Create a Risk Management Process to Develop Organizational Resilience

Today’s guest blogger is Ed McConnell with HUB International, discussing best practices for organizational resilience. HUB International provides a wide range of business and personal insurance options including liability, health, life, and more.

Typically, about 80% of small businesses in the U.S. will survive their first year, but only half of the 400,000 new businesses that open their doors annually will still be around five years later.[1]

Consider the following statistics:

• 5% of business revenue is lost to fraud annually[2]
• 43% of cyber breach victims in 2019 were small or medium business[3]
• 39% of small businesses fear they won’t survive 2021[4]

No matter their age, many organizations will struggle to survive this year. Whether an organization remains afloat or not depends on how resilient they are and how capable they are to prepare for, respond and adapt to disruptive events.

In this pursuit, an organization needs to leverage all of the financial, technical, and human resources at its disposal. It will need to develop skills and competencies in an efficient, flexible manner to manage the risks and challenges it faces.

While there is no single strategy or solution to make an organization resilient, an organization can enhance its resilience by:

• Strengthening individual management disciplines of the organization that manage risk and doing so in an integrated and coordinated manner.
• Building a culture that ensures the organization behaves in a healthy manner.
• Increasing its adaptive capacity and ability to manage change.

The resilient company or organization uses its financial, technical and social resources to do the following:

• Develop long-term skills and competencies
• Deploy resources in an efficient, reliable and flexible manner
• Manage challenges and exploit opportunities

5 Aspects of Risk Management

Strong risk management practices are an important aspect of resilience. Though risk management can be challenging, the importance of building a solid foundation and program to protect your people, property and profitability is vital. Enterprise Security Risk Management (ESRM) is a strategic, all-hazards approach to risk management that provides a framework to identify, evaluate and mitigate the impact of security risks to an organization.

A comprehensive and effective risk management program incorporates the following elements and associated capabilities:

1. Emergency Action Planning: Emergency action plans are intended to protect people and property and prevent further harm during an emergency event. As defined by OSHA, an EAP facilitates and organizes employer and employee actions during workplace emergencies. When there’s well-developed emergency plans and employees are trained properly, there’s fewer and less severe injuries and structural damage to property. Conversely, poorly designed plans and poor training leads to disorganized evacuation and emergency response, which could lead to avoidable injuries and property damage.
2. Crisis Risk Management: When a crisis hits, a resilient organization will bounce back or even pivot, if necessary. Crisis risk management includes an organization’s ability to coordinate an effective response to protect people, operations, profitability and reputation. Planning may require gathering resources for outside support and partnerships to manage the issues, as well as a careful consideration of the vulnerabilities inside the organization.
3. Business Continuity: Business continuity plans help keep a resilient organization operational. Key to this are processes that ensure critical activities keep going during a crisis. A formal written plan notifies team members of their responsibilities and allows them to take charge when the time comes, especially if they have already practiced those tasks during drills and exercises.
4. Fraud Risk Management: Theft and fraud are two of the most complex risks to your organization today. Indeed, they can be so costly that they threaten even the most resilient organizations. While external and insider threats are posing new and heightened risks, regulations and public scrutiny are demanding greater responsibility. Now, more than ever, organizations are looking for ways to manage the risk of fraud, especially within the ESRM context and in a way that takes industry-specific considerations into account.
5. Cyber Security: Developing organizational resilience means taking into account even newer and ever-evolving risks like cyber security. In fact, cyber security may be one of the least understood areas of the risk picture. Adequately managing cyber risk does not require all participants and stakeholders to be technical subject matter experts. However, it does require comprehensive awareness of cyber risk issues and strategic and appropriate mitigation efforts, especially vendor risk management and privacy laws.

This can be daunting for those at the very beginning but planning and preparing for all areas of risk is vital to an organization’s survival today.

Contact your HUB consultant for more information on organizational resilience and Enterprise Security Risk Management.

[1]United States Small Business Administration, Frequently Asked Questions, June 2016.

[2]Association of Certified Fraud Examiners, Report to the Nations: 2020 Global Study on Occupational Fraud and Abuse, accessed April 20, 2021.

[3]Verizon, 2019 Data Breach Investigations Report, accessed April 20, 2021.

[4]FED Small Business, Small Business Credit Survey, accessed April 21, 2021.