The best way to think about risk is to build resilience

Ed Barrows considers a more resilient way of managing risk

We live in a world of ever-increasing uncertainty. Where organizations once existed in a state of relative equilibrium buffeted by an occasional shock, major jolts have become the norm for industries and whole economies. From 9/11 and the decades-long war that followed, to the Indian Ocean tsunami of 2004, the financial crisis of 2008, the Deepwater Horizon oil spill, and Hurricane Sandy: over the past 20 years, a wide range of events have wreaked devastation on communities and businesses, often on a level that has never been seen before. Covid-19 is the latest event, and its impact is still unfolding. At the time of writing, unemployment in the United States had risen to 14.5% – a level not seen since the Great Depression.

What most leaders are realizing, if they hadn’t already, is that volatility, uncertainty, complexity and ambiguity (VUCA) now reflect normal rather than exceptional operating conditions. With this comes the recognition that many of the tools and approaches that served leaders admirably in the past no longer provide the value they once did.

What’s needed are approaches that take account of today’s realities and enable leaders to steer teams and organizations through virtually any scenario. Nowhere is that need felt more than in the field of risk management and business resilience; and, while relevant to every sector, it is a challenge that is particularly acute for leaders in the healthcare sector.

The risk with risk management

Risk management is one of the tools to which managers turn – or return – after major disruptions. It entails identifying the risks facing a firm, assessing their likelihood and potential impact, and then deciding what actions should be taken to mitigate those that are the most significant and the most likely to occur. It is a well-established management activity, with widely-available guidelines, such as the Enterprise Risk Management Integrated Framework produced by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Yet such tools focus almost entirely on identifying and managing risk events before they happen; only one of the 20 elements in COSO’s framework – dubbed “Implements Risk Reponses” – addresses the main challenge that organizations are contending with currently, which is how to respond rapidly and effectively when major disruptive events hit.

Ironically, focusing too intently upon identifying and mitigating events before they happen may be the very thing that impairs leaders’ abilities to equip their organizations to respond effectively.

The challenge for healthcare

The way to avoid this trap is illustrated by some of the improvements made by the healthcare industry, which has taken significant steps to improve its risk management practices in recent years. Until recently, healthcare risk management has consisted largely of activities aimed at safeguarding patient safety. While precise information varies, in 2019 the World Health Organization (WHO) reported that the risk of patient death occurring due to a preventable medical accident while receiving healthcare is estimated to be 1 in 300; in high income countries, one in ten patients is harmed while receiving hospital care (Patient Safety Fact File, 2019). These numbers are both alarming and expensive, explaining in large part why healthcare risk orientation has been laser-focused on error prevention.

Changes in the broader environment, however, have widened healthcare’s risk management lens considerably. In a 2019 survey by Deloitte, senior healthcare administrators identified their top risk priorities as consumer engagement, cybersecurity, transitioning to value-based care and digital transformation – challenges affecting many organizations outside of healthcare too.

What wasn’t on leaders’ radar was a pandemic. This oversight on the part of risk management systems is what led to US hospitals being poorly prepared to handle 2020’s coronavirus. Early estimates indicated that hospitals would only have enough beds to meet a 20% infection rate over a year, and that massive equipment shortages – ventilators and personal protective equipment (PPE) in particular – would ultimately threaten the lives of patients.

The bottom line is clear: even the best risk management is likely to fail to prepare organizations for the unpredictable challenges faced in today’s volatile environment.

From risk management to resilience planning

Given the magnitude of the events which have occurred since the start of the millennium, it is perhaps inevitable that leaders would default to redoubling their efforts to manage risk. But simply analysing previous disruptions in greater depth or improving the precision of forecasting models won’t improve leaders’ ability to lessen the impact of things that are hard to foresee to begin with.

As Nassim Taleb, Daniel Goldstein and Mark Spitznagel point out in their Harvard Business Review article, ‘The Six Mistakes Executives Make in Risk Management’: “Instead of perpetuating the illusion that we can anticipate the future, risk management should try to reduce the impact of threats we don’t understand.”

The question is how leaders can do this while at the same time continuing to manage those risks they do understand. The answer lies in redirecting attention away from identifying and classifying specific events and placing greater emphasis on establishing mechanisms and methods to lead through degradations when they arrive. This is what resilience planning accomplishes.

Resilience planning, or business continuity planning as it is sometimes called, is the practice of developing systems of prevention and recovery to ensure operations continue during and after a major disruption. In some cases, this entails identifying temporary ways to flex operations over the short term; in other more severe situations it demands adapting to new ways of working that match the changed environment.

In either case, building resilience enables an organization to withstand significant environmental changes and still function effectively.

How to start resilience planning

Many leaders will be inclined to start resilience planning by considering what external triggers could happen and then thinking through how their organization might respond. But this places emphasis in the wrong area: events that may occur outside the organization. Instead of taking an outside view, leaders should look inside their organizations and consider a different set of questions, including the following:

  • Which areas of operation are mission critical versus those that aren’t?
  • What level of degradation could we absorb from a major event?
  • At what level of degradation would activities be temporarily or permanently impaired?
  • Where is redundancy or additional support required? How can it be put in place and readied for the time when needed?

Each of these questions should be directed at critical business areas and drive analysis of human resources, technology platforms, data, physical assets and documentation, either electronic or physical. Through ongoing dialogue and monitoring of operations, leaders should be able to identify areas that require resilience plans and take steps to create them. Testing draft plans with ‘what if’ scenarios can prove especially helpful – such as thinking what would happen if a major facility could no longer be used, or what could be done if key employees were no longer working. The point of resilience planning isn’t to identify events that might happen, but rather to identify impacts that could occur. Focusing this way gives leaders a much better chance of creating the kind of contingencies that set up their organizations to survive, regardless of the events that befall them.

Business leaders won’t be facing reduced risk anytime soon. A focus on resilience planning doesn’t mean leaders should abandon efforts to continue identifying and mitigating risk in their enterprises – these practices should continue. But leaders do need to spend considerably more time and energy thinking through the potential consequences of hard-to-predict events, and take the steps necessary to develop actionable plans for business resilience. Involving leaders and employees at all levels in resilience discussions will help contribute to a culture that is risk-cognizant, so that the next time a major event happens, there will be a plan in place.

––– Ed Barrows is a managing director of Duke Corporate Education