Companies and governments incur significant losses from incidents resulting from their exposure to risk. To stem these losses, managing risk is of paramount importance. However, considering the complex environments that most organizations operate in, this is no easy task, especially in the context of a threat landscape that grows increasingly sophisticated with advancements in technology and greater interdependencies.
A good case study is the 2010 Deepwater Horizon oil rig explosion in the Gulf of Mexico. The disaster killed 11 workers and dumped more than 200 million gallons of oil into the sea, becoming one of the worst oil disasters in human history. The 87-day spill caused irreversible damage to human life, wildlife, the environment and local economies. A series of mistakes and system failures were at the root of this disaster, including a poor safety culture, absence of a crisis management plan, and underestimation of multiple red flags.
While no organization will ever be impervious to risk, by building resilience, it is possible to mitigate the severity of threats like these and bounce back when a negative event occurs. To become resilient, organizations must be aware of future threats and current weaknesses to their operations, and they must make informed strategic and tactical decisions in order to prepare for risks and respond effectively to internal and external events.
This strategy requires setting a resilience framework that protects organizations against potential shocks, focuses on being proactive, helps to explore options for dealing with surprises and changes, and defines resilience objectives and guiding principles. What’s more, a well-conceived resilience strategy should include a robust Risk Management (RM) program to identify and assess risks across the entire organization, and to help with the implementation of risk management strategies. Booz Allen Hamilton outlines the following risk management strategies to help organizations build resilience in the MENA region.
It is important to provide oversight, develop a monitoring structure, and set risk objectives, which in turn set the tone for a successful RM program. The entire organization needs to understand the importance and purpose behind risk and resilience to ensure proper commitment and resources.
When it comes to organizational and decision-making processes, it is essential to define responsibilities and accountability, and to ensure that risk management responsibilities are shared and understood by all employees across the organization.
RM Strategy and Policy
In addition to defining responsibilities, it is vital to define the scope of the RM program, as well as the rationale and principles for managing risks. Here, the risk commitments should also be clearly stated.
Risk Appetite and Tolerance
An organization should determine the amount of uncertainty it is prepared to accept and the level of exposure it is willing to withstand.
Processes and Tools
Another critical component of any RM program is developing the processes to identify, assess, and report risks. Here it is important to design tools that enable effective risk management (e.g., risk matrix and risk register structure) and to establish a comprehensive risk reporting system that facilitates effective risk mitigation decisions.
Culture and Communication
Communication may seem like one of the ‘softer’ elements of risk management, but it is in fact indispensable in building employee understanding and nurturing a long-term risk management culture.
The performance of any RM program must be subjected to regular, rigorous evaluation to ensure continuous efficacy and improvement over time.
Last but not least, organizations should consider the breadth of information sources and the gathering mechanisms they intend to use for business intelligence purposes. Similarly, they should determine the parameters for information gathering, including frequency, scope, mode, and tools.