Resilience and Enterprise Risk Management
Guest Post by James Kline (first posted on CERM ® RISK INSIGHTS – reposted here with permission)
The term resilience is used in reports and studies by numerous government agencies and international institutions. For instance, in 2014 the Organization for Economic Cooperation and Development issued a report entitled “OECD Reviews of Risk Management Policies: Boosting Resilience Through Innovative Risk Governance”.
In 2015, the Rand Corporation conducted a study for the United States Department of Energy. It was entitled: “Measuring the Resilience of Energy Distribution Systems”. Resilience is considered important by insurance experts. The National Academies of Sciences, Engineering and Medicine note the need for resilience when updating the National Highway System. This piece examines why it is important, what resilience means and its relation to Enterprise Risk Management (ERM).
Why Resilience Is Important
The idea of resilience is important because the costs of risk events are increasing. Lloyd’s of London estimates that risks such as cyber-attacks, interstate conflicts, civil unrest and market crashes could cost the 279 largest cities in the world $320 billion. In 2017, 219 weather related events in the United States cost $1.5 trillion. These events are not limited to a specific geographic area. The impact is widespread and cuts across political boundaries. Hurricane Harvey impacted Texas, Louisiana, Mississippi, Tennessee and Kentucky. It affected 13 million people and flooded 800 water and waste water treatment plants and 13 superfund sites.
But the costs are greater and more long term than just the immediate repair costs. It is estimated that the 2018 wildfires in California will cost the state $400 billion in economic loss. This includes reduced property values, job loss and health problems due to air pollution. The average homeowner insurance, which increased fifty percent from 2005 to 2015, is likely to continue to increase.
Merced County Insurance Company, which insured customers in the Sacramento Central Valley, has declared bankruptcy. The insurance company has assets of $23 million but has claims of $64 million from the town of Paradise alone, which was destroyed by the Camp Fire. The balance of the liability will be picked up by a state of California insurance fund.
Increasingly, where private insurance fails to cover insurance liability, either federal or state government insurance funds pick up the balance. But, the National Flood Insurance Program, which subsidizes insurance premiums, had to borrow $25 billion to pay out claims. Government insurance claim payments, such as this, are in addition to the cost of recovering from the damage inflicted by the natural disaster.
Natural disasters are not the only costs governments incur due to risk events. For instance, the U.S. Justice Department has charged Iranian hackers with attacks on American hospitals, universities, the Colorado Department of Transportation and the City of Atlanta. The attack on Atlanta shut down the city’s computer network for over a week and cost the city an estimated $9 million. The riots in Paris not only cause physical damage but are damaging the reputation of the national government.
The increasing cost of repairs and insurance, plus the multiple types of risks governments face, has increased the interest in resilience.
What Is Resilience?
There are several definitions of resilience. One specifies the major stages of resilience. It was developed by the National Academies of Sciences. It states: “Resilience is the ability to prepare and plan for, absorb, recover from and more successfully adapt to adverse events.” Under this definition there are four major stages. Stage 1 is to prepare and plan for the risk. Stage 2 is to absorb the consequences of the risk. Stage 3 is to recover from the risk event. Stage 4 is to successfully adapt to the risk event. The ability to successfully manage these steps helps determine the resilience of the organization. Step 1 is directly related to Enterprise Risk Management (ERM). ERM can also assist with the negotiation of the other three steps.
ERM’s Relation to Resilience
Enterprise Risk Management (ERM) is an organizational process which allows management to identify, prioritize and mitigate all the risks that can adversely impact the accomplishment of their mission. Consequently, it provides the foundation for decisions which allow the completion of Step 1. ERM cuts across organizational silos. In addition to internal risk, ERM considers externally caused risks, such as cyber-attacks and natural disasters. This allows management to identify risks that can adversely impact the effective administration of organizational policies. Having this capability means that the organization is better positioned to absorb the adverse impact. Most organizations have emergency action plans. These plans allow management to respond quickly to the risk event. But these plans would not be as effective without an assessment of the risks and some mitigative actions. Thus, ERM can assist with recovery.
Once Step 3 has been successfully negotiated, repair and successful adaptation are necessary. ERM, because it requires continual risk monitoring, assessment and mitigative adjustments, facilitates Step 4.
While the steps in the resilience process are clear, the current approach to resilience has flaws.
Flaws in the Approach to Resilience
There are three major flaws in the approach to resilience. First, the risk events most closely associated with the need to improve resilience are classified and siloed. This is in part because they have been separated according to government functions. The Department of Energy has oversight of functions related to energy. The Federal Emergency Management Agency has responsibility for assisting with recovery from natural disasters. Seldom in the past did the two intersect in a significant manner. However, as the Fourth National Climate Assessment Report noted, there are increasing cascading effects and overlap among risk events. The impact of Hurricane Harvey is a good example of the broad-based cascading effects.
The second flaw is that resilience requires organizational adaptability. If an organization cannot absorb the adverse impact of a risk event, the idea of resilience is not optimized. Organizations have limited resources and face multiple risks that can come from multiple directions. Thus, a resilient organization needs to allocate resources in the most effective manner. This requires that the organizational processes be sensitive to risks and include identification, prioritization, mitigation and continual monitoring. ERM provides the organization with these capabilities. But, because the focus is still siloed, administratively ERM is ignored.
The last flaw is the definition of what resilience means at the recovery stage. Does resilience mean repair to pre-loss conditions? If recovery is to the same condition as prior to the risk event, with risk events occurring with considerable frequency, is that the appropriate level for repair?
The City of Houston experienced three five-hundred-year floods in a row. With such frequency, any repairs that have been made might be washed away with the next event. With repair costs increasing and federal and state governments and private insurance companies seeing claims escalate, several questions need to be addressed. These are: After a significant risk event, to what level of resistance are repairs going to be set? Who is going to set the resistance level? Is it going to be the federal government, state government, insurance companies or is it going to be left to individual companies? How quickly should the disrupted activity come back online? Should it be up and operating in a few hours or months? These are important questions. Some have been raised in relation to utilities. But most have yet to be raised in a holistic manner in major policy circles.
The concept of resilience is increasingly important. Broadly, resilience can be viewed as having four stages. Stage 1 is to prepare and plan for the risk event. Stage 2 is to absorb the consequences of the risk event. Stage 3 is to recover from the risk event. Stage 4 is to successfully adapt to the risk event. ERM is the mainstay of Stage 1. It also assists with the other three stages.
However, there are several flaws with the current thinking on resilience. First, it is too siloed and focused on specific types of risk events. ERM is not being used. Yet, ERM provides an enterprise-wide assessment of all the risks organizations face. It also provides a methodology for prioritizing and assessing the impact and costs of the risk events. That assessment allows management to develop mitigative actions and prioritize resource allocation accordingly.
The second problem is that resilience requires organizational adaptability. ERM provides the flexibility to recognize and adjust to new or increasing threats. Yet, ERM is not stressed in U.S. federal resilience related documents and studies. Without mitigative efforts being implemented and aligned effectively with budget constraints, the organization is in a reactive, not proactive, status.
Finally, policy discussions need to occur on the level of recovery once a risk event occurs. With events occurring more frequently, repairs may not be completed, or even have started, before the next event occurs. With the costs increasing for risk events, and federal and state governments acting as claims guarantor, how much can, or should, the governments continue to pay out for repairs? If there is a cost limit, who is going to set the levels for repair? In addition, who is going to determine how soon affected activities should come back online?
James J. Kline is a Senior Member of ASQ, a Six Sigma Green Belt, a Manager of Quality/Organizational Excellence and a Certified Enterprise Risk Manager. He has over ten years’ supervisory and managerial experience in both the public and private sector. He has consulted on economic, quality and workforce development issues for state and local governments. He has authored numerous articles on quality in government and risk analysis.