This article, published in the Academy of Management, argues that to succeed in a turbulent and uncertain world, companies should shift their attention from excessive risk management to building resilience.
- The traditional way of coping with crises is to identify risks, based on empirical data, mathematical modelling, and probability distributions
- Such an approach helps companies anticipate and mitigate some risks, but it’s impossible to identify all potential risks. Many disasters and crises nowadays are triggered by improbable events whose causes are not well understood
- Some of these crises happen because of patterns of several events occurring simultaneously in space and time — related cascading consequences are hard to anticipate and predict with risk management tools
- To cope with disruptive events that cannot be adequately addressed with traditional risk management, organisations should shift their attention from identifying and mitigating risk to increasing resilience
- In contrast to risk management, a resilience approach implies focussing on organisational capabilities and capacities
- Re-orienting from risk to resilience better captures the desired outcome: preparedness for dealing with unforeseen – and perhaps unforeseeable – disruptive events
Why does this matter for businesses?
- Many companies invest heavily in cybersecurity protection and risk management, while neglecting to build organisational resilience. Risk and resilience are related concepts, but differ in their intended outcome
- Traditional risk mitigation focusses on the most likely and most impactful risks. Resilience, on the other hand, helps deal with high-impact events for which risk mitigation plans are ineffective