Resilience Assessments Give Your Board Insight Into Your Risk Appetite

This is part 2 of a two-part series exploring the resilience movement, how it can positively impact modern business, and the roles executives and key stakeholders play in ensuring operational resilience while managing efficiencies and adapting to changing environments with an expanding threat landscape.

When it comes to figuring out the balancing act between managing efficiencies and embracing the resilience movement, your executives and key stakeholders play critical roles in organizational success.

That’s part of what we chatted about recently as Castellan joined the Women Corporate Directors (WCD) Foundation for an event focused on the role executives and board members play in developing resilience management programs that integrate in a holistic way to facilitate readiness and response activities for organizations around the globe. The conversation was a result of a new report we worked on together which takes a closer look at WCD members’ thoughts about business continuity and operational resilience.

If you haven’t done so already, check out part one of this blog series, where we discuss what that looks like and how continuity and resilience professionals can work closely with their boards and executives to keep the momentum going forward post-pandemic.

In part two, we dive even deeper into board engagement, specifically as it relates to your organization’s ability to develop a strong enterprise risk management program and how you can evolve your program beyond just Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs) to build resilience across a range of challenges and disruptions.

To begin, as we discussed in our chat with WCD, when it comes to board engagement, especially in our current environment where we’re constantly facing new and evolving threats, toss out the traditional approach to risk and continuity where conversations at the board level happen maybe only one or two times a year. Instead, your board and executives should be discussing risks and risk management on an ongoing basis. It should be integrated into all of your meetings and business decisions.

That’s because today, when we talk about resilience, it’s more than just adopting plans and testing and exercising them on occasion. Truly resilient organizations see risk analysis and risk management as a part of the organization, and as a result, it becomes part of everything the board does.

So where do you begin? How can you help your board members better understand what risk is, what that looks like for your organization, and how it can negatively affect your continuity? Consider conducting routine resilience assessments.



Resilience Assessments

When it comes to assessing just where your organization is today in terms of resilience, and where you have gaps that need addressing, you may find it beneficial to conduct a resilience assessment. Think of the assessment as a framework or a set of questions that can help you scope all of the different aspects of your organization’s resilience: where you are today and how that compares to where you think you are and where you want to be.

If your organization has not yet done a resilience assessment or it’s been a significant amount of time since your last one, you may find that you don’t really know where your resilience issues are, which makes it even more difficult to deal with new ones that come up as your organization changes and evolves.

Remember, disruptors are everywhere and our threat landscape is constantly changing. We can’t approach these assessments from a one-and-done or surface approach. Instead, we should dig deep, asking the tough “what could kill the company?” types of questions and talk about those tough realities—what risks exist and how to address them.

This is where having a strong enterprise risk management (ERM) program is important. It helps you see all of your risks and a range of scenarios that could impact your organization. This helps you develop response plans for all risks your organization can’t mitigate or control.

In the report, “Resilience Management: Bringing People, Process and Technology Together,” we partnered with WCD to come up with a 10-question framework to help organizations tackle a resilience assessment. The model tackles everything from your organization’s financial risk model to customer and product components, all the way through crisis response and recovery.

But the model isn’t designed to be simply answered as yes or no. Instead, for each question you’re encouraged to rate your responses on a scale of 1 to 10, with 1 being the least prepared and 10 meaning you’re confident in your organization’s abilities.

Would you like to see all 10 questions and start looking into conducting a resilience assessment? Download the report here.

Work with Executives to Define Risk Appetite

When we talk about these risk assessments and the role board members can play in helping organizations balance being both efficient and resilient, there is another risk component that should always be front of mind—your organization’s risk appetite. Your board plays an important role in developing a quantification of your organization’s risk appetite and should be able to clearly articulate it from a perspective that includes important aspects such as your critical products and services and your tolerance for interruptions for production or service delivery.

You can use your risk appetite to take a closer look at that disruption tolerance. For example, it can empower you to say: Given our risk tolerance, what capabilities do we have in place right now? What are our known risks? This will help guide board and executive conversations about risks and what to do about them.

One common mistake to avoid here is worth noting. As we shared in our conversation with WCD, many organizations have large, generic risk appetite statements. When put to the test, they just don’t truly help guide programs or plans. For example, if your organization has a blanket statement that it has a low or near-zero risk appetite, what does that actually mean? Is it even achievable? How does that statement actually translate into risk tolerance levels?

It may be more helpful instead to develop a process that effectively measures your organization’s risk tolerance levels for all risk categories. That way you have more insight into when a risk becomes a threat and what the potential impact is, especially for those critical processes and services.

It may be helpful to approach your risk threshold conversations similarly to how you tackle financials. Think of it this way: If you don’t do the oversight needed for risk management, how can you ensure you have a resilient organization?

The tone from the top is important here, especially as your organization embraces the idea that resilience isn’t just about certain plans or one specific program; it should be the way your organization routinely conducts business. And it’s not just about risks that exist today. True resilience also continuously looks out for new and emerging risks and ensures your organization is always prepared to respond.

Want to improve your organization’s resilience readiness? If you haven’t already, check out part one of this two-part blog series and download the report, “Resilience Management: Bringing People, Process and Technology Together,” for a deeper dive into the resilience movement and how it can positively impact your organization.


