This article presents a risk management methodology designed to enhance the resilience of organisations as complex nonlinear dissipative socio-technical systems. These systems are distinguished by intricate interrelationships, information exchanges, self-organisation, and adaptability to changes in the external environment. A central tenet of this methodology is a quantitative analysis of the likelihood that specific risks could lead to the complete dysfunction of critical processes, potentially resulting in catastrophic outcomes for the organisation. Furthermore, the methodology employs a combined qualitative and quantitative approach to evaluate critical risk mitigation scenarios, acknowledging the stochastic or sporadic nature of these threats. The risk prioritisation process is driven by an assessment of the expected utility of risk mitigation, which facilitates the strategic allocation of resources in accordance with the organisation's risk appetite as defined by its budget. In alignment with the modern resilience paradigm, the proposed methodology prioritises the maintenance of critical operations continuity, rapid recovery from disruptions and the enhancement of the system’s capacity to adapt to unforeseen changes. This methodology can be integrated seamlessly into existing information security management systems, providing a robust framework for sustainable organisational resilience.
Fedir Korobeynikov (Thu,) studied this question.