Operational Resilience
The global economy has faced challenges in recent years–such as supply chain disruption and regulatory upheavals. Though these are specific concerns now, they’re really just iterations of challenges that have occurred over time, and will continue to do so.
No matter what the event, when there’s a disruption that impacts operations, companies have to be able to respond quickly and well. They may have to accelerate their digital transformation, make real-time decisions and pivot their operational practices rapidly. This is called operational resilience and it’s a critical component of a modern GRC framework.
What is operational resilience?
The definition of operational resilience is: an entity's ability to “withstand and recover from shocks” (APRA). But in reality it’s far more complex, as it encompasses the ability to prepare for, prevent, detect, respond to, recover from and learn from disruptions to organizational operations.
This complexity means that as an organization you will need to create an operational resilience framework that takes a holistic view of your business, operations, finances, governance, regulation and compliance and even information security. This full spectrum business mapping must be backed by stringent scenario testing and regular organizational assessments in order to ensure that your framework is robust enough to withstand the uncertain world that we operate in today.
What is impact tolerance?
Impact tolerance is defined as, “the maximum tolerable level of disruption to an important business service, including the maximum tolerable duration of a disruption.” (Bank of England)
Impact tolerances embrace the notion that disruptive events will happen and set tolerance levels accordingly. For example, this would include examining the maximum acceptable downtime for key information technology systems. It would also include insight into when a particular threat could represent a risk to the organization’s overall viability.
Recently there has been a great deal of chatter around impact tolerance and how it relates to operational resilience. PricewaterhouseCoopers cautions against going down this path too far. The global consultancy warns that it could distract from the main goal of developing robust operational resilience solutions that allow an organization to continue operating in the face of disruptions.
Despite PwC’s cautions, regulators are starting to expect organizations to have plans in place to enable them to resume important functions despite a major disruption. The UK regulator, Financial Conduct Authority, anticipates that all organizations governed by it will need to comply with impact tolerances by the second half of 2024, and the European Commission is consulting on similar issues.
Why is operational resilience important to your organization?
Shocks will occur to business. It is inevitable. Whether it’s an external shock, like a cyber attack or a pandemic, or an internal shock like a systems failure or personnel issue, understanding your organization's vulnerabilities means you’ll be able to ride them out when they inevitably occur. And the better your operational resilience, the better your organization will come out in the end, protecting your customers and putting you in a better strategic position into the future.
Operational resilience begins with understanding your organization’s risks. While risk management is often undertaken by various teams in differing ways, to understand your operational risk you need to be able to view all these risks together as a whole, understanding how they will impact the entire organization.
See also:
Operational resilience vs business continuity management
So what’s the difference between operational resilience and business continuity planning? They do feel similar, as both look at the best way to manage organizational risks. The main difference is that business continuity management focuses on short-term disruptions and maintaining critical services, while operational resilience takes a more holistic and proactive approach, addressing a wider range of risks.
What is business continuity management?
Business continuity management is essentially an organization’s ability to continue operations when an unexpected crisis occurs. In a nutshell, it’s your immediate, short-term crisis management planning. It’s the actions, processes, and strategies you will implement.
How do business continuity and operational resilience interact?
While business continuity management is a vital part of your organization’s planning, operational resilience is the foundational element that will allow your organization to continue to adapt to a changing environment in the long term. So while business continuity management comes into play immediately, resilience helps you to continually change, adapt and improve, in order to keep pace with an ever-changing business environment.
When the world was suddenly thrust into remote working, organizations with a strong business continuity management plan made this change well.
Example of business continuity management in action:
When the world was suddenly thrust into remote working, organizations with a strong business continuity management plan made this change well.
Example of operational resilience in action:
As the world has continued to move in and out of the office, as regulations have been amended, employee and customer needs have changed and technology has advanced or been adapted, it has been operational resilience driving ongoing success for organizations.
How to achieve operational resilience
Resilience at an operational level requires that an organization adopt certain behaviors and put specific operational resilience metrics in place. These include:
- Shared vision and purpose. This empowers employees’ success and increases morale, allowing your workforce to operate in the face of uncertainty and adversity.
- The ability to absorb, adapt and respond to change. Your organization must develop the ability to evolve in tandem with the business landscape.
- Excellent governance, risk and compliance (GRC). A strong GRC management framework ensures you’re on top of your operational (and other) risks.
- Strong strategic operational management. This involves aligning your business structure and operations to the prevailing environment.
Operational Resilience Framework
An operational resilience framework should be implemented that adopts and promotes those behaviors, as well as specific actions and processes. It should connect the dots between all your risk management and corporate governance activities. In particular, your organization should focus on five pillars of operational resilience:
5 Pillars of Operational Resilience
- People resilience. Ensuring your governance, accountability and culture are building morale and empowering success within your organization, and that your communication plans, between employees and all stakeholders, are robust enough to handle unexpected disruptions.
- Systems resilience. Ensuring that your cyber information and data is secure, as well as ensuring the physical security of tangible operational elements. In order to be adaptable, you’ll also want to continually assess your technology and build on your existing processes and systems so that you’re prepared for the unexpected.
- Financial resilience. Ensuring you have adequate operating capital, that your assets are sufficiently liquid and that you’re managing your finances prudently.
- Regulatory resilience. Ensuring you maintain full compliance with regulatory requirements and can adapt to changing regulatory expectations. This includes understanding your third party compliance requirements and delivering actionable reporting.
- Structural resilience. Ensuring that you have solid legal and operational structures in place, and that they are clear to all stakeholders. It also involves learning from past experiences.
These pillars will enable your organization to implement a framework to:
- Identify and protect itself from potential risks;
- Respond and adapt quickly to crises and disruptions;
- Minimize impact on customers and on the delivery of business-critical operations; and
- Maintain strong operations outside of the crisis or disruption.
How a GRC platform helps build operational resilience
Operational resilience begins and ends with understanding and managing risk, and a GRC platform like TriLine GRC by Ansarada helps you do that, including:
- Significantly improving the way GRC data is gathered, stored, curated and linked
- Creating a single source of GRC data and processes for the entire organization
- Connecting data points within the entire organization to eliminate risk silos and improve organization-wide understanding
- Enhancing GRC data flows to ensure fast and accurate reactions
- Automating GRC processes to reduce compliance and operational risks
- Managing GRC workflow
- Identifying and tracking regulation and emerging risks with automated news monitoring
- Embedding operational resilience processes within GRC, including assessments, tracking, linking risks and controls and more
- Enhancing overall control effectiveness
- Providing timely and accurate information to stakeholders, including reporting and financial information
- Undergoing scenarios analysis to test ‘what if’ events