Enterprise Compliance Today

Resilience - The Evolution of Risk Management

Posted by Greg Carroll on Thu, Feb 05, 2015 @ 09:27 AM

In the last decade we have seen the evolution of Risk Management from an administrative practice to ERM for corporate governance.  But the realization that results come out of action not protection, has started people pursuing a more proactive role for risk management.   



Ecological resilience, focuses on adaptation and flexibility, not returning to how things were, but rather changing and innovating.


FastTrack Risk Product Demo
See how Fast Track provides risk management integrated with Corporate Objectives as part of the day-to-day operational management method of work and decision making.

In a recent article on Emerging Risk I covered being proactive required pursuing threat and vulnerability  management concurrent with but independent to risk management instead of as a mitigation strategy, and the need to establish a “Causal DMZ”. In this feeling apparently I am not alone.

In that same line of thought, British Standards has just released BS 65000 on Organisational Resilience (Nov 2014).  BS 65000 defines organizational resilience as “the ability to anticipate, prepare for, respond and adapt to events – both sudden shocks and gradual change. That means being adaptable, competitive, agile and robust”.

Explaining its evolution Rupert Johnston, part of the authoring team for BS 65000, further expanded “that risk and resilience are part of the same family but resilience is more of a deliberate objective and a broader concept than risk; it wraps in many "protective disciplines" including risk management, crisis and continuity management (amongst others - info security, physical security, environment, etc). Resilience also embraces aspects of culture, strategy and change.

Separately, but by far the best explanation of Resilience was from Imogen Stockton, a researcher specialising in Organisational Resilience from Victoria Australia, in a recent Q31000 LinkedIn forum on the subject. I have her permission to reprint here: 

“Broadly speaking, there are 2 types of resilience, engineering resilience and ecological resilience. Engineering resilience is described as the speed of return to the steady state following a disturbance which implies a focus of efficiency of function. This is a reactive response. Ecological resilience is different in that it accepts the inevitability of change and adapts to new or challenging conditions and has strong links to the notion of adaptive capacity. This is Proactive resilience using flexibility to accommodate perturbations and can be viewed as pre-event resilience, which originates from the ideas generated by environmental science.

The difference between Risk Management and Resilience I believe is that Risk Management is a component of resilience, in that it is the management of known risks. Woods and Wreathall (2008) discuss a model for resilience as a stress-strain analogy. The first level response to an event is when the entity has the existing capability and capacity to cope with the challenge. They call this first order adaptive capacity (Risk Management). The second level response or the second order adaptive capacity is true resilience as the entity is unable to use planned responses, procedures and resources as the 'demands exceed the limit of the first order adaptations. The first order response, which is the management of risk, cannot be considered resilience as it is merely anticipation, and it is the second order response during which innovation occurs which is characteristic of resilience.

I wonder at the idea of resilience and 'bouncing back' as that links to the idea of engineering resilience. I would caution against this approach to resilience, as it does two things: it implies a resistance to change, an effort to maintain the status quo and an effort to return to the previous state, to get back to how things were. BUT, this comes with considerable risk, because, a return to a previous state would mean returning to a place where the old vulnerabilities existed, the things that made you susceptible to the disturbance in the first place. I believe that ecological resilience, a focus on adaptation and flexibility which allow continuation of function is preferable, and this is accomplished by not returning to how things were, but rather changing and innovating. This is happens when we learn, grow, flex and create, really the opposite to resisting and preserving what we had.

I understand the considerable difficulties that rare or unprecedented events, such as Black Swan Events, pose for entities. By being situationally aware, together with the identification and management of keystone vulnerabilities, an entity or Complex Adaptive System develops a firm foundation upon which to build adaptive capacity.”


In 2013 I wrote on an article “Chaos Theory & C-Level disillusionment with Risk” highlighting the general feeling at the Board & Executive levels that Risk Management had failed to achieve expectations.  Resilience now adds a proactive edge to risk intelligence that might finally deliver on the promise.



paperbackfront  reduce non-compliance  reduce compliance costs
Free Excerpt: Mastering 21st Century Enterprise Risk Management
Guide to selecting & implementing Enterprise Risk Management
Webinar Videos
See recorded webinar on the Mastering 21st century Enterprise Risk Management
FastTrack Risk Management Data Sheet
How Fast Track provides risk management integrated as part of the day-to-day operational management method of work and decision making.

Tags: risk management, Resilience, risk identification