Creating a Process for Corporate Resilience

Enterprise security risk management is a strategic, all-hazards framework for identifying, evaluating and mitigating threats.

Typically, about 80% of small businesses in Canada will survive the first three years, but only half of the 100,000 new businesses that open their doors annually will still be around eight years later.

Consider the following statistics:

  • Canadian businesses lost $30.4 million to fraud in 2017.
  • 29% of cyber breach victims in 2019 were medium-sized businesses, while 18% were small businesses.
  • Almost one-third of small businesses fear they won’t survive 2021.

No matter their age, many organizations will struggle to survive this year. Whether an organization remains afloat depends on how resilient it is and how capable it is of preparing for, responding to and adapting to disruptive events.

In this pursuit, an organization needs to leverage all of the financial, technical and human resources at its disposal. It will need to develop skills and competencies in an efficient, flexible manner to manage the risks and challenges it faces.

While there is no single strategy or solution to make an organization resilient, an organization can enhance its resilience by:

  • Strengthening individual management disciplines of the organization that manage risk and doing so in an integrated and coordinated manner.
  • Building a culture that ensures the organization behaves in a healthy manner.
  • Increasing its adaptive capacity and ability to manage change.

The resilient company or organization uses its financial, technical and social resources to:

  • Develop long-term skills and competencies
  • Deploy resources in an efficient, reliable and flexible manner
  • Manage challenges and exploit opportunities


Five Aspects of Risk Management

Strong risk management practices are an important aspect of resilience. Though risk management can be challenging, the importance of building a solid foundation and program to protect your people, property and profitability is vital. Enterprise security risk management (ESRM) is a strategic, all-hazards approach that provides a framework to identify, evaluate and mitigate threats to an organization's resilience.

A comprehensive and effective risk management program incorporates the following elements and associated capabilities:

  1. Emergency Action Planning: Emergency action plans are intended to protect people and property and prevent further harm during an emergency. As defined by OSHA, an EAP facilitates and organizes employer and employee actions during workplace emergencies. When emergency plans are well developed and employees are properly trained, injuries are fewer and less severe and structural damage to property is reduced. Conversely, poorly designed plans and poor training lead to disorganized evacuation and emergency response, which can result in avoidable injuries and property damage.
  2. Crisis Risk Management: When a crisis hits, a resilient organization will bounce back or even pivot, if necessary. Crisis risk management includes an organization’s ability to coordinate an effective response to protect people, operations, profitability and reputation. Planning may require gathering resources for outside support and partnerships to manage the issues, as well as a careful consideration of the vulnerabilities inside the organization.
  3. Business Continuity: Business continuity plans help keep a resilient organization operational. Key to this are processes that ensure critical activities keep going during a crisis. A formal written plan notifies team members of their responsibilities and allows them to take charge when the time comes, especially if they have already practiced those tasks during drills and exercises.
  4. Fraud Risk Management: Theft and fraud are two of the most complex risks to your organization. Indeed, they can be so costly that they threaten even the most resilient organizations. While external and insider threats are posing new and heightened risks, regulations and public scrutiny are demanding greater responsibility. Now, more than ever, organizations are looking for ways to manage the risk of fraud, especially within the ESRM context and in a way that takes industry-specific considerations into account.
  5. Cyber Security: Developing a resilient organization means taking into account even newer and ever-evolving risks like cyber security. In fact, cyber security may be one of the least understood areas of the risk picture. Adequately managing cyber risk does not require all participants and stakeholders to be technical subject matter experts. However, it does require comprehensive awareness of cyber risk issues and strategic and appropriate mitigation efforts, especially vendor risk management and privacy laws.

Risk management can be daunting for those at the very beginning, but planning and preparing for all areas of risk is vital to an organization’s survival today.

Ray Monteith

Ray Monteith is a senior vice president with HUB International's risk services division. He leads the organizational resilience practice for the division and is the risk control services leader for the Canadian region.
