The global economy has faced challenges in recent years, such as supply chain disruption and regulatory upheavals. Though these are the specific concerns of the moment, they’re really just the latest iterations of challenges that have occurred throughout history and will continue to occur.
No matter what the event, when there’s a disruption that impacts operations, companies have to be able to respond quickly and well. They may have to accelerate their digital transformation, make real-time decisions and pivot their operational practices rapidly. This is called operational resilience and it’s a critical component of a modern GRC framework.
The definition of operational resilience is simple: an entity's ability to “withstand and recover from shocks” (APRA). But in reality it’s far more complex, as it encompasses the ability to prepare for, prevent, detect, respond to, recover from and learn from disruptions to organizational operations.
This complexity means that, as an organization, you will need to create an operational resilience framework that takes a holistic view of your business: operations, finances, governance, regulation and compliance, and information security. This full-spectrum business mapping must be backed by stringent scenario testing and regular organizational assessments to ensure that your framework is robust enough to withstand the uncertain world we operate in today.
Recently there has been a great deal of chatter around the notion of impact tolerance and how this relates to operational resilience. PricewaterhouseCoopers cautions against going down this path too far, as it is likely to become a distraction from the main goal of developing robust operational resilience solutions that will allow an organization to continue to operate in the face of disruptions.
However, it is a rising part of operational resilience. Impact tolerance is defined as, “the maximum tolerable level of disruption to an important business service, including the maximum tolerable duration of a disruption.”
Impact tolerances therefore embrace the notion that disruptive events will happen, and set tolerance levels accordingly. For example, this would include determining the maximum acceptable downtime for key information technology systems. It would also include understanding the metrics that indicate when this particular disruption (as well as all the others) would become a threat to the organization’s overall viability.
Despite PwC’s cautions, regulators are starting to expect organizations to have plans in place that enable them to resume important functions despite a major disruption. The UK regulator, the Financial Conduct Authority, anticipates that all organizations it governs will need to comply with impact tolerances by the second half of 2024, and the European Commission is consulting on similar issues.
Operational resilience begins with understanding your organization’s risks. While risk management is often undertaken by various teams in differing ways, to understand your operational risk you need to be able to view all these risks together as a whole, understanding how they will impact the entire organization.
Shocks to the business are inevitable. Whether it’s an external shock, like a cyber attack or a pandemic, or an internal shock, like a systems failure or a personnel issue, understanding your organization’s vulnerabilities means you’ll be able to ride them out when they occur. And the better your operational resilience, the better your organization will come out in the end, protecting your customers and putting you in a stronger strategic position for the future.
Operational resilience and business continuity management feel similar. After all, both are looking to organizational risks to determine the best way to manage them. But there is a difference.
Business continuity management is essentially an organization’s ability, and the processes put in place to support that ability, to continue operations when an unexpected crisis occurs. In a nutshell, it’s your immediate, short-term crisis management planning. It’s the actions you will take and the strategies you will implement.
While business continuity management is a vital part of your organization’s planning, operational resilience is the foundational element that will allow your organization to continue to adapt to a changing environment in the long term. So while business continuity management comes into play immediately, resilience helps you to continually change, adapt and improve, in order to keep pace with an ever-changing business environment.
When the world was suddenly thrust into remote working, organizations with a strong business continuity management plan made this change well. But as the world has continued to move in and out of the office, as regulations have been amended, employee and customer needs have changed and technology has advanced or been adapted, it has been operational resilience driving ongoing success for organizations.
Resilience at an operational level requires that an organization adopt certain behaviors and put specific operational resilience metrics in place. These include:
An operational resilience framework should be implemented that adopts and promotes those behaviors, as well as specific actions and processes. It should connect the dots between all your risk management and corporate governance activities. In particular, your organization should focus on five pillars of operational resilience:
These pillars will enable your organization to implement a framework to:
Operational resilience begins and ends with understanding and managing risk, and a GRC platform like TriLine GRC by Ansarada helps you do that, including: