Achieving operational resilience through risk management

January 10, 2022 08:53

Gartner defines operational resilience as “initiatives that expand business continuity management programs to focus on the impacts, connected risk appetite and tolerance levels for disruption of product or service delivery to internal and external stakeholders.”

If “disruption” sounds familiar, it’s because we’re living in one of the most volatile times in recent history. The pandemic created major challenges for supply chains and third-party relationships, which in turn has had a ripple effect on the market and on organizations’ ability to provide products and services. In that sense, operational resilience is not only achievable but now imperative for organizations.

It is evident that Hong Kong has recognised the urgent need for operational resilience among businesses, with the Hong Kong Monetary Authority (HKMA) developing principles for operational resilience within the banking sector and the Securities and Futures Commission (SFC) having laid down operational resilience standards and framework measures to supplement existing guidance for issuance of licences for corporations. As governance, risk, and compliance challenges are always evolving, the implementation of a strong integrated risk management plan is crucial in order to keep up with the constant changes and introduction of new regulations.

Why is Operational Resilience Needed?

Due to the acceleration of digitalisation efforts, Hong Kong businesses have shown a marked increase in readiness on the Cyber Security Readiness Index 2021 published by the Hong Kong Productivity Council, with 68.5% of large enterprises having centrally managed security with fine-grain control measures.

Cyberattacks and operational failures have forced organizations to identify their most critical business services, consider vulnerabilities that are broader than cyberattacks and IT failures, and define a consistent approach to prevent, adapt, and respond. In essence, operational resilience provides assurance to protect against various mishaps that can arise within an organization. Threats such as the pandemic have made the construction of this framework even more vital.

Recently, we’ve learned a lot about the way the world works under pressure. For one, we need to be able to look at what processes used to work, which ones are still useful, and which ones are broken and need change. Often, organizations will find that processes pre-pandemic were largely manual and would not be applicable in today’s era, especially when considering the sheer number of organizations with a hybrid or remote work model. While these changes can seem overwhelming and maybe even uncomfortable to an extent, it’s the root of what operational resilience is. Being able to pivot in times of change, while displaying grit and determination, will lead to positive adoptions when transformation is least expected. Small amounts of progress soon lead to large-scale noticeable change, which will prove beneficial to an organization from top to bottom.

Achieving Operational Resilience Through Risk Management

One of the first steps in achieving strong operational resilience is understanding the volume and velocity of interconnected risks that exist within the organisation, as well as third-party risks. Then, the shift can be made to automated processes. Implementing artificial intelligence (AI) technology has rocketed to the forefront for organisations that want to make their routine processes – whether financial, human resources, marketing, or otherwise – as efficient as possible. That being said, human intelligence still reigns supreme, especially when logical decisions are involved, because of the direct proximity to the process at hand.

AI also allows for multiple risks to be managed simultaneously, which becomes especially prevalent in times of chaos. In contrast, a disorderly, manual approach to managing risks can impede progress.

Finding Stability in Times of Chaos

What happens when conflicting regulatory priorities come to the surface? After all, there are over 200 new compliance regulations a day, according to Boston Consulting Group. Because of this, an organisation is bound to face a dilemma when considering which regulation to sort through first. Not only do global companies need to be aware of these regulations constantly, but having a holistic view of regulatory requirements can uncover issues that were previously hidden. Once again, AI can establish a common risk platform that leads to a singular number assessing an organisation’s risk standpoint. Outside of AI, regulatory priorities can be handled within boardrooms, where executives can build practical solutions to manage risks while forming a consensus opinion on their risk management landscape.

Even when the best-laid risk management plan has been thought through, several external threats, such as security breaches and ransomware attacks, can still arise. Last year, Hong Kong reportedly experienced an almost sixfold rise in technology-based crimes in a decade, with monetary losses reaching close to HK$3 billion. While no risk management plan is inherently perfect, a carefully designed solution that is executed properly is the best form of crisis management for an organisation.

Looking Ahead to the Future of Operational Resilience

An integrated risk management approach is key to achieving operational resilience regardless of what type of business you lead. As Governance, Risk, and Compliance (GRC) solutions become more sophisticated, data gradually moves from qualitative to quantitative. This means that information that was once complex and difficult to sort through is now easy to understand and to translate into action.

Once again, AI can only do so much on its own – people must retain active involvement in the risk management process. For example, it is critical to engage the frontline, as they are often your first line of defence. You need to equip them with the physical tools to adhere to all compliance and regulatory policies. Furthermore, combining digital platforms with AI allows risk leaders to interpret and learn from data, highlight patterns, and effect specific tasks and outcomes.

To sum up, a strong risk management solution is the backbone to being operationally resilient. With proper processes in place to mitigate risks before they become a real threat, the likelihood of chaos ensuing in the wake of a crisis lessens dramatically. The pandemic is just one example of how companies can get derailed when issues such as flaws in the supply chain arise.

Although the decisions involved in managing growing threats or potential attacks and compliance issues may seem overwhelming, the truth is, achieving operational resilience is not as far-reaching as organisations once envisioned. Integrated risk management becomes the key to achieving operational resilience and helping organisations turn volatility into order.


Senior Vice President & Managing Director, APAC for MetricStream