Whitepaper

Determining the ROI of Operational Resilience

Noggin

Business Continuity Management

Published November 9, 2023

Introduction

Money (or budget) doesn’t grow on trees. And in challenging economic times like these, department heads will be asked to justify their budgets – not just financial outlays, either, but time expended, as well.

This goes double for relatively new departments or capabilities, such as Operational Resilience. These programs likely haven’t been up and running for sufficient time to have secured deep C-suite and/or Board commitments.

So, when decisions must be made, how does Operational Resilience stay off the chopping block? The short answer is show your ROI.

How to go about determining the ROI of operational resilience? Let’s start with a resonant example.

The Medibank hack helps build the case for operational resilience

Medibank is one of Australia’s largest private health insurers. In October of 2022, the insurer detected unusual activity on its internal systems, in what would soon become one of the top crises of the last 12 months. It subsequently announced that it lacked evidence to suggest that customer data had been accessed.

Fast forward to a few days later, and the insurer was approached by a third party aiming to negotiate with the company based on claims that they had illegally removed customer data. These claims were soon confirmed, bolstering the validity of the initial threat to release the data of high-profile customers if ransom demands weren’t met.

Medibank refused, backed by expert advice that there was little chance that the company would get the stolen data back even if it paid the ransom.

Meanwhile, investigative journalists working on the story soon alleged that the breach itself was the result of hackers gaining access to Medibank’s internal systems. Journalists claimed that these systems were accessed via compromised login credentials.

How many records were ultimately compromised? Medibank revealed that the data of 9.7 million past and present customers had been accessed. Data included email addresses, phone numbers, addresses, Medicare numbers, names, dates of birth, passport numbers, and visa details, as well as the private medical information for 192,000 customers, e.g., where customers were admitted for procedures, service provider names, and locations and codes associated with diagnosis and procedures given.

Those documents would soon be released, as the hacker, linked to a Russian cyber gang, published a “good-list” and “naughty-list” of customer data files on the dark web. The Australian Federal Police, in turn, partnered with  Commonwealth agencies and the Five Eyes Law Enforcement partners to investigate.

For Medibank, though, the damage had been done. The nation’s prudential regulator, APRA (Australian Prudential Regulation Authority) took the extraordinary step of imposing an AUD 250 million increase in Medibank’s capital adequacy requirement.

The regulator claims these new requirements reflect weaknesses identified in Medibank’s information security environment. That’s not all. Medibank now faces its fourth class-action lawsuit over the cyberattack, as well.

Think that’s bad? Had Medibank suffered a significant service disruption, the insurer could have lost USD 10,000 per hour, according to industry data [i]. That would be financially ruinous for many companies, yet it is a reality for the one in two companies that have experienced an extended break in continuity [ii].

Understanding operational resilience

What does this have to do with operational resilience?

In this case, the ROI of operational resilience would have been the penalties and sanctions avoided for remaining in compliance with regulatory strictures. And that’s because operational resilience itself is the capability that ensures companies don’t suffer disruptions and adverse consequences from those disruptions.

Operational resilience [iii], here, refers to initiatives meant to expand business continuity management programs by focusing on impacts, the connected risk appetite, and tolerance levels for disruption of product or service delivery to internal and external stakeholders, e.g., employees, customers, citizens, and partners.

The Bank of England (BoE), one of the premier operational resilience regulators, defines operational resilience as “the ability of firms, and the financial sector as a whole [over which the BoE regulates], to absorb and adapt to shocks and disruptions, rather than contribute to them” [iv].

In that regard, operational resilience goes far beyond business continuity and disaster recovery. And so, for companies to be resilient, they must “have robust plans in place to deliver essential services, no matter what the cause of the disruption” [v].

Potential threats firms must prepare for include:

  • Man-made threats, e.g., physical and cyber attacks

  • IT system outages

  • Third-party supplier failure

  • Natural hazards, e.g., fire, flood, severe weather, and pandemic

Developing an ROI-enhancing operational resilience program

So, how to ensure operational resilience through ROI-enhancing protocols?

Financial regulators, such as the BoE, have put forth frameworks detailing what it means to be operationally resilient for the sake of regulatory compliance.

At a glance, regulators require firms to:

  • Identify important business services. Boards and senior management must identify and prioritize services that, if disrupted, would impact objectives and the public interest.

  • Set impact tolerances. Firms must say to what extent they would be able to continue important business services following severe but plausible disruptions.

  • Ensure they can remain within impact tolerances. Firms must map their important business services and test their capacity to continue them to the agreed extent. Where firms identify vulnerabilities which might stop them from remaining within impact tolerances, these should be addressed.

In this respect, though, regulators are seeking to establish a floor.

To enhance ROI, though, businesses, facing stiff resilience challenges in this era of compounding crisis, should strive to reach the ceiling. That means implementing context-specific, operational resilience best practices – not just complying with the letter of regulators’ requirements but their spirit.

Again, the entire framework propounded by financial services regulators is a good place to start, even for companies outside of the financial services space. The point of this resilience framework is (1) to enable firms to prevent disruption from occurring; (2) barring that, to enable firms to return to normal running promptly when a disruption occurs; and (3) to learn and evolve from both incidents and near misses.

To do so, systems and processes must first be adopted, to ensure firms can continue to provide services and functions in the event of an incident.

How to go about it? ROI-enhancing operational resilience frameworks encompass four crucial areas:

  • Governance

  • Operational risk management

  • Business continuity planning

  • Management of outsourced relationships

The subsequent guide will touch on each briefly.

Operational resilience and governance

When it comes to governance, Boards are responsible for prioritizing the investment and cultural change required to improve operational resilience.

It’s also the Board’s responsibility to approve the identification of their firm’s important business services, impact tolerances, and self-assessment.

What other responsibilities do Boards have in ensuring operational resilience? Boards are expected to:

  • Have appropriate management information available to inform decisions which have consequences for operational resilience

  • Have adequate knowledge, skills, and experience in order to provide constructive challenge to senior management and meet their oversight responsibilities in relation to operational resilience

  • Articulate and maintain a culture of risk awareness and ethical behavior for the entire organization, which influences the firm’s operational resilience

Operational risk management, risk appetite, and impact tolerances

Per best-practice guidance, firms are encouraged to have effective risk management systems in place to manage threats that are integrated into their organizational structures and decision-making processes.

That means striving to reduce the likelihood that operational incidents will occur, and if they do, firms can limit losses.

Regulators, here, are often looking to see that firms have taken the public interest into consideration when building operational resilience policies. To do so, firms must take action to provide important (or critical) business services within impact tolerances even through severe but plausible disruptions.

Firms able to remain within their impact tolerances increase their capability to survive severe but plausible disruptions. However, risk appetites are likely to be exceeded in these scenarios.

What’s more, impact tolerances are set only in relation to impact on financial stability, the firm’s safety, its soundness, and (in some cases) the appropriate degree of policyholder protection.

Operational resilience, business continuity planning, and outsourcing

Setting impact tolerances alone won’t ensure operational resilience.

In fact, many regulators are likely already requiring adequate contingency and business continuity plans, with the aim of ensuring that in the case of a severe business disruption a firm is able to operate on an ongoing basis.

Other best practices include:

  • Setting recovery priorities for operations, prioritizing the delivery of important business services within impact tolerances

  • Allocating resources and communications planning for business continuity planning focusing on the delivery of important business services

  • Testing business continuity plans, complemented by the testing of disruption scenarios in relation to impact tolerances

Best-practice operational resilience policies will also consider outsourcing. Firms remain responsible for their obligations even when those functions are outsourced to third parties.

How then can firms avoid compromising the delivery of important business services within impact tolerances when those services are being delivered wholly or partly by third parties?

The main measure, here, is the maintenance of an explicit, Board-approved policy relating to outsourcing arrangements involving material business activities.

That policy should include (1) sufficient monitoring processes to manage the outsourcing of material business activities as well as (2) legally-binding agreements with third parties.

Firms might also consider, even when not required, consulting with regulators prior to entering into agreements to outsource material business activities to service providers, as well as notifying regulators after entering into such agreements.

Become operationally resilient with consolidated resilience management software

ROI-enhancing best practices don’t just implement themselves, though. Organizations looking to become operationally resilient will need to invest in the appropriate resilience management software platforms, as well.

What should the platform do?

Well, operational resilience challenges tend to be highly site-specific, dictating the measures needed to address them. The platform itself should therefore enable agility in the implementation of operational resilience programs, plans, and projects, to enable greater self-management, self-improvement, and commitment to obtaining results.

Many organizations think they have such solutions in place already. Only problem is that they have multiple, often duplicative solutions, eating away at ROI and breeding lack of familiarity among staffers who must address disruptions.

What should they do, instead?

Organizations should look to replace the multiple systems they currently use to manage various aspects of the resilience conundrum (e.g., point solutions, manual go-arounds, legacy platforms, etc.).

With what, though?

Firms should consider a comprehensive resilience workspace that not only manages the interrelated fields of business continuity and resilience management but also their intricately related solution areas: work safety, operational security, emergency and disaster management, incident management, and risk.

Only these platforms will help organizations remain adaptable to the volatile business environment by expanding into new areas of operation seamlessly while still managing a wholly integrated operational resilience management program on a common information foundation.

Here are the other ROI-enhancing capabilities firms should be looking for in their consolidated resilience management platforms:

Configurability

Given the extent of the resilience challenge, customers need to get up and running quickly. However, poor configurability stands in the way.

Here, firms should look for platforms featuring no-code designer tools that will allow them to create or modify their respective workspaces without a single line of code.

For increased agility, a responsive user interface will enable organizations to design forms and workspaces once and then access the same information and features across desktop, tablet, and mobile.

Automation

Organizations should also seek out platforms that make the lives of their principal users easier. That means access to powerful workflow engines to automate operational resilience processes, by building site-specific workflows that include notifications, business rules, approvals, and much more.

Business Impact Analysis

The BIA remains a mainstay of the resilience process. And so, resilience management platforms should help forward-looking Managers to make that mainstay more agile, as well.

That they can do with digital capabilities that make the BIA process as simple and efficient as possible, promoting greater usability across the entire organization.

What would that look like? BIA-specific dashboards should boast easy step-by-step guides to help navigate stakeholders through the process.

Dynamic planning and exercise management

When customers need to develop their resilience plans, all the data they have previously entered into the platform should seamlessly come together, so that Managers don’t have to go sifting through documents to find the data they need.

The resultant plans must be exercised, though. To that end, consolidated resilience software should feature exercise dashboards that guide users and their teams through each stage of an exercise, ensuring everyone understands what needs to be completed and when.

From there, the platform’s automation capabilities should ensure the correct teams and/or personnel are invited to participate in the exercise and receive regular updates via automated notifications throughout the exercise.

Once the exercise is activated, all users should be able to see what type of exercise is being completed. And based upon the affected assets/activities, the recovery strategies required for the affected assets will automatically be populated for the team.

Personalized user workspace

Personalized user workspaces, like exercise management functionality, should also enable the self-management, accountability, and agile response needed to address resilience challenges. How so?

Workspaces should allow users to visualize outstanding tasks that have been assigned to them, as well as any checklist action items which still need to be actioned as part of the exercise or incident response.

Users should also be able to visualize relevant BIA activity, such as the owner, which BIAs they are involved in, as well as any outstanding BIA recommendations they need to action, and/or reports that require their approval. What’s more, users should also be able to see any incidents or exercises they are involved in, as well as any outstanding improvements from incidents or exercises that they need to action.

Conclusion

Finally, what’s the ROI of Operational Resilience? Just ask companies who’ve suffered major disruptions what their financial, reputational, and other non-monetary setbacks were. These often-prodigious numbers give one a sense of what the value of an Operational Resilience program is.

Want to realize that value? Then you will need to invest in the appropriate integrated resilience management platform. Likely to pay for itself, that solution will provide a comprehensive and holistic approach to resilience, facilitate crucial collaboration and coordination, unlock critical insights, keep stakeholders informed, and streamline essential workflows for planning and response.


Sources

i. Dale Shulmistra, Invenio IT: 23 Business Continuity Statistics You Need to Know. Available at https://invenioit.com/continuity/business-continuity-statistics/.

ii. Ibid.

iii. Gartner, Gartner Glossary: Operational Resilience. Available at https://www.gartner.com/en/information-technology/glossary/operational-resilience.

iv. Bank of England, Operational resilience of the financial sector. Available at https://www.bankofengland.co.uk/financial-stability/operational-resilience-of-the-financial-sector.

v. Ibid.