Operational resilience is an organisation’s ability to continue to deliver critical business services after facing one or more disruptive events. It also covers the ability to predict and prevent disruptive events and better control and recover from them, should they occur.
The pandemic, for example, became a real-world test for many organisations globally. With lockdowns, border closures, and working from home, businesses had to rapidly adapt to new working methods, which normally would have taken a couple of years to implement.
The newly drafted Australian Prudential Regulatory Authority (APRA) Standard CPS 230 on Operational Risk has stated that regulated organisations will need to tighten up several areas of their risk management to meet the new requirements. The focus includes preventing disruption to critical operations, adapting processes and systems to continue operations in the event of a disruption, and returning to normal operations promptly after a disruption is over. APRA does not see operational resilience as something new or separate from operational risk management. It is the outcome and an extension of business continuity management.
Protecht recently surveyed risk professionals to determine their organisations’ operational resilience understanding and requirements. The results made clear that most respondents value the idea, but implementation remains limited. Nearly all surveyed (96 per cent) believe operational resilience should be an important priority for their organisation, but only under half (46 per cent) currently rate their organisation’s operational resilience capacity as “high/very high”.
So, with a high probability of major disruptive events expected in the future, operational resilience is the key to an organisation’s ability to survive and even thrive during such incidents. If there was ever a time to focus on building operational resilience within an organisation, it is now, and here is how to get started.
Identify the core components of operational resilience
An operational resilience framework will require an understanding of:
- Your important or critical business services.
- The sub-processes that deliver those services.
- The resources (hardware, software, teams, infrastructure) connected to the service.
Once these are identified, it becomes easier to model the risk scenarios that would disrupt that service and to think about preventative controls that will mitigate the likelihood of those scenarios occurring. Should the scenario occur, we are also in a better position, having planned, documented and tested the recovery strategy.
Integrate it into your organisation’s overall Enterprise Risk Management (ERM) systems and framework
Integrating operational resilience into your ERM systems ensures that maximum leverage is obtained from your existing risk and control libraries and that processes are not reinvented. This reduces the overall cost and effort of implementing the strategy. Instead of starting from scratch, efforts can be focused on extending current capabilities.
Ensure that the key elements are in place
It is important to have a robust framework to build a sustainable and effective operational resilience capability. Some key focus areas in this regard are:
- Who will govern the implementation and management of the project?
- Is the project adequately budgeted for both in terms of people and dollars?
- A clear plan that doesn’t just rebrand current systems but improves and evolves them to create true enterprise-wide resilience.
- Provide adequate training and upskilling to the staff in operational resilience principles that align with the project plan.
Get the leadership buy-in
Since cost and effort are minimised by building operational resilience into the current systems and overall ERM framework, board and management buy-in is easier, as it is not delivered as some new major project but as an additional part of what already exists. The survey found that in over 34 per cent of organisations, operational resilience is a concept that uses much of their existing risk management capability, consolidating existing practices. With the leadership team invested, implementation of the resilience framework would be smoother, thereby further reducing effort and time.
Monitor results and use them to your advantage
An important step in any new systems implementation is to analyse its performance, learn from it, modify plans, and communicate the results to all key stakeholders. Resilience can assure critical processes continue under a range of potentially disruptive events, but it must be continually monitored to help identify areas of improvement, single points of failure and redundancy. Resilience considerations can also be used in decision making, whether regarding the location of office premises or a decision to take on a new supplier.
Ultimately, operational resilience is important for any organisation – not just regulated financial institutions.