Good communication between risk and resilience strengthens risk culture and builds a more resilient business. Understanding risk is essential for resilience. And a resilient organisation is better positioned to withstand risks.

Yet these teams often operate independently, each with its own goals, its own language, and its own metrics. That disconnect can undermine both functions – and have real cost implications for the organisation.

The Hidden Cost of Disconnection

Over time, many organisations have expanded their view of risk from its insurance roots to enterprise-level threats, causing the orbits of risk management and resilience to overlap.

While these functions come from different perspectives, the goal of both risk and resilience is essentially to remove obstacles that could impede performance. The problem is when they reach conflicting conclusions about those obstacles because neither one could see the full picture.

Here’s why the disconnection is costly:

Conflicting priorities. Risk teams prioritize risks based on likelihood and impact, often relying heavily on past experience. Resilience teams prioritize efforts based on the plausibility of a scenario and whether it is credible even without historical evidence. It’s a problem when these priorities are at odds.

Language barrier. Are risk and resilience teams using the same term to measure different things – or different terms to measure the same thing? Something as simple as one team using “people” and the other using “employees” can cause time-wasting confusion. Terms to watch out for:

  • Incident/crisis
  • Threat/risk
  • Supplier/vendor
  • Location/area
  • Organisational risk/organisational resilience/operational resilience

Agreeing upfront on taxonomy and criteria can speed up communication and minimize misunderstandings.

Measurement misalignment. Resilience teams look at impact tolerance – the amount of disruption the organisation can handle before customers, employees, the business, and markets are intolerably harmed. Risk teams measure risks against risk appetite – the amount of volatility acceptable to achieve goals. When these concepts are considered in isolation, it’s difficult to assess the true impact of a risk or which controls are most meaningful. Two stories also make it difficult for the board to understand what to focus on.

Redundant work. Both teams asking others for the same – or almost the same – input on vendors, risks, impacts, etc. wastes time, squanders resources, and slows response to emerging threats. And the requests can be extra annoying if more work must be done to adjust the data to fit the peculiarities of each team.

How to Start the Conversation

Better communication between risk and resilience makes both teams more efficient by eliminating duplicate work and removing language barriers. But that’s just the start. Closer collaboration will help the risk team think more practically about potential outcomes. And it will help the resilience team bring a strategic focus to scenario testing.

Here are six steps to get the ball rolling:

  1. Create a cross-functional team. Put together a team with representation from both functions. This group can work together to identify risks, prioritize actions, and develop solutions. They can establish common workflows that bake in cross-collaboration from the start. You may even find that with your combined efforts, data gathered for one requirement can be leveraged to comply with another, saving everyone time and effort.
  2. Get leadership buy-in. An executive sponsor who can champion the cross-functional group’s work is a bonus. This person will have the authority to garner broad leadership support and secure necessary resources.
  3. Establish a regular cadence for talking. Don’t wait for trouble to happen. Get the cross-functional team together on a regular basis as a forum to raise issues, discuss solutions, and build trust.
  4. Decide on a common language and metrics. Come together to institute a common taxonomy and measurement criteria for all stakeholders – including both the risk and resilience teams and internal partners. Shared objectives and KPIs can motivate teams to collaborate on solutions. A common language will also help eliminate discrepancies and misunderstandings – which is especially important when facing the pressures of disruption.
  5. Include both functions in exercise testing. Don’t limit scenario testing to just the resilience team. Involving the cross-functional team helps everyone think beyond their roles and share different perspectives for making improvements. This also gets everyone comfortable with the plan – and with each other – which can boost performance and communication in an actual crisis. Practice makes perfect.
  6. Use integrated software. Today’s software gives all stakeholders access to the same high-quality data so they can exchange knowledge and collaborate on actions. It reinforces the agreed-on vocabulary, standardizes processes, and establishes one source of truth for all, from frontline management to the board.

Removing the walls between risk and resilience will unlock knowledge, eliminate duplicate work, and align strategic priorities. A collaborative view gives you the power to see around corners to minimize risk, disruptions, and costs. And a business that keeps going under any conditions inspires confidence with employees, customers, the board, auditors, and everyone else who matters.

For more on building a more resilient organisation, download our ebook, Getting Started with Business Resilience, and check out Riskonnect’s GRC and Business Continuity & Resilience solutions.