Operational Resilience

Learn how to drive operational resilience within your organization.

The global economy has faced challenges in recent years–such as supply chain disruption and regulatory upheavals. Though these are specific concerns now, they’re really just iterations of challenges that have occurred over time, and will continue to do so. 

No matter what the event, when there’s a disruption that impacts operations, companies have to be able to respond quickly and well. They may have to accelerate their digital transformation, make real-time decisions and pivot their operational practices rapidly. This is called operational resilience and it’s a critical component of a modern GRC framework

What is Operational Resilience?

What is Operational Resilience?

The definition of operational resilience is simple: an entity's ability to “withstand and recover from shocks” (APRA). But in reality it’s far more complex, as it encompasses the ability to prepare for, prevent, detect, respond to, recover from and learn from disruptions to organizational operations. 

This complexity means that as an organization you will need to create an operational resilience framework that takes a holistic view of your business, operations, finances, governance, regulation and compliance and even information security. This full spectrum business mapping must be backed by stringent scenario testing and regular organizational assessments in order to ensure that your framework is robust enough to withstand the uncertain world that we operate in today.

What is Impact Tolerance?

What is Impact Tolerance?

Recently there has been a great deal of chatter around the notion of impact tolerance and how this relates to operational resilience. PricewaterhouseCoopers cautions against going down this path too far, as it is likely to become a distraction from the main goal of developing robust operational resilience solutions that will allow an organization to continue to operate in the face of disruptions. 

However, it is a rising part of operational resilience. Impact tolerance is defined as, “the maximum tolerable level of disruption to an important business service, including the maximum tolerable duration of a disruption.” 

Impact tolerances then embrace the notion that disruptive events will happen and set the tolerance levels accordingly. For example, this would include examining the maximum acceptable downtime for key information technology systems. It would also include understanding the metrics for when this particular threat (as well as all the others) would represent a threat to that organization’s overall viability. 

Despite PwC’s cautions, regulators are starting to expect organizations to have plans in place to enable them to resume important functions despite a major disruption. The UK regulator, Financial Conduct Authority, anticipates that all organizations governed by it will need to comply with impact tolerances by the second half of 2024, and the European Commission is consulting on similar issues. 

Why is Operational Resilience Important to Your Organization?

Why is Operational Resilience Important to Your Organization?

Operational resilience begins with understanding your organization’s risks. While risk management is often undertaken by various teams in differing ways, to understand your operational risk you need to be able to view all these risks together as a whole, understanding how they will impact the entire organization. 

Shocks will occur to business. It is inevitable. Whether it’s an external shock, like a cyber attack or a pandemic, or an internal shock like a systems failure or personnel issue, understanding your organization's vulnerabilities means you’ll be able to ride them out when they inevitably occur. And the better your operational resilience, the better your organization will come out in the end, protecting your customers and putting you in a better strategic position into the future. 

See also: Enterprise Risk Management

Operational Resilience vs Business Continuity Management


Operational resilience and business continuity management feel similar. After all, both are looking to organizational risks to determine the best way to manage them. But there is a difference. 
 

What is Business Continuity Management?


Business continuity management is essentially an organization’s ability, and the processes put in place to support that ability, to continue operations when an unexpected crisis occurs. In a nutshell, it’s your immediate, short-term crisis management planning. It’s the actions you will take and the strategies you will implement. 

 

Business Continuity and Operational Resilience


While business continuity management is a vital part of your organization’s planning, operational resilience is the foundational element that will allow your organization to continue to adapt to a changing environment in the long term. So while business continuity management comes into play immediately, resilience helps you to continually change, adapt and improve, in order to keep pace with an ever-changing business environment.

When the world was suddenly thrust into remote working, organizations with a strong business continuity management plan made this change well. But as the world has continued to move in and out of the office, as regulations have been amended, employee and customer needs have changed and technology has advanced or been adapted, it has been operational resilience driving ongoing success for organizations. 

How to Achieve Operational Resilience
 

Resilience at an operational level requires that an organization adopt certain behaviors and put specific operational resilience metrics in place. These include:

  • Shared vision and purpose. This empowers employees’ success and increases morale, allowing your workforce to operate in the face of uncertainty and adversity. 
  • The ability to absorb, adapt and respond to change. Your organization must develop the ability to evolve in tandem with the business landscape. 
  • Excellent governance, risk and compliance (GRC). A strong GRC management framework ensures you’re on top of your operational (and other) risks. 
  • Strong strategic operational management. This involves aligning your business structure and operations to the prevailing environment. 
     

Operational Resilience Framework 

An operational resilience framework should be implemented that adopts and promotes those behaviors, as well as specific actions and processes. It should connect the dots between all your risk management and corporate governance activities. In particular, your organization should focus on five pillars of operational resilience:

 

5 Pillars of Operational Resilience

 

  1. People resilience. Ensuring your governance, accountability and culture are building morale and empowering success within your organization, and that your communication plans, between employees and all stakeholders, are robust enough to handle unexpected disruptions. 
  2. Systems resilience. Ensuring that your cyber information and data is secure, as well as ensuring the physical security of tangible operational elements. In order to be adaptable, you’ll also want to continually assess your technology and build on your existing processes and systems so that you’re prepared for the unexpected. 
  3. Financial resilience. Ensuring you have adequate operating capital, that your assets are sufficiently liquid and that you’re managing your finances prudently.
  4. Regulatory resilience. Ensuring you maintain full compliance with regulatory requirements and can adapt to changing regulatory expectations. This includes understanding your third party compliance requirements and delivering actionable reporting. 
  5. Structural resilience. Ensuring that you have solid legal and operational structures in place, and that they are clear to all stakeholders. It also involves learning from past experiences.

These pillars will enable your organization to implement a framework to:

  • Identify and protect itself from potential risks; 
  • Respond and adapt quickly to crises and disruptions;
  • Minimize impact on customers and on the delivery of business-critical operations; and
  • Maintain strong operations outside of the crisis or disruption.
operational resilience

How a GRC Platform Helps Build Operational Resilience


Operational resilience begins and ends with understanding and managing risk, and a GRC platform like TriLine GRC by Ansarada helps you do that, including:

  • Significantly improving the way GRC data is gathered, stored, curated and linked
  • Creating a single source of GRC data and processes for the entire organization
  • Connecting data points within the entire organization to eliminate risk silos and improve organization-wide understanding
  • Enhancing GRC data flows to ensure fast and accurate reactions
  • Automating GRC processes to reduce compliance and operational risks
  • Managing GRC workflow
  • Identifying and tracking regulation and emerging risks with automated news monitoring
  • Embedding operational resilience processes within GRC, including assessments, tracking, linking risks and controls and more
  • Enhancing overall control effectiveness
  • Providing timely and accurate information to stakeholders, including reporting and financial information
  • Undergoing scenarios analysis to test ‘what if’ events

Build your Operational Resilience framework

Identify important business services, set impact tolerances, and map all of them in an easy-to-use dashboard view with TriLine GRC by Ansarada.
Download the brochureBook a demo