Control-Risks-Global-Resilience-Survey-2020-report V0.6

Global Resilience Survey 2020: Findings Report


A siloed approach to Enterprise Risk Management (ERM) is not enough to deal with today’s – and tomorrow’s – rapidly shifting risk landscape

While some sectors, such as Financial Services, have vigorously implemented ERM and found it to be effective from a governance and compliance perspective, others have struggled to robustly build and/or run strong ERM programmes. For all, the practices of using audits to identify, measure and prioritise risks, and define specific mitigation strategies mostly work with short-term, traditional risks. COVID-19 – which is clearly neither a short-term nor a traditional risk – significantly challenged organisations’ ERM programmes. Some survey participants noted that their existing ERM model wasn’t suited to deal with the fast-changing, often operational risks posed by the crisis. This underlines the emerging reality that dynamic, broad and fast-moving risks need a fresh approach that is aligned with resilience and supported by robust risk intelligence. We believe that companies that adopt a fluid and risk-agnostic approach to risk management are more resilient and can better manage long-term, evolving crises. Companies that currently employ ERM do not need to reinvent the wheel – they can overlay a resilience methodology to create a more holistic approach, which includes non-traditional, high-impact low-probability risks. This allows organisations to become capable of thinking beyond BCM and CM, beyond traditional risks like terrorism or natural disasters, and move to the strategic level of planning for scenarios like public policy and perception changes or expanding definitions of duty of care.

How can companies grow beyond traditional ERM and truly become resilient?

Companies can think beyond standard risk management by using a resilience model which includes horizon scanning, scenario planning, and emerging risk identification. The model needs to include robust risk intelligence which ingests information from a number of external sources ranging from the strategic, such as geopolitics and supply chain, down to the operational, such as local security risks and local infection rates. Key risk indicators can be used to flag key information for risk and resilience professionals. For example, several large technology and manufacturing firms are now using a joint risk and resilience approach to actively monitor the risks to their strategic supply chain. Once key indicators are triggered, risk and resilience teams work seamlessly together to communicate and mitigate the risks, in this case moving strategic sourcing to other low COVID-19 locations. Consider bringing together business functions and expanding interdependencies to further embed resilience, and proactively scan the horizon for risks, changes, and disruptions. Resilient companies conduct forward-looking scenario planning sessions that include event triggers to define when a scenario becomes more (or less) likely, which is critical as it allows leadership teams to think through broad, inter-related risks and define concrete triggers that would then prompt business decisions. It is also essential to establish key performance indicators (KPIs) to measure success and determine their level of resilience maturity. 39% of respondents have established KPIs to benchmark their resilience. This practice greatly differs geographically, as well as by sector. While 46% of North American respondents use KPIs, only 27% of their European counterparts do the same. 54% of businesses in Financial Services reported they used KPIs, compared to literally none of the Oil and Gas respondents.

Fig. 7: Two thirds of businesses monitor and analyse risks 12 or more months in advance

Survey question: How far ahead of time does your organisation monitor and analyse risks?

Chart values: 9.2%, 5.0%, 18.3%, 37.5%, 22.5%, 7.5%

Source: Control Risks

Companies that have truly, fully implemented resilience throughout their organisation are very rare. They have invested significant time and effort in embedding their resiliency and deal with uncertainty and change centrally, with clear intent and coherence, leveraging their corporate values and culture to embed the principles of resiliency. Keep in mind that a business’ level of resilience maturity fluctuates – it’s not that an organisation which has checked all the above boxes can consider the job done. No one organisation can maintain a high degree of resilience all the time - crisis, disruption and change are the great equalizer. These factors will shift a business up and down the resilience continuum; the trick is to find the balance against a company’s specific risk profile and risk tolerance.
