Operational resilience 101
Learn how - and why - to drive operational resilience within your organisation.
What is operational resilience?
The global economy has faced challenges in recent years, such as supply chain disruption and regulatory upheaval. Though these are the specific concerns of the moment, they are really just the latest iterations of challenges that have occurred throughout history and will continue to occur.
No matter what the event, when there’s a disruption that impacts operations, companies have to be able to respond quickly and well. They may have to accelerate their digital transformation, make real-time decisions and pivot their operational practices rapidly. This is called operational resilience and it’s a critical component of a modern GRC framework.
Definition of operational resilience
The definition of operational resilience is: an entity's ability to “withstand and recover from shocks” (APRA). But in reality it’s far more complex, as it encompasses the ability to prepare for, prevent, detect, respond to, recover from and learn from disruptions to organisational operations.
This complexity means that as an organisation you will need to create an operational resilience framework that takes a holistic view of your business, operations, finances, governance, regulation and compliance and even information security. This full spectrum business mapping must be backed by stringent scenario testing and regular organisational assessments in order to ensure that your framework is robust enough to withstand the uncertain world that we operate in today.
Why is operational resilience important?
Shocks to your business will occur. It is inevitable.
Whether it’s an external shock, like a cyber attack or a pandemic, or an internal shock like a systems failure or personnel issue, understanding your organisation's vulnerabilities means you’ll be able to ride them out when they inevitably occur. And the better your operational resilience, the better your organisation will come out in the end, protecting your customers and putting you in a better strategic position into the future.
Operational resilience begins with understanding your organisation’s risks. While risk management is often undertaken by various teams in differing ways, to understand your operational risk you need to be able to view all these risks together as a whole, understanding how they will impact the entire organisation.
What is impact tolerance?
Impact tolerance is defined as, “the maximum tolerable level of disruption to an important business service, including the maximum tolerable duration of a disruption.” (Bank of England)
Impact tolerances embrace the notion that disruptive events will happen and set tolerance levels accordingly. For example, this would include examining the maximum acceptable downtime for key information technology systems. It would also include insight into when a particular threat could represent a risk to the organisation’s overall viability.
Recently there has been a great deal of chatter around impact tolerance and how it relates to operational resilience.
PricewaterhouseCoopers cautions against going down this path too far. The global consultancy warns that it could distract from the main goal of developing robust operational resilience solutions that allow an organisation to continue operating in the face of disruptions.
Despite PwC’s cautions, regulators are starting to expect organisations to have plans in place to enable them to resume important functions despite a major disruption. The UK regulator, Financial Conduct Authority, anticipates that all organisations governed by it will need to comply with impact tolerances by the second half of 2024, and the European Commission is consulting on similar issues.
Operational resilience vs business continuity management (BCM)
So what’s the difference between operational resilience and business continuity planning? They do feel similar, as both look at the best way to manage organisational risks. The main difference is that business continuity management focuses on short-term disruptions and maintaining critical services, while operational resilience takes a more holistic and proactive approach, addressing a wider range of risks.
What is business continuity management?
Business continuity management is essentially an organisation’s ability to continue operations when an unexpected crisis occurs. In a nutshell, it’s your immediate, short-term crisis management planning. It’s the actions, processes, and strategies you will implement.
How do BCM and operational resilience interact?
While business continuity management is a vital part of your organisation’s planning, operational resilience is the foundational element that will allow your organisation to continue to adapt to a changing environment in the long term.
So while business continuity management comes into play immediately, resilience helps you to continually change, adapt and improve, in order to keep pace with an ever-changing business environment.
- Example of business continuity management in action: When the world was suddenly thrust into remote working, organisations with a strong business continuity management plan made this change well.
- Example of operational resilience in action: As the world has continued to move in and out of the office, as regulations have been amended, employee and customer needs have changed and technology has advanced or been adapted, it has been operational resilience driving ongoing success for organisations.
How to achieve operational resilience
Resilience at an operational level requires that an organisation adopt certain behaviours and put specific operational resilience metrics in place. These include:
01 Shared vision and purpose
This empowers employees to succeed and increases morale, allowing your workforce to operate in the face of uncertainty and adversity.
02 The ability to absorb, adapt and respond to change
Your organisation must develop the ability to evolve in tandem with the business landscape.
03 Excellent governance, risk and compliance
A strong GRC management framework ensures you are on top of your operational (and other) risks.
04 Strong strategic operational management
This involves aligning your business structure and operations to the prevailing environment.
Operational Resilience framework
An operational resilience framework should be implemented that adopts and promotes those behaviours, as well as specific actions and processes. It should connect the dots between all your risk management and corporate governance activities. In particular, your organisation should focus on the five pillars of operational resilience below.
5 pillars of operational resilience
1. People resilience
Ensuring your governance, accountability and culture are building morale and empowering success within your organisation, and that your communication plans, between employees and all stakeholders, are robust enough to handle unexpected disruptions.
2. Systems resilience
Ensuring that your information and data are secure, as well as ensuring the physical security of tangible operational elements. In order to be adaptable, you will also want to continually assess your technology and build on your existing processes and systems so that you are prepared for the unexpected.
3. Financial resilience
Ensuring you have adequate operating capital, that your assets are sufficiently liquid and that you’re managing your finances prudently.
4. Regulatory resilience
Ensuring you maintain full compliance with regulatory requirements and can adapt to changing regulatory expectations. This includes understanding your third-party compliance requirements and delivering actionable reporting.
5. Structural resilience
Ensuring that you have solid legal and operational structures in place, and that they are clear to all stakeholders. It also involves learning from past experiences.
These pillars will enable your organisation to implement a framework to:
- Identify and protect itself from potential risks;
- Respond and adapt quickly to crises and disruptions;
- Minimise impact on customers and on the delivery of business-critical operations; and
- Maintain strong operations outside of the crisis or disruption.
How a GRC platform helps build operational resilience
Operational resilience begins and ends with understanding and managing risk, and a GRC platform like Drova helps you do that, including:
- Significantly improving the way GRC data is gathered, stored, curated and linked
- Creating a single source of GRC data and processes for the entire organisation
- Connecting data points across the entire organisation to eliminate risk silos and improve performance
- Enhancing GRC data flows to ensure fast and accurate reactions
- Automating GRC processes to reduce compliance and operational risks
- Managing GRC workflow
- Identifying and tracking regulation and emerging risks with automated news monitoring
- Embedding operational resilience processes within GRC, including assessments, tracking, linking risks and controls and more
- Enhancing overall control effectiveness
- Providing timely and accurate information to stakeholders, including reporting and financial information
- Undertaking scenario analysis to test 'what if' events