Whitepaper

Guide to Digital Operational Resilience and the Software Capabilities Needed to Achieve It

Noggin

Business Continuity Management

Published November 29, 2023

What is digital operational resilience?

Operational resilience refers to the ability of a firm to deliver operations, including critical operations and core business lines, through a disruption from any hazard. What safeguards are needed to mitigate cyber threats and other forms of ICT (information-communication-technology) risk, specifically? That’s where digital operational resilience comes into play.

What’s digital operational resilience? An aspect of operational resilience, digital operational resilience refers to the ability of a business to build, assure, and review its operational integrity and reliability. 

Digital operational resilience is secured and maintained when a business boasts the full range of ICT-related capabilities needed to address the security of those network and information systems that support the continued provision of a business’ services and their quality even through disruption.

Why is digital operational resilience needed?

Why the focus on ICT risk in the first place, though? Well, it’s ICT risk that’s increased exponentially in the last few years, particularly with the disruptions introduced by pandemic-era policies, such as remote work.

Not only have ICT risk vectors multiplied, but individual risk vectors themselves have also become more serious.

Indeed, there are any number of reasonably identifiable circumstances that, if they materialized, would produce adverse effects in the digital or physical environment and seriously compromise the security of the network and information systems, of any technology-dependent tool or process, of operations and processes, and of the provision of services.

Traditional ICT risks [i] include:

  • Hardware and software failure
  • Human error
  • Spam
  • Viruses and malicious attacks
  • Natural disasters, e.g., fires, severe storms, and/or floods

Should any of these threats materialize, they are liable to become ICT-related incidents.

Of course, ICT-related incidents can be single events or entire series of linked, unplanned events. To be classed an incident, the event must (1) compromise the security of the network and information systems as well as (2) adversely impact the availability, authenticity, integrity, or confidentiality of data or of services provided.

If such an event is sufficiently serious, it becomes a major ICT-related incident. That means the incident has had a highly adverse impact on the network and information systems that support critical or important functions of the financial entity.

The benefits of digital operational resilience

The promotion of digital operational resilience is meant to mitigate ICT risk, either preventing ICT-related incidents from happening in the first place or attenuating their effects, should they take place.

But beyond mitigating ICT risk, what are the other benefits of digital operational resilience?

The key benefits include:

  • Digital operational resilience helps build threat intelligence. A major part of being operationally resilient is having information that has been aggregated, transformed, analyzed, interpreted, and/or enriched. That type of information is called threat intelligence. What’s one of the benefits of threat intelligence? Well, threat intelligence helps to provide the necessary context for decision-making and to enable relevant and sufficient understanding to mitigate the impact of an ICT-related incident or of a cyber threat.
  • Digital operational resilience enables proactive decision making. To put a finer point on it, digital operational resilience, achieved through effective threat intelligence, makes relevant information available to decision makers in a timely manner. High-quality information made available in real time helps to facilitate proactive decision making during a disruption.
  • Digital operational resilience mitigates the risks coming from service-delivery dependencies. Much ICT risk comes from third parties. Ensuring your digital environment is operationally resilient means addressing these key service-delivery dependencies. By providing visibility into these dependencies, as digital operational resilience exercises seek to do, that key risk vector is mitigated.
  • Digital operational resilience ensures compliance. Individual organizations aren’t the only actors with an interest in ensuring digital operational resilience. So, too, do regulators, particularly in the financial services sector. Indeed, major regulators have already issued policies addressing digital operational resilience, with the EU’s Digital Operational Resilience Act (DORA) being the latest example. 

How to achieve digital operational resilience

If major policymakers and regulators are mandating digital operational resilience, the question then is how individual organizations achieve and maintain it in order to ensure compliance. This is a thorny question.

Digital operational resilience is highly site-specific. However, there are certain generic steps that the statutes themselves refer to. The following guide provides a primer on the steps needed to develop such a digital operational resilience capability.

ICT risk management. 

As noted, entities must mitigate ICT risk to ensure digital operational resilience.

To address ICT risk, like risk more broadly, businesses should consider putting in place an internal governance and control framework to ensure its effective and prudent management.

Tasked with developing, maintaining, and updating such a framework would be the management body of the business. 

And here, specific duties delegated to that body might include:

  • Put in place policies that aim to ensure the maintenance of high standards of availability, authenticity, integrity, and confidentiality of data
  • Set clear roles and responsibilities for all ICT-related functions and establish appropriate governance arrangements to ensure effective and timely communication, cooperation, and coordination among those functions
  • Bear the overall responsibility for setting and approving the digital operational resilience strategy, including the determination of the appropriate risk tolerance level of ICT risk of the entity
  • Approve, oversee, and periodically review the implementation of the entity’s ICT business continuity policy and ICT response and recovery plans, which may be adopted as a dedicated specific policy forming an integral part of the entity’s overall business continuity policy and response and recovery plan
  • Approve and periodically review the entity’s ICT internal audit plans, ICT audits, and material modifications to them
  • Allocate and periodically review the appropriate budget to fulfil the entity’s digital operational resilience needs with respect to all types of resources, including relevant ICT security awareness programs and digital operational resilience training and ICT skills for all staff
  • Approve and periodically review the entity’s policy on arrangements regarding the use of ICT services provided by ICT third-party service providers

A further requirement might also include keeping up to date with sufficient knowledge and skills to understand and assess ICT risk and its impact on operations, including by following specific training on a regular basis – with that training being commensurate to the ICT risk being managed.

The business should also establish a role to monitor the arrangements concluded with ICT third-party service providers on the use of ICT services, or designate a member of senior management as responsible for overseeing the related risk exposure and relevant documentation (more on ICT third-party risk later).

ICT-related incident reporting and notification. 

What if an ICT incident should occur anyway? Firms will require incident reporting and notification protocols to ensure appropriate stakeholders are kept abreast of relevant information, either for statutory, contractual, operational, or reputational reasons.

What might some of these protocols look like? Relevant protocols include:

  • Early warning indicators
  • Procedures to identify, track, log, categorize, and classify ICT-related incidents according to priority and severity and the criticality of the services impacted
  • Roles and responsibilities that need to be activated for different ICT-related incident types and scenarios
  • Plans for communication to staff, external stakeholders, and media and for notification to clients, for internal escalation procedures, including ICT-related customer complaints, as well as for the provision of information to entities that act as counterparts
  • Reporting of at least major ICT-related incidents to relevant senior management and the management body with explanation of the impact, response, and additional controls needed to be established as a result of the incident
  • ICT-related incident response procedures to mitigate impacts and ensure that services become operational and secure in a timely manner

Regulators for their part have also mandated specific protocols for external reporting. Some of those requirements include:

  • Define, establish, and implement an ICT-related incident management process to detect, manage, and notify ICT-related incidents
  • Record all ICT-related incidents and significant cyber threats
  • Establish appropriate procedures and processes to ensure a consistent and integrated monitoring, handling, and follow-up of ICT-related incidents, to ensure that root causes are identified, documented, and addressed to prevent the occurrence of such incidents

Digital operational resilience testing. 

Of course, these protocols must all be tested to ensure they will hold up during an ICT-related incident. And so, it should be incumbent on businesses to establish, maintain, and review a sound and comprehensive digital operational resilience testing program. 

That program, including a range of applicable assessments, tests, methodologies, practices, and tools, will become an integral part of the larger ICT risk-management framework, for the purpose of assessing preparedness for handling ICT related incidents, as well as identifying weaknesses, deficiencies, and gaps in digital operational resilience, and of promptly implementing corrective measures.

What else should be involved in the testing program? Best practice dictates the program should check the following boxes:

  • Follow a risk-based approach duly considering the evolving landscape of ICT risk, any specific risks to which the organization concerned is or might be exposed, the criticality of information assets and of services provided, as well as any other factor the business deems appropriate
  • Ensure that tests are undertaken by independent parties, whether internal or external
  • Establish procedures and policies to prioritize, classify, and remedy all issues revealed throughout the performance of the tests and shall establish internal validation methodologies to ascertain that all identified weaknesses, deficiencies, or gaps are fully addressed
  • Ensure, at least yearly, that appropriate tests are conducted on all ICT systems and applications supporting critical or important functions

ICT third-party risk management. 

The rationale behind increasing attention on digital operational resilience stems from the clear emergence of ICT third-party risk as a key threat vector and challenge to digital operational resilience. But what is ICT third-party risk, exactly?

ICT third-party risk refers to ICT risk arising from ICT services provided by ICT third-party service providers or their subcontractors. How can firms tamp down on such risk while continuing to receive the productivity gains that come from such arrangements?

For starters, companies should manage their ICT third-party risk as an integral component of ICT risk within the entity’s ICT risk management framework. In practical terms, that means an entity that has contractual arrangements for the use of ICT services to run its business operations remains fully responsible for compliance with, and the discharge of, all internal and external obligations.

Firms should also adopt and regularly review a strategy on ICT third-party risk, as part of their ICT risk management framework, with a view to a multi-vendor strategy. The strategy on ICT third-party risk should also include a policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers and should apply on an individual basis and, where relevant, on a sub-consolidated and consolidated basis. 

For its part, senior management should regularly review the risks identified in respect to contractual arrangements on the use of ICT services supporting critical or important functions, on the basis of an assessment of the overall risk profile of the firm and the scale and complexity of its business services.

Due diligence is also critical. And so, before entering a contractual arrangement on the use of ICT services, entities should:

  • Assess whether the contractual arrangement covers the use of ICT services supporting a critical or important function
  • Assess if supervisory conditions for contracting are met
  • Identify and assess all relevant risks in relation to the contractual arrangement, including the possibility that such contractual arrangement may contribute to reinforcing ICT concentration risk 
  • Undertake all due diligence on prospective ICT third-party service providers and ensure throughout the selection and assessment processes that the ICT third-party service provider is suitable
  • Identify and assess conflicts of interest that the contractual arrangement may cause.

Finally, firms should have exit contingencies. Contractual arrangements should be terminated in the following circumstances:

  • Significant breach by the ICT third-party service provider of applicable laws, regulations, or contractual terms
  • Circumstances identified throughout the monitoring of ICT third-party risk that are deemed capable of altering the performance of the functions provided through the contractual arrangement, including material changes that affect the arrangement or the situation of the ICT third-party service provider
  • ICT third-party service provider’s evidenced weaknesses pertaining to its overall ICT risk management and the way it ensures the availability, authenticity, integrity, and confidentiality of data, whether personal or otherwise sensitive data, or non-personal data
  • Where the competent authority can no longer effectively supervise the entity as a result of the conditions of, or circumstances related to, the respective contractual arrangement

Digital technology to help secure and maintain digital operational resilience

The remaining question is how. How exactly to implement a robust digital operational resilience program at your firm in a timely manner? For this task, digital resilience management technology is recommended.

Indeed, an integrated digital solution will cover all aspects of digital resilience management, including incident and crisis management, situational awareness, business continuity, risk and compliance, security operations, and threat intelligence. But what are the specific capabilities to consider?

They include:

  • Automation. Your resilience management platform should also make life easier for you and your team once it is up and running. What is needed to make that happen is a platform with a powerful workflow engine. This engine should allow Resilience and Compliance Managers to automate key resilience tasks by building their own workflows with notifications, business rules, approvals, and much more.
  • Included GRC Module. Get better bang for your buck with a resilience management platform that includes Governance, Risk, & Compliance (GRC) functionality. Why? Besides avoiding redundancy, such a Module will work to manage cyber, emergency, and security threats, risks, and treatments based on industry best-practice guidelines and ISO standards, as well. 

    What should such a Module look like? Well, the Module should enable customers to plan their objectives, set targets, manage all elements of standards’ compliance, as well as schedule and record audits and inspections. Customers should also be able to manage non-compliances and corrective actions to drive continual improvement.
  • Integrations. Besides including a GRC Module, a resilience management platform should also come equipped with a full range of integration options. Indeed, to garner better ROI, the platform should be deliberately architected to play well with other resilience-enhancing technologies.

    It should do so through the easy connection and synchronization of data. In addition, import, export, and API capabilities should help to ensure that customers can always get their data when and where they need it, and that they can plug their own systems (e.g., single sign-on, messaging, and mapping) into the resilience management platform.

In closing, digital operational resilience has become more important than ever, with the escalating risk arising from dependence on third-party providers. However, up to this point, few firms have gotten serious about it.

Targeted regulation like DORA will help spur change. But firms shouldn’t wait for regulators to enhance their digital operational resilience capabilities. They should begin today, implementing many of the steps outlined in this guide and procuring the right resilience management platform. 

Should they not, a major ICT-related incident awaits, with potentially catastrophic financial, operational, and reputational effects. Fortunately, digital operational resilience measures will have the effect of building threat intelligence to mitigate such risk. Not just that, digital operational resilience can also ensure proactive decision making, which can have its own positive ROI for businesses as they better understand their digital environment and that of critical partners. 

Sources

[i] Business Queensland: Managing information technology risk. Available at https://www.business.qld.gov.au/running-business/digital-business/online risksecurity/risk#:~:text=IT%20risks%20include%20hardware%20and,the%20types%20of%20IT%20risks
