You get no R&R with Risk and Resilience


“Oops, we spilled our data all over the internet,” said nobody this week. But it happens, and far more often than is to affected customers.

We might savour the embarrassment of the super-rich when their tax dodging is exposed by the Pandora Papers, the biggest leak of financial data in history. But we’re less comfortable when it’s our data, or that of our clients, that’s being paraded in public. Or, with more sinister overtones, on the dark web.

Data spills are just one of the crises you face right now. Holding information too tightly can be just as damaging, as Facebook found out when a whistle-blower went public with word of all the information the social media giant isn’t choosing to share. And as Facebook also discovered, it doesn’t matter a dot how much data you’re holding, if no one can access it. Recently we even saw major supermarkets unable to process any home delivery orders. It’s hard to put a number on the damage, both in lost revenue and in reputation, of their massive network of products disappearing from the internet for six hours.

If all that wasn’t enough to worry about, your business also faces the old-fashioned risks of flood, fire and theft. UK businesses are learning the hard way that tropical downpours are no longer limited to the tropics, as flash flooding associated with climate change becomes more common in London and other cities.

Managing risk and resilience will continue to keep you busy, and even keep you awake at night. How, then, do you secure some R&R when there’s so much at stake?

Preparing to beat the averages

Whatever your business, and particularly if you’re in financial services, you understand numbers. Risk is all about numbers.

UK businesses and individuals reported losing £2.3 billion to fraud in 2023. And cybercrime cost the UK economy £30.5 billion last year, hitting 1.5 million businesses, according to a study by internet service provider Beaming.

Cybercrime is just one area of risk. The averages say your business is going to get hit by something that does damage. Effective risk management is about doing what you can to dodge those bullets for as long as possible. But even Neo in the Matrix couldn’t escape everything coming his way, and neither will you. This is where resilience kicks in – the capacity to absorb crisis damage with minimal impact.

Risk management may not be as exciting as a Hollywood movie, but it’s not something you want to take your eyes off.

Four steps to improve your risk assessment process

Winning at risk demands that you have a robust methodology. It requires research and planning, along with developing and implementing a strategy. In short – it’s damn hard work. And that’s just to set it up.

There are four ways you can make this process easier and more palatable.

Broaden the conversation

Go beyond asking your C-suite execs to put together a list of risks. They can’t see everything, so you need to involve more people. Asking your staff on the ground to identify possible risks (having educated them on what a risk might look like) moves risk management from theory into practice.

Keep it light  

When was the last time you got excited about attending a risk assessment meeting? But it needs to be done, and you want anyone involved to be alert and imaginative. Perhaps holding a risk assessment party is taking it a little too far, but by keeping the process fun you’re more likely to stimulate creativity and bring new insights into possible risk areas.

Beware of data overload

The weight and range of data can become a real drag on the risk assessment process. Analysis is important, but what you want is to enable high-quality decision-making that takes into account information that’s both quantitative and qualitative. Scoring risk factors will always have an element of subjectivity.

Look forward more often than looking back

Past experience and historical information will always help inform the risk assessment process, but just as technology and the commercial environment evolve, so too do risks. Stay in touch with the wider economy, commercial trends and regulatory developments, as well as best practices for risk and resilience project management.

Nurture a culture of resilience

Building resilience isn’t just about protecting your business against potential harms. Truly resilient businesses are consistently high performers.

If risk is about dodging bullets, then resilience is how well you respond to taking a hit.

Because you will get hit.

Resilience is the capacity of your business to absorb stress, recover its core functions and thrive despite circumstances having changed due to a crisis or disaster.

Businesses, including those in financial services, don’t usually have a handle on measuring resilience. Risk is easier to capture with numbers – probabilities of something going wrong and estimates of potential damage. But resilience is harder to express. One approach is to war game or model potential scenarios and work through the possible outcomes. However, the value of this depends entirely on the nature of the crisis being mocked up, while in reality the disaster could be something quite unpredictable and have very different impacts from those modelled.

Nurturing resilience is about infusing strength into day-to-day systems and processes. It’s not a plug-in or a set of tools to call on in an emergency.

There are six foundational principles built into businesses that absorb stress well, and can even turn an apparent disaster to their advantage. These are:

Being prudent – where leadership accepts that something will eventually go wrong, and puts contingency planning in place.

Adding redundancy – creating buffers to absorb shocks, such as multiple layers of controls.

Fostering diversity – encouraging multiple ways of thinking and working across the organisation.

Building in modularity – meaning the failure of an individual element doesn’t cascade across the whole.

Being open to adaptation – a flexible approach gives space for the continual development of processes and structures.

Being embedded in the broader ecosystem – remaining aligned to the economy, society, supply chains and other external systems that the business is part of.

Resilience isn’t a skill. You can’t run a training course in it. But you can, through policy, strategy and practice, develop a culture of resilience.

Get Yourself Some R&R

A governance, risk and compliance (GRC) solution should be designed specifically to manage risk and help with regulatory compliance while streamlining processes and reducing costs.

In short – it’s designed to deliver resilience.

The intuitive GRC toolset includes:

  • Risk and control self-assessment
  • Regulatory rule mapping
  • Issue and risk events
  • Policy attestation
  • Automated reporting
  • Compliance approval

It needs to be flexible enough to meet any organisation’s operational risk and compliance framework, with the added benefit of being more efficient and less expensive than the spreadsheet-based processes many organisations still use.

This approach makes it easier for them to manage risk and resilience, and as a result, you get more R&R time!


About Author

Bea is Head of Risk & Compliance and Managing Director at 1st Risk Solutions. Bea has vast experience across all 3 Lines of Defence gained at some of the world’s largest global banks and financial institutions (HSBC, JP Morgan and American Express). She has been at the forefront of global change and risk programmes, driving the design and implementation of the associated operational risk framework for:

  • Global regulatory programmes such as SOX, SAO, FATCA, SM&CR
  • Global Financial Crime risk remediation
  • Operational Risk frameworks within global functions (technologies, finance, HR)
  • Global M&A and divestment programmes, managing buyer risk, separation risk and transitional service risk

Bea also spent many years at American Express working globally within various areas across all 3 lines (Group Treasury, Group Internal Audit and Group Operational Risk), obtaining in-depth knowledge of credit services, insurance products and private banking.