A holistic view of risk management in the context of ‘better practice’ is now viewed as ‘organisational resilience’ and is built around a framework that incorporates financial, operational and strategic risk.
A fully integrated risk model is achieved by intelligently fusing the disciplines of risks management, crisis management, emergency management, security, business continuity and other key areas.
The Janellis resilience model incorporates four key focus areas of Risk, Readiness, Response and Assurance. The model forms the basis by which Janellis reviews and builds an organisations resilience capability. An effective resilience framework ensures organisations can rapidly adapt and respond to internal or external change, risks, opportunities, demands, disruptions or threats; and continue operations with limited impact to the business.
An organisation with a mature resilience capability is able to demonstrate the following:
- Integration of strategic, operational and financial risks
- Response capability built against known catastrophic risks through training and exercising
- High levels of confidence to respond to emerging threats
- Embedded critical thinking across the organisation
- Alignment of resilience capability with key inter-dependencies
- Regular assurance to the board and other key stakeholders
About the Janellis Enterprise Resilience Framework
Developed in collaboration with leading Australian organisations operating in high risk industries both nationally and internationally, this framework is based on the International Benchmarking on Organisational Resilience.
The framework is aligned with International and Australian standards including: ISO 31000, the Australasian Inter-service Incident Management System (AIIMS), the Prevention, Preparedness, Response and Recovery (PPPR) principles, AS/NZS 5050 and the Australian Federal Governments Critical Infrastructure Resilience Strategy for owners and operators of critical infrastructure.
Key elements of the framework have been embedded in leading organisations and government agencies.
The framework has four areas of focus which include RISK; READINESS; RESPONSE and ASSURANCE.
RISK – ISO 31000 is the cornerstone of the framework and requires an integrated and consistent approach to managing strategic operational and financial risks across the enterprise. In addition to traditional enterprise-wide risk management, it entails a greater focus on: the identification, management and reporting of ‘catastrophic risks’; understanding the dependencies and vulnerabilities related to critical suppliers and other third parties; the identification and management of emerging threats and using scenario based modelling to build situational awareness and adaptability.
“The capability to respond to extreme events is an essential part of building and maintaining organisational resilience”.
READINESS – The readiness components of the framework includes a more strategic approach to pre-planning for disruptions and ‘shocks’ through: the development and alignment of plans; training and awareness; implementing appropriate technology and having alternate site arrangements. Advanced readiness capabilities include: the alignment of plans with critical suppliers or external agencies; ensuring that all communications mechanisms are in place to receive and distribute information; the development and use of tools including a decision making framework and response handbook as an aide memoire.
RESPONSE – The response components of the framework encompass the capability to respond to specific known strategic, operational or financial ‘catastrophic’ risks or emerging threats that the organisation is managing. The response aspects involve a robust exercising and testing process that builds and maintains capability. An effective exercise development process will highlight vulnerabilities and identify strengths within the organisation. The response elements of the framework build crisis management leadership as well as critical thinking capabilities.
“An organisation may have exhaustive risk management processes, detailed plans and experienced individuals but; if a team comes together in a crisis and they are unable to demonstrate critical thinking capabilities, they may not be effective. Critical thinking skills developed at all levels within an organisation – and evident during BAU – is one of the leading indicators of organisational resilience.”
ASSURANCE – Higher levels of assurance are being sought to ensure that organisations can effectively respond to a wide range of potential threats. Traditional governance frameworks are being improved with targeted ‘readiness’ reporting, robust post-incident reviews, benchmarking and audits. Benchmarking is used to highlight areas of capability as well as areas of vulnerability and this can be done nationally and internationally.
The internal and external audit process is a recognised and effective way to provide assurance and there is a growing requirement in the areas of risk, resilience, emergency and crisis management. Whilst it may not be possible to predict or mitigate the full range of unknown risks, assurance can be provided to key stakeholders if the organisation can demonstrate: an acceptable level of pre-planning; a robust exercising program and an effective and auditable decision making process.
Download the Harvard Business Review submission containing case study examples including: NSW State Emergency Service; Qantas; Lend Lease Group, Transfield Services and Westpac Banking Corporation. Or the technical version here.