The three Rs within GRC

To discharge its governance, risk and compliance (GRC) responsibilities, the board needs to understand that risk, resilience and recovery are interconnected.

By Michael Davies, CEO, ContinuitySA

Governance codes, such as King IV amongst others, make boards ultimately responsible for managing an organisation's risk. However, too many boards and executive teams fail to realise that the risk an organisation faces cannot be separated from its ability to respond to a disaster and its ability to recover its business processes afterwards.

The first important step is for the board to understand and consciously decide what the organisation’s appetite for risk is. The higher the risk appetite, the less time, attention and resources will be devoted to ensuring resilience and recovery. An organisation with a high risk appetite might decide to spend the minimum of time and money on something that might never occur, accepting that if (or, rather, when) a disaster occurs, it will deal with it on the fly.

Of course, few companies would adopt that extreme position. In today’s volatile, uncertain, complex and ambiguous (VUCA) world, that would verge on recklessness. While there might be different approaches to risk, something that’s often influenced by industry sector, boards have to look carefully at the risks their organisations face, and assess which are the most pressing.

Having established its appetite for risk, the board must then satisfy itself that the measures taken to ensure resilience and recovery are aligned with that appetite. This is an important point: too many companies seem to think that managing risk stops at identifying it. If there is no appropriate business continuity plan and tested capability in place, the risk is not properly managed, because the two vital Rs of resilience and recovery are not covered.

In short: to obtain peace of mind that risk is being managed effectively, boards must ask questions about the three Rs:

  • What is our appetite for risk?
  • Is the company’s level of resilience appropriate to its risk appetite?
  • Can we recover our key business processes (and do we know what they are)?
  • Are we prepared for any eventuality, even if it is not one we have specifically planned for?
