How to Build your Organisation’s Resilience
Boards and senior executives are seeking greater assurance their organisations can identify and respond to increasingly complex risks.
Now more than ever, organisations are operating in challenging conditions. Cyber-attacks, volatile global markets, and scrutiny from the regulator as well as staff wellbeing and skills shortages highlight the complexity in building organisational resilience.
Many organisations are looking for better ways to proactively build their resilience and reduce the impact of external factors, so that they can respond effectively to a range of potential disruptions while still achieving their strategic objectives.
Aligned with these drivers is a stronger focus on identifying resilience indicators that lead, rather than lag, major events or change. Leading indicators of resilience provide quantifiable evidence of current capability, visibility of immediate gaps and assurance to key stakeholders.
A resilient organisation has the ability to anticipate and manage change intelligently and swiftly, the capacity to learn from challenges, and a habit of seeking opportunities to enhance its capability to adapt and to bounce back faster, smarter and stronger.
Executive and board resilience challenges
Executives and boards are facing many risk and resilience challenges:
- An increasingly complex and wide range of risks including those related to cyber security and critical third-party providers.
- On-going changes to regulations.
- Increased accountability and penalties for non-compliance.
- A vast array of guidelines and standards.
- Internal structures that are based on functions and inherently siloed.
Increased accountabilities and penalties
New resilience regulations from governments and regulators around the world are increasing and expanding to cover a wider range of industries. These regulations impose increased responsibility on boards to improve their oversight of operational risks, business continuity and the management of third-party providers, so many board members are now required to demonstrate they have taken ‘reasonable steps’ to meet their obligations.
A vast array of guidelines and standards
Many of the changes in regulation are designed to address specific risks. For example, Australia’s Privacy Legislation Amendment Bill 2022 includes some of the harshest financial penalties globally, designed to protect the privacy of data, while the new Digital Operational Resilience Act (DORA) addresses ICT-related risks in the financial services sector in the EU [2].
In some instances, the regulations are very clear and in other instances, organisations can meet the requirements any way they see fit. This lack of clarity about ‘what good looks like’ makes it challenging for executives and board members to establish that ‘all reasonable steps have been taken’ from a compliance and assurance perspective.
Internal structures that are inherently siloed
Organisational resilience capabilities span risk management, security, information technology, information security, business continuity, disaster recovery, emergency management, incident management, crisis management, insurance and audit. Typically, projects and capabilities in these areas are distributed across the organisation and not sufficiently aligned.
How to build organisational resilience
Leaders can draw on the experiences of owners and operators of critical infrastructure and those operating in high-risk industries who have taken an ‘all risks’ approach to developing their resilience and capability, in the following ways:
- A CEO-led and board endorsed resilience statement.
- A holistic and integrated resilience framework designed for all risks that aligns and maintains capabilities in the areas of Risk, Readiness, Response and Assurance.
- Embedded team-based critical thinking across the enterprise.
- An ongoing schedule of scenario-based exercising activities.
- A resilience scorecard to measure and maintain capability.
Taking an all-risks approach draws on existing investments, capabilities and risk controls and builds the capability to respond to a range of current risks and emerging threats, while meeting the changing regulatory requirements.
1. CEO Resilience Statement
A CEO Resilience Statement can be used to mobilise the organisation to manage all types of risks including strategic, operational, financial, environmental and reputation. The CEO Resilience Statement should be agreed by the executive and board and communicated to all levels of the organisation. The statement is used to align capability, guide decision-making, and prioritise investments in building organisational resilience.
2. Enterprise-wide Resilience Framework
The CEO Resilience Statement is operationalised using an enterprise-wide Resilience Framework that leverages existing capability and takes a holistic, integrated, and co-ordinated approach to the development and maintenance of capability.
The resilience framework extends beyond traditional risk management reporting, by integrating readiness and response capabilities and considering the interdependencies and links across the business and with external parties.
A fully integrated resilience model is achieved by intelligently fusing the disciplines of Risk, Readiness, Response and Assurance:
- RISK: An ‘all risks’ approach to managing risk including emerging threats, extreme risks and those related to third party providers.
- READINESS: Effective risk and security controls, plans, systems, procedures, frameworks, tools, training and testing.
- RESPONSE: An adaptive capability to respond to a range of potential risks and threats and ensuring high-quality decision-making is occurring at all levels of the organisation and is aligned with third parties.
- ASSURANCE: A governance structure that provides assurance to all key stakeholders internally and externally and that meets all regulatory requirements.
The framework needs to be sufficiently technical but high-level enough for executive and board level oversight.
The resilience statement and framework provide evidence to regulators and key stakeholders that ‘reasonable steps’ are being taken to embed and maintain risk and resilience capability.
3. Embedded team-based critical thinking
Leading indicators of organisational resilience are embedded team-based critical thinking capabilities and transparent, high-quality decision-making.
Resilient organisations ensure robust and high-quality decision-making is occurring at all levels of the organisation in the key resilience areas of risk, readiness and response.
The importance of critical thinking in building resilience cannot be overstated. In many Post-Incident Reviews (PIRs) following crisis events, the underlying issue or contributing factors are poor decision-making and a lack of critical thinking.
Resilience decisions require complex decision-making skills, due to evolving technical complexity, conflicting or incomplete information and many competing stakeholders’ needs and expectations.
Other factors which contribute to the complexity of resilience decisions are:
- High levels of scrutiny: increased pressure from regulators and greater demands for transparency highlight the need for a more robust, discoverable and defensible decision-making process.
- Compressed timeframes: social media, regulators and community expectations are driving the timeframes for decisions, even where information is incomplete or inconsistent.
- Significant impacts: a single poor decision, or an accumulation of poor decisions, can result in significant cascading impacts.
A unified, robust, and transparent decision-making process embedded at all levels of the organisation will provide tangible evidence that leaders have taken ‘all reasonable steps’ to protect the organisation from known risks and emerging threats.
Enabling critical thinking skills
High-quality decision-making is underpinned by critical thinking skills. The vast number of skills required to be a critical thinker highlights the need for a team-based approach that draws upon the brains trust of the organisation. Critical thinking skills include analysing, verifying, clarifying, actioning, forecasting, perceiving, synthesising, prioritising and communicating.
Enterprise-wide critical thinking capabilities
Organisations should embed a decision-making framework that facilitates team-based critical thinking. The framework should enable individuals and teams to ‘step through’ a transparent process, work collaboratively, record information gathered and make key decisions.
The critical thinking framework should be used to:
- Clarify the facts and assumptions in a changing situation.
- Uncover vulnerabilities, blind spots and challenge assumptions.
- Build a shared view of the risks and opportunities and generate new perspectives and unique insights.
- Facilitate deeper levels of thinking for critical decisions that may have cascading impacts.
By driving critical thinking behaviours, organisations will become more resilient to current risks, enhance their skills to execute strategy and provide assurance to regulators.
Embedding critical thinking into ‘ways of working’
Advances in technology can enable and uplift critical thinking skills across the enterprise in a scalable, cost effective and accessible way.
For example, the Janellis Critical Thinking Framework is now available as a Microsoft Application (App), available on a mobile device and at the desktop.
Utilising a Critical Thinking App can embed critical thinking skills into current ways of working and ensure teams apply high-quality decision-making when developing strategy, managing risk, delivering projects, designing systems and responding to incidents or crisis situations.
4. Scenario-based exercising
Scenario-based exercising activities are an essential aspect of aligning investments in capability and providing assurance. Scenarios enable a broad range of stakeholders to understand their operating environment, share information, challenge assumptions, understand risk and assess strategic options. A key strategy in building organisational resilience is embedding critical thinking skills through scenario-based exercising activities.
Scenario-based exercising can be used to:
- Identify areas that require immediate action and uncover blind spots and vulnerabilities.
- Validate investments in key systems, plans or processes.
- Create alignment across functional areas and between response teams.
- Clarify roles, uplift and embed capability and build confidence.
- Develop contingency plans for emerging threats.
Current and proposed legislation specifically mentions scenario-based exercising and testing as a key metric of resilience and compliance.
Information is better evaluated within a scenario framework as it provides a context for making decisions, reaching consensus on key issues or opportunities and developing a plan of action.
Key indicators of successful scenario-based exercising activities are:
- Developing credible scenarios by including current risks or emerging threats the organisation is managing.
- Allowing teams to practise using a decision-making framework for the chosen scenario or any other scenario or risk that may eventuate.
- The opportunity to practise generating a situation report (Sitrep) to communicate between teams internally and to external teams and stakeholders.
5. Organisational Resilience Scorecard
Defining and measuring resilience is crucial to prioritising resilience investments and providing assurance to boards, shareholders, insurance providers and other key stakeholders.
A balanced scorecard can be used to meet regulatory requirements and provide executive and board level visibility of how cyber security investments are aligned and integrated within an organisation’s broader resilience capability. The scorecard can be used to align, measure, embed and maintain capability.
An Organisational Resilience Scorecard provides boards with a comprehensive, qualitative review of cyber resilience indicators across the enterprise, in the areas of risk, readiness, response and assurance, and is used to:
- Ensure resilience investments are aligned with the current risk profile.
- Identify gaps in design or capability for resilience, that need immediate action.
- Validate and prioritise resilience investments.
- Ensure adequate insurance cover and third-party support.
- Provide assurance of current capability to key stakeholders internally and externally.
- Ensure that ‘all reasonable steps’ have been taken to prevent, prepare for and respond to a high-profile incident.
The scorecard reviews current investments and competencies against industry standards and provides assurance to boards, shareholders, insurance providers and other key stakeholders that the organisation is effectively prepared to respond to a range of risks, threats and disruptive events.
Opportunities to build resilience
The insurance industry has a pivotal role to play in helping organisations build resilience. It is crucial for leaders to assess their risk profiles, explore comprehensive insurance solutions, and integrate resilience into their overall strategic planning.
Insurance is a crucial part of an organisation’s strategy to build resilience and provide assurance.
A mature resilience capability
Organisations with a mature resilience capability demonstrate the following:
- A CEO-led and board endorsed resilience statement that is used to inform decision-making and prioritise investments.
- Integrated management of all risks including strategic, operational, environmental, financial and third-party risks.
- High visibility of the known ‘catastrophic’ or ‘extreme’ risks at all levels.
- Effective controls, plans, systems, procedures, frameworks and tools to manage risks, including training and awareness.
- Adequate insurance cover for the risk profile.
- Response capability built against known risks through exercising and training.
- High levels of confidence to respond to emerging threats.
- Consistent, robust, transparent, and high-quality decision-making and critical thinking at all levels of the organisation.
- Effective stakeholder management both internally and externally.
- Alignment of resilience capability with key inter-dependencies and third-party providers.
- Effective governance structure, audit and reporting of capability using scorecard/dashboard methodologies.
- Regular assurance to the board and other key stakeholders.
The evolving nature, potential severity and velocity of risks, and increased accountability and penalties for non-compliance, require organisations to take a targeted and focused approach to building organisational resilience. The most efficient way to build resilience is to take an ‘all risks’ approach, which draws on existing capabilities and prepares the organisation to respond to a range of current risks and emerging threats, while meeting changing regulatory requirements.
A best practice approach includes: a CEO resilience statement; a holistic and integrated resilience framework; embedded team-based critical thinking; an ongoing schedule of scenario-based exercising and a scorecard record of capability to provide visibility and assurance.
Why is Critical Thinking Important?
“Team-based critical thinking allows us to be both agile and robust in our decision making, drawing upon the brains trust of the organisation”
“By developing our critical thinking capabilities our teams can manage cyber crises more effectively. The tool also enables us to see the opportunities to execute strategy more efficiently”
[1] Australian Financial Review. 2023. ASIC to target boards, execs for cyber failures. [ONLINE] Available at: https://www.afr.com/technology/asic-to-target-boards-execs-for-cyber-failures-20230913-p5e4bf. [Accessed 05 October 2023].
[2] Digital Operational Resilience Act (DORA) – Regulation (EU) 2022/2554. 2023. [ONLINE] Available at: https://www.digitaloperational-resilience-act.com/. [Accessed 05 October 2023].