Mastering the process: Key steps in your operational resilience journey
In part five of our ABCs of Operational Resilience series, we look at the key steps in the process of building resilience so you can develop a best-practice operational resilience strategy moving forward.
By AnsaradaThu Mar 14 2024CEO-CFO, Audits and compliance, Governance Risk and Compliance, Environmental Social and Governance
Operational resilience is a critical aspect of your organization's ability to withstand disruptions and continue delivering essential services.
At its core, operational resilience is about effectively managing operational risks. This involves identifying potential risks that could impact business services and implementing strategies to mitigate or eliminate these risks. By proactively addressing vulnerabilities, your organization can enhance its ability to withstand disruptions.
Developing a best-practice operational resilience strategy involves a strategic and systematic approach to ensure that the business can adapt and thrive in the face of unexpected challenges.
Here, we break down the key steps in building and managing operational resilience.
Step one is identifying your critical operations, or Important Business Services as they are known in the UK.
These are the essential functions that your company relies on – the critical operations that can’t cease without risking your business’s ability to deliver value. Any interruptions to these services would have a significant impact on your company.
That’s why the first step in building operational resilience is identifying and prioritizing the crucial business services that must be maintained, even during challenging times. These may include customer support, financial transactions, or key operational processes. Clearly defining these services sets the foundation for resilience planning.
Step two is taking your list of essential functions and mapping out all the resources that support them. These resources could be people, technology, systems, processes, infrastructure, or service providers. What they have in common is a supporting role in delivering each critical operation, so it’s vital that they too can adapt in the event of a disruption.
Having a comprehensive overview of these resources allows for more thorough risk management and targeted resilience efforts. A visual overview or flow chart comes in very handy here.
Step three is setting clear impact tolerances for the maximum level of disruption you are willing to accept, including around data loss.
Impact tolerances lay out the maximum level of disruption that can be tolerated. They are measured against customers, the company, and the market, across a specific timeframe.
For each critical operation, you should establish tolerance levels for:
Controls and mitigants need to be put in place to ensure you can maintain critical operations within tolerance levels and be able to confidently demonstrate this to regulators, such as APRA or the FCA.
Step four requires conducting robust scenario testing. This involves using severe but plausible scenarios to assess your ability to remain within your defined impact tolerances.
Scenario testing is a way to see how well your organization will handle unexpected challenges in real-life situations. It helps you proactively prepare for disruptions like outages, cyberattacks, or natural disasters by testing how your most important services will hold up in those scenarios.
Tests should include failures within your control (e.g. IT system failures) as well as those outside of your control (e.g. cyberattack or disruption to power supply). These tests will help you identify weaknesses in your current setup and enable you to refine your strategies for responding to various disruptions. Regular testing will ensure readiness and continuous improvement.
Step five requires developing and maintaining appropriate monitoring, analysis, and reporting of operational risks. This includes any escalation processes for operational events that occur.
Communication is key in operational resilience. Regularly reporting resilience strategies, risk assessments, and testing outcomes to the board and relevant regulators ensures transparency and accountability. It also provides an opportunity to receive feedback and make necessary adjustments to enhance resilience further.
Effective information systems should be used to monitor operational risk, compile and analyze data, and facilitate reporting to the Board and senior management. This includes scenario tests executed, lessons learned from scenario tests, and what remediation activities you are undertaking based on those lessons.
Business Continuity Planning (BCP)
Leading-practice regulation such as APRA requires companies to have Business Continuity Plans in place to outline how the firm identifies, manages, and responds to disruptions within tolerance levels. These BCPs should be regularly tested with severe but plausible scenarios.
Disaster Recovery (DR)
BCPs must include Disaster Recovery (DR) planning for critical information assets, ready to be activated during a disruption before returning to normal operations. Firms must maintain the necessary capabilities to execute the BCP, including access to people, resources and technology.
Developing and maintaining robust BCP and DR plans ensures that your organization has clear procedures in place to minimize downtime and recover quickly in the event of disruptions.
Identifying and assessing supply chain risks
Many businesses rely on complex supply chains to deliver products or services. Identifying and assessing risks within these supply chains is crucial for operational resilience. Understanding dependencies and vulnerabilities in the supply chain ensures that organizations can respond effectively to disruptions, such as supplier failures or logistical challenges.
Developing a best-practice operational resilience strategy involves a holistic approach, from identifying crucial business services to regularly testing and refining strategies. By following these steps, you can fortify your organization’s ability to adapt and thrive in the face of unforeseen challenges, ultimately safeguarding its long-term success – but, you need the right tools for the job.
Following this process using legacy systems like Excel spreadsheets quickly becomes untenable. Where manual efforts fall short, purpose-built resilience software can give you a 360-degree view of risks and opportunities and help you manage this ongoing process in the simplest way.
At its core, operational resilience is about effectively managing operational risks. This involves identifying potential risks that could impact business services and implementing strategies to mitigate or eliminate these risks. By proactively addressing vulnerabilities, your organization can enhance its ability to withstand disruptions.
Developing a best-practice operational resilience strategy involves a strategic and systematic approach to ensure that the business can adapt and thrive in the face of unexpected challenges.
Here, we break down the key steps in building and managing operational resilience.
1. Identify critical operations
What operations are crucial for your organization to keep running?Step one is identifying your critical operations, or Important Business Services as they are known in the UK.
These are the essential functions that your company relies on – the critical operations that can’t cease without risking your business’s ability to deliver value. Any interruptions to these services would have a significant impact on your company.
That’s why the first step in building operational resilience is identifying and prioritizing the crucial business services that must be maintained, even during challenging times. These may include customer support, financial transactions, or key operational processes. Clearly defining these services sets the foundation for resilience planning.
2. Catalogue and map resources that support critical operations
What processes, systems, people, data or third parties do these services depend on?Step two is taking your list of essential functions and mapping out all the resources that support them. These resources could be people, technology, systems, processes, infrastructure, or service providers. What they have in common is a supporting role in delivering each critical operation, so it’s vital that they too can adapt in the event of a disruption.
Having a comprehensive overview of these resources allows for more thorough risk management and targeted resilience efforts. A visual overview or flow chart comes in very handy here.
3. Set impact tolerances
What defines an ‘inconvenience’ compared to ‘intolerable harm’ for your company?Step three is setting clear impact tolerances for the maximum level of disruption you are willing to accept, including around data loss.
Impact tolerances lay out the maximum level of disruption that can be tolerated. They are measured against customers, the company, and the market, across a specific timeframe.
For each critical operation, you should establish tolerance levels for:
- the maximum period of time the entity would tolerate a disruption to the operation;
- the maximum extent of data loss the entity would accept because of a disruption; and
- minimum service levels the entity would maintain while operating under alternative arrangements during a disruption.
Controls and mitigants need to be put in place to ensure you can maintain critical operations within tolerance levels and be able to confidently demonstrate this to regulators, such as APRA or the FCA.
4. Scenario testing
How would a disruptive event impact your most important processes? What happens next?Step four requires conducting robust scenario testing. This involves using severe but plausible scenarios to assess your ability to remain within your defined impact tolerances.
Scenario testing is a way to see how well your organization will handle unexpected challenges in real-life situations. It helps you proactively prepare for disruptions like outages, cyberattacks, or natural disasters by testing how your most important services will hold up in those scenarios.
Tests should include failures within your control (e.g. IT system failures) as well as those outside of your control (e.g. cyberattack or disruption to power supply). These tests will help you identify weaknesses in your current setup and enable you to refine your strategies for responding to various disruptions. Regular testing will ensure readiness and continuous improvement.
5. Self assessment & reporting
How do you report back these results and learnings to your Board and management?Step five requires developing and maintaining appropriate monitoring, analysis, and reporting of operational risks. This includes any escalation processes for operational events that occur.
Communication is key in operational resilience. Regularly reporting resilience strategies, risk assessments, and testing outcomes to the board and relevant regulators ensures transparency and accountability. It also provides an opportunity to receive feedback and make necessary adjustments to enhance resilience further.
Effective information systems should be used to monitor operational risk, compile and analyze data, and facilitate reporting to the Board and senior management. This includes scenario tests executed, lessons learned from scenario tests, and what remediation activities you are undertaking based on those lessons.
6. Other critical components of operational resilience
Business Continuity Planning (BCP)
Leading-practice regulation such as APRA requires companies to have Business Continuity Plans in place to outline how the firm identifies, manages, and responds to disruptions within tolerance levels. These BCPs should be regularly tested with severe but plausible scenarios.
Disaster Recovery (DR)
BCPs must include Disaster Recovery (DR) planning for critical information assets, ready to be activated during a disruption before returning to normal operations. Firms must maintain the necessary capabilities to execute the BCP, including access to people, resources and technology.
Developing and maintaining robust BCP and DR plans ensures that your organization has clear procedures in place to minimize downtime and recover quickly in the event of disruptions.
Identifying and assessing supply chain risks
Many businesses rely on complex supply chains to deliver products or services. Identifying and assessing risks within these supply chains is crucial for operational resilience. Understanding dependencies and vulnerabilities in the supply chain ensures that organizations can respond effectively to disruptions, such as supplier failures or logistical challenges.
Resilience requires a holistic approach
Developing a best-practice operational resilience strategy involves a holistic approach, from identifying crucial business services to regularly testing and refining strategies. By following these steps, you can fortify your organization’s ability to adapt and thrive in the face of unforeseen challenges, ultimately safeguarding its long-term success – but, you need the right tools for the job.
Following this process using legacy systems like Excel spreadsheets quickly becomes untenable. Where manual efforts fall short, purpose-built resilience software can give you a 360-degree view of risks and opportunities and help you manage this ongoing process in the simplest way.
Resilience by Ansarada GRC
Connect data points across your entire organization to eliminate risk silos and improve organization-wide resilience with Ansarada GRC. With purpose-built tools for mapping your critical operations and resources, setting impact tolerances and running stringent scenario testing, you can manage all aspects of building resilience in a single, secure platform.
Book a demo today.jpg?height=180)
