Assessing operational resilience maturity: How prepared are organisations?
In our Operational Resilience Outlook Report 2024, only half of all respondents reported having a common understanding or definition of operational resilience within their organisations, with 30.8% saying they do not, and 19.2% unsure.
By AnsaradaWed Jan 24 2024CEO-CFO, Audits and compliance, Security and risk management, Governance Risk and Compliance, Environmental Social and Governance, Board
Despite this uncertainty, only 26.9% of respondents rate their current operational resilience maturity as ‘beginner’ - over half (57.7%) rate themselves as ‘emerging’, and 15.4% rate themselves as advanced.
When it comes to implementing a formal operational resilience framework, the majority (53.8%) have one in the early stages of development, while 23.1% feel confident they already have a comprehensive framework in place. 19.2% of respondents have not implemented any formal framework, while a small percentage (3.8%) are unsure.
Understanding versus maturity
These two results raise questions surrounding the understanding of operational resilience versus maturity. The majority of respondents considers themselves at an emerging level of maturity, which contradicts with only half indicating a common understanding of resilience. This raises questions about the alignment between perception and actual implementation.
Despite a sizeable portion (53.8%) having a framework in early stages of development, the lack of a comprehensive framework for almost a fifth (19.2%) may impact the overall effectiveness of resilience efforts.
The contradiction between those with confidence in their frameworks and the overall lack of a common understanding is a point of concern.
Dedicated teams
Responsibility seems to be divided, with only 34.6% of respondents having a dedicated team for overseeing operational resilience. 61.5% say that operational resilience is managed by various teams across the organisation, while 3.8% are not sure.
With 61.5% stating that operational resilience is managed by various teams, and only 34.6% having a dedicated team, it suggests a potential lack of centralised oversight. This decentralised approach might hinder the efficiency and consistency of resilience efforts.
“Entities must build a new mindset about where their boundaries of responsibility sit. Perhaps the most significant change introduced by [APRA CPS230] is the requirement for an end-to-end view of operational risk, with a focus on critical operations, including those performed by third and fourth parties,” says Therese McCarthy Hockey, APRA.
