What Is Digital Operational Resilience and What Steps Are Needed to Achieve It?

We’ve heard of operational resilience, the ability to deliver operations, including critical operations and core business lines, through a disruption from any hazard. And we understand why operational resilience is so important today: the growth in cyber threats.

So, how can you ensure your business is able to thwart threats to its digital environment? That’s where digital operational resilience comes in.

What then is digital operational resilience?

Digital operational resilience refers to the ability of a business to build, assure, and review its operational integrity and reliability. A business achieves digital operational resilience once it has put in place the full range of information and communication technology (ICT) related capabilities needed to secure the network and information systems it uses, the systems that support the continued provision of its services and their quality, including throughout disruptions.

Why is digital operational resilience needed?

Why’s it needed? Well, for firms, ICT risk, which digital operational resilience seeks to mitigate, has increased exponentially.

Not only have ICT risk vectors themselves multiplied, but individual risk vectors have also become more serious.

Indeed, there are now any number of reasonably identifiable circumstances which, if materialized, would seriously compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, and/or of the provision of services by producing adverse effects in the digital or physical environment.

And once those threats materialize, they become ICT-related incidents. ICT-related incidents can be single events or entire series of linked, unplanned events that compromise the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity, or confidentiality of data, or on services provided.

If such an incident is sufficiently serious, it is classed as a major ICT-related incident. That means the incident has had a highly adverse impact on the network and information systems that support critical or important functions of the financial entity.

The benefits of digital operational resilience

Beyond mitigating ICT risk, what are the other benefits of digital operational resilience?

The key benefits include:

Digital operational resilience helps build threat intelligence

A major part of being operationally resilient is having information that has been aggregated, transformed, analyzed, interpreted, and/or enriched. That type of information is called threat intelligence. What’s one of the benefits of threat intelligence? Well, threat intelligence helps to provide the necessary context for decision-making and to enable a relevant and sufficient understanding of the situation, so that the impact of an ICT-related incident or of a cyber threat can be mitigated.

Digital operational resilience enables proactive decision making

To put a finer point on it, digital operational resilience, achieved through effective threat intelligence, makes relevant information available to decision makers in a timely manner. High-quality information made available in real time helps to facilitate proactive decision making during a disruption.

Digital operational resilience mitigates the risks coming from service-delivery dependencies

Much ICT risk comes from third parties. Ensuring your digital environment is operationally resilient means addressing these key service-delivery dependencies. Digital operational resilience exercises seek to provide visibility into those dependencies, and that visibility is what mitigates this key risk vector.

Digital operational resilience ensures compliance

Individual organizations aren’t the only actors with an interest in ensuring digital operational resilience. Regulators share that interest, particularly in the financial services sector. Indeed, major regulators have already issued policies addressing digital operational resilience, with the EU’s Digital Operational Resilience Act (DORA) being the latest example.

How to achieve digital operational resilience

If regulators are mandating digital operational resilience, the question becomes how individual organizations achieve it in order to ensure compliance. This is a thorny question.

Digital operational resilience, like the broader category of organizational resilience and the narrower category of cyber resilience, is highly site-specific. However, there are certain generic steps a business can take.

Steps to achieve digital operational resilience

They include the following:

ICT risk management

Organizations should put in place an internal governance and control framework to ensure the effective and prudent management of ICT risk, to achieve a high level of digital operational resilience. That framework should be implemented with an eye toward ensuring the maintenance of high standards of availability, authenticity, integrity, and confidentiality of data.

Reporting of major ICT-related incidents and notifying stakeholders

Should an ICT incident occur, organizations should have an ICT-related incident management process in place to detect and manage it and to notify relevant stakeholders. Such a process, whose procedures include identifying, tracking, logging, categorizing, and classifying ICT-related incidents according to their priority and severity and the criticality of the services impacted, will help to ensure that root causes are identified, documented, and addressed so that such incidents do not recur.

Digital operational resilience testing

Those processes must be tested, though. And the testing regime for digital operational resilience, inclusive of a range of assessments, tests, methodologies, practices, and tools, such as operational resilience management software, should be robust. As an integral part of the ICT risk management framework, the testing program should be able to assess preparedness for handling ICT-related incidents, to identify weaknesses, deficiencies, and gaps in digital operational resilience, and to prompt the implementation of corrective measures.

Sound management of ICT third-party risk

The increase in risk arising from ICT third-party service providers or their subcontractors is a key reason why digital operational resilience is needed. But how to manage such risk? For starters, businesses should have in place contractual arrangements for the use of ICT services to run their business operations.

Businesses ought also to have a strategy on ICT third-party risk that includes a policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers. Senior leadership, for its part, should regularly review the risks identified in contractual arrangements for ICT services that support critical or important functions, basing that review on an assessment of the organization’s overall risk profile and on the scale and complexity of its business services.

Sound like overkill? Those measures don’t even scratch the surface of what’s needed to ensure digital operational resilience and to comply with major digital operational resilience regulations like the Digital Operational Resilience Act (DORA). What will? Download our Guide to the Digital Operational Resilience Act to find out.