The vision for a new house starts with glossy pictures and high-level wants and needs. The blueprint is where that vision becomes more tangible, with floor plans, and structural and material requirements. Similarly, organizational risk resiliency starts with a culture that prioritizes and shares responsibility for proactively managing risk. The blueprint for how it’s done is achieved through methodology. Without a resiliency culture, methodology can lack direction and commitment. Without a comprehensive risk management methodology, the cultural vision is not persistently achievable.
Proper methodology is tool-agnostic. This is crucial because tools and technologies evolve or are replaced when better versions are available. A tool-focused (or tool-limited) approach to managing risk will likely be hit-or-miss, at best. Persistent resiliency is supported by two key methodological components: 1) risk definition that reflects the unique contextual needs of the organization and its subunits and functions, and 2) logical and repeatable risk management processes.
Various phrases over the years have touched upon the topic of context: “perception is reality”… “context is everything”… even “don’t miss the forest for the trees”. The context of an event matters greatly in its interpretation. On the beach, people commonly eschew typical clothing for bathing suits and bare feet, while the same attire at a restaurant is most often thwarted by the sign “No shirt, no shoes, no service.”
When it comes to risk, context matters: the same risk exposure or event doesn’t impact everyone in the same way. Even different business units of the same organization may be impacted and respond differently. This dynamic is illustrated in the Ebbinghaus Illusion – where the center circle is the same size in both images, but it looks bigger or smaller when placed in the context of different sized circles.
For this reason, methodology is crucial for creating persistent resiliency. Your approach to managing risk must consider the unique needs and characteristics of your organization. Your risk management methodology must account for and accommodate the industry or industries in which you operate, where your operations are located, and the diversity of your operations across divergent business units, divisions, or subsidiaries.
What are the key elements of a resilient methodology?
Alignment with organization type and structure: the methodological model should mirror the organizational hierarchy.
Alignment with organizational priorities: the methodology should reflect the things that are important to strategic, tactical, and operational goals of the organization.
Inclusion of all organizational functions: risks can arise from any part of the organization – not just the supply chain – and the right methodology will include inputs from across the whole organization.
Facilitation of organizational learning: while past risks may not always predict the future, they can certainly provide context in which to evaluate new or recurring risks, and a proactive methodology will ensure this context is retained to improve future response effectiveness and shorten the time to respond.
Independence from specific tools: although the methodology obviously needs tools for its implementation, it should not be defined in the context of any specific tools, so that tool-based limitations do not constrict its implementation.
Persistent resiliency cannot be achieved without efficient, optimized, and repeatable processes. Moreover, anyone in the organization should be able to start the process – not just supply chain. Risks occur from top-down and bottom-up, and from the supply side as well as the demand side. If a regulatory issue exists, the legal team should start the risk management evaluation process. If negative product reviews are cropping up in social media, the brand management team needs to raise the issue for root cause analysis with warehousing, production, and procurement team members. If you have managed to cultivate a resiliency-focused organizational culture, it is vital to support that with a broadly inclusive methodology. Restricting risk management processes to one functional silo will kill organizational enthusiasm for and commitment to maintaining proactive and effective resiliency.
A resilient risk management process should include:
Alerting about both external risk events and identified internal issues and events.
Scenario Planning of hypothetical risk event situations to assess potential impact.
Prioritization of real and hypothetical risk exposures by meaningful organizational metrics (revenue, profit, budget, mission, etc.).
Mitigation Planning – the who, what, when, where of a proposed risk response.
Mitigation Management – the workflows, status tracking, outcome capture and evaluation.
Continuous Improvement – retaining information about risk, responses, and outcomes to help drive faster and better responses in the future.
Much like constructing a house from a detailed blueprint, building a persistently resilient organization requires a firm commitment, a clear plan, and the appropriate tools. It starts with fostering a culture that values and supports proactive risk management. The blueprint for this culture is a comprehensive risk management methodology, which should be context-aware, organization-wide, and independent of specific tools. In the same way that a well-designed house caters to the unique needs and preferences of its inhabitants, an effective risk management methodology should be tailored to the unique structure, priorities, and functions of your organization. Furthermore, just as a house can't be built overnight, persistent resiliency is not achieved immediately, but is the result of implementing repeatable, efficient processes over time.
Remember, the end goal is not just about managing risks as they come, but about creating a resilient organization that is better prepared for future uncertainties. The final picture may not look exactly like the glossy image on the brochure, but with the right blueprint and methodology, you'll build an organization that stands strong in the face of risk, maintaining its core functions and bouncing back quicker from disruptions.