Fill in the form below and we will contact you shortly to organised your personalised demonstration of the Noggin platform.
An integrated resilience workspace that seamlessly integrates 10 core solutions into one, easy-to-use software platform.
The world's leading integrated resilience workspace for risk and business continuity management, operational resilience, incident & crisis management, and security & safety operations.
Explore Noggin's integrated resilience software, purpose-built for any industry.
Business Continuity Management
Published November 9 ,2023
Money (or budget) doesn’t grow on trees. And in challenging economic times like these, department heads will be asked to justify their budgets – not just financial outlays, either, but time expended, as well.
This goes double for relatively new departments or capabilities, such as Operational Resilience. These programs likely haven’t been up and running for sufficient time to have secured deep C-suite and/or Board commitments.
So, when decisions must be made, how does Operational Resilience stay off the chopping block? The short answer is show your ROI.
How to go about determining the ROI of operational resilience? Let’s start with a resonant example.
Medibank is one of Australia’s largest private health insurers. In October of 2022, the insurer detected unusual activity on its internal systems, in what would soon become one of the top crises of the last 12 months. It subsequently announced that it lacked evidence to suggest that customer data had been accessed.
Fast forward to a few days later, and the insurer was approached by a third party aiming to negotiate with the company based on claims that they had illegally removed customer data. These claims were soon confirmed, bolstering the validity of the initial threat to release the data of high-profile customers if ransom demands weren’t met.
Medibank refused, backed by expert advice that there was little chance that the company would get the stolen data back even if it paid the ransom.
Meanwhile, investigative journalists working on the story soon alleged that the breach itself was the result of hackers gaining access to Medibank’s internal systems. Journalists claimed that these systems were accessed via compromised login credentials.
How many records were ultimately compromised? Medibank revealed that the data of 9.7 million past and present customers had been accessed. Data included email addresses, phone numbers, addresses, Medicare numbers, names, dates of birth, passport numbers, and visa details, as well as the private medical information for 192,000 customers, e.g., where customers were admitted for procedures, service provider names, and locations and codes associated with diagnosis and procedures given.
Those documents would soon be released, as the hacker, linked to a Russian cyber gang, published a “good-list” and “naughty-list” of customer data files on the dark web. The Australian Federal Police, in turn, partnered with Commonwealth agencies and the Five Eyes Law Enforcement partners to investigate.
For Medibank, though, the damage had been done. The nation’s prudential regulator, APRA (Australian Prudential Regulation Authority) took the extraordinary step of imposing an AUD 250 million increase in Medibank’s capital adequacy requirement.
The regulator claims these new requirements reflect weaknesses identified in Medibank’s information security environment. That’s not all. Medibank now faces its fourth class-action lawsuit over the cyberattack, as well.
Think that’s bad. If Medibank suffered a significant service disruption, the insurer could have lost USD 10,000 per hour, according to industry datai. Financially ruinous for many companies, but a reality for the one in two companies that have experienced an extended break in continuityii .
What does this have to do with operational resilience?
In this case, the ROI of operational resilience would have been the penalties and sanctions avoided for remaining in compliance with regulatory strictures. And that’s because operational resilience itself is the capability that ensures companies don’t suffer disruptions and adverse consequences from those disruptions.
Operational resilienceiii, here, refers to initiatives meant to expand business continuity management programs with an effort toward focus on impacts, connected risk appetite, and tolerance levels for disruption of product or service delivery to internal and external stakeholders, e.g., such as employees, customers, citizens, and partners.
The Bank of England (BoE), one of the premier operational resilience regulators, defines operational resilience as “the ability of firms, and the financial sector as a whole [over which the BoE regulates], to absorb and adapt to shocks and disruptions, rather than contribute to them”iv.
In that regard, operational resilience goes far beyond business continuity and disaster recovery. And so, for companies to be resilient, they must “have robust plans in place to deliver essential services, no matter what the cause of the disruption”v.
Potential threats firms must prepare for include:
Man-made threats, e.g., physical and cyber attacks
IT system outages
Third-party supplier failure
Natural hazards, e.g., fire, flood, severe weather, and pandemic
So, how to ensure operational resilience through ROI-enhancing protocols?
Financial regulators, such as the BoE, have put forth frameworks detailing what it means to be operationally resilient for the sake of regulatory compliance.
At a glance, regulators require firms to:
Identify important business services. Boards and senior management must identify and prioritize services that, if disrupted, would impact objectives and the public interest.
Set impact tolerances. Firms must say to what extent they would be able to continue important business services following severe but plausible disruptions.
Ensure they can remain within impact tolerances. Firms must map their important business services and test their capacity to continue them to the agreed extent. Where firms identify vulnerabilities which might stop them from remaining within impact tolerances, these should be addressed.
In this respect, though, regulators are seeking to establish a floor.
To enhance ROI, though, businesses, facing stiff resilience challenges in this era of compounding crisis, should strive to reach the ceiling. That means implementing context-specific, operational resilience best practices – not just complying with the letter of regulators but their spirit.
Again, the entire framework propounded by financial services regulators is a good place to start, even for companies outside of the financial services space. The point of this resilience framework is (1) to enable firms to prevent disruption from occurring; (2) barring that to enable firms to return to normal running promptly when a disruption, (3) as well as and learn and evolve from both incidents and near misses.
To do so, systems and processes must first be adopted, to ensure firms can continue to provide services and functions in the event of an incident.
How to go about it? ROI-enhancing operational resilience frameworks encompass four crucial areas:
Governance
Operational risk management
Business continuity planning
Management of outsourced relationships
The subsequent guide will touch on each briefly.
When it comes to governance, Boards are responsible for prioritizing the investment and cultural change required to improve operational resilience.
It’s also the Board’s responsibility to approve the identification of their firm’s important business services, impact tolerances, and self-assessment.
What other responsibilities do Board’s have in ensuring operational resilience? Boards are expected to:
Have appropriate management information available to inform decisions which have consequences for operational resilience
Have adequate knowledge, skills, and experience in order to provide constructive challenge to senior management and meet their oversight responsibilities in relation to operational resilience
Articulate and maintain a culture of risk awareness and ethical behavior for the entire organization, which influences the firm’s operational resilience
Per best-practice guidance, firms are encouraged to have effective risk management systems in place to manage threats that are integrated into their organizational structures and decision-making processes.
That means striving to reduce the likelihood that operational incidents will occur, and if they do, firms can limit losses.
Regulators, here, are often looking to see that firms have taken the public interest into consideration when building operational resilience policies. To do so, firms must take action to provide important (or critical) business services withing impact tolerances even through severe but plausible disruptions.
Firms able to remain within their impact tolerances increase their capability to survive severe but plausible disruptions. However, risk appetites are likely to be exceeded in these scenarios.
What’s more, impact tolerances are set only in relation to impact on financial stability, the firm’s safety, its soundness, and (in some cases) the appropriate degree of policyholder protection.
Setting impact tolerances alone won’t ensure operational resilience.
In fact, many regulators are likely already requiring adequate contingency and business continuity plans, with the aim of ensuring that in the case of a severe business disruption a firm is able to operate on an ongoing basis.
Other best practices include:
Setting recovery priorities for operations, prioritizing the delivery of important business services within impact tolerances
Allocating resources and communications planning for business continuity planning focusing on the delivery of important business services
Testing business continuity plans, complemented by the testing of disruption scenarios in relation to impact tolerances
Best-practice operational resilience policies will also consider outsourcing. Firms should remain responsible for their obligations even when those functions are outsourced to third parties.
How then can firms avoid compromising the delivering of important business services within impact tolerances when those services are being delivered wholly or partly by third parties?
The main measure, here, is the maintenance of an explicit, Board-approved policy relating to outsourcing arrangements involving material business activities.
That policy should include (1) sufficient monitoring processes to manage the outsourcing of material business activities as well as (2) legally-binding agreements with third parties.
Firms might also consider, when not required, consulting with regulators prior to entering into agreements to outsource material business activities to service providers as well as notifying regulators after entering into agreements to outsource material business activities.
ROI-enhancing best-practices don’t just implement themselves, though. Organizations looking to become operationally resilient will need to invest in the appropriate resilience management software platforms, as well.
What should the platform do?
Well, operational resilience challenges tend to be highly site-specific, dictating the measures needed to address them. The platform itself should therefore enable agility in the implementation of operational resilience programs, plans, and projects, to enable greater self-management, self-improvement, and commitment to obtaining results.
Many organizations think they have such solutions in place already. Only problem is that they have multiple, often duplicative solutions, eating away at ROI and breeding lack of familiarity among staffers who must address disruptions.
What should they do, instead?
Organizations should look to replace the multiple systems they currently use to manage various aspects of the resilience conundrum (e.g., point solutions, manual go-arounds, legacy platforms, etc.).
With what, though?
Firms should consider a comprehensive resilience workspace that not only manages the interrelated fields of business continuity and resilience management but also their intricately related solution areas: work safety, operational security, emergency and disaster management, incident management, and risk.
Only these platforms will help organizations remain adaptable to the volatile business environment by expanding into new areas of operation seamlessly while still managing a wholly integrated operational resilience management program on a common information foundation.
Here are the other ROI-enhancing capabilities firms should be looking for in their consolidated resilience management platforms:
Given the extent of the resilience challenge, customers need to get up and running quickly. However, poor configurability stands in the way.
Here, firms should look for platforms featuring no-code designer tools that will allow them to create or modify their respective workspaces without a single line of code.
For increased agility, responsive user interface will enable organizations to design forms and workspaces once and then to access the same information and features across desktop, tablet, and mobile.
Organizations should also seek out platforms that make the lives of their principal users easier. That means access to powerful workflow engines to automate operational resilience processes, by building site-specific workflows that include notifications, business rules, approvals, and much more.
The BIA remains a mainstay of the resilience process. And so, resilience management platforms should help forward-looking Managers to make that mainstay more agile, as well.
That they can do with digital capabilities that make the BIA process as simple and efficient as possibility to promote greater usability across the entire organization.
What would that look like? BIA-specific dashboards should boast easy step-by-step guides to help navigate stakeholders through the process.
When customers need to develop their resilience place, all the data they have previously entered into the platform should seamlessly come together, so that Managers don’t have to go sifting through documents to find the data they need.
The resultant plans must be exercised, though. To that end, consolidated resilience software should feature exercise dashboards that guide users and their teams through each stage of an exercise, ensuring everyone understands what needs to be completed and when.
From there, the platform’s automation capabilities should ensure the correct teams and/or personnel are invited to participate in the exercise and receive regular updates via automated notifications throughout the exercise.
Once the exercise is activated, all users should be able to see what type of exercise is being completed. And based upon the affected assets/activities, the recovery strategies required for the affected assets will automatically be populated for the team.
Personalized user workspaces, like exercise management functionality, should also enable the self-management, accountability, and agile response needed to address resilience challenges. How so?
Workspaces should allow users to visualize outstanding tasks that have been assigned to them, as well as any checklist actions items which still need to be actioned as part of the exercise or incident response.
Users should also be able to visualize relevant BIA activity, such as the owner, which BIAs they are involved in, as well as any outstanding BIA recommendations they need to action, and/or reports that require their approval. What’s more, users should also be able to see any incidents or exercises they are involved in, as well as any outstanding improvements from incidents or exercises that they need to action.
Finally, what’s the ROI of Operational Resilience? Just ask companies who’ve suffered major disruptions what their financial, reputational, and other non-monetary setbacks were. These often-prodigious numbers give one a sense of what the value of an Operational Resilience program is.
Want to realize that value? Then you will need to invest in the appropriate integrated resilience management platform. Likely to pay for itself, that solution will provide a comprehensive and holistic approach to resilience, facilitate crucial collaboration and coordination, unlock critical insights, keep stakeholders informed, and streamline essential workflows for planning and response.
i. Data available at Dale Shulmistra, Invenio IT: 23 Business Continuity Statistics You Need to Know. Available at https://invenioit.com/continuity/ business-continuity-statistics/.
ii. Ibid.
iii. Gartner, Gartner Glossary: Operational Resilience. Available at https://www.gartner.com/en/information-technology/glossary/operational-resilience.
iv. Bank of England, Operational resilience of the financial sector. Available at https://www.bankofengland.co.uk/financial-stability/operational-resilienceof-the-financial-sector
v. Ibid.