Published November 29, 2023
Operational resilience refers to the ability of a firm to deliver operations, including critical operations and core business lines, through a disruption from any hazard. What safeguards are needed to mitigate cyber threats and other forms of ICT (information-communication-technology) risk, specifically? That’s where digital operational resilience comes into play.
What’s digital operational resilience? An aspect of operational resilience, digital operational resilience refers to the ability of a business to build, assure, and review its operational integrity and reliability.
Digital operational resilience is secured and maintained when a business boasts the full range of ICT-related capabilities needed to address the security of those network and information systems that support the continued provision of a business’ services and their quality even through disruption.
Why the focus on ICT risk in the first place, though? Well, it’s ICT risk that’s increased exponentially in the last few years, particularly with the disruptions introduced by pandemic-era policies, such as remote work.
Not only have ICT risk vectors multiplied, but individual risk vectors themselves have also become more serious.
Indeed, there are any number of reasonably identifiable circumstances that, if they materialized, would produce adverse effects in the digital or physical environment and seriously compromise the security of network and information systems, of any technology-dependent tool or process, of operations and processes, and of the provision of services.
Traditional ICT risks[i] include:
Should any of these threats materialize, they are liable to become ICT-related incidents.
Of course, ICT-related incidents can be single events or entire series of linked, unplanned events. To be classed as an incident, the event must (1) compromise the security of the network and information systems and (2) adversely impact the availability, authenticity, integrity, or confidentiality of data or of the services provided.
If such an event is sufficiently serious, it becomes a major ICT-related incident: one that has had a highly adverse impact on the network and information systems that support critical or important functions of the financial entity.
The promotion of digital operational resilience is meant to mitigate ICT risk, either preventing ICT-related incidents from happening in the first place or attenuating their effects, should they take place.
But beyond mitigating ICT risk, what are the other benefits of digital operational resilience?
The key benefits include:
If major policymakers and regulators are mandating digital operational resilience, the question then is how individual organizations achieve and maintain it to ensure compliance. This is a thorny question.
Digital operational resilience is highly site-specific. However, there are certain generic steps that the statutes themselves refer to. The following guide provides a primer on the steps needed to develop such a digital operational resilience capability.
As noted, entities must mitigate ICT risk to ensure digital operational resilience.
To address ICT risk, like risk more broadly, businesses should consider putting in place an internal governance and control framework to ensure its effective and prudent management.
Tasked with developing, maintaining, and updating such a framework would be the management body of the business.
And here, specific duties delegated to that body might include:
A further requirement might also include keeping up to date with sufficient knowledge and skills to understand and assess ICT risk and its impact on operations, including by following specific training on a regular basis – with that training being commensurate to the ICT risk being managed.
The business should also establish a role to monitor the arrangements concluded with ICT third-party service providers on the use of ICT services, or designate a member of senior management as responsible for overseeing the related risk exposure and relevant documentation (more on ICT third-party risk later).
What if an ICT incident should occur anyway? Firms will require incident reporting and notification protocols to ensure appropriate stakeholders are kept abreast of relevant information, either for statutory, contractual, operational, or reputational reasons.
What might some of these protocols look like? Relevant protocols include:
Regulators for their part have also mandated specific protocols for external reporting. Some of those requirements include:
Of course, these protocols must all be tested to ensure they will hold up during an ICT-related incident. And so, it should be incumbent on businesses to establish, maintain, and review a sound and comprehensive digital operational resilience testing program.
That program, including a range of applicable assessments, tests, methodologies, practices, and tools, will become an integral part of the larger ICT risk-management framework, for the purpose of assessing preparedness for handling ICT related incidents, as well as identifying weaknesses, deficiencies, and gaps in digital operational resilience, and of promptly implementing corrective measures.
What else should be involved in the testing program? Best practice dictates the program should check the following boxes:
The rationale behind increasing attention on digital operational resilience stems from the clear emergence of ICT third-party risk as a key threat vector and challenge to digital operational resilience. But what is ICT third-party risk, exactly?
ICT third-party risk refers to ICT risk arising from ICT services provided by ICT third-party service providers or their subcontractors. How can firms tamp down on such risk while continuing to receive the productivity gains that come from such arrangements?
For starters, companies should manage their ICT third-party risk as an integral component of ICT risk within the entity's ICT risk management framework. In practical terms, that means a firm that enters contractual arrangements for the use of ICT services to run its business operations remains fully responsible for compliance with, and the discharge of, all internal and external obligations.
Firms should also adopt and regularly review a strategy on ICT third-party risk, as part of their ICT risk management framework, with a view to a multi-vendor strategy. The strategy on ICT third-party risk should also include a policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers and should apply on an individual basis and, where relevant, on a sub-consolidated and consolidated basis.
For its part, senior management should regularly review the risks identified in respect to contractual arrangements on the use of ICT services supporting critical or important functions, on the basis of an assessment of the overall risk profile of the firm and the scale and complexity of its business services.
Due diligence is also critical. And so, before entering a contractual arrangement on the use of ICT services, entities should:
Finally, firms should have exit contingencies. Contractual arrangements should be terminated in the following circumstances:
The remaining question is how. How exactly to implement a robust digital operational resilience program at your firm in a timely manner? For this task, digital resilience management technology is recommended.
Indeed, an integrated digital solution will cover all aspects of digital resilience management, including incident and crisis management, situational awareness, business continuity, risk and compliance, security operations, and threat intelligence. But what are the specific capabilities to consider?
They include:
In closing, digital operational resilience has become more important than ever, given the escalating risk arising from dependence on third-party providers. However, up to this point, few firms have gotten serious.
Targeted regulation like DORA will help spur change. But firms shouldn’t wait for regulators to enhance their digital operational resilience capabilities. They should begin today, implementing many of the steps outlined in this guide and procuring the right resilience management platform.
Should they not, a major ICT-related incident awaits, with potentially catastrophic financial, operational, and reputational effects. Fortunately, digital operational resilience measures will have the effect of building threat intelligence to mitigate such risk. Not just that, digital operational resilience can also ensure proactive decision making, which can have its own positive ROI for businesses as they better understand their digital environment and that of critical partners.
[i] Business Queensland: Managing information technology risk. Available at https://www.business.qld.gov.au/running-business/digital-business/online risksecurity/risk#:~:text=IT%20risks%20include%20hardware%20and,the%20types%20of%20IT%20risks