2022 was the year operational resilience went mainstream. But 2023 promises to be the year that organizations like yours take their operational resilience efforts to the next level. What will it take?
Evidence that operational resilience might have stalled out
For starters, operational resilience itself, according to Gartner, refers to initiatives meant to expand business continuity management programs to focus on impacts, connected risk appetite, and tolerance levels for disruption of product or service delivery to internal and external stakeholders, such as employees, customers, citizens, and partners.
But as these initiatives grew in kind and importance over the last few years, questions emerged about whether programs had stalled out.
Last year’s Operational Resilience Report, put out by BCI, found that operational resilience programs, despite surging popularity, were struggling. One of the main culprits: their practitioners didn’t know what the program should do.
Implement best-practice operational resilience measures in 2023
That’s where relevant best practices come in. What are some of the relevant ones?
Well, UK prudential regulators have been leading the way, in the attempt to uplevel the resilience of firms under their regulatory purview.
Per their best-practice guidance, firms are encouraged to have effective risk management systems in place to manage threats, with those systems integrated into a given firm’s organizational structures and decision-making processes.
That means striving to reduce the likelihood that operational incidents will occur and, if they do occur, limiting losses.
Regulators, here, are looking to see that firms have taken the public interest into consideration when building operational resilience policies. To do so, firms must take action to provide important (or critical) business services within impact tolerances even through severe but plausible disruptions.
But what are impact tolerances? Is it a given firm’s appetite for risk?
Not exactly.
Impact tolerances assume a particular risk has already crystallized rather than focusing on the likelihood and impact of operational risks occurring.
Firms able to remain within their impact tolerances increase their capability to survive severe but plausible disruptions, even if risk appetites are exceeded.
What’s more, impact tolerances are set only in relation to impact on financial stability, the firm’s safety, its soundness, and (in some cases) the appropriate degree of policyholder protection.
Operational resilience, business continuity planning, and outsourcing
Setting impact tolerances alone won’t ensure operational resilience. Business continuity and contingency planning come into play, as well.
In fact, regulators are likely already requiring adequate contingency and business continuity plans, with the aim of ensuring that, in the case of a severe business disruption, a firm is able to operate on an ongoing basis.
Other best practices include:
- Setting recovery priorities for operations, prioritizing the delivery of important business services within impact tolerances
- Allocating resources and planning communications for business continuity, with a focus on the delivery of important business services
- Testing business continuity plans, complemented by the testing of disruption scenarios in relation to impact tolerances
But those measures don’t even scratch the surface of what it will take to get operationally resilient in 2023. What else will be needed? To learn more, download our latest guide to overcoming the challenges in getting operational resilience programs off the ground, The State of Play in Operational Resilience.