What Is Operational Resilience?
And why does Operational Resilience matter?
You may have heard the terms 'operational resilience' and 'business continuity' used fairly interchangeably, but there are distinct differences between the two practice areas; check out this article for a breakdown. You can also read a quick overview of organizational resilience here.
Operational resilience, in the wake of COVID and related crises, has emerged as a key corporate objective. Despite its rapid uptick in popularity, though, operational resilience isn’t well understood, sometimes even by those responsible for managing their organization’s operational resilience programs.
So, what is operational resilience, anyway?
The Bank of England (BoE), a central bank and key financial services regulator, answers the question "what is operational resilience?" as follows: the ability of firms, and the financial sector as a whole, to absorb and adapt to shocks and disruptions, rather than contribute to them.
Although specific, this definition extends the purview of the field beyond that of business continuity and disaster recovery.
This latter point is taken up in the Gartner definition of operational resilience.
Gartner defines operational resilience as initiatives that expand business continuity management programs to focus on the impacts, connected risk appetite, and tolerance levels for disruption of product or service delivery to internal and external stakeholders, e.g., employees, customers, citizens, and partners.
The resilience-related initiatives in question coordinate the management of risk assessments, risk monitoring, and execution of controls that impact workforce, processes, facilities, technology, and third parties across the following risk domains used in the business delivery and value realization process:
- Security (cyber and physical)
- Continuity of operations
Why is operational resilience important to your business?
These definitions of operational resilience also hint at its importance for businesses. Indeed, there are many benefits to running an operational resilience program.
These are the specific reasons why operational resilience is important to your business:
Operational resilience programs cut down risks to service-delivery dependencies
As noted, the number of service-delivery dependencies a given company has keeps increasing. By providing visibility into those dependencies, operational resilience serves to cut down risk.
Operational resilience programs highlight the number of outsourced service providers
Similarly, outsourced services are on the rise, particularly cloud-related services. Operational resilience brings visibility to these providers in the context of service delivery, which serves to mitigate risk.
Operational resilience programs mitigate cyber and ransomware risks
What kind of risk? Outsourced service providers, most likely being digital, incur cyber and ransomware risk. By highlighting these vulnerabilities, operational resilience forces companies to act to ensure cyber risk has been mitigated. The same applies to digital services that have not been outsourced.
Operational resilience programs help companies address the risk that’s arisen from operating in different environments
As noted, the pandemic has precipitated stark changes in the way businesses interact with technology, customers, and their own employees. These changes can invite new risks. Operational resilience, by uncovering these risks, can help companies address new threats.
The rise in operational resilience regulations
Another major factor in the rising salience of operational resilience is the sharp uptick in operational resilience-related regulations. Again, the BoE stands out as one of the first major regulators to mandate operational resilience standards.
What’s more, the regulatory path paved by the BoE has been taken up by other national and supranational regulators, as well.
The Australian Prudential Regulation Authority (APRA) released draft Prudential Standard CPS 230, focusing on operational risk management. The U.S. Federal Reserve released a joint regulatory paper on Sound Practices to Strengthen Operational Resilience. And in the EU, the Digital Operational Resilience Act (DORA) seeks to align the approach to managing ICT and cyber risk in the financial sector across all EU member states.
By and large, these policies, regulations, and proposals seek to uplevel the capacity for operational resilience of individual firms, so that no firm can pose a systemic risk to the wider business sector.
However, there’s no reason to believe that these regulations will remain cloistered in financial services. Organizations, irrespective of their industry, are likely to see some form of operational resilience regulation come their way.
And if they don’t? Well, businesses should strive to uplevel their own operational resilience capabilities to protect the bottom line against manifold disruption threats.
How to do so? For starters, resilience management software that integrates both business continuity and crisis management can help implement best practices in the field.
What’s the difference between operational resilience and organizational resilience?
But it’s important to note, here, that operational resilience and organizational resilience are distinct fields.
Organizational resilience deals more broadly with the ability of an enterprise to absorb change and adapt to a new environment. For more information on organizational resilience, check out this article.
On the other hand, operational resilience, as we’ve laid out, relates to initiatives that expand business continuity management programs to focus on the impacts, connected risk appetite, and tolerance levels for disruption of product or service delivery to internal and external stakeholders.
Organizations ought to know what best practices are for each field. What are they for operational resilience? Download our Introductory Guide to Operational Resilience to find out.