Managing Risks in Uncertainty - Building your Organizational Resilience

Managing risks in uncertainty –
Building your organizational resilience
Esther Oh, MCRL, GAICD, CRMA, CISA, FCPA(Aus)
All Rights Reserved AusAsia Resources

Are you prepared for the VUCA Century?
V – Volatile
U – Uncertain
C – Complex
A - Ambiguous
Chart 1: ASX 200 trend from 1 Oct 2014 – 1 Oct 2015
Source: www.asx.com.au

Session Outline
How to manage risks and
build your organizational resilience?
- Risk Management
- Business Continuity
- Disaster Recovery

Source: Resilience Programme, UK

Organisational resilience:
“a business’s ability to adapt and evolve as the global market is evolving, to
respond to short term shocks—be they natural disasters or significant
changes in market dynamics—and to shape itself to respond to long term
challenges.”
Source:
http://www.organisationalresilience.gov.au/

“Resiliency wraps around the organization’s culture, values, attitudes
and business practices, especially towards changes and disruptions.”
Rod A. Beckstrom,
“The Spider and the Starfish”

Why is resilience so important?
It determines Your SURVIVAL & SUCCESS

Chances of failures
Consequences from such failures
Time to recovery
Reputation, trust & goodwill
Demand from customers
Speed to respond
Benefits:

When facing tough challenges, you can choose to:
Decline Survive Bounce back Move Forward

Components
1. Leadership
2. Culture
3. Systems
4. People
5. Workplace
Source: Gartner Group
Leadership
Culture
Workplace
Systems
People

Putting the building blocks together

Remember:
- Fit for purpose
- Current
- Flexible
- Responsive
- Practical
Resilience Framework

Reality Checklist:
1. Is your organization structure, policies and processes still fit for purpose?
2. Does your organization embrace and adapt to changes quickly?
3. Does your workforce exhibit commitment, flexibility and trust?
4. Does your employees constantly seek to create value despite challenges?
5. Are your employees engaged and connected to the vision, mission, values
and strategies of your organization?

Source: http://www.resorgs.org.nz
How to know and improve
your organizational
Resilience?

Common Roadblocks
1. No commitment - lack of visible leadership
2. Silo mentality – lack of communication
3. Myopic views – lack of vision, purpose and values
4. Resistance to change – lack of situational awareness
5. Detachment – lack of teamwork/toxic culture

Top global risks at a
macro level
Source: World Economic Forum, 2015 Global Risks
Report, 10th edition,
http://www.weforum.org/reports/global-risks-
report-2015

Top common risks at the micro level
1. Reputational
2. Financing
3. Human capital
4. Technology
5. Market
6. Geopolitical
7. Credit risk
8. Terrorism
9. Foreign exchange
10. Regulatory
11. Crime and security
12. Natural disasters

Definitions
Risk is the “effect. of uncertainty on objectives” and an effect is a positive or
negative deviation from what is expected.
Risk management refers to a coordinated set of activities and methods that
is used to direct an organization and to control the many risks that can affect
its ability to achieve objectives. It also refers to the architecture that is used
to manage risk.
Source: ISO31000:2009 Terms and Definitions

Risk management framework
ISO 31000:2009 Risk Management Principles and Guidelines
1. Principles (elements)
2. Framework model
3. Process
Useful reference:
https://www.theirm.org/media/886062/ISO3100_doc.pdf

ISO 31000 RM framework

How to manage risks in uncertainty
1. Set objectives within established framework
2. Assess and quantify your risks
3. Devise and implement your plans and
strategies
4. Use tools and technology to monitor and
review
5. Keep consulting and communicating with
stakeholders

Implementing ISO 31000
Risk management
process, tools and
resources
Source: http://esvc001356.wic015u.server-web.com/
iso31000/index.html

Example of a Risk Map:
Likelihood and impact of
the major global risks in
2015
Source: World Economic Forum, 2015 Global Risks Report,
http://www.weforum.org/reports/global-risks-report-2015 Likelihood

More examples of tools:
o Risk registers
o Risk matrix heat maps
o Traffic light indicators/trend
o Simulation models
o Decision tree analysis
o Fault tree analysis
o RACI matrix
o Dashboards
o Risk Barometers/odometers

Examples of risk assessment techniques

Examples of Technology

Integrating ORS-Keys
for effective risk
management

Key Risk Indicators Key Performance Indicators
Provide early warning of increasing risk exposure Provide high level indication of past performance
Provides forward looking prediction and insight
on potential risks BEFORE the risk event
Provides historical performance of the
organization AFTER the event occurred
Decreases likelihood for management to override
key controls
Rewarding on KPIs alone increases likelihood of
management override and risky behaviour
Promotes risk awareness, proper management of
risks and healthy risk culture
Measuring by KPIs alone can lead to unnecessary
risk taking and unhealthy risk appetite
Copyrights and All Rights Reserved AusAsia
Resources.

Illustrative Example
Objective: Manage bad debts to reduce financial loss
Risks: Slowing economy, increasing customers default = negative impact on cash flow
= affects ability to pay bills on time

Let’s assume your sales are dropping quickly.
1. Objectives?
2. Risks?
3. Strategies?
4. Key Risk Indicators?
5. Key Performance Indicators?
Copyrights and All Rights Reserved AusAsia
Resources.

Objective:
Increase profitability
Strategies
Increase revenue
with new
products
Negotiate with
suppliers for
lower costs
KRI
New Product
Rejection
Rate %/mth
#Suppliers
who walk
away/mth
KPI
New Product
Sales % total
Sales/mth
$ Saved from
suppliers/mth
Risks
Monitor KRIs/KPIs against Objectives and Risks,
and adjust Strategies to achieve desired outcomes

Be SMART about your KRIs/KPIs
 Specific
 Measurable
 Auditable
 Relevant
 Timely

Where possible, KPIs/KRIs should be
• Based on established benchmarks or practices
• Developed consistently across the organization
• Provide unambiguous view of highlighted risk
• Comparable across time and business units
• Simple and easy to monitor and communicate

Tips for RM implementation:

Business Continuity (BC)
“the capability of the organization to continue delivery of
products or services at acceptable predefined levels
following a disruptive incident. ”
Source: ISO 22301:2012 Societal security – Business continuity management
systems – Requirements

BCP Life Cycle
1. Risk assessment
2. Business Impact Analysis
3. Plan Strategies
4. Test, train and maintain BCP Source: www.eci.com

What You Need
 Business Continuity Plan
 Emergency Response Plan
 Disaster Recovery Plan
 Crisis Management Plan

Inter-relationships between
- Business Continuity Plan
- Emergency Response Plan
- Disaster Recovery Plan
- Crisis Management Plan
Source: http://www.chainlinkresearch.com/

Using Mindmaps as a BCP tool

Impact of Being Prepared vs Not Prepared on Business Resumption
Source: http://www.chainlinkresearch.com/

Tips for implementing BCP:
1. Identify and prioritize Critical Business Functions
2. Determine Recovery Time Objectives/Service Levels for Critical Assets
3. Establish Recovery Points for Critical Applications
4. Conduct Comprehensive Risk Assessments On Critical Facilities
5. Ensure Succession Plans Exist for Owners, Key Employees or Consultants
6. Test your BCP, DRP and emergency response plans regularly

Tips for implementing BCP (continued)
7. Ensure Multiple Sources are available for Critical Supplies and Processes
8. Engage People in Business Continuity Planning
9. Use Tools, Technology and Training to provide Advanced Warnings
10. Always have Plan B (or more) ready to execute when Plan A fails
11. Ensure Physical, Logical and Internet Security are monitored constantly
12. Ensure Capacity Planning is flexible and adaptive for dealing with increased
or decreased Demand

Disaster Recovery

DRP Focus: IT Systems and infrastructure

1 in 4 that experienced a disaster unprepared
never reopened after a disaster
Av. cost of downtime US$336,000/hour
Source: http://www.hostway.com/blog/the-increasing-importance-of-
disaster-recovery-and-business-continuity

Tips for implementing DRP:
1. Prioritize your systems and determine service levels by importance
2. Weigh your costs(risks) vs benefits and resources availability
3. Create redundancy in your systems, e.g. spare servers and electrical power
generators
4. Regularly back up using various storage methods e.g. Cloud, HDD, USB,
Google Drive, Dropbox, emails
5. Test and refine your systems, e.g. do a dry run or fire drill with the relevant
staff at least once a year

A resilient organization is always prepared by:
1. Demonstrating authentic leadership
2. Establishing frameworks
3. Documenting plans
4. Linking ORS-Keys
5. Communicating and engaging people
6. Increasing levels of capabilities
7. Actively assessing & monitoring risks
8. Using SMART tools and technology
9. Testing & refining the plans
10. Seeking independent advice and training
Source: Infographic origin not cited

Resources and tools:
Organizational Resilience Health Check
Adversity Leadership Booklet
Disaster Recovery process map
Emergency Kits…
www.organisationalresilience.gov.au/resources
www.ready.gov/business/implementation/IT
www.ausasiaresources.com

Questions and Feedback
esther.oh@ausasiaresources.com
https://au.linkedin.com/in/ohesther
@Oh4Esther
Oh4Esther

Managing Risks in Uncertainty - Building your Organizational Resilience

Recommended

Recommended

More Related Content

Viewers also liked

Viewers also liked (13)

Similar to Managing Risks in Uncertainty - Building your Organizational Resilience

Similar to Managing Risks in Uncertainty - Building your Organizational Resilience (20)

Recently uploaded

Recently uploaded (20)

Managing Risks in Uncertainty - Building your Organizational Resilience