So, what is operational resilience?
At its most basic, operational resilience is simply your business’ ability to adapt to (remain resilient during) times of uncertainty and stress.
Operational resilience initiatives expand upon the traditional complement of business continuity management programs, focusing on the impacts, connected risk appetite, and tolerance levels for disruption of product or service delivery to internal and external stakeholders. Sounds pretty prosaic when you put it like that. So, why are regulators interested?
Operational resilience tracks systemic risk
It’s all about the implied stakeholders in an operational resilience initiative. Who are they? Well, like in business continuity management, stakeholders can include employees, customers, partners, and yes, even citizens.
Industry regulators have leaned on the public dimension of operational resilience to increase oversight over businesses under their purview. The rationale being: threat levels are increasing in the risk domains across which operational resilience initiatives coordinate management. Those domains tend to include:
- Cyber Security
- Physical Security
- Environment, Health, and Safety
- Continuity of Operations
It’s hard to say regulators are wrong. Most indicators point to increased levels of risk in each of those domains. The pandemic alone has increased health and safety risk precipitously. A knock-on effect has been the rising number of cyber attacks.
Even before the pandemic, certain operational threat levels, such as the risk of digital outages, were believed to have increased to such a degree that they posed risk to macroeconomic systems and citizens. It was that increase in risk that forced regulators to act to shore up the integrity of regulated systems.
What sort of operational resilience proposals are out there?
One of the biggest operational resilience initiatives came out of the financial sector. In the U.K., financial regulators noted accumulating risk triggers like a hostile cyber environment, technical innovation, increased system complexity, and changing mobile behaviours.
The accumulation of those triggers made disruption likelier – disruption at the firm level which might have a cascading effect on the financial system as a whole.
The subsequent actions taken by the Bank of England (BoE), Prudential Regulatory Authority (PRA), and Financial Conduct Authority (FCA) might give industry actors not just in global finance but also in other sectors a hint as to what future operational resilience regulations might look like. The preview might even be beneficial for firms looking to expedite (anticipated) compliance.
Proposals in this space tend to be more generic than prescriptive. In the main, they set out to have regulated firms meet the following objectives:
- Prioritise the things that matter, i.e., critical business services
- Set clear, internal standards for operational resilience, i.e., maximum allowable levels of disruption, including time limits within which the firm will be able to resume the delivery of important business services following a disruption
- Invest in building resilience, e.g., contingency arrangements to ensure that a firm’s important business services can remain within impact tolerances
Following, the authorities define important business services, as activities provided by a firm to an external end user or participant whose disruption could cause the following: intolerable harm to consumers or market participants, harm to market integrity, a threat to policyholder protection, financial instability.
And to ensure that an important business service remains within its impact tolerance, firms are asked to understand the totality of how the service is delivered and how it can be disrupted.
Identifying and documenting the resources required to deliver an important business service within its impact tolerance calls for comprehensive mapping, which will facilitate scenario testing as well as help firms identify existing vulnerabilities (to correct). According to proposals, mapping, already a business-continuity best practice, will become a firm requirement in addition to scenario testing.
How to comply with Operational Resilience proposals
So, how to comply? The requirement to identify critical business services, in particular, calls for firms to perform business impact analyses to determine prioritised resilience activities for each important business service. Business continuity management software can help expedite the process. But it also helps to avoid the pitfalls that make the process so laborious in the first place. To get a better sense of those, download our free Guide to Pragmatic Business Impact Analysis (BIA):