Despite their sharp rise in popularity, operational resilience programs aren’t firing on all cylinders – at least not yet. Indeed, BCI polled organizations across industry to determine how their operational resilience programs were faring. The results suggested unforeseen challenges.
The state of operational resilience
First, the good news. BCI’s Operational Resilience Report 2022 finds that operational resilience practices are on the rise. Over three quarters of organizations report either having or developing an operational resilience program. Numbers are even higher for fields with regulatory requirements.
Organizations, however, aren’t just being swayed by regulatory mandates, which suggests that resilience practices are likely to stick. In fact, nearly three quarters of respondents reveal that they are developing their operational resilience programs because of good practices.
Practitioners are confused about operational resilience
But there’s a major spanner in the works. Those tasked with managing operational resilience programs oftentimes don’t know what those programs should be doing.
You heard that right. According to survey results, operational resilience programs too often become organizational resilience programs, following the ISO 22316 standard. Other practitioners consider their work to be “business continuity done well.”
What’s the problem? Well, a mismatch in approach means practices might be implemented that are harmful to the overall resilience effort.
Further challenges in developing operational resilience
That’s not the only issue. The more salient challenges cited include the following:
- Dedicated staff admit to finding it difficult to understand, monitor, and manage supply chain risk
- Concentration risk is proving difficult to control
- Adoption in highly-regulated sectors is turning operational resilience into a check-the-box activity
And, as the report finds, business leaders, especially at smaller firms, worry that their staff don’t have the requisite knowledge and resources to lead the transition to a more strategic and customer-centric operational resilience approach.
How to advance the operational resilience cause
What can be done, instead?
One step includes following the path laid out by industry-tested best practice, such as the operational resilience framework developed by UK financial regulators.
That framework encompasses four crucial areas: (1) governance, (2) operational risk management, (3) business continuity planning, and (4) management of outsourced relationships.
Its aim includes the following:
- Making firms able to prevent disruption occurring to the extent practicable
- Rendering firms able to return to normal running promptly when a disruption is over
- Making firms able to learn and evolve from both their incidents and near misses
Operational risk management, risk appetite, and impact tolerances
Per the framework, firms are encouraged to have effective risk management systems in place, integrated into their organizational structures and decision-making processes, to manage those threats.
Regulators, here, are looking to see that firms have taken the public interest into consideration when building operational resilience policies. To do so, firms must take action to provide important (or critical) business services within impact tolerances even through severe but plausible disruptions.
But what are impact tolerances? Are they a given firm’s appetite for risk?
Not exactly. Impact tolerances assume a particular risk has already crystallized rather than focusing on the likelihood and impact of operational risks occurring.
Firms able to remain within their impact tolerances increase their ability to survive severe but plausible disruptions.
What’s more, impact tolerances are set only in relation to impact on financial stability, the firm’s safety, its soundness, and (in some cases) the appropriate degree of policyholder protection.
But that’s not all it takes to ensure operational resilience. For more, including the benefits of business continuity management software and risk management platforms to the cause, download our guide to operational resilience best practices.