk to its operations. Organizations may have different names for how they manage risk to operations, but these four systems are often implemented.


Figure two

Systems for technology

Organizations today and in the future will continue to be dependent upon technology. The four systems included under figure 3 should be present in all organizations no matter the size, location, or services provided.

Figure three

Systems for management

Oftentimes, business management systems are not included under traditional methods of managing risk. This results in a siloed way of managing risk. There are many different systems used in management, but these four, as demonstrated in figure four, are seen in most organizations.

Figure four

Systems theory, preparedness, and managing risk

Wikipedia defines systems theory as ‘the interdisciplinary study of systems, i.e., cohesive groups of interrelated, interdependent parts that can be natural or human-made. Every system is bounded by space and time, influenced by its environment, defined by its structure and purpose, and expressed through its functioning’.

A system may be more than the sum of its parts.

Systems theory seeks to explain and develop hypotheses around characteristics that arise within complex systems that seemingly could not arise in any single system within the whole. This is referred to as emergent behavior.

Changing one part of a system may affect other parts or the whole system. It may be possible to predict these changes in patterns of behavior. For systems that learn and adapt, the growth and the degree of adaptation depends upon how well the system is engaged with its environment.

Some systems support other systems, maintaining the other system to prevent failure. However, the relationship between the parts and the outcome can be both unstable and uncertain.

In business, as in private life, people generally make decisions regarding complex situations in which the relationship between a decision, the action and its outcome are part of a complicated system. The instinct of many people when such a difficult situation occurs is to decompose the situation into separate parts, focus on the important parts first, and analyze the rest individually.

While this can be effective in some cases, in others the relationship between the parts are essential to the problem, and therefore decomposing or reducing the parts avoids seeing the real problem at hand. 

Promoting risk-based thinking

Risk-based thinking requires organizations to evaluate risk when establishing processes, controls, and improvements. One of the most important aspects of applying risk-based thinking to your management process is to make it part of your process rather than a siloed activity. There are several practical ways to accomplish this:

Use these simple questions as a framework for managing risks - your people can easily understand what you are asking them, and they shouldn't feel overwhelmed with risk management jargon:

The impact of risk culture

Risk culture is a term describing the values, beliefs, knowledge, attitudes and understanding about risk shared by a group of people with a common purpose. The Institute of Risk Management (IRM) is a professional body for enterprise risk management (ERM). They help build excellence in risk management to improve the way organizations work.

The IRM has led the debate on risk culture for nearly 30 years. Drawing upon the wealth of practical experience and expert knowledge across the Institute, they have developed guidance for organizations wanting a greater understanding of their own risk culture and the practical tools which can drive change.

Resources for Practitioners is complimentary and downloadable from their website.

In IRM's publication, Risk Culture, I found that the most interesting and important areas in enabling a risk culture were outlined in how to gain an understanding of the organization’s predisposition to risk. Tied to this is an understanding of each person in the organization’s predisposition to risk. 

The document provides practical guidance on how to measure and identify risk types and then how you can use this knowledge to view your organization’s ‘risk landscape’ in a very tangible way. Across the organization, functions, or levels of management or within sections, departments, or teams, you know where the different risk types are most concentrated, or where there is underrepresentation or complete absence of a risk type.

The IRM Risk Culture Aspects Model, shown in figure five identifies eight aspects of risk culture, grouped into four themes, key indicators of the ‘health’ of a risk culture, aligned to an organization’s business model. This approach, set out diagrammatically in the figure below, requires the organization to self-assess in the areas of:

Tone at the top

Governance

Competency

Decision making

Figure five

The Risk Culture Aspects Model links with the sociability versus solidarity analysis through planned action to address deficiencies in the current culture. Interventions required may relate to driving an increase in the levels of sociability and/or solidarity and pushing the organization into a position more conducive to effective risk management.

The model specifically links the aspects shown in blue in the diagram to greater impact on sociability and the red aspects to improvements in solidarity.

Organizational capabilities and attributes

ICOR’s Organizational Resilience Capability Assessment (ORCA) identifies capabilities and attributes of more resilient organizations. The following capabilities and attributes demonstrate what organizations should do in order to be more prepared, robust, and redundant:

Shared vision and unity of purpose

Understanding and influencing context

Effective leadership and management / governance and accountability

A culture supportive of organizational resilience

Shared information and knowledge

Agile management

Availability of resources

Effective management of change / risk

Coordination and alignment of systems

In conclusion

It is time to move beyond a reactive approach to managing change and uncertainty. Organizations need to move from a narrow focus on risk controls, governance, and reporting to a broader mandate where managing risk and being prepared for the unexpected is included as part of the organization’s long-term strategy.
Taking a systems-based approach to managing risk and increasing preparedness will increase the resilience of the organization. Understanding your organization’s risk culture is an important aspect of this effort.

Works cited

Additional resource

Learn more by viewing ICOR's webinar How Being Prepared Increases Resilience on Youtube.

The author

Lynnda M. Nelson is a Founder and the President of The International Consortium for Organizational Resilience (ICOR). She manages the day to day operations of ICOR’s education and credentialing programs.

As a member of the US delegation to the ISO TC 292 and TC 268 Series of Standards, Lynnda is an expert on international standards for business continuity management systems, crisis management and communications, organizational resilience, and community resilience.

She is a frequent speaker on the subject of organizational and community resilience and the capabilities that support building more resilient organizations and communities. She conducts a monthly webinar, writes regularly in the ICORrespondence Newsletter, and shares in podcasts. She can be contacted at Lynnda@theicor.org.

About ICOR

The International Consortium for Organizational Resilience (ICOR) provides education to individuals on how to build more resilient organizations and communities and credentials individuals with the competence to lead and manage risk throughout the organization. The organization participates globally in instructing individuals, organizations, and communities to become more resilient. For more information about ICOR, credentialing or membership opportunities, visit www.build-resilience.org