The global economy has faced challenges in recent years, such as supply chain disruption and regulatory upheaval. Though these are the specific concerns of the moment, they are really just the latest iterations of challenges that have recurred over time and will continue to recur.
No matter what the event, when there’s a disruption that impacts operations, companies have to be able to respond quickly and well. They may have to accelerate their digital transformation, make real-time decisions and pivot their operational practices rapidly. This is called operational resilience and it’s a critical component of a modern GRC framework.
Regulators define operational resilience tersely: the Australian Prudential Regulation Authority (APRA) calls it an entity's ability to “withstand and recover from shocks”. In practice it is far more complex, as it encompasses the ability to prepare for, prevent, detect, respond to, recover from and learn from disruptions to organizational operations.
This complexity means that, as an organization, you will need to create an operational resilience framework that takes a holistic view of your business, operations, finances, governance, regulation and compliance, and information security. This full-spectrum business mapping must be backed by stringent scenario testing and regular organizational assessments to ensure that your framework is robust enough to withstand the uncertain world we operate in today.
Impact tolerance is defined as, “the maximum tolerable level of disruption to an important business service, including the maximum tolerable duration of a disruption.” (Bank of England)
Impact tolerances embrace the notion that disruptive events will happen and set tolerance levels accordingly. For example, this would include examining the maximum acceptable downtime for key information technology systems. It would also include insight into when a particular threat could represent a risk to the organization’s overall viability.
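To make the idea concrete, the following is an added example (not code from the original page, nor from Ansarada or TriLine GRC) of how a team might check recorded disruptions against impact tolerances. The service names, tolerance values and incident records are constructed for illustration; a real deployment would pull the incidents from an incident-management system. It flags two kinds of breach: a single disruption longer than the maximum tolerable duration, and cumulative disruption within a look-back window that exceeds the aggregate limit, clipping disruptions that straddle the window edge so only time inside the window counts.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ImpactTolerance:
    """Tolerance for one important business service (assumed example values)."""
    service: str
    max_single_outage: timedelta   # longest acceptable single disruption
    max_total_outage: timedelta    # acceptable cumulative disruption within `window`
    window: timedelta              # look-back period for the cumulative figure


@dataclass(frozen=True)
class Disruption:
    """One recorded disruption of a service (constructed sample record)."""
    service: str
    start: datetime
    end: datetime

    @property
    def duration(self) -> timedelta:
        return self.end - self.start


@dataclass(frozen=True)
class Breach:
    service: str
    kind: str            # "single" or "aggregate"
    observed: timedelta
    limit: timedelta


def check_tolerances(tolerances, disruptions, as_of):
    """Compare recorded disruptions against impact tolerances.

    Raises a "single" breach when one disruption exceeds max_single_outage and
    an "aggregate" breach when the disruption time falling inside the look-back
    window exceeds max_total_outage. Disruptions straddling the window edge are
    clipped so that only the part inside the window is counted.
    """
    breaches = []
    for tol in tolerances:
        window_start = as_of - tol.window
        in_window = [
            d for d in disruptions
            if d.service == tol.service and d.end > window_start and d.start < as_of
        ]
        for d in in_window:
            if d.duration > tol.max_single_outage:
                breaches.append(Breach(tol.service, "single", d.duration, tol.max_single_outage))
        total = sum(
            (min(d.end, as_of) - max(d.start, window_start) for d in in_window),
            timedelta(),
        )
        if total > tol.max_total_outage:
            breaches.append(Breach(tol.service, "aggregate", total, tol.max_total_outage))
    return breaches


# Constructed sample tolerances and incident records (assumed values, not real data).
TOLERANCES = [
    ImpactTolerance("payments", timedelta(hours=2), timedelta(hours=4), timedelta(days=30)),
    ImpactTolerance("customer-portal", timedelta(hours=8), timedelta(hours=24), timedelta(days=30)),
]
DISRUPTIONS = [
    Disruption("payments", datetime(2024, 5, 3, 9, 0), datetime(2024, 5, 3, 12, 30)),
    Disruption("payments", datetime(2024, 5, 10, 1, 0), datetime(2024, 5, 10, 2, 0)),
    Disruption("customer-portal", datetime(2024, 5, 1, 0, 0), datetime(2024, 5, 1, 6, 0)),
    # Older than the 30-day window as of AS_OF, so it must not count.
    Disruption("customer-portal", datetime(2024, 3, 1, 0, 0), datetime(2024, 3, 2, 0, 0)),
]
AS_OF = datetime(2024, 5, 20)


if __name__ == "__main__":
    for b in check_tolerances(TOLERANCES, DISRUPTIONS, AS_OF):
        print(f"{b.service}: {b.kind} breach, observed {b.observed}, limit {b.limit}")
```

Run as a script it reports two breaches for the payments service (a 3.5-hour single outage against a 2-hour limit, and 4.5 hours cumulative against a 4-hour limit) and none for the customer portal, whose 24-hour outage falls outside the look-back window. The aggregate check matters because a tolerance set only on single outages can be quietly exceeded by many short ones.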
Recently there has been a great deal of chatter around impact tolerance and how it relates to operational resilience. PricewaterhouseCoopers cautions against going down this path too far. The global consultancy warns that it could distract from the main goal of developing robust operational resilience solutions that allow an organization to continue operating in the face of disruptions.
Despite PwC’s cautions, regulators are starting to expect organizations to have plans in place to enable them to resume important functions despite a major disruption. The UK regulator, Financial Conduct Authority, anticipates that all organizations governed by it will need to comply with impact tolerances by the second half of 2024, and the European Commission is consulting on similar issues.
Shocks to the business are inevitable. Whether the shock is external, like a cyber attack or a pandemic, or internal, like a systems failure or a personnel issue, understanding your organization's vulnerabilities means you will be able to ride it out when it occurs. And the better your operational resilience, the better your organization will come out in the end, protecting your customers and leaving you in a stronger strategic position for the future.
Operational resilience begins with understanding your organization’s risks. While risk management is often undertaken by various teams in differing ways, to understand your operational risk you need to be able to view all these risks together as a whole, understanding how they will impact the entire organization.
So what’s the difference between operational resilience and business continuity planning? They do feel similar, as both look at the best way to manage organizational risks. The main difference is that business continuity management focuses on short-term disruptions and maintaining critical services, while operational resilience takes a more holistic and proactive approach, addressing a wider range of risks.
Business continuity management is essentially an organization’s ability to continue operations when an unexpected crisis occurs. In a nutshell, it’s your immediate, short-term crisis management planning. It’s the actions, processes, and strategies you will implement.
While business continuity management is a vital part of your organization’s planning, operational resilience is the foundational element that will allow your organization to continue to adapt to a changing environment in the long term. So while business continuity management comes into play immediately, resilience helps you to continually change, adapt and improve, in order to keep pace with an ever-changing business environment.
Example of business continuity management in action:
When the world was suddenly thrust into remote working, organizations with a strong business continuity management plan made this change well.
Example of operational resilience in action:
As the world has continued to move in and out of the office, as regulations have been amended, employee and customer needs have changed and technology has advanced or been adapted, it has been operational resilience driving ongoing success for organizations.
Resilience at an operational level requires that an organization adopt certain behaviors and put specific operational resilience metrics in place. These include:
An operational resilience framework should be implemented that adopts and promotes those behaviors, as well as specific actions and processes. It should connect the dots between all your risk management and corporate governance activities. In particular, your organization should focus on five pillars of operational resilience:
These pillars will enable your organization to implement a framework to:
Operational resilience begins and ends with understanding and managing risk, and a GRC platform like TriLine GRC by Ansarada helps you do that, including: