In the last decade we have seen the evolution of Risk Management from an administrative practice to ERM for corporate governance. But the realization that results come out of action not protection, people have started pursuing a more proactive role for risk management.
In a recent article on Emerging Risk I covered being proactive required pursuing threat and vulnerability management concurrent with but independent to risk management instead of as a mitigation strategy, and the need to establish a “Causal DMZ”. In this feeling apparently I am not alone.
In that same line of thought, British Standards has just released BS 65000 on Organisational Resilience (Nov 2014). BS 65000 defines organizational resilience as “the ability to anticipate, prepare for, respond and adapt to events – both sudden shocks and gradual change. That means being adaptable, competitive, agile and robust”.
Explaining its evolution Rupert Johnston, part of the authoring team for BS 65000, further expanded “that risk and resilience are part of the same family but resilience is more of a deliberate objective and a broader concept than risk; it wraps in many “protective disciplines” including risk management, crisis and continuity management (amongst others – info security, physical security, environment, etc). Resilience also embraces aspects of culture, strategy and change.”
Separately, but by far the best explanation of Resilience was from Imogen Stockton, a researcher specialising in Organisational Resilience from Victoria Australia, in a recent Q31000 LinkedIn forum on the subject. I have her permission to reprint here:
“Broadly speaking, there are 2 types of resilience, engineering resilience and ecological resilience. Engineering resilience is described as the speed of return to the steady state following a disturbance which implies a focus of efficiency of function. This is a reactive response. Ecological resilience is different in that it accepts the inevitability of change and adapts to new or challenging conditions and has strong links to the notion of adaptive capacity. This is Proactive resilience using flexibility to accommodate perturbations and can be viewed as pre-event resilience, which originates from the ideas generated by environmental science. The difference between Risk Management and Resilience I believe is that Risk Management is a component of resilience, in that it is the management of known risks. Woods and Wreathall (2008) discuss a model for resilience as a stress-strain analogy. The first level response to an event is when the entity has the existing capability and capacity to cope with the challenge. They call this first order adaptive capacity (Risk Management). The second level response or the second order adaptive capacity is true resilience as the entity is unable to use planned responses, procedures and resources as the ‘demands exceed the limit of the first order adaptations. The first order response, which is the management of risk, cannot be considered resilience as it is merely anticipation, and it is the second order response during which innovation occurs which is characteristic of resilience.
I wonder at the idea of resilience and ‘bouncing back’ as that links to the idea of engineering resilience. I would caution against this approach to resilience, as it does two things: it implies a resistance to change, an effort to maintain the status quo and an effort to return to the previous state, to get back to how things were. BUT, this comes with considerable risk, because, a return to a previous state would mean returning to a place where the old vulnerabilities existed, the things that made you susceptible to the disturbance in the first place. I believe that ecological resilience, a focus on adaptation and flexibility which allow continuation of function is preferable, and this is accomplished by not returning to how things were, but rather changing and innovating. This is happens when we learn, grow, flex and create, really the opposite to resisting and preserving what we had. I understand the considerable difficulties that rare or unprecedented events, such as Black Swan Events, pose for entities. By being situationally aware, together with the identification and management of keystone vulnerabilities, an entity or Complex Adaptive System develops a firm foundation upon which to build adaptive capacity.”
In 2013 I wrote on an article “Chaos Theory & C-Level disillusionment with Risk” highlighting the general feeling at the Board & Executive levels that Risk Management had failed to achieve expectations. Resilience now adds a proactive edge to risk intelligence that might finally deliver on the promise.
Bio:
Greg Carroll - Founder & Technical Director, Fast Track Australia Pty Ltd. Greg Carroll has 30 years’ experience addressing risk management systems in life-and-death environments like the Australian Department of Defence and the Victorian Infectious Diseases Laboratories among others. He has also worked for decades with top tier multinationals like Motorola, Fosters and Serco.
In 1981 he founded Fast Track (www.fasttrack365.com) which specialises in regulatory compliance and enterprise risk management for medium and large organisations. The company deploys enterprise-wide solutions for Quality, Risk, Environmental, OHS, Supplier, and Innovation Management.
Mastering 21st Century Risk Management” which will be available from the www.fasttrack365.com website in a couple of weeks. Meanwhile a recent Webinar on the topic can be seen at http://www.youtube.com/watch?v=nQoJj6FBxrY&feature=youtu.be in which we show how emerging best practices provide a good picture for how enterprise risk management should look in the 21st century.