• Risks cascade across financial, operational, and reputational areas.

• Siloed resilience approaches are no longer effective.

• Strong governance and clear ownership are essential.

• Integrated frameworks improve visibility of second-order effects.

• Traditional stress tests often miss behavioural and political shocks.

• Boards must embed resilience into strategy and decision-making.

Ahead of Risk Evolve, Søren Agergaard Andersen explores why risks now cascade across capital, liquidity, operations, and reputation, and why organisations must adopt integrated frameworks, strong governance, and board-level strategic foresight to turn resilience from a compliance exercise into a competitive advantage.

Why is treating financial and operational resilience separately no longer fit for today’s risk environment?

In today’s environment, we can no longer purely look at each risk category in isolation. For theoretical purposes, we can focus on each factor in our stress tests, but we know that risks cascade across the different categories – capital, liquidity, operations, technology, reputation, and so on.

For a bank, a funding squeeze will quickly become an operational strain with e.g. collateral bottlenecks. This leads to increased conduct risk and eventually reputational risk. Another example could be cyber security related issues which translate into payment disruptions, liquidity risk and perhaps regulatory escalation. 

From my industry, a material incident on a portfolio asset (e.g. wind or solar farm) can lead to revenue disruption, covenant breach risk and impact on LP confidence. 

These simple examples illustrate how one risk or incident will spill over to others – and eventually (almost) always end up as financial impact. Operational shocks become financial shocks with a very short time delay.

What’s the hardest part of integrating liquidity, capital, and operational resilience into a single enterprise framework?

I would argue that we have had time to prepare for this, but it’s not a simple task. The deep process, risk, and control understanding is there, and we have our well-designed methodologies and systems/tools. But integrating into a single enterprise framework requires a strong governance architecture. 

This means a CRO ownership of the unified framework, a clear escalation path, a resilience committee (or something similar) with representatives from all relevant stakeholders, and board level risk appetite statements that set quantitative and qualitative thresholds for both financial and operational resilience. This part is foundational but also hard to get right. 

Mapping critical processes and establishing an integrated risk taxonomy is also important – and especially the latter can be crucial for understanding the second-order effects. E.g. looking at a category like market stress – what financial impact will this have (PnL, liquidity strain) and what operational impact will it have (redemptions process overload)?

Another important part is the design of scenario playbooks, unifying financial stress tests and the BCP. We are all used to working with classic single dimension scenarios, but these need to extend with a broader scope. One example would be a cyber failure in a volatile market. What happens to trading, risk monitoring, and client communication – all being part of the scenario playbook. You need common and coordinated scenario designs and a common severity scale. 

I think we are at a stage where all professional firms know where ownership is anchored. Combining the risk categories in this way, however, is not that easy for all executives, and the risk function will have a major role in facilitating.

And then finally, this needs to be embedded into the operating model – and not just be something that lives in pdf files. This part can also be very challenging.

Are organisations stress-testing for the right kinds of shocks, or are cascading and second-order impacts still being underestimated?

I still believe in traditional stress-testing. It is an important exercise which provides information to the risk picture. But second-order effects are underestimated. We all stress interest rates, GDP, liquidity spreads, credit exposures, etc. But fewer are stressing political fragmentation, social licence erosion, regulatory escalation. 

As an example, we saw much more quantitative stress tests post the financial crisis, but second-order effects like behavioural reactions – e.g. client runs and media dynamics - are extremely hard to model.

In a real crisis, what matters more: data and technology, or governance and decision-making — and why?

I am not sure there is a simple answer to that. But if I was to choose, I normally always go with Governance. Governance is the foundation – in my experience you can build and manage all you want, but if the governance is not set properly and accepted/respected in the organisation, resilience will still not work as intended. 

Governance determines the plan and direction. When COVID hit, it was not really data that was the constraint. There might be some challenges gathering and structuring, but that was manageable. The real constraint was decision rights, escalation clarity, preparedness.

Data and technology provide speed – assisting with fast and insightful decisions. And this can have a huge impact on value preservation.

At board level, what needs to change for resilience to become a strategic capability rather than a regulatory obligation?

This is where firms can differentiate themselves. For resilience to evolve into a real strategic capability, boards must shift their operating rhythm from passive oversight to active foresight. They need to replace backward-looking compliance updates with forward-looking scenario debate. And they must routinely challenge management with extreme but plausible narratives to make sure the organisation is prepared for non-linear shock patterns.

The capabilities improve when the board systematically interrogates single-points-of-failure, behavioural choke-points, and organisational interdependencies.

And finally, the board needs to integrate resilience into the strategy – the decision-making and resource prioritisation.

When the board connects resilience to investment decisions, capital allocation, and growth ambition, they ensure resilience informs strategic direction.