Modern organizations operate in a world of change and complexity, often unrealized and unseen. Keeping this change and complexity in sync with the broader business strategy, as well as operational processes, poses a momentous challenge for risk management processes and functions, particularly given the additional challenge of the lack of visibility to this risk. Given the evolving nature of the modern organization in today’s chaotic business environment, we must ask ourselves ‘how organizations can build a resiliency to emerging risks and disruptions to the business?’
Resiliency, within this context, can be no better defined than within the official definition of governance, risk, and compliance (GRC), defined and developed by OCEG – which is a capability to reliably achieve objectives, while addressing uncertainty, and acting with integrity.
Gaining a complete understanding of organizational and operational resilience requires a holistic and comprehensive understanding of the context of the organization, relating to meeting organizational objectives and strategy, in order to be able to manage risk and disruption in the pursuit of achieving overall business objectives.
The Modern Organization
In order to fully understand, the state of operational resiliency, first we must consider the state of the chaotic, modern business environment. Modern organizations are:
Interrupted. The evolving nature of modern business, added on top of the complexity of scattered operations, decentralized and siloed information, makes disruption to operational objectives inevitable. Modern organizations, have a need to, manage high amounts of, internal as well as external, risk data across a multitude of processes, relationships, and functions in order to gain an understanding of organizational risk, compliance, and performance. The overall volume of risk, and the speed in which it can cause disruption, is capable of completely overwhelming the organization and can threaten to bring the business to a near halt at a time when agility is crucial to the pursuit of the overall objectives. What is significantly alarming is the extent of the issues that is so limitedly understood by so many senior executives in all organizations, large and small.
Scattered. Business has changed dramatically. The old brick-and-mortar approach has become extinct, and modern business has become an interconnected snare of often global relationships and transactions that can affect all facets of the organization.
Constantly Evolving. The nature of business in our contemporary world is very dynamic. Change is a given, and technologies, processes, and objectives are evolving simultaneously with changes in regulations around the world, risk, and governance procedures. Meanwhile, distributed operations are growing, creating a multiplicity of potential risk environments for the organization across the globe.
In order to achieve operational resiliency, organizations must, attain a comprehensive real time view of the full scope of the context of the organization, in order to achieve an integrated view of risk across the business i.e., organizations must gain a full picture of how risk can impact its processes, products, services, clients, suppliers etc and how it interconnects throughout the organization. Business continuity and operational risk management (ORM) are therefore intrinsically related and connected and should be integrated together.
Making this connection is a key aspect of operational resiliency. Resiliency requires that the organization manage the interconnection of risk functions such as information management, third-party management, compliance, operations, performance etc. Since operational risk management encompasses a multitude of risk functions and departments throughout the organization, it is crucial that these functions collaborate and are integrated in order to connect ORM to the bigger picture of operational strategy in order to achieve a transparent and true state of resiliency.
Historically, this risk is managed in isolated silos. ORM is often misapplied as a result of these uncoordinated and nonstrategic approaches confined in silos and corporate egos that get in the way of developing a sound operational risk strategy to protect the organization from risk exposure and achieve business objectives. Risk is pervasive; there can be numerous departments throughout these organizations that manage risk with completely different approaches and thoughts on what risk is and how it should be measured and managed.
An integrated information and technology architecture is critical for organizations to build a more thoughtful and strategic approach to operational risk strategy. Organizations need complete situational awareness and vision into risk scattered across systems, operations, processes, relationships, and data in order to fully achieve operational resiliency, and to gain an understanding of the full impact of risk throughout the organization holistically and its impact on strategy, objectives, and performance.