Don’t Aim To Be Perfect, Aim To Be Anti-Fragile
Risk Management | 3 Min Read | 13 January 22 | by Suneel Sahi
The Instagram of Risk Blog Series
The holiday period is when I stop and indulge. Quality time with friends and family, a feast of food including sweet treats that shamefully begins before dawn, and the exchanges of gifts make this festive season magical. Talking about gift exchanges, I noticed the words “Fragile - Handle with Care” inscribed across the packaging that I was fortunate to receive from Santa.
Fragile and anti-fragile are interesting words. I have heard them both being deliberated in conversations to determine what makes organizations resilient. At the tail end of 2021, I had the opportunity to moderate a lively panel discussion with a banker, an analyst, and an oil and gas expert (which sounds like something from a movie plot). The discussion was centered on “moving from risk to resilience and making your organization anti-fragile.”
Operational failures have led regulators to ask hard questions of organizations and to require them to implement an operational resilience framework: one that identifies their most critical business services and considers vulnerabilities that are broader than cyberattacks.
Here is a sample of the conversation that I posed to the team.
Q: What are the key trends shaping operational resilience?
A: Operational resilience brings together several strands that need to be managed simultaneously. Outages and cyber-attacks can be a significant challenge, and even though they are a fundamental part of your resilience model, there are other pivotal factors that you need to consider. For instance, you need to identify your critical business services, set an impact tolerance level for each of these services, have the appropriate controls in place, and carry out scenario testing to evaluate potential sources of disruption.
Q: What elements should be part of an operational resilience framework?
A: At a basic level you need to be aware of your cyber security, business continuity, enterprise risk, and third parties, which include your value chains. The trajectory of organizations migrating to the cloud is on the rise, therefore the security architecture of the organization will have a direct correlation to the resilience of the organization. Your services need to map to your IT infrastructure. There are plenty of dependencies here, both internal and external.
Q: ESG metrics are a focal point across all industries. What are the challenges and what can you do?
A: There has been a seismic shift in the last year on ESG. It is imperative that you can articulate this before jumping in to meet ESG standards. There is a raft of important climate related initiatives that include sustainable finance disclosure regime, net zero transition plans, and work on ESG issues in the capital market. What is apparent is that customers and shareholders are demanding ESG metrics. They want to significantly reduce the carbon footprint as well as greatly improve diversity in the workplace. There needs to be structure in your ESG performance targets.
Q: How does technology help you stay resilient?
A: Technology has proven to be an enabler and a game changer. You need the right federated technology and real-time reporting dashboards to monitor and manage the wider ecosystem, preferably with an integrated governance, risk, and compliance (GRC) solution. It will allow chief security officers, chief risk officers, auditors, senior managers, and frontline employees to identify and document the necessary people, processes, technology, facilities, and resources required to deliver these business services.
If you understand your controls, risk tolerance, and risk appetite, you can understand your organization's risk topology. With organizations facing a barrage of new competition, regulatory change, disruptive business models, and rapid technology change, the critical agenda item is that companies still need to achieve their strategic objectives. Staying resilient has to be one of those top strategic objectives.
It might look like a hill, but we’ll get you over it
At MetricStream, we are leading the way on all these initiatives. As market leaders in GRC and risk management, we bring your IT and cyber risk management, enterprise risk management, business continuity, regulatory change management, and third-party risk management together in one powerful and user-friendly tool for visualizing and comparing metrics and staying resilient.
Regulation has been developed to protect organizations, markets, and all of us, and MetricStream can help you take the right direction in staying anti-fragile and complying with regulators.
Have fun and stay strong.
This blog is part of the Instagram of Risk Blog Series, authored by Suneel Sahi, VP, Product Marketing at MetricStream, which captures discussions and insights trending in the risk community.
Check out Suneel’s other ‘Instagram of Risk’ blogs on the key takeaways from the Chartered Institute of Internal Auditors event in London, the European Compliance Week event, and the October 21 MetricStream GRC Summit held in London, Copenhagen, and Zurich.