A holistic view of risk management in the context of ‘better practice’ is now viewed as ‘organisational resilience’ and is built around a framework that incorporates financial, operational and strategic risk.
A fully integrated risk model is achieved by intelligently fusing the disciplines of risk management, crisis management, emergency management, security, business continuity and other key areas.
The Janellis Resilience model incorporates four key focus areas of Risk, Readiness, Response and Assurance. The model forms the basis by which Janellis reviews and builds an organisation’s resilience capability. An effective resilience framework ensures organisations can rapidly adapt and respond to internal or external change, risks, opportunities, demands, disruptions or threats; and continue operations with limited impact to the business.
An organisation with a mature resilience capability is able to demonstrate the following:
- Integrate strategic, operational and financial risks
- Ensure a response capability is built against known catastrophic risks through training and exercising
- Demonstrate high levels of confidence to respond to emerging threats
- Embed critical thinking across the organisation
- Align the resilience capability with key inter-dependencies
- Regularly provide assurance to the board and other key stakeholders
About the Janellis Enterprise Resilience Framework
Developed in collaboration with leading Australian organisations operating in high risk industries both nationally and internationally, this framework is based on the International Benchmarking on Organisational Resilience.
The framework is aligned with International and Australian standards including: ISO 31000, the Australasian Inter-service Incident Management System (AIIMS), the Prevention, Preparedness, Response and Recovery (PPPR) principles, AS/NZS 5050, HB 167-2006, Security Risk Management Standard and the Australian Federal Government’s Critical Infrastructure Resilience Strategy for owners and operators of critical infrastructure.
Janellis has embedded key elements of the framework in leading organisations and government agencies.
– ISO 31000 is the cornerstone of the framework and requires an integrated and consistent approach to managing strategic operational and financial risks across the enterprise. In addition to traditional enterprise-wide risk management, it entails a greater focus on: the identification, management and reporting of ‘catastrophic risks’; understanding the dependencies and vulnerabilities related to critical suppliers and other third parties; the identification and management of emerging threats and using scenario-based modelling to build situational awareness and adaptability.
“The capability to respond to extreme events is an essential part of building and maintaining organisational resilience.”
– The readiness components of the framework includes a more strategic approach to pre-planning for disruptions and ‘shocks’ through: the development and alignment of plans; training and awareness; implementing appropriate technology and having alternate site arrangements. Advanced readiness capabilities include: the alignment of plans with critical suppliers or external agencies; ensuring all communication mechanisms are in place to receive and distribute information; the development and use of tools including a decision-making framework and response handbook as an aide memoire.
– The response components of the framework encompass the capability to respond to specific known strategic, operational or financial ‘catastrophic’ risks or emerging threats the organisation is managing. The response aspects involve a robust exercising and testing process that builds and maintains capability. An effective exercise development process will highlight vulnerabilities and identify strengths within the organisation. The response elements of the framework build crisis management leadership as well as critical thinking capabilities.
“An organisation may have exhaustive risk management processes, detailed plans and experienced individuals but; if a team comes together in a crisis and they are unable to demonstrate critical thinking capabilities, they may not be effective. Critical thinking skills developed at all levels within an organisation – and evident during BAU – is one of the leading indicators of organisational resilience.”
– Higher levels of assurance are being sought to ensure that organisations can effectively respond to a wide range of potential threats. Traditional governance frameworks are being improved with targeted ‘readiness’ reporting, robust post-incident reviews, benchmarking and audits. Benchmarking is used to highlight areas of capability as well as areas of vulnerability and this can be done nationally and internationally.
The internal and external audit process is a recognised and effective way to provide assurance and there is a growing requirement in the areas of risk, organisational resilience, emergency and crisis management. Whilst it may not be possible to predict or mitigate the full range of unknown risks, assurance can be provided to key stakeholders if the organisation can demonstrate: an acceptable level of pre-planning; a robust exercising program and an effective and auditable decision making process.
Download the Harvard Business Review submission containing case study examples including: NSW State Emergency Service; Qantas; Lendlease Group, Transfield Services and Westpac Banking Corporation. Or the technical version here.