Operational resilience is an organisation’s ability to detect, prevent, respond to, recover and learn from operational disruptions that may impact delivery of important business and economic functions or underlying business services.
The key components of operational resilience - which include defining and understanding important business services and impact tolerance, as well as completing end-to-end mapping, scenario testing, and regular self-assessments - are essential guideposts on the road to resiliency.
A GLOBAL CYBERSECURITY EXERCISE
Completed November 17, 2021
Resilience is ingrained in our vocabulary, especially in today’s challenging business landscape. In its simplest form, resilience can be defined as the ability to recover from setbacks. Unlike risk, which has a probabilistic component and creates significant uncertainty, operational resilience must be contemplated as an inevitability.
Systems will fail, cyber-attacks will be successful, and pandemics will occur. Having a firm understanding of how to minimise the impact of a disruption to your external stakeholders and the broader economy, knowing where your organisation’s vulnerabilities lie, and developing your foundational elements (e.g., cyber, business, third-party, and technology resilience) will help your organisation recover more quickly and minimise customer harm.
Business Continuity Management (BCM) is the design, development, implementation and maintenance of strategies, teams, plans and actions that provide protection over, or alternative modes of operation for, those activities or business processes which, if they were to be interrupted, might bring about seriously damaging or potentially significant loss to an enterprise.
All sectors and sizes of companies can benefit from a BCM programme. An operational resilience programme can enhance and extend traditional BCM practices and concepts by incorporating various approaches such as testing extreme-but-plausible scenarios, front-to-back process mapping and aligning all aspects of cyber, third-party and technology resilience, as illustrated in Protiviti’s Operational Resilience framework.
Interested in a quick explanation of the relationship between BCM and Operational Resilience? Check out Protiviti’s video here.
With developments in technology and potential heightened risk for an extreme-but-plausible event, companies have implemented resilience roles to oversee operational processes and controls and understand the complexity of the organisation and economic environment. Owning an operational resilience programme within an organisation involves governance of the programme, technology change to enhance recovery, and the adoption of a cultural change to embed resilience in the minds of all employees.
Some key questions the Head of Resilience should ask are:
Quantifying downtime can come in many forms but, at its core, it weighs the cost of being down against time. A firm can accept loss from an operational disruption for a specific period of time, after which it is bound to go out of business. The severity of the cost impact will dictate how long the firm can absorb the disruption. Calculating the organisation’s initial level of resilience and reporting that information will allow the organisation to effectively assess the recovery of an important business service or process and determine the related potential downtime and cost assumptions.
Some key questions the CISO should ask are:
Heads of technology for an organisation will face incredible challenges in aligning technology strategy and spend with the needs of resilience. Regulated institutions should be able to demonstrate not only their ability to keep important business services running but also how they can keep data secure.
Some key questions the CIO/CTO should ask are:
Incorporating a comprehensive resilience assurance approach into existing governance and foundational element audits will enable firms to develop a resiliency culture and position themselves to respond effectively to common operational disruptions as well as extreme-but-plausible events that could threaten the viability of their organisations, customers and financial markets. The bar in auditing resilience will align with the current third line work efforts, as resilience will be, if it is not already, a critical part of an ongoing audit plan. Self-assessment will advance the work efforts of the third line and provide regulators some comfort that the recoverability of the firm is acceptable.
Some key questions the CAE should ask are:
The expectations for regulated institutions include ownership of their operational resilience, prioritising plans and investment choices based on their impacts on the public interest and communicating clearly to customers when disruptions occur. Regulated institutions should be prepared to address issues (e.g., large-scale and sustained power outages) that may extend their resilience beyond their impact tolerances.
Some key questions the CRO should ask are:
The culture of the firm, starting at the board level, has a significant impact on the resilience of a firm. Culture will drive firms’ decisions and actions by employees, and ensure firms are conducting themselves to enhance resilience and decrease harm.
The tone must be set at the top of the organisation for resilience to become a part of business as usual. The ability to recover from an event so that consumers are not harmed should drive key decisions around project selection, technology implementation and other key functions of the firm.
Some key questions the Board of Directors should ask are:
Protiviti is a Premium Associate Member of SIFMA, AFME and ASIFMA.
Protiviti actively engages with the associations, committees and working groups, sharing insights and expertise on crucial industry developments, speaking at conferences and events, and contributing to advocacy efforts for effective and resilient capital markets. Our membership allows us to contribute our deep understanding of the continually evolving and competitive financial services industry landscape.