Is Resilience a Step Up from Risk Management?
Key Takeaways
- Resilience Is Not Enough: While resilience—adapting and recovering from disruption—is critical, it's only one form of response within a broader risk management strategy.
- Disaster Planning Must Be Practical: Effective recovery planning focuses less on specific causes (e.g., fire, earthquake) and more on universal response and communication strategies.
- Prevention and Preparedness Go Hand in Hand: Storing critical data, ensuring system redundancy, and planning for resource availability are essential complements to traditional response plans.
- Risk Is a Range, Not a Point: Good risk management means reshaping the curve—reducing the likelihood of severe outcomes rather than assuming a fixed level of risk.
- Sometimes the Strategy Must Change: Resilience may not always be the best answer; in some cases, abandoning or revising the strategy altogether is the wisest course of action.
Deep Dive
In this reflective piece, risk management expert and author Norman Marks draws from his own leadership experience in IT and governance to explore the relationship between resilience and risk management. From disaster recovery planning to strategic decision-making, he explains why resilience, while essential, is just one tool in a much larger toolkit. Sometimes, being resilient isn’t enough. Sometimes, the smartest move is to change course altogether.
Rethinking How We Respond to Risk Beyond Bouncing Back
I am all in favor of being resilient.
Gemini AI tells us, "Resilience is the ability to adapt to and recover from adversity, trauma, tragedy, threats, or significant sources of stress."
One of my responsibilities as a vice president in IT for a financial institution was IT disaster recovery planning (DRP). Later, my portfolio grew and business disruption planning was added. Initially, my Disaster Recovery Coordinator started writing separate plans for a fire, earthquake (we were in the San Fernando Valley area of Los Angeles), flood, and loss of electrical supply. But then we realized that whatever caused the loss of a data center, our response was essentially the same.
We also realized that the most important element of any DRP (or business recovery plan) was communications planning. That became our top priority, and it was completed without delay. A DRP is all about resilience, but we needed more than procedures for response and recovery.
We needed to enhance our recovery resources—storing critical data where it would be readily accessible in the event of a disaster, making sure we had somewhere to restore and run our systems, and ensuring we would have the people and other resources, such as funding, available for the recovery. We also developed a Disaster Prevention Plan with measures that would reduce the potential effect of a natural disaster. We couldn’t change the likelihood of an earthquake, or of an airplane on approach to Burbank airport hitting our building instead. But we could take reasonable measures to limit the likelihood of a severe impact.
I have been preaching incessantly that the level of risk is not a point—it’s a range or distribution of potential effects, each with its own likelihood. What we were doing was changing the shape of the curve. We reduced the likelihood of the more significant effects on our objectives.
But there is more to risk management than resilience. Being resilient is not always sufficient. Sometimes, you need to change your strategy because of the level of risk—not just become more resilient.
When Tosco was considering engaging a Mexican channel partner, one of my direct reports facilitated a discussion about the risks and opportunities involved. The prudent decision was made not only not to engage with that channel partner, but also to abandon the strategy entirely—at least for the time being.
The way I look at it, you need effective risk management to understand what lies between you and your objective—the risks and opportunities. One way to respond (some talk about “treating the risk,” but I don’t think that is sufficiently descriptive of the response choices) is to become as resilient as justified by the risk, given the cost. But it’s not the only way. Too often, we overlook the response of changing the strategy—or even the objective.
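The two ideas above, risk as a distribution rather than a point and "as resilient as justified by the risk, given the cost", can be made concrete with a small quantitative model. The following is an added example and is not code from Norman Marks or the GRC Report. All of the figures in it are constructed for illustration: an annual probability of a data-centre-loss event that the organisation cannot change, a conditional impact distribution measured in days of outage, a severity threshold and tolerance that a board might set, and the annual cost of each response expressed in the same units. The functions `loss_distribution`, `exceedance_curve`, `net_benefit` and `choose_response` are this example's own names, not terms from the article.

```python
"""Added example: the level of risk as a distribution of outcomes, and the
choice between accepting it, becoming resilient, or changing strategy.

Constructed figures throughout. Impact is measured in days of outage;
p_event is the annual probability of the disruptive event (e.g. an
earthquake), which no response below can change.
"""
from dataclasses import dataclass

SEVERE_DAYS = 60.0        # constructed: outage length the board treats as severe
MAX_P_SEVERE = 0.01       # constructed: tolerated annual probability of that


@dataclass(frozen=True)
class Response:
    name: str
    p_event: float          # annual probability the event occurs
    impact_pmf: dict        # {days_of_outage: P(that outage | event)}
    annual_cost: float      # cost of the response itself, in outage-day equivalents


def loss_distribution(p_event, impact_pmf):
    """Unconditional annual loss distribution: P(loss = 0) = 1 - p_event,
    P(loss = x) = p_event * P(impact = x | event)."""
    if abs(sum(impact_pmf.values()) - 1.0) > 1e-9:
        raise ValueError("conditional impact probabilities must sum to 1")
    dist = {0.0: 1.0 - p_event}
    for days, p in impact_pmf.items():
        dist[float(days)] = dist.get(float(days), 0.0) + p_event * p
    return dist


def expected_loss(dist):
    return sum(x * p for x, p in dist.items())


def exceedance(dist, threshold):
    """P(loss >= threshold): the height of the loss-exceedance curve there."""
    return sum(p for x, p in dist.items() if x >= threshold)


def exceedance_curve(dist):
    """The whole curve as [(threshold, P(loss >= threshold)), ...], ascending.
    Two responses with the same p_event share the left end of the curve;
    what a prevention plan changes is the height of the tail."""
    return [(x, exceedance(dist, x)) for x in sorted(dist)]


def net_benefit(baseline, candidate):
    """Reduction in expected loss relative to doing nothing, net of the
    candidate's own annual cost (same units)."""
    base = expected_loss(loss_distribution(baseline.p_event, baseline.impact_pmf))
    cand = expected_loss(loss_distribution(candidate.p_event, candidate.impact_pmf))
    return base - cand - candidate.annual_cost


def choose_response(baseline, candidates, severe_days=SEVERE_DAYS,
                    max_p_severe=MAX_P_SEVERE):
    """Among candidates whose probability of a severe outcome is within
    tolerance, pick the one with the largest net benefit. Returns None if
    no candidate meets the tolerance."""
    acceptable = [
        c for c in candidates
        if exceedance(loss_distribution(c.p_event, c.impact_pmf), severe_days)
        <= max_p_severe
    ]
    if not acceptable:
        return None
    return max(acceptable, key=lambda c: net_benefit(baseline, c)).name


# Constructed scenarios. Note p_event is identical for the first two:
# a DRP and prevention plan reshape the impact, not the hazard.
ACCEPT = Response("accept", 0.05, {2: 0.2, 10: 0.3, 60: 0.5}, 0.0)
RESILIENT = Response("become resilient", 0.05, {2: 0.5, 10: 0.4, 60: 0.1}, 0.4)
# Changing strategy removes the exposure entirely but forgoes the opportunity,
# modelled here as a larger annual cost.
CHANGE_STRATEGY = Response("change strategy", 0.0, {0: 1.0}, 1.5)
CANDIDATES = [ACCEPT, RESILIENT, CHANGE_STRATEGY]


if __name__ == "__main__":
    for r in CANDIDATES:
        d = loss_distribution(r.p_event, r.impact_pmf)
        print(f"{r.name:17s} E[loss]={expected_loss(d):5.2f} days  "
              f"P(>= {SEVERE_DAYS:.0f} days)={exceedance(d, SEVERE_DAYS):.3f}")
    print("tolerance 0.01 ->", choose_response(ACCEPT, CANDIDATES))
    print("tolerance 0.003 ->", choose_response(ACCEPT, CANDIDATES, max_p_severe=0.003))
```

Run as a script, the first two exceedance curves both start at P(loss >= 2 days) = 0.05, because the earthquake is exactly as likely either way; the resilient response lowers the tail at 60 days from 0.025 to 0.005. With a tolerance of 0.01 the model picks "become resilient" (largest net benefit among acceptable responses); tighten the tolerance to 0.003 and only "change strategy" remains acceptable, which is the point of the Tosco story: resilience is one response, and sometimes not the right one.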
What do you think?
The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.