It’s becoming increasingly essential for organizations to be resilient in our polycrisis environment. As many organizations are quickly learning, the benefits of resilience go beyond reduced disruption, outages and costs in the event of a crisis to strategic opportunities.
For many, the question is not why to be resilient but how.
The key to resilience is effective risk management. Proactive identification and management of risk enhances both overall resilience and crisis response. This means that a crisis becomes less likely and that, when one does happen, your organization is able to respond better.
However, given the volatility of the past few years, we were surprised to see in our recent Global Crisis and Resilience Survey that some Canadian respondents aren’t planning any investment whatsoever in a number of areas foundational to risk management. For example, 19% aren’t investing in threat monitoring, and 10% aren’t investing in supply chain resilience. This is especially concerning in the current patchwork regulatory environment in which new regulations, such as Pillar Two, are continually emerging and organizations are repeatedly needing to review their risk profile.
Here we outline four practical recommendations for Canadian leaders to strengthen their organization’s resilience by breaking down barriers and taking a cross-disciplinary approach to risk management. These are: (1) integrate your crisis and risk management programs, (2) improve your horizon scanning, (3) have a process to monitor and escalate risks and (4) increase situational awareness at the time of an event.
One of the things we’ve seen historically is that crisis management and risk management programs are very poorly integrated—or not integrated at all. Organizations must align these, as an effective crisis management program is a critical mitigating control for enterprise risk management.
The first step is to use risk management tolerance definitions of likelihood and impact for deciding what constitutes a crisis. In other words: What’s the likelihood of a particular risk happening, and what would be the impact of a risk should it be realized? Your organization can then use these definitions for crisis declaration and escalation. This will help you facilitate more effective and timely escalation in the event of a crisis, as well as define where and how much to spend on preventative measures and recovery efforts.
Organizations should also use residual risk scenarios for crisis management exercising. Your risk program should have prioritized risk scenarios, and you can use these to define which scenarios to test your crisis management team on. While you won’t be able to plan for every possible scenario, having these points of integration is critical and will allow you to be agile whatever happens.
Often in risk management programs, we see an emphasis on the short term. Organizations tend to focus on issues they’re currently facing and what might be coming in the next quarter or two. They often don’t do a good enough job of understanding what’s coming down the pike longer term that could significantly impact their business strategy, especially from a regulatory standpoint.
Organizations must improve their horizon scanning to both mitigate downside risk and capture new opportunities. A perfect example is generative AI: those who were tracking this development upfront now have a clear competitive advantage.
This type of horizon scanning can also link directly to the bottom line. For example, where inventory made with forced labour is denied entry into a country by local customs, the owner of that inventory will experience financial loss, including write-offs and litigation costs. While Canadian companies may be aware of Canada’s new modern slavery regulations, many aren’t rating the risk of the changing regulatory environment as high or immediate enough, and aren’t proactively remediating those risks.
Where should risk management programs start? The first step is to broaden your organization’s line of thinking and consult external industry material already out there and then tailor this to the specifics of your organization. Organizations can assess which regulatory and technological developments are most relevant (based on, for example, geographical location, industry sector and size) and then monitor these and include updates in their reporting to senior leadership and boards.
The goal is to encourage dialogue about future risks, as well as their possible impact on business strategy, at the top levels of your organization.
Given all of the above, it’s perhaps unsurprising that only 30% of Canadian respondents to our survey say the risk and threat assessment element of their enterprise resilience program is optimized, integrated or industry leading. Where’s the gap? While we see a lot of organizations reporting after the fact (for example, annual reviews that look at execution risk), organizations often struggle to define metrics, report in real time on key risk indicators (KRIs) and then escalate as needed.
Organizations must have a baseline of risks and tolerances to see where things have gone awry. Ask if your organization has enough insight into processes (for example, delivery times, call volumes, outages and employee absences) to be able to report when there are early warning indicators of elevated risks.
In addition to understanding both their risk-type scenarios and the controls and processes they need to put in place to monitor the KRIs, organizations need to define the triggers and protocols for escalation. To do this successfully, organizations need to look beyond themselves and collaborate with other entities—including competitors—to better manage their own risk and strengthen the overall resilience of their industry and ecosystem.
There’s immense value to be gained in collaborating with others, both to capture business potential and to help solve important social problems.
In a crisis, leaders need to be able to get accurate information quickly, particularly about the nature of the situation, to make decisions in a timely manner. But this can be very difficult: 36% of Canadian respondents to our survey report gathering appropriate information quickly and effectively was a challenge during their most serious disruption in the last two years.
Situational awareness in a crisis gives leadership a better common operating picture of what’s going on: What are the risks associated with the situation? What’s our position on our people? Assets? Technology? Supply chain?
While part of strong situational awareness links back to better reporting and escalation, which give a crisis team advance awareness of a crisis, organizations need to make sure these processes continue to be available and working in the midst of a crisis. There are sophisticated software solutions that can help your organization do this, but it could be as simple as having a document in a shared drive that’s kept constantly up to date by the crisis management team.
Getting this wrong can be dire. During the pandemic, we all saw very clearly what happens when there isn’t a common operating picture in a crisis: different guidance was being given out by various health authorities, leaving many people confused about what to do and when. In the throes of a crisis, ill-informed decisions, actions and communications can have significant reputational and operational consequences.
In our survey, “adaptable, reactive, flexible and agile” were the top words selected by Canadian respondents to describe a resilient organization. How can you build an organization that has these traits? The more effectively you manage risk, the more resilient your organization will be and the better business outcomes you’ll achieve.
It’s critical to break down barriers—both within and outside of your organization—to enhance knowledge sharing between individuals, teams and business entities and create a stronger future together.
Partner and National Enterprise Risk Management and Operational Resilience Leader, PwC Canada