Operational resilience refers to the organization and its people's capability to withstand, adapt to, and recover from unexpected disruptions such as cyberattacks, natural disasters, or technical failures.
Operational resilience goes beyond business continuity and operational risk management. It aims to minimize the impact on consumers and the wider economy. Major disruptive events such as the COVID-19 pandemic have clearly highlighted the need for organizations to ensure continuity of operations by embedding operational resilience as part of their organizational DNA.
The following reasons have highlighted how important it is for organizations to build operational resilience.
Operational incidents not only have a significant financial impact but can also disrupt entire markets and systems. According to IBM, the global average cost of a data breach in 2023 was $4.45 million. The systemic nature of such incidents is showcased by a New York Fed study, which highlighted that if the systems of five of the most active US banks are disrupted, the spillover to other banks would be significant, affecting 38% of the network on average. These incidents can also have a long tail, with a long-term impact on shareholder value as well as on operational risk capital requirements.
By implementing a robust operational resilience program, an organization can ensure a systematic and well-defined process for identifying potential risks and establishing effective controls to proactively mitigate those risks.
In the last few years, operational resilience has been a key priority for regulatory authorities around the globe. Some of the recent regulatory developments on operational resilience include the EU’s Digital Operational Resilience Act (DORA), the FCA policy statement (PS21/3) and PRA policy statement (PS6/21) in the UK, an interagency paper published by financial regulatory authorities in the US, and many more.
Today the regulatory focus is shifting as well. Regulators don’t just want to see how effectively organizations can attempt to prevent events from occurring but also how quickly they can recover from them.
Regulatory authorities expect organizations to understand the firm’s vulnerabilities, to invest in protecting against them, and to protect themselves, their consumers, and the market, so as to preserve the interest of the public and retain continuity of supply of products—even during operational disruptions.
Any operational resilience program needs to be aligned with the overall strategy of the organization so that it can drive and support investment decisions and day-to-day operations. To be successful with this approach, businesses require direct, efficient engagement from the board, the front line, and the extended enterprise. The goal is to manage the volatility of the impact generated by problems associated with “business-threatening events.” This means a comprehensive risk program that accommodates operational risk management, business continuity management, and third-party risk management.
Building a comprehensive operational resilience framework requires organizations to first identify critical business services and operations that need to be safeguarded during disruptive events. Next, they need to set impact tolerances and define key metrics. They then need to understand the interrelationships and dependencies of processes and business functions, both internally and externally. Scenario planning and analysis can help further fine-tune the framework by identifying potential points of failure. Lastly, the entire framework, along with key roles, responsibilities, and accountabilities, should be communicated across the enterprise.
As organizations prepare to streamline and improve their operational resilience program, the first step is to identify the relevant key business services, which, if disrupted, could cause substantial harm to the organization, consumers, and the business environment. The concept of potential harm is core to operational resilience and forms the crux of the program, as all subsequent processes depend on correctly identifying these critical economic functions (CEFs).
To effectively do this, organizations will need to:
There are multiple known and unknown factors that contribute to critical disruptions and may put the organization at risk. Forecasting, pre-empting, managing, or mitigating these factors is of high importance if organizations are to report accurately on the stability of the organization.
Organizations need to keep track of the following while setting impact tolerances and risk metrics:
Companies operate in a dynamic environment today. Building a relational data framework that maps the people, processes, systems, and third parties required to deliver a business service is an important step in understanding its dependencies. Crucial to building business resilience is understanding the internal and external interconnections and perspectives, while ensuring that the full picture exists, is current, and that all changes to it are relevant.
Since organizations are increasingly dependent on third-party providers and outsourcing of some functions, such an approach can help navigate the risks presented by third and fourth parties.
The following best practices can help gain a better understanding of upstream and downstream dependencies:
While looking for points of failure, it is important to assess the real impact on the organization and to build a better understanding of the organization’s risk appetite and capabilities.
Consider the following when building scenarios for potential points of failure:
A communication plan forms an integral element in any risk management strategy.
Formulate your communication plan and stakeholder map by:
Effectively executing the above steps by integrating GRC to support business objectives can prove to be a powerful differentiator. Technology provides a scalable platform and the necessary data model to build a relational data framework and to align organizational hierarchy, business services, market expectations, and strategic and regulatory objectives. Leveraging the right GRC platform further simplifies this process with a single, panoramic view of the hierarchy of business processes and their functionality, enabling organizations to comprehensively evaluate their impact on strategic and supervisory objectives. Organizations can easily gain tangible insights for arriving at the core/critical functions. Additionally, they gain insight into the risk rating or relevance rating of important services, which can help identify critical economic functions. A GRC platform can also simplify the capturing, reporting, and tracking of business anomalies—empowering and equipping the front line.
Enterprise-wide risk management frameworks in many organizations are capable enough to effectively manage operational resilience. Sustaining these plans will require integration of enhanced preventative, responsive, recovery, and learning capabilities. Here are some key considerations for organizations:
To attain a holistic view of risks, consolidate risk identification through service mapping and stress testing. Risk data from service mapping and service risk assessment, combined with internal and external sources such as threat intelligence, incident data, and loss events, is an asset in operational resilience.
Leverage high-quality, readily available risk and control data from cloud applications and infrastructure. This makes it possible to streamline processes using advanced technologies and analytics, including AI and ML techniques.
Make large data sets easy to understand, so as to provide continuous monitoring of threats and vulnerabilities and to ensure a more data-driven, fact-based risk assessment.
Operational resilience is a proactive approach to ensuring an organization has the essential measures in place to quickly identify, analyze, prevent, respond to, and recover from business disruptions. Business continuity is reactive and involves implementing pre-determined response measures in the aftermath of an event.
The key components of operational resilience are:
The ultimate responsibility for an organization’s operational resilience lies with the board and senior management. It is essential for the board and the top management to have insights into critical business operations and services, impact tolerances, and key metrics. Also, they need to set the tone from the top to ensure the operational resilience program is implemented effectively across the firm.