Taking a systems approach to managing risk and increasing resilience

Lynnda M. Nelson looks at how to increase your preparedness and reduce risk by taking a systems approach to managing risk and increasing resilience. She also explores risk-based thinking and the importance of considering your organization’s risk culture.

Introduction

This article considers the behaviors of being prepared, robust, and redundant. These behaviors can be observed in relationship to the 17 Strategies to increase resilience documented in ICOR’s Organizational Resilience Capability Assessment (ORCA). 

So often the behaviors of being ‘prepared, robust, and redundant’ are applied to the infrastructure and systems of organizations. However, these behaviors are just as important for everyone to embrace and should be considered when allocating and managing resources, managing change, and managing risk.

COVID-19 has helped to sell the ‘preparedness’ story

The pandemic revealed the value of organizational resilience to business leaders. Many recognized that their crisis plans were instrumental to managing through the crisis.

Though the magnitude of the pandemic and its domino effects were not generally foreseen, the processes and procedures companies had in place proved themselves (or not) in very trying conditions.

The pandemic revealed hidden vulnerabilities and weaknesses in response capabilities.

Organizations had to respond quickly to a variety of challenges in operations such as:

• Workforce disruption
• Supply chain issues involving critical shortages and logistics barriers
• Information and cyber security issues

As a result of the pandemic, organizations have been forced to move from managing well-defined risks, often focused primarily on financial risks, to a more strategic approach with a broader mandate where managing risk and being prepared for the unexpected is included as part of the organization’s long-term strategy.

The time to be prepared is now yesterday

• The types and number of risks as well as the potential for significant disruption is growing.
• The dynamic pace of change makes disruptions hard to predict.
• All organizations need to plan for the unexpected and strengthen their response capabilities.

To ensure that your organization is prepared for the unexpected (or even the expected!), requires that there are detailed plans of action in advance of their being needed. This includes building robust systems that are well-conceived, constructed and managed so that they can withstand the impacts of incidents without significant damage or loss of functionality. 

A robust design enables the organization to anticipate potential failures in systems while making provisions to ensure that any failure is predictable, safe, and not disproportionate to the cause. A well-prepared organization ensures that there is not an over-reliance on a single asset and avoids exceeding failure and design thresholds that if exceeded, could lead to catastrophic collapse.

Redundancy refers to spare capacity purposely created within systems so that they can accommodate disruption, extreme pressures or surges in demand. It includes diversity: the presence of multiple ways to achieve a given need or fulfil a particular function. Redundancies should be intentional, cost-effective, prioritized at an organization-wide scale, and should not be of inefficient design.

Preparedness and managing risk

To succeed at any initiative requires intentional planning. There are three accepted aspects to being prepared: managing resources, managing change, and managing risk. There should be a coordinated approach to being prepared to ensure that there is an alignment of systems to manage risk while minimizing silos which create barriers across business functions.

Managing resources

The first aspect of being prepared and managing risk is to allocate and manage resources such as people, premises, processes, technology, and information to address vulnerabilities and increase the organization’s capability to adapt to changing circumstances.

Top management should routinely review the suitability, availability, and allocation of resources, considering of the impact of any changes in the organization and its context. Those resources need to be adequate and available when needed to ensure that the organization remains productive and minimizes risk to operations.

Managing change

The second aspect of being prepared and managing risk is to intentionally develop the ability to identify and respond to change in a flexible manner. This includes how it will modify and deploy capabilities, arrangements, structures, activities, and behaviors to adjust to these new conditions.

In order to effectively and efficiently manage change, the organization needs to be aware of circumstances that are likely to influence change and demonstrate the ability to anticipate, manage, and influence change.

The organization should implement systems to anticipate, plan, and respond to changing circumstances and ensures that these systems are sufficiently robust and effective to respond to change. This will enable the organization to consistently deliver on its commitments during changing circumstances and adapt its operations accordingly.

Managing risk

The third aspect of being prepared and managing risk is that the organization anticipates and responds to threats and opportunities, arising from sudden or gradual changes in its internal and external context, therefore effectively managing risk.

The organization should empower its people to identify and communicate threats and opportunities and to take action that will benefit the organization. As part of that process, it should identify and implement risk-based systems that contribute to the organization's resilience and ensure that they are sufficiently robust and effective to respond to change.

Three pillars of systems-based thinking

To increase an organization’s level of preparedness and overall resilience, the organization should have a coordinated approach to managing risk. The organization should identify and align the various systems that manage risk to ensure the silos which create barriers between the systems are eliminated. Generally, we can consider three pillars of systems-based thinking: operations, technology, and management. See figure one, below.

Figure one

Systems for operations

Consider figure two as an option for an organization to manage risk to its operations. Organizations may have different names for how they manage risk to operations, but these four systems are often implemented.

Figure two

Systems for technology

Organizations today and in the future will continue to be dependent upon technology. The four systems included under figure 3 should be present in all organizations no matter the size, location, or services provided.

Figure three

Systems for management

Oftentimes, business management systems are not included under traditional methods of managing risk. This results in a siloed way of managing risk. There are many different systems used in management, but these four, as demonstrated in figure four, are seen in most organizations.

Figure four

Systems theory, preparedness, and managing risk

Wikipedia defines systems theory as ‘the interdisciplinary study of systems, i.e., cohesive groups of interrelated, interdependent parts that can be natural or human-made. Every system is bounded by space and time, influenced by its environment, defined by its structure and purpose, and expressed through its functioning’.

A system may be more than the sum of its parts.

Systems theory seeks to explain and develop hypotheses around characteristics that arise within complex systems that seemingly could not arise in any single system within the whole. This is referred to as emergent behavior.

Changing one part of a system may affect other parts or the whole system. It may be possible to predict these changes in patterns of behavior. For systems that learn and adapt, the growth and the degree of adaptation depends upon how well the system is engaged with its environment.

Some systems support other systems, maintaining the other system to prevent failure. However, the relationship between the parts and the outcome can be both unstable and uncertain.

In business, as in private life, people generally make decisions regarding complex situations in which the relationship between a decision, the action and its outcome are part of a complicated system. The instinct of many people when such a difficult situation occurs is to decompose the situation into separate parts, focus on the important parts first, and analyze the rest individually.

While this can be effective in some cases, in others the relationship between the parts are essential to the problem, and therefore decomposing or reducing the parts avoids seeing the real problem at hand. 

Promoting risk-based thinking

Risk-based thinking requires organizations to evaluate risk when establishing processes, controls, and improvements. One of the most important aspects of applying risk-based thinking to your management process is to make it part of your process rather than a siloed activity. There are several practical ways to accomplish this:

• Utilize an integrated risk register: create a centralized place to record and monitor individual hazards and risk items.
• Use flexible risk tools: utilize risk assessment tools to identify and manage risks.
• Conduct risk-based effectiveness checks: adding a risk-based verification step for processes like corrective action helps satisfy performance evaluation and improvement requirements.
• Use Technology to reduce risk through automation: creating automated risk management processes ensures nothing falls through the cracks, giving you a documented history to turn to if things go wrong.

Use these simple questions as a framework for managing risks - your people can easily understand what you are asking them, and they shouldn't feel overwhelmed with risk management jargon:

• What are we aiming to accomplish?
• What could happen that might affect our objectives/goals/expected outcomes? How would it be affected?
• What are the most important effects/impacts?
• What are we going to do about them? How to make sure our actions are effective?
• Which actions were effective and which not? Why? 
• What will need to be changed and what have we learned?

The impact of risk culture

Risk culture is a term describing the values, beliefs, knowledge, attitudes and understanding about risk shared by a group of people with a common purpose. The Institute of Risk Management (IRM) is a professional body for enterprise risk management (ERM). They help build excellence in risk management to improve the way organizations work.

The IRM has led the debate on risk culture for nearly 30 years. Drawing upon the wealth of practical experience and expert knowledge across the Institute, they have developed guidance for organizations wanting a greater understanding of their own risk culture and the practical tools which can drive change.

Resources for Practitioners is complimentary and downloadable from their website.

In IRM's publication, Risk Culture, I found that the most interesting and important areas in enabling a risk culture were outlined in how to gain an understanding of the organization’s predisposition to risk. Tied to this is an understanding of each person in the organization’s predisposition to risk. 

The document provides practical guidance on how to measure and identify risk types and then how you can use this knowledge to view your organization’s ‘risk landscape’ in a very tangible way. Across the organization, functions, or levels of management or within sections, departments, or teams, you know where the different risk types are most concentrated, or where there is underrepresentation or complete absence of a risk type.

The IRM Risk Culture Aspects Model, shown in figure five identifies eight aspects of risk culture, grouped into four themes, key indicators of the ‘health’ of a risk culture, aligned to an organization’s business model. This approach, set out diagrammatically in the figure below, requires the organization to self-assess in the areas of:

Tone at the top

• Risk leadership - clarity of direction
• How the organization responds to bad news

Governance

• The clarity of accountability for managing risk
• The transparency and timeliness of risk information

Competency

• The status, resources and empowerment of the risk function
• Risk skills - the embedding of risk management skills across the organization

Decision making

• Well informed risk decisions
• Appropriate risk taking rewarded and performance management linked to risk taking.

Figure five

The Risk Culture Aspects Model links with the sociability versus solidarity analysis through planned action to address deficiencies in the current culture. Interventions required may relate to driving an increase in the levels of sociability and/or solidarity and pushing the organization into a position more conducive to effective risk management.

The model specifically links the aspects shown in blue in the diagram to greater impact on sociability and the red aspects to improvements in solidarity.

Organizational capabilities and attributes

ICOR’s Organizational Resilience Capability Assessment (ORCA) identifies capabilities and attributes of more resilient organizations. The following capabilities and attributes demonstrate what organizations should do in order to be more prepared, robust, and redundant:

Shared vision and unity of purpose

• The organization is committed to protection, performance and adaptation but with the ability to shift focus without compromising its vision and core values.
• The organization coordinates its systems so that they individually and collectively contribute to the organization’s purpose and the protection of what it values.
• The organization’s leaders ensure that its resources are focused on initiatives with the best potential to increase the organization’s value and values.
• The organization addresses system vulnerabilities through robust design, redundancy and fail-safe measures, while balancing risk, performance and cost.
• The organization’s leaders ensure that the organization is prepared for the unexpected and being prepared is included as part of the organization’s long-term strategy;
• There is a shared mandate for how to manage risk.

Understanding and influencing context

• Mechanisms exist to ensure investments in resilience activities are appropriate to the organization’s internal and external context.
• Strategic decisions are based on robust, deep, broad and far-sighted data and projections. The data is supported by a science/policy interface bringing together policy makers and the best possible science and data. This builds on any existing joint strategic needs assessment working groups.

Effective leadership and management / governance and accountability

• The organization assigns roles and responsibilities for enhancing organizational resilience.
• Structures, roles and responsibilities for the rapid gathering, collation, sharing and use of data and information are defined.
• All employees are provided with equal access to information, opportunities, and relationships they need to be successful.
• Governance structures exist to achieve the effective coordination of organizational resilience activities.
• Resilience strategies are structured around a mixture of centralized and decentralized networked interested parties coordinated through a central program.

A culture supportive of organizational resilience

• The organization develops trusted and respected leaders who act with integrity and who are committed to a sustained focus on organizational resilience.
• The organization empowers people to identify and communicate threats and opportunities and to take action that will benefit the organization.

Shared information and knowledge

• There is communication, coordination, and cooperation between its systems to build a coherent approach.
• Agile, adaptive, and intelligent integrated systems exist to continually review and improve data and information flow to ensure information can be analyzed and shared effectively, turned into shared understanding, and used for evidence-based decisions.
• Shocks, stresses, and trend data is presented in ways that make them simple to understand, using high levels of visualization including exposure mapping and changes in risks, opportunities and vulnerabilities over time.
• Common metrics (for example, different values) are used for assessing the impact and opportunity potential of shocks, stresses and trends, allowing effective prioritizations and conceptualization.

Agile management

• The organization monitors data in real time to provide situational awareness, populate system models and provide feedback on metrics
• Adaptive pathways are developed to promote ‘just in time’ decision‑making, supported by decision point analysis as part of program and project management activities.
• Mechanisms exist to continuously evolve and the organization is able to modify its activities rather than seeking solutions based on the status quo.
• The organization demonstrates preparedness by responding quickly to mitigate adverse impacts of incidents on its systems and to accelerate recovery.

Availability of resources

• The organization develops and allocates resources, such as people, premises, technology, finance, and information, to address vulnerabilities, providing the ability to adapt to changing circumstances.
• Spare capacity is purposely created within systems so that they can accommodate disruption, extreme pressures, or surges in demand.
• Redundancy efforts includes diversity: the presence of multiple ways to achieve a given need or fulfil a particular function.
• The organization’s systems are sufficiently robust and effective to respond to change.
• The organization’s leaders have the ability to apply existing resources to new purposes.
• The organization has the ability to identify and respond to change in a flexible manner; including modifying and redeploying capabilities, arrangements, structures, activities and behaviors to adjust to new conditions.
• The suitability, availability and allocation of resources are routinely reviewed, taking account of the impact of any changes in the organization to ensure that the organization remains productive and minimizes risk to its operations.
• The organization makes appropriate decisions on resourcing and capacity, diversification, replication and redundancy to avoid single points of failure and respond to incidents and change, so that core services are maintained at an acceptable, pre-determined level.

Effective management of change / risk

• The organization is accepting of uncertainty and change.
• The organization remains aware of situations that are likely to influence change and is prepared to respond to change, or influence change if necessary.
• Systems exist to anticipate, plan, and respond to changing circumstances and ensure that these systems are sufficiently robust and effective to respond to change.
• The organization manages the effect of uncertainty on its objectives across its systems.
• The organization’s leaders understand that the strategy and program initiatives are not fixed, but are kept fluid to ensure they are agile and evolve with need, and are able to accelerate with need.
• Teams consider what challenges may occur during a project and address potential solutions collaboratively in order to prevent or minimize obstacles, using resources to anticipate problems before they arise.
• The organization addresses system vulnerabilities through robust design, redundancy and fail-safe measures, while balancing risk, performance and cost.

Coordination and alignment of systems

• Systems are in place that support the effective implementation of organizational resilience activities.
• Flexibility is built into its systems so that the organization can absorb and adapt to change and manage the effect of uncertainty on its objectives across systems.
• The organization’s systems are coordinated and include contributions from technical and scientific areas of expertise.
• Agile, adaptive and intelligent integrated systems are used to continually review and improve data and information flow to ensure information can be analyzed and shared effectively, turned into shared understanding, and used for evidence-based decisions.
• There is a regular assessment of how each system contributes to the overall resilience of the organization, and weaknesses are addressed where these are found.

In conclusion

It is time to move beyond a reactive approach to managing change and uncertainty. Organizations need to move from a narrow focus on risk controls, governance, and reporting to a broader mandate where managing risk and being prepared for the unexpected is included as part of the organization’s long-term strategy.
Taking a systems-based approach to managing risk and increasing preparedness will increase the resilience of the organization. Understanding your organization’s risk culture is an important aspect of this effort.

• The Institute of Risk Management. (n.d.). Risk Culture. Retrieved from https://www.theirm.org/what-we-say/thought-leadership/risk-culture
• Wikipedia (2022). Retrieved from https://en.wikipedia.org/wiki/Systems_theory

Learn more by viewing ICOR's webinar How Being Prepared Increases Resilience on Youtube.

The author

Lynnda M. Nelson is a Founder and the President of The International Consortium for Organizational Resilience (ICOR). She manages the day to day operations of ICOR’s education and credentialing programs.

As a member of the US delegation to the ISO TC 292 and TC 268 Series of Standards, Lynnda is an expert on international standards for business continuity management systems, crisis management and communications, organizational resilience, and community resilience.

She is a frequent speaker on the subject of organizational and community resilience and the capabilities that support building more resilient organizations and communities. She conducts a monthly webinar, writes regularly in the ICORrespondence Newsletter, and shares in podcasts. She can be contacted at Lynnda@theicor.org.

About ICOR

The International Consortium for Organizational Resilience (ICOR) provides education to individuals on how to build more resilient organizations and communities and credentials individuals with the competence to lead and manage risk throughout the organization. The organization participates globally in instructing individuals, organizations, and communities to become more resilient. For more information about ICOR, credentialing or membership opportunities, visit www.build-resilience.org