The last three years have led many to reconsider their approach to risk and resilience. In this process, risk assessments have come under scrutiny, as many organizations found themselves completely unprepared in the face of the pandemic. The feeling is that at the very moment when risk assessments should have served their purpose, they were simply not able to. Some might argue that the same has happened with the current energy crisis or with the never-ending series of supply chain disruptions that the global market is experiencing. Looking further back, financial risk management models came under fire when they missed the 2008 financial crisis by miles.

Risk assessments – especially in relation to business continuity management – have often been the object of debate, with several diverging opinions. Modern standards and guidelines suggest integrating activities such as horizon scanning and business continuity risk assessments, but perhaps not everyone is fully on board. It will probably be tempting for some to argue for a threat-agnostic approach, since they consider preparing for every possible threat an unrealistic exercise. However, this is no less extreme than the so-called all-hazards approach, which tries to build capabilities for the full range of disruptive events. In other words, preparing for no specific threat and preparing for every specific threat are two extreme and unfeasible approaches.

With this in mind, the question remains of how to address the past failures of risk analyses, how to improve them, and where to place them in the resilience process. Many regard the classic risk matrix as a simplistic approach; others regard it as a useful tool to show the overall risk status of an organization at a glance. More sophisticated risk models are not exempt from criticism either. Quantitative risk models depend on a number of factors such as the quality of the data, the personal biases of the analyst, historical biases, and unreliable assumptions, among many others. Furthermore, quantitative risk models may lull professionals into a false sense of security, leaving the organization completely blind to a disruptive event that the model did not anticipate.

On the other hand, Logan et al. (2022), in their article for Nature Sustainability, argue that there is no true resilience without assessing risk. Without this process, resilience capabilities would be incomplete; at the same time, they acknowledge that a static, inflexible risk analysis serves little purpose nowadays. Their definition of risk assessment factors in the fallibility of judgements, since every event and its consequences carry a degree of uncertainty that cannot be easily predicted or quantified.

Therefore, they propose that risk assessments include:

  • Possible events that may affect the organization
  • Consequences and secondary effects
  • The uncertainty regarding known consequences that may or may not occur
  • The uncertainty over consequences that are not yet known at all
  • The recovery systems in place that can mitigate the known consequences of an event
  • The reliability of the expertise and information used for the assessment

According to this reasoning, risk analysts (and resilience experts in general) must also be aware of how long a disruptive event can last. Another crucial element in this equation, therefore, is time. In the long term, a disruption can change, and its consequences can take on lives of their own. Covid-19, the Ukraine war, and climate change are all prime examples of this. For instance, rising sea temperatures can alter the distribution of fish stocks, disrupting the fishing industry across different geographical areas. This could lead to a shortage in supply, increasing prices for this particular good and contributing to higher inflation.

Hence, the very idea of risk needs to be less stationary and more flexible, and so risk assessments – to be truly effective in modern times – need to be an almost organic process that continually receives and evaluates new information. According to best practices, a similar process should already be happening for business continuity management processes such as the business impact analysis (BIA), which is updated as the organization changes and evolves.

This idea of continual updating is already present in mature crisis management. When a crisis occurs, the crisis management committee examines the situation and starts directing a response based on the plans it has. As the crisis goes on, the committee keeps meeting as frequently and for as long as necessary. As a result, should new information arise, the committee can review, change, and update the plan.

Research on business continuity management and supply chain resilience suggests that having a crisis management committee during the first wave of the pandemic outbreak was at times more important than having a plan. As most plans proved not to be fit for purpose, teams could adjust them based on new information and revised risk analyses.

Perhaps risk management practices should rely on the same principle of continual improvement. Running a snapshot analysis of risks and threats once or twice a year will not keep up with such a fast-changing threat landscape. An organization operating today on a risk analysis dating back 12 months would be completely detached from reality. At the same time, it is important to keep in mind that even the best risk assessment process can fail, due to the intrinsic uncertainty that characterizes risk. Therefore, flexible mitigation and recovery mechanisms must be in place to face the consequences of a disruptive event, including those the assessment did not foresee.

The approach to resilience in modern organizations must be holistic, but also flexible over time. It is not enough to bring different functions together on a sporadic basis, as analyses and plans must change according to the needs of the organization and to changes in the environment where it operates.

Author: Gianluca Riglietti

