Bounce forward: tips for resilience

Climate change, war in Ukraine, digital disruptions, cyber attacks – now, more than ever, organisations must anticipate, adapt and respond to numerous disruptions. These are only a few of the current causes of disruption that organisations face daily. The recurrent question is whether they would “bend” or “break” in the next crisis.

The Operational Resilience policy statement (2022) produced by the Bank of England, Financial Conduct Authority and Prudential Regulation Authority states that change is a constant and we must prepare for it. However, how can we balance resilience and efficiency before and during crises to emerge stronger after each one?

In 2021, the Institute of Risk Management’s Organisational Resilience Guide revealed that increased regulatory requirements, previous crises and a consistent tone from the top in more mature risk management cultures would enhance organisational resilience capabilities within organisations. However, after the Covid pandemic, the Chartered Institute of Management Accountants (CIMA) observed that, while the crisis had raised awareness, it also created overconfidence, partly because it was a global event, which increased the amount of leeway and compassion between third parties who were all exposed to similar challenges.

Certainly, it is unwise to wait until the next crisis to start creating and/or enhancing organisational resilience capabilities.

Organisational, operational and strategic resilience

The capacity to bounce back – or, better, bounce forward – during a crisis allows companies to continue operating in all situations. There are two aspects of organisational resilience: operational resilience and strategic resilience.

Operational resilience is commonly required by regulation and may refer to the minimum expected from companies to avoid systemic crises and prevent harm to customers and other vulnerable stakeholders. Operational resilience commonly overlaps with other preventative and control responsibilities, such as risk management, business continuity and change or crisis management.

Strategic resilience refers to the capability of organisations to add value, embed a collaborative culture and enhance communication across hierarchies and functions, which allows them to create competitive advantages. This is the upside of organisational resilience.

Although most organisations may currently be more concerned about operational resilience – particularly given regulatory requirements in financial services and the public sector – the most important form of resilience is strategic. Operational resilience normally focuses on compliance. However, it is through the strategic consideration of resilience that companies flourish.

When we consider emerging risks, we cannot wait for regulations to be introduced before we act. Furthermore, although preventative disciplines, such as risk management, are a key component in enhancing organisational resilience, some organisations do not focus on managing risks beyond mere compliance. This results in less mature risk management cultures in which those responsible for identifying and mitigating risks are given little time in board meetings and are distant from strategic discussions. They end up becoming prisoners of risk registers and tick-box exercises and the board is beyond their reach.

Open space for internal audit

Beyond the second line of defence and preventive disciplines, internal audit is a key component in the creation of organisational resilience. Internal auditors must scan the horizon for upcoming threats and opportunities to enhance the organisation’s resilience and offer assurance to the board. Internal auditors can also add value by scrutinising the fundamentals of organisational resilience, reassuring boards that those measures in place are sufficient and operating as they should within the corporate risk appetite and tolerance. This enables organisations to envision change and perform adjustments before, or even during, crises.

Of course, you do not need to experience crises to thrive, so internal auditors must proactively benchmark their organisation’s resilience capacities against those in their sector or the best-in-class in other industries. In this way, organisations can learn from within, considering the knowledge and skills already available, for instance, via brainstorming sessions and by opening channels to hear more from the first and second line of defence.

Internal auditors should also help to prioritise the issues that are already known, as this makes them easier to tackle. In a world that is constantly changing, we must all adopt a learning mindset and engage with people, processes and systems from within and outside. We must always be prepared so that we can bounce back, and aspire to bounce forward, to a new improved normal.


Fuzzy avalanche of resources

The number of publications focusing on organisational resilience has increased rapidly. Professional bodies and consultants are providing guidance and seeking to develop their expertise in this area and discussions about what it entails are cropping up everywhere – in the news, regulations, company announcements, etc. However, the idea of resilience dates back to the 1960s. Regulations to boost resilience increased because of concerns about the Millennium Bug and then again after the global financial crisis in 2008-09. Therefore, we should expect further regulatory attempts to safeguard consumer interests and socioeconomic systems following the Covid pandemic.

However, despite numerous references, the concept of resilience is still fuzzy. There are many analogies used to explain it – based on physics, ecology, psychology and other disciplines. For instance, the capacity to “bounce back” references material elasticity, while the idea that organisations may emerge stronger after disruptions corresponds to psychological traits observed in individuals who create coping mechanisms after traumas.

The way in which ecosystems readjust after disruptions to spaces and species demonstrates the interconnectedness between, and complexities within, systems. These definitions converge only in the reiteration that organisations must constantly anticipate, resist, adapt, respond and reshape to tackle emerging risks.

Customised and context-specific solutions

Organisations’ plans to enhance organisational resilience and their level of preparedness to deal with emerging risks vary widely. Attempts to measure organisational resilience are inconsistent and measurements are context-specific because of its relative and temporal nature. There is a plethora of models created by international standards, regulators, consultants and other experts, but during the pandemic most organisations relied on their workforce’s flexibility and adaptability, working with the skills and information already available to them.

Many people and organisations had then, and still have now, to overcome the false assurance that things will continue as they have done in the past. Internal auditors could help to establish and contrast the boards’ expectation with what people, systems and processes can actually deliver, shedding light on gaps between the real and ideal.

If boards do not yet know what they expect from their organisational resilience capabilities, there are opportunities to raise awareness by conducting self-assessments and desk inspections, or by interviewing people to see whether prominent issues can be brought to the surface and attract more attention. For instance, current challenges and the failure of competitors may create an opportunity to think ahead and prepare before similar issues have a negative effect on your organisation.

Where to start?

There are many opportunities, but you could start by considering the BSI (2015) Guidance of Organisational Resilience and the ISO 22316/2017 Principles and Attributes for Security and Organisational Resilience. Current overviews of this topic by AIRMIC’s Roads to Resilience and Cranfield/Deloitte’s Resilience Reimagined, or the IRM’s Organisational Resilience Guide may also help.

Organisational resilience requires a change of mindset, as we look to events that are not simple and structured, but which create complex and unstructured problems. Present threats and opportunities, and the unpredictable nature of these events, require creativity and a shift towards strategic thinking. Organisations should respond by considering not only processes and systems, but also principles and ethical concerns that focus on changing behaviours, to improve the poor information commonly available when emerging risks pop up on our radar. This will require collaboration across first-line and second-line silos and customised solutions, adapted to the complexity and nature of each business.

Conclusions

Organisational resilience is context-specific, and is always relative and temporal because of its multifaceted, dynamic and complex nature. No organisation can achieve full resilience or resilience against everything all the time. We must therefore set out our current priorities without compromising the long-term view. Covid may have created a false assurance, but internal audit can reassure boards that the situation is under review and improving – sailing in the right direction may not always mean to the safest place, as we must balance resilience and efficiency and move forward taking necessary risks to thrive.

This will require endurance as much as flexibility, while we explore our different skills and capabilities and create multipurpose solutions, people, processes, systems and organisations. By understanding distinct roles and functions, and encouraging the organisation to think as a family or group of families, we will work better together and be able to (re)align our purpose as we learn and improve. 

Rodrigo Souza is a senior lecturer in accounting and risk management at the University of Roehampton, London. He is also the co-chair of the IRM Innovation Special Interest Group. His research focuses on risk management, organisational and strategic resilience and governance, considering the interaction of people and accounting technologies in the construction of managerial debate. This article is based on his recent presentation to the Chartered IIA’s forum for internal audit leaders.

He is keen to learn what you think. In your company, is operational resilience a requirement? Does it complement strategic resilience discussions? Are these two conflicting business imperatives? Or are they currently optional? To share your insights contact Rodrigo.Souza@Roehampton.ac.uk

This article was first published in September 2022.