Building a Robust Operational Resilience Strategy

We live in an interconnected global economy and worldwide marketplace. Increasingly we’re seeing new and rising risks to business operational resilience that span those connections. These risks are things we’ve never encountered before – and that makes them difficult, if not impossible, to predict. Our global interdependence compounds the impacts of these risks as well. 

We have to accept that there will be disruptions to our operations. And because of that, every organization must be prepared with a robust operational resilience strategy to see you through that disruption.

What are the essential components of operational resilience? 

Operational resilience hasn’t always been on the radar for organizations, but now it’s widely accepted to be a vital part of enterprise risk management. In fact, the Prudential Regulation Authority (PRA) and the UK Financial Conduct Authority (FCA) have formed an extensive regulatory framework around operational resilience, which came into force on 31 March 2022.

The essential components of operational resilience form the bedrock of your resulting operational resilience strategy, and will support your organization’s ability to detect, withstand and recover from inevitable shocks when they occur. 

The essential components of operational resilience
 

1. Full spectrum business mapping. You need holistic visibility of your business, operations, finances, corporate governance, regulation and compliance and even information security to accurately identify and manage potential threats and disruptions and minimize the impact on customers.
2. Stringent scenario testing. Your business mapping must be backed by stringent and innovative scenario testing, which recognises that unknown risks and disruptions are inevitable.
3. Creation and implementation of impact tolerances. Impact tolerances help you to understand the maximum tolerable level of disruption to your key business services, including the maximum tolerable duration of a disruption.
4. Regular organizational assessments. Consistent risk assessments ensure that your framework is robust enough to withstand the uncertain world that we operate in today.

Why is operational resilience important to your organization?

These elements are vital to your operational resilience, and operational resilience is vital to understanding your organization’s risks as a whole—and how they impact your business. At the end of the day, the stronger your operational resilience, the better your organization will respond to rising threats and disruptions. This protects your business and your customers, and puts you in a better strategic position in the future. 

Learn more: Operational Resilience Examples
 

How to build a robust operational resilience strategy

Building a robust operational resilience strategy at an organizational level requires that your organization adopt certain behaviors and put specific protocols and processes in place. Your strategy should connect the dots between all your risk management and corporate governance activities and be built around the five pillars of operational resilience.

Steps to build your operational resilience strategy

Now it’s time to build out your own customized operational resilience strategy using the following  steps:


Step 1: Define your key business services

In step 1, you’ll need to define the services that are central to the operation of your business. These are the services that, if they were disrupted, could cause damage to your viability or to your consumers or the business environment as a whole. This first step is vital to get right since every subsequent step rests on its correct implementation.

To complete this step, you’ll undertake your holistic business mapping, integrate your business objectives and align them with your organization’s risk appetite and tolerance. This will help you to identify the services that are truly critical to your business objectives, as well as the processes, systems, human resources, and other related stakeholders that support the interplay of your services and objectives. 

A GRC compliance software system, such as TriLine GRC by Ansarada can help you to uncover and build out the relational data that will allow you to better map your key business services, align your organizational objectives, resource your human power and create a stronger risk and compliance management strategy.

Step 2: Define impact tolerances 

Defining your impact tolerances is necessary to understand the risks and disruption levels that your organization is equipped to handle. As such, it informs every subsequent element of your operational resilience strategy. To define your impact tolerances you should blend enterprise risk, actuarial, and modeling with data and resilience expertise in order to deliver a fully integrated system that ties operational risk, risk transfer, and resilience capabilities together. 

Step 3: Map your dependencies

Today’s organizations are highly dependent on third-party suppliers, providers, and outsourcers, as well as primary clients and industries. Understanding these upstream and downstream dependencies is critical to building a resilient business model.

A mapping tool will allow you to gain a single overview of the dependencies across your organization. This will prepare you for the next steps you need to take in your strategy formulation.
 

Step 4: Wide-ranging scenario testing
 

Scenario testing is the next step in your strategy implementation. Scenario-based testing must obtain data from every level and every team within your organization to ensure that a broad range of cross-organizational information is available. This can be done via questionnaires, interviews, simulations, expert roundtable discussions, and other industry and market research.

The information and data that you collect will allow your risk management teams (including business continuity, crisis management, disaster response, and recovery teams) to understand the weak links in their resilience plan, set protocols for responding to a variety of different complex external and internal threats and disruptions, and test methods for responding to those threats. The end result is a stronger, operationally resilient organization. 

Step 5: Communication plan

Your organization’s ability to communicate effectively in times of crisis, change, or disruption is an integral part of risk management generally, but also to your operational resilience strategy. This communication plan needs to embrace both your internal and external stakeholders to give each relevant party clarity around the disruption, how it’s being managed or rectified, and any other information that’s important to that stakeholder individually.

As part of this process you’ll need to map your stakeholders so you understand where to focus and how to frame your communications. Each of these stakeholders will have more or less importance depending on what disruption occurs, and your communication plan will need to be able to respond flexibly to those various scenarios. However, it should always include regulators who will want to understand your impact tolerances and mitigation efforts, which should be included in your plan.

Learn more: Operational Resilience in Financial Services

How a GRC platform will help build your operational resilience strategy

Operational resilience begins and ends with understanding and managing risk, and a platform like TriLine GRC by Ansarada helps you do that. Think of it as operational resilience software, aiding you to:

• Gather the data you need to define your key business services by significantly improving the way GRC data is gathered, stored, curated and linked and compiling it into a single source for the entire organization
• Review data and processes to define your impact tolerances within the entire organization by connecting data points to eliminate risk silos and improve organization-wide understanding
• Enable richer scenario testing via analysis to test ‘what if’ events
• Identify and track regulations and emerging risks with automated news monitoring and provide timely and accurate information to stakeholders, including reporting and financial information
• Enhance your communications via fast and accurate reactions to GRC data flows and the efficient management of GRC workflow