Risk and resilience
Resilience is "the capacity to recover quickly from difficulties and changing circumstances". (Strength in Numbers Report, SIB, 2018)
There are five key areas for organisational resilience. The extent to which these apply to your organisation will depend on the size, complexity and operating context but each area is worth considering:
- Governance: There must be sound board and team alignment and consistent clarity of mission and values.
- Openness: To feedback, to partnerships, to experimentation, to learning.
- Finance: Good information, reserves, strategies, diversification.
- Networking: A comprehensive awareness of the external landscape, partnerships and other sources of support.
- Adaptation: A commitment to the mission (relating to risk) and not a fixed model which must be aligned with an ability to flex as best fits to the organisation.
In the face of growing uncertainty, organisations may need to invest in resilience, resulting in an ability to:
- Respond quickly to mitigate the effects of unanticipated events supported by effective crisis management
- Recover quickly from the aftermath of an unanticipated event with sound business continuity management
- Review past unanticipated events to improve future resilience and learn
The respective roles of Board, Audit Committee (if one is in place) and staff:
The roles from the above diagram:
- Must lead on risk management; is ultimately responsible
- Should be identifying new risks, challenging existing risks
- Must understand where impact of each risk lies within the organisation
- Must seek assurance on effective risk management
- Should identify its risk appetite and then use it
- Must receive regular updates on risk register
- Risk should be a standard agenda item for each meeting
- Should monitor and review risk.
- Independent adviser to the board
- Understands where to skim, question or dig deep
- Focuses on key risks
- Ensures risks are fully reflected in audit plan
- Undertakes or commissions additional detailed work on risk where necessary
- Commissions / uses external audit to test and validate risk management and controls
- Adds value to the Board’s work on risk (but ultimately Board is responsible)
- Has responsibility for the internal audit function.
- Identify new and emerging risks
- Review the strategic risk register and update quarterly
- Ensure strategic risk register is brought to Board regularly
- Provide assurance to the Board that risk is being managed
- Embed a culture of risk management throughout the staff, and make risk management a key aspect of the performance management framework.
This resource has been written by Angela Lomax from David Tolson Partnership, Chair of the Co-operative Governance Expert Reference Panel.