ABC’s of Operational Resilience Part 1: What is Operational Resilience in 5 key insights

In the first of our ABC’s of Operational Resilience series, we look at what operational resilience is, who it’s relevant for, why it’s so crucial, and key terms to understand.

By Ansarada, Wed Oct 25 2023

1. What is operational resilience?


Put simply, operational resilience is the capability of organizations to effectively withstand and adapt to disruption. It is the overall ability to deliver important business services, even during challenging times.
 
Disruption can come in many forms, including cybersecurity threats and data breaches, pandemics, extreme weather events, geopolitical conflicts, climate change, and economic upheavals. In an increasingly uncertain world, it's not a matter of if these disruptions will occur, but rather when.
 
Unfortunately, most companies are ill-prepared to handle such challenges. Data from BCG shows that only 10% of organizations exhibit true resilience and are thriving in the face of disruptions. When any disruptive event impacts their operations, companies must be able to respond swiftly and effectively. This response may involve accelerating their digital transformation efforts, making real-time decisions, and rapidly adjusting their operational strategies.
 
This capability to adapt and withstand adversity is what we define as Operational Resilience. It’s critical for all businesses, and it’s a critical component of a modern Governance, Risk & Compliance (GRC) framework.
 
While the ability to prevent and bounce back from any disruption sounds relatively simple, in reality it’s far more complex, as it encompasses the ability to prepare for, prevent, detect, respond to, recover from and learn from disruptions to organizational operations. This requires a holistic view of your business, operations, finances, governance, regulation and compliance, and information security, which is where modern-day operational resilience software becomes such an important tool.
 

Definitions from regulators

 
Financial Conduct Authority (FCA)

In the UK, the FCA defines operational resilience as ‘the ability of firms, financial market intermediaries (FMIs), and the financial sector as a whole to prevent, adapt, respond to, recover and learn from operational disruptions.’
 
Australian Prudential Regulation Authority (APRA)

According to APRA, operational resilience refers to ‘how well an organization can continue providing goods or services when faced with a sudden shock to its normal operating environment – such as COVID-19.’
 
Digital Operational Resilience Act (DORA)

In Europe, DORA creates a regulatory framework on digital operational resilience whereby all firms need to make sure they can withstand, respond to and recover from all types of disruptions and threats related to information and communications technology.
 

How is operational resilience different from business continuity?


Business continuity planning (BCP) is an organization’s ability to continue operations when an unexpected crisis occurs. In a nutshell, it’s your immediate, short-term crisis management planning. It’s the actions, processes, and strategies you will implement.
 
While both operational resilience and business continuity planning address the best way to manage operational risks, the main difference is that business continuity focuses on short-term disruptions and maintaining critical services, while operational resilience takes a more holistic and proactive approach, addressing a much wider range of risks.
 
While business continuity planning is a vital part of your organization’s planning, operational resilience is the foundational element that will allow your organization to continue to adapt to a changing environment in the long term. Business continuity planning comes into play immediately, but resilience helps you to continually change, adapt and improve, to keep pace with the ever-changing business environment.
 

2. Who is operational resilience relevant for?


Operational resilience is relevant and important to every business, regardless of size or industry, and should form an integral part of an organization’s GRC framework.
 
While larger organizations typically have more resources to invest in resilience, Small and Medium-sized Enterprises (SMEs) are also vulnerable to disruptions. They need to develop practical strategies to maintain their operations during adverse events.
 
Similarly, any organization that relies on external suppliers, partners, or vendors must consider operational resilience, as disruptions in their supply chain or service providers can affect their operations.
 
Operational resilience has particular importance for Financial Services firms, which are highly regulated and face significant operational risks. Building resilience is crucial to ensure the stability of financial markets and protect the interests of customers and investors. That’s why – in recent years – regulatory bodies such as the FCA in the UK and APRA in Australia have mandated new standards for operational resilience.
 
 

3. Why is operational resilience so important now?

Ongoing pandemic implications, market uncertainty, economic volatility, supply chain struggles, talent shortages, cybersecurity and climate risk are all concerning global trends for businesses to watch into 2024 and beyond. In today's business environment, even the best-laid plans can fail.
 
It’s no longer good enough to have a disaster recovery plan, ISO accreditation and yearly audits. Today, those checks are the absolute minimum baseline. Compliance standards do not consider specifics such as the organization’s business model, strategy, and value proposition. Being merely compliance-driven does not guarantee an increase in resilience, nor does it help build governance processes that are fit for purpose.
 
The combination of COVID-19, the rise in the frequency and magnitude of other major shocks, and attention from financial services regulators has placed operational resilience firmly in the spotlight.

Operational resilience remains one of the top supervisory priorities for regulators around the world. 
 

4. Understanding key operational resilience terms 


What are Important Business Services?

‘Important business services’ (also called ‘critical operations’) refer to the core services or functions within an organization. These are the services that are essential for the business to continue operating. Safeguarding and maintaining them is crucial, as disruptions to any of these services can greatly affect a company's ability to deliver value. Identifying these services is step one.



What is Impact Tolerance?

According to the Bank of England, impact tolerance is defined as ‘the maximum tolerable level of disruption to an important business service, including the maximum tolerable duration of a disruption.’

As an example, this could include examining the maximum acceptable downtime for key information technology systems. It could also include insight into when a particular threat could represent a risk to the organization’s overall viability. In other words, impact tolerance accepts that disruptive events will happen to and within an organization. It requires your organization to determine how much disruption you can actually withstand, and for how long.

 

What is Scenario Testing?

Scenario testing is a way to put those impact tolerances to the test in a safe environment that mimics possible real-life situations. It helps companies prepare for plausible and relevant disruptions like power outages, cyberattacks, or natural disasters by testing how their most important services will hold up in those scenarios.

 

5. How can you build resilience in your organization?


As an organization, you will need to create an operational resilience framework that takes a holistic view of your business, operations, finances, governance, regulation and compliance and even information security.
 
This full-spectrum business mapping must be backed by stringent scenario testing and regular organizational assessments to ensure that your framework is robust enough to withstand the uncertain world that we operate in today.
 
That’s no easy task.
 
The new Operational Resilience module from Ansarada GRC brings order to the chaos by providing an integrated, 360-degree view of your critical business processes, with the ability to set impact tolerances and conduct robust scenario testing. We’ll help you create a resilient and responsible organization that provides the peace of mind that you can prevent and bounce back from any disruption.