This year’s DRJ Spring conference continued a central theme of resilience. Blue sky days may be in the review mirror, but the collaboration and thought leadership showcased in Orlando speak to how agile and innovative our colleagues have been in managing this new norm.
Coming off a spirited week in Orlando, risk and business continuity professionals were put to the test after the tragic collapse of the Francis Scott Key Bridge. Business continuity managers are still navigating the cascading impacts of this accident. Every threat and incident have the potential to be a dynamic risk. Understanding the realities of dynamic risk—and the cascading and often-unexpected impacts of physical threats—is one of the biggest challenges facing organizational and government agency leaders today. During the keynote, OnSolve leaders set the stage for this year’s 2024 OnSolve Global Risk Impact Report and encouraged the audience to consider shifting from risk prevention to resilience management.
What Is Resilience Management? How Is It Different From Risk Prevention?
From my perspective, resilience is about the delta (in time and dollars) between impact from a risk event and return to operational normalcy. A return to normalcy can have a short (e.g., office closing for the day) or long tail (e.g., change in insurance premiums) depending on the risk event and organizational risk management. Put simply, resilience is about accelerating recovery after a risk event. Recovery looks different for each organization, requiring a unique blend of people, processes and technology. The critical event lifecycle for resilience is “prepare-detect-activate-recover.” Resilience management is about improving this cycle. We do this by accelerating discovery of the risk environment (prepare), discovery of risk events (detect) and accelerating “action-recovery” through critical communications and incident management processes.
Risk prevention by contrast focuses on stopping risk events from happening. While risk prevention effectively eliminates the resiliency delta, it’s impossible to achieve given the scale, frequency and complexity of risk events today. The OnSolve 2024 Global Risk Impact Report survey found that 99% of executives and 100% of U.S. government leaders experienced a physical threat in the last 24 months. It’s not a question of if but when a risk event occurs. The good news in our 2024 Report: 90% of executives, 100% of federal leaders and 89% of local leaders surveyed say their organization plans on technology investments to improve their critical event lifecycle.
Here are my thoughts from DRJ on building organizational resilience:
Practice: There’s a saying often attributed to Navy Seals, “Under pressure, you don't rise to the occasion, you sink to the level of your training.” It is important to stress test people, processes and technology through tabletop exercises. Even for teams that manage crises regularly, it’s important to practice.
Process: When evaluating people, process and technology, resilience is best achieved by getting the process right first—people change jobs and technology evolves. During tabletop exercises, leaders commonly mention they lack a mature process for managing a particular crisis or threat category, or lament how challenging it can be to educate and train employees on what to do when there’s a safety concern in the workplace. Only 45% of executives and 35% of federal leaders surveyed in this year’s Global Risk Impact Report said they have a mitigation plan for the top physical threats on their respective radars. Invest early in developing sound processes and organizational buy-in and then identify the right people and technology to deliver end-to-end in a repeatable and scalable manner.
Business Literacy: We must strive to understand our respective organizations better than anyone outside of our respective C-suites. It’s not enough to just track assets within the business and how they might be impacted by risk. We need to understand how the business operates, its strategy, priorities and objectives, and its ecosystem of partners, customers and suppliers. When the bridge collapsed in Baltimore, the port closed and thousands of companies had to divert shipping and trucking away from one of the biggest ports in the U.S. Business continuity managers had to act fast—business literacy empowers us to prioritize, act strategically and communicate key information to decision-makers within the company.
AI-powered technology is KEY…but it’s not a panacea for risk: I’ll be the first to stand on the table and tout the incredible advantage AI is giving us to improve resilience. AI accelerates our discovery of risk events, automates processes and procedures that were previously painful and slow, allows us to communicate faster, and can be a force multiplier for every team, regardless of size. After hearing great discussions at DRJ and listening to leaders talk about their business continuity programs, I’m reminded that AI is a tool (for the good guys and the bad guys) and true resilience is built on relationships. We need hard skills and soft skills. We must influence, build business cases, make tough decisions and lean on each other for insights, guidance and support.
The mission can feel daunting and the path forward unclear. If you’d like to continue this discussion, provide feedback or are looking for assistance, OnSolve is here to help.