Building a robust operational resilience strategy
Your operational resilience strategy will mitigate risk and drive opportunities into the future. Learn how.
What are the essential components of operational resilience?
We live in an interconnected global economy and worldwide marketplace. Increasingly we’re seeing new and rising risks to business operational resilience that span those connections. These risks are things we’ve never encountered before – and that makes them difficult, if not impossible, to predict. Our global interdependence compounds the impacts of these risks as well.
We have to accept that there will be disruptions to our operations. Because of that, every organisation must be prepared with a robust operational resilience strategy to see it through that disruption.
Operational resilience hasn’t always been on the radar for organisations, but now it’s widely accepted to be a vital part of enterprise risk management. In fact, the Prudential Regulation Authority (PRA) and the UK Financial Conduct Authority (FCA) have formed an extensive regulatory framework around operational resilience, which came into force on 31 March 2022.
The essential components of operational resilience below form the bedrock of your resulting operational resilience strategy, and will support your organisation’s ability to detect, withstand and recover from inevitable shocks when they occur.
01 Full spectrum business mapping
You need holistic visibility of your business, operations, finances, corporate governance, regulation and compliance and even information security to accurately identify and manage potential threats and disruptions and minimise the impact on customers.
02 Stringent scenario testing
Your business mapping must be backed by stringent and innovative scenario testing, which recognises that unknown risks and disruptions are inevitable.
03 Creation & implementation of impact tolerances
Impact tolerances help you to understand the maximum tolerable level of disruption to your key business services, including the maximum tolerable duration of a disruption.
04 Regular organisational assessments
Consistent risk assessments ensure that your framework is robust enough to withstand the uncertain world that we operate in today.
Why is operational resilience important to your organisation?
These elements are vital to your operational resilience, and operational resilience is vital to understanding your organisation’s risks as a whole—and how they impact your business. At the end of the day, the stronger your operational resilience, the better your organisation will respond to rising threats and disruptions. This protects your business and your customers, and puts you in a better strategic position in the future.
How to build a robust operational resilience strategy
Building a robust operational resilience strategy at an organisational level requires that your organisation adopt certain behaviours and put specific protocols and processes in place. Your strategy should connect the dots between all your risk management and corporate governance activities and be built around the five pillars of operational resilience.
1. People resilience
Ensuring your governance, accountability and culture are building morale and empowering success within your organisation, and that your communication plans, between employees and all stakeholders, are robust enough to handle unexpected disruptions.
2. Systems resilience
Ensuring that your cyber information and data are secure, as well as ensuring the physical security of tangible operational elements. In order to be adaptable, you'll also want to continually assess your technology and build on your existing processes and systems to be prepared for the unexpected.
3. Financial resilience
Ensuring you have adequate operating capital, that your assets are sufficiently liquid and that you're managing your finances prudently.
4. Regulatory resilience
Ensuring you maintain full compliance with regulatory requirements and can adapt to changing regulatory expectations. This includes understanding your third-party compliance requirements and delivering actionable reporting.
5. Structural resilience
Ensuring that you have solid legal and operational structures in place, and that they are clear to all stakeholders. It also involves learning from past experiences.
5 steps to build your operational resilience strategy
1. Define your key business services
In step 1, you’ll need to define the services that are central to the operation of your business. These are the services that, if they were disrupted, could cause damage to your viability or to your consumers or the business environment as a whole. This first step is vital to get right since every subsequent step rests on its correct implementation.
To complete this step, you’ll undertake your holistic business mapping, integrate your business objectives and align them with your organisation’s risk appetite and tolerance. This will help you to identify the services that are truly critical to your business objectives, as well as the processes, systems, human resources, and other related stakeholders that support the interplay of your services and objectives.
A GRC compliance software system like Drova can help you to uncover and build out the relational data that will allow you to better map your key business services, align your organisational objectives, resource your human power and create a stronger risk and compliance management strategy.
2. Define impact tolerances
Defining your impact tolerances is necessary to understand the risks and disruption levels that your organisation is equipped to handle. As such, it informs every subsequent element of your operational resilience strategy.
To define your impact tolerances you should blend enterprise risk, actuarial, and modelling with data and resilience expertise in order to deliver a fully integrated system that ties operational risk, risk transfer, and resilience capabilities together.
3. Map your dependencies
Today’s organisations are highly dependent on third-party suppliers, providers, and outsourcers, as well as primary clients and industries. Understanding these upstream and downstream dependencies is critical to building a resilient business model.
A mapping tool will allow you to gain a single overview of the dependencies across your organisation. This will prepare you for the next steps you need to take in your strategy formulation.
4. Conduct wide-ranging scenario testing
Scenario testing is the next step in your strategy implementation. Scenario-based testing must obtain data from every level and every team within your organisation to ensure that a broad range of cross-organisational information is available. This can be done via questionnaires, interviews, simulations, expert roundtable discussions, and other industry and market research.
The information and data that you collect will allow your risk management teams (including business continuity, crisis management, disaster response, and recovery teams) to understand the weak links in their resilience plan, set protocols for responding to a variety of different complex external and internal threats and disruptions, and test methods for responding to those threats. The end result is a stronger, operationally resilient organisation.
5. Develop a communication plan
Your organisation’s ability to communicate effectively in times of crisis, change, or disruption is integral to risk management generally, and also to your operational resilience strategy. This communication plan needs to embrace both your internal and external stakeholders to give each relevant party clarity around the disruption, how it’s being managed or rectified, and any other information that’s important to that stakeholder individually.
As part of this process you’ll need to map your stakeholders so you understand where to focus and how to frame your communications. Each of these stakeholders will have more or less importance depending on what disruption occurs, and your communication plan will need to be able to respond flexibly to those various scenarios. However, it should always include regulators, who will want to understand your impact tolerances and mitigation efforts, which should be included in your plan.
How a GRC platform will help build your operational resilience strategy
Operational resilience begins and ends with understanding and managing risk, and a platform like Drova helps you do that. Think of it as operational resilience software, aiding you to:
- Gather the data you need to define your key business services by significantly improving the way GRC data is gathered, stored, curated and linked and compiling it into a single source for the entire organisation
- Review data and processes to define your impact tolerances within the entire organisation by connecting data points to eliminate risk silos and improve organisation-wide understanding
- Enable richer scenario testing via analysis to test ‘what if’ events
- Identify and track regulations and emerging risks with automated news monitoring and provide timely and accurate information to stakeholders, including reporting and financial information
- Enhance your communications via fast and accurate reactions to GRC data flows and the efficient management of GRC workflow