Whitepaper

The State of Play in Operational Resilience: A guide to overcoming challenges in getting operational resilience programs off the ground

Noggin

Continuity Management Software

Updated November 22, 2023

The state of operational resilience

After an unbroken series of critical events, resilience has become a mantra of the business world. Industry regulators, in their turn, have also alighted on operational resilience as a key sector-wide objective.

Operational resilience itself, according to Gartner[i], refers to initiatives that expand business continuity management programs to focus on impacts, the connected risk appetite, and tolerance levels for disruption of product or service delivery to internal and external stakeholders such as employees, customers, citizens, and partners.

But as these initiatives grow in kind and importance, the question remains: are they bearing fruit?

BCI set out to answer just that question, releasing the results of its multi-sector survey into operational resilience practices.

The resultant report, the Operational Resilience Report 2022[ii], finds, unsurprisingly, that operational resilience practices have risen in popularity, and quickly.

Now, over three quarters of organizations report either having or developing an operational resilience program. Within tightly regulated sectors (such as finance), adoption numbers are even higher.

Organizations aren’t just being swayed by regulatory mandates. The desire to implement best practices is also driving adoption. Nearly three quarters of respondents reveal that they are developing their operational resilience programs because of good practices.

Not everyone understands what operational resilience is

The battle for operational resilience is hardly won, though. Despite their rise in popularity, operational resilience programs themselves are struggling. Often enough it’s because practitioners don’t know what those programs should do.

Worryingly, many operational resilience programs come to resemble organizational resilience programs, following the ISO 22316 standard as a best-practice prototype. Other firms confuse operational resilience with "business continuity done well".

This is the case in small organizations, in particular. As the report finds, BC professionals at smaller firms are being tasked to manage the operational resilience program. The result: professionals worry that their staff doesn’t have the requisite knowledge and resources to lead the transition to a more strategic and customer-centric operational resilience approach.

That's not all. Concerns have also cropped up that some implemented practices might even be harmful to the resilience cause: for instance, using the business impact analysis exercise to define impact tolerances, which can be dangerous given the different focuses of operational resilience and business continuity.

Dedicated staff also admit to finding it difficult to understand, monitor, and manage supply chain risk. Concentration risk is another challenge.

And though adoption is higher in heavily regulated sectors, that adoption often comes with its own issues. The report found that half of all respondents were concerned that meeting relevant regulatory requirements was turning operational resilience into a tick-the-box exercise.

Indeed, firms are eager to get their resilience programs off the ground, as the findings indicate. The open question is how. To that end, this guide lays out best practices in operational resilience that will help interested firms overcome some of the more salient challenges to implementing a successful operational resilience program.

Best practices in operational resilience

Many of our best practices are drawn from regulatory requirements, which will help firms kill two birds with one stone: uplevel their resilience protocols and maintain compliance.

What are some of the relevant best practices? Here, UK financial services regulators have been leading the way, developing a framework[iii] to ensure operational resilience among the entities they regulate.

The framework in question seeks to uplevel firm resilience, such that a firm will be able to prevent disruption occurring to the extent practicable. Firms should also be able to return to normal running promptly when a disruption is over, and to learn and evolve from both incidents and near misses.

To do so, systems and processes must first be adapted, so that firms can continue to provide services and functions in the event of an incident. 

How to go about it? The framework encompasses four crucial areas:

  • Governance
  • Operational risk management
  • Business continuity planning
  • Management of outsourced relationships

Operational resilience and governance

When it comes to governance, Boards are responsible for prioritizing the investment and cultural change required to improve operational resilience.

It's also the Board's responsibility to approve the identification of their firm's important business services, impact tolerances, and self-assessment (more on these later).

What other responsibilities do Boards have in ensuring operational resilience? Boards are expected to:

  • Have appropriate management information available to inform decisions which have consequences for operational resilience
  • Have adequate knowledge, skills, and experience in order to provide constructive challenge to senior management and meet their oversight responsibilities in relation to operational resilience
  • Articulate and maintain a culture of risk awareness and ethical behavior for the entire organization, which influences the firm’s operational resilience

Operational risk management, risk appetite, and impact tolerances

Per best-practice guidance, firms are encouraged to have effective risk management systems in place, integrated into their organizational structures and decision-making processes, to manage the threats they face.

That means striving to reduce the likelihood that operational incidents will occur and, if they do occur, limiting the resulting losses.

Regulators, here, are looking to see that firms have taken the public interest into consideration when building operational resilience policies. To do so, firms must take action to provide important (or critical) business services within impact tolerances even through severe but plausible disruptions.

But what are impact tolerances? Are they simply a given firm's appetite for risk?

Not exactly. Impact tolerances assume a particular risk has already crystallized, rather than focusing on the likelihood and impact of operational risks occurring.

Firms able to remain within their impact tolerances increase their capability to survive severe but plausible disruptions. However, risk appetites are likely to be exceeded in these scenarios. 

What’s more, impact tolerances are set only in relation to impact on financial stability, the firm’s safety, its soundness, and (in some cases) the appropriate degree of policyholder protection.

Operational resilience, business continuity planning, and outsourcing

Setting impact tolerances alone won’t ensure operational resilience. Business continuity and contingency planning come into play, as well. 

In fact, regulators are likely already requiring adequate contingency and business continuity plans, with the aim of ensuring that in the case of a severe business disruption a firm is able to operate on an ongoing basis.

Other best practices include:

  • Setting recovery priorities for operations, prioritizing the delivery of important business services within impact tolerances
  • Allocating resources and communications planning for business continuity planning focusing on the delivery of important business services
  • Testing business continuity plans, complemented by the testing of disruption scenarios in relation to impact tolerances

Best-practice operational resilience policies will also consider outsourcing. Firms should remain responsible for their obligations even when those functions are outsourced to third parties.

How then can firms avoid compromising the delivery of important business services within impact tolerances when those services are being delivered wholly or partly by third parties?

The main measure, here, is the maintenance of an explicit, Board-approved policy relating to outsourcing arrangements involving material business activities. 

That policy should include: 

  • sufficient monitoring processes to manage the outsourcing of material business activities as well as
  • legally-binding agreements with third parties. 

Firms might also consider, when not required, consulting with regulators prior to entering into agreements to outsource material business activities to service providers as well as notifying regulators after entering into agreements to outsource material business activities.

Improve operational resilience with pragmatic business continuity management software

With the rise of new risks, achieving operational resilience can be more challenging than ever, as catalogued in the BCI Report. Continuing reliance on legacy software, though, stymies meeting that objective.

In fact, addressing legacy infrastructure was deemed a critical or major challenge for nearly 40 per cent of respondents. The fear noted is that once momentum towards a best-practice program is gone, there will be no follow-up actions in the medium term to ensure validation and maintenance actions are in place after the mapping of important business services and the establishment of impact tolerances.

How do organizations ensure they don't lose momentum? Ditching legacy software in favor of pragmatic business continuity management software can provide the much-needed boost.

What follows are the technology factors to consider: 

  • Identify the most important business services (and underlying dependencies), and how much disruption could be tolerated in what circumstances. The BIA (Business Impact Analysis) is intended to help organizations isolate critical business functions in tandem with the processes and resources needed to support those functions, as well as assess how the failure of an individual system or process impacts the business service. But it shouldn't become a laborious, academic exercise.

    Instead, firms should invest in BCM software, with easy-to-use functionality, that defines domains, critical business activities, assets, and sites, as well as records inter-dependencies. The solution should also be able to create registers of critical business activities, risks, insurances, roles, and responsibilities, as well as assess the risk and impact of outages across all activities, assets, and sites. On the risk control side, the solution needs to implement risk treatment plans and actions, essentially recovery strategies, to mitigate risks and/or reduce the likelihood of impact.
  • Map the systems and processes that support these business services; clearly define ownership. Find software that enables managers to assign and track business impact assessments and other risk management activities for organizational unit owners. In addition, the solution should allow teams to easily visualize the locations of specific risks (also, incidents, people, and assets) with fully integrated mapping features.
  • Test, using scenarios and by learning from experience, that resilience meets the firm's tolerance. New mandates make scenario testing a firm requirement. To facilitate testing, find pragmatic BCM software that already provides a comprehensive library of crisis and incident response plans and team structures, covering common disruptions, hazards, and scenarios. BCM technology should also be able to digitize business continuity, crisis, and incident response plans, including strategies and considerations, roles and responsibilities, as well as pre-assigned checklists that are ready to deploy when incidents do occur. That way plans come to life seamlessly, teams know what they need to do, and progress gets tracked in real time. Also, when scenario-testing plans, it's necessary to incorporate the feedback generated as improvement activities back into the original plan.
  • Communicate timely information to internal stakeholders, supervisory authorities, customers, counterparties, and other market participants. Firms and financial market infrastructures (FMIs) need to stay abreast of what's going on during a disruption. BCM software should help here, too, enabling maximal situational awareness by providing teams and stakeholders with a single, integrated system capable of tackling critical events in real time.

    To support better visibility and awareness, as well as facilitate communication and collaboration, the flexible system should include chat, impact assessment, and communication planning functionality. BCM software should also let teams communicate and follow up within the app itself, preferably via dedicated, event-specific chat rooms, in addition to email, SMS, and app notifications. Additional, advanced features to improve collaboration include dashboards and collaboration spaces which provide teams with key details, actions, feeds, and timelines.
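The first two factors above (identify important business services and their dependencies, set impact tolerances, map the supporting systems and their owners) amount to a small data model that can be queried. The following is an added example, written for this page and not code from Noggin or any BCM product, that builds such a dependency map and answers the questions a BIA is meant to answer: which services a failed asset reaches through the dependency chain, which of those would breach their impact tolerance given the asset's recovery time, and which assets many services concentrate on (the concentration risk mentioned earlier). Every service, asset, owner, tolerance and recovery-time value in it is constructed for illustration.

```python
"""Added example: a minimal BIA dependency map with impact-tolerance and
concentration checks. All names and numbers below are constructed samples."""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class BusinessService:
    name: str
    owner: str
    max_tolerable_outage_h: float      # impact tolerance, in hours of disruption
    depends_on: list = field(default_factory=list)   # asset names


@dataclass
class Asset:
    name: str
    owner: str
    recovery_time_h: float             # how long restoring this asset takes (RTO)
    depends_on: list = field(default_factory=list)   # other asset names


class DependencyMap:
    def __init__(self):
        self.services = {}
        self.assets = {}

    def add_service(self, svc):
        self.services[svc.name] = svc

    def add_asset(self, asset):
        self.assets[asset.name] = asset

    def _children(self, name):
        node = self.services.get(name) or self.assets.get(name)
        return node.depends_on if node else []

    def transitive_dependencies(self, service_name):
        """Every asset a service relies on, directly or via other assets (BFS)."""
        seen, queue = set(), deque(self._children(service_name))
        while queue:
            name = queue.popleft()
            if name in seen:
                continue
            seen.add(name)
            queue.extend(self._children(name))
        return seen

    def affected_services(self, failed_asset):
        """Services whose dependency chain includes the failed asset."""
        return sorted(s for s in self.services
                      if failed_asset in self.transitive_dependencies(s))

    def tolerance_breaches(self, failed_asset):
        """For each affected service: True if the asset's recovery time exceeds
        the service's impact tolerance (a 'severe but plausible' single failure)."""
        outage_h = self.assets[failed_asset].recovery_time_h
        return {s: outage_h > self.services[s].max_tolerable_outage_h
                for s in self.affected_services(failed_asset)}

    def concentration(self):
        """Assets ranked by how many important services depend on them."""
        counts = {a: len(self.affected_services(a)) for a in self.assets}
        return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def build_sample_map():
    """Constructed sample: three services over four assets (illustration only)."""
    m = DependencyMap()
    m.add_asset(Asset("storage-array", "Infrastructure", recovery_time_h=24))
    m.add_asset(Asset("core-db", "Data Platform", recovery_time_h=6, depends_on=["storage-array"]))
    m.add_asset(Asset("web-tier", "Digital", recovery_time_h=1, depends_on=["core-db"]))
    m.add_asset(Asset("batch-runner", "Finance IT", recovery_time_h=4, depends_on=["core-db"]))
    m.add_service(BusinessService("Online Payments", "Head of Payments", 2, ["web-tier", "core-db"]))
    m.add_service(BusinessService("Customer Portal", "Head of Digital", 8, ["web-tier"]))
    m.add_service(BusinessService("Monthly Statements", "Head of Finance", 48, ["batch-runner"]))
    return m


if __name__ == "__main__":
    dmap = build_sample_map()
    for asset in dmap.assets:
        breaches = dmap.tolerance_breaches(asset)
        print(f"{asset} fails ({dmap.assets[asset].recovery_time_h}h to recover):")
        for svc, breached in breaches.items():
            print(f"  {svc:<20} tolerance breached: {breached}")
    print("Concentration (services per asset):", dmap.concentration())
```

In the sample, a single failure of `core-db` is recovered in 6 hours, which breaches the 2-hour tolerance of Online Payments but not the tolerances of the other two services, while the storage array (24 hours to recover, relied on by every service) is both the largest concentration and the scenario that breaches two tolerances. This is the kind of question scenario testing against impact tolerances is meant to surface, and the same structure extends to third-party providers by modelling them as assets owned by the vendor.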

Finally, data points to increasing adoption of operational resilience programs. But those programs aren’t always churning out best practices that will keep their companies resilient when disruptions arise.

Often standing in their way is a lack of know-how and resources. Legacy software also makes it difficult to get best-practice measures implemented quickly.

What can be done? Digital software, such as Noggin's suite of business continuity and risk management products, can help. These pragmatic solutions enable organizations to run every aspect of their resilience operations effortlessly, while achieving compliance with mandates and uplevelling their own resilience capabilities.

Sources

i. Gartner, Gartner Glossary: Operational Resilience. Available at https://www.gartner.com/en/information-technology/glossary/operational-resilience.

ii. BCI: BCI Operational Resilience Report 2022. Available at https://www.thebci.org/resource/bci-operational-resilience-report-2022.html.

iii. Bank of England Prudential Regulation Authority: Statement of Policy, Operational resilience. Available at https://www.bankofengland.co.uk/-/media/boe/files/prudential-regulation/statement-of-policy/2021/operational-resilience-march-2021.pdf?la=en&hash=908CF0854077E5F466D512BFB904C6EA4503F54B.
