Whitepaper

What Is Operational Resilience? And the case for consolidated resilience management software to address operational resilience gaps

Noggin

Business Continuity Management

Published November 24, 2023

You can’t be resilient if you don’t know what resilience means

After an unbroken series of crises, resilience has become a mantra of the business world. The BCI Operational Resilience Report 2022 [i], for instance, found that operational resilience practices have risen in popularity, and quickly.

Now, over three quarters of organizations report either having or developing an operational resilience program. Within tightly regulated sectors (such as finance), adoption numbers are even higher.

Organizations aren’t just being swayed by regulatory mandates. The desire to implement best practices is also driving adoption: nearly three quarters of respondents say they are developing their operational resilience programs in order to follow good practice.

The battle for operational resilience is hardly won, though. Despite their rise in popularity, operational resilience programs themselves are struggling. Why? Too often, it’s because practitioners don’t know what those programs should do. 

What’s going on? According to the survey data, many operational resilience programs over time come to resemble organizational resilience programs, following the ISO 22316 standard as a best-practice prototype. Organizations also admit to confusing operational resilience with “business continuity done well”.

In small organizations particularly, business continuity (BC) professionals are being tasked with overseeing operational resilience. The result: widespread concern that staff don’t have the requisite knowledge and resources to lead the transition to a more strategic and customer-centric operational resilience approach.

That’s not all. Concerns have also cropped up that some practices already implemented might actually harm operational resilience, for instance using the business impact analysis (BIA) exercise to define impact tolerances, which is risky given the different focuses of operational resilience and business continuity (more on that distinction below).

Dedicated staff also admit to finding it difficult to understand, monitor, and manage supply chain risk. Concentration risk (over-reliance on a single supplier, site, or system) is another challenge.

And though adoption is higher in heavily regulated sectors, that adoption often comes with its own issues. Which ones? Meeting regulatory requirements often turns operational resilience into a tick-the-box exercise.

What then can be done to ensure best-practice operational resilience programs flourish in this time of compounding crises and disruption threats?

An introduction to operational resilience

For starters, knowledge is power. Many organizations are lacking that knowledge, failing to understand what operational resilience is and the best practice measures they should implement. 

Operational resilience itself, according to Gartner [ii], refers to initiatives that expand business continuity management programs to focus on the impacts, connected risk appetite, and tolerance levels for disruption of product or service delivery to internal and external stakeholders (such as employees, customers, citizens, and partners).

Meanwhile, the Bank of England (BoE), one of the premier resilience regulators, defines operational resilience as “the ability of firms, and the financial sector as a whole [which the BoE regulates], to absorb and adapt to shocks and disruptions, rather than contribute to them” [iii].

In that regard, operational resilience goes far beyond business continuity and disaster recovery. For companies to be resilient, they must “have robust plans in place to deliver essential services, no matter what the cause of the disruption” [iv].

Potential threats they must prepare for include:

  • Man-made threats, e.g., physical and cyber attacks
  • IT system outages
  • Third-party supplier failure
  • Natural hazards, e.g., fire, flood, severe weather, and pandemic

How to go about getting resilient

The question then turns to how. Financial regulators, such as the BoE, have put forth frameworks detailing what it means to be operationally resilient for the sake of regulatory compliance. 

At a glance, regulators require firms to:

  • Identify important business services. Boards and senior management must identify and prioritize services that, if disrupted, would impact objectives and the public interest.
  • Set impact tolerances. Firms must say to what extent they would be able to continue important business services following severe but plausible disruptions.
  • Ensure they can remain within impact tolerances. Firms must map their important business services and test their capacity to continue them to the agreed extent. Where firms identify vulnerabilities which might stop them from remaining within impact tolerances, these should be addressed.

In this respect, though, regulators are seeking to establish a floor. 

Businesses, facing stiff resilience challenges in this era of compounding crisis, should strive to reach the ceiling. That means implementing context-specific operational resilience best practices, complying not just with the letter of the regulations but with their spirit.

Again, the framework propounded by financial regulators is a good place to start, even for companies outside of the financial services space. The point of this resilience framework is (1) to enable firms to prevent disruption from occurring; (2) failing that, to enable firms to return to normal running promptly after a disruption; and (3) to enable firms to learn and evolve from both incidents and near misses.

To do so, systems and processes must first be adopted, to ensure firms can continue to provide services and functions in the event of an incident. How to go about it? Best-practice operational resilience frameworks encompass four crucial areas:

  • Governance
  • Operational risk management
  • Business continuity planning
  • Management of outsourced relationships

The following sections survey each.

Operational resilience and governance

When it comes to governance, Boards are responsible for prioritizing the investment and cultural change required to improve operational resilience. 

It’s also the Board’s responsibility to approve the identification of the firm’s important business services, its impact tolerances, and its self-assessment (more on these below).

What other responsibilities do Boards have in ensuring operational resilience?

Boards are expected to:

  • Have appropriate management information available to inform decisions which have consequences for operational resilience
  • Have adequate knowledge, skills, and experience in order to provide constructive challenge to senior management and meet their oversight responsibilities in relation to operational resilience
  • Articulate and maintain a culture of risk awareness and ethical behavior for the entire organization, which influences the firm’s operational resilience

Operational risk management, risk appetite, and impact tolerances

Per best-practice guidance, firms are encouraged to have effective risk management systems in place to manage threats that are integrated into their organizational structures and decision-making processes. 

That means striving to reduce the likelihood that operational incidents will occur and, if they do occur, limiting the losses.

Regulators, here, are often looking to see that firms have taken the public interest into consideration when building operational resilience policies. To do so, firms must take action to provide important (or critical) business services within impact tolerances even through severe but plausible disruptions.

But what are impact tolerances? Are they simply a given firm’s appetite for risk?

Not exactly. An impact tolerance assumes that a particular risk has already crystallized, and asks how much disruption to an important business service the firm can bear; risk appetite, by contrast, focuses on the likelihood and impact of operational risks occurring in the first place.

Firms able to remain within their impact tolerances increase their capability to survive severe but plausible disruptions. However, risk appetites are likely to be exceeded in these scenarios.

What’s more, impact tolerances are set only in relation to impact on financial stability, the firm’s safety and soundness, and (in some cases) the appropriate degree of policyholder protection.

Operational resilience, business continuity planning, and outsourcing

Setting impact tolerances alone won’t ensure operational resilience. Business continuity and contingency planning – even though operational resilience isn’t exactly the same as business continuity – come into play, here, as well. 

In fact, many regulators are likely already requiring adequate contingency and business continuity plans, with the aim of ensuring that in the case of a severe business disruption a firm is able to operate on an ongoing basis.

Other best practices include:

  • Setting recovery priorities for operations, prioritizing the delivery of important business services within impact tolerances
  • Allocating resources and communications planning for business continuity planning focusing on the delivery of important business services
  • Testing business continuity plans, complemented by the testing of disruption scenarios in relation to impact tolerances

Best-practice operational resilience policies will also consider outsourcing. Firms should remain responsible for their obligations even when those functions are outsourced to third parties.

How then can firms avoid compromising the delivery of important business services within impact tolerances when those services are being delivered wholly or partly by third parties?

The main measure, here, is the maintenance of an explicit, Board-approved policy relating to outsourcing arrangements involving material business activities. 

That policy should include:

  1. sufficient monitoring processes to manage the outsourcing of material business activities, as well as
  2. legally binding agreements with third parties.

Firms might also consider, even where not required to, consulting with regulators before entering into agreements to outsource material business activities to service providers, and notifying regulators after entering into such agreements.

Become operationally resilient with consolidated resilience management software

Best practices don’t just implement themselves, though. Organizations looking to become operationally resilient will need to invest in an appropriate digital platform, purpose-built for operational resilience.

What should the platform do?

Well, operational resilience challenges tend to be highly site-specific, dictating the measures needed to address them. The platform itself should therefore enable agility in the implementation of operational resilience programs, plans, and projects, to enable greater self-management, self-improvement, and commitment to obtaining results. 

Many organizations think they have such solutions in place already. Only problem is that they have multiple, often duplicative solutions, eating away at ROI and breeding lack of familiarity among staffers who must address disruptions.

What should they do, instead?

Organizations should look to replace the multiple systems they currently use to manage various aspects of the resilience conundrum (e.g., point solutions, manual workarounds, legacy platforms, etc.).

With what, though? 

Firms should consider a comprehensive resilience workspace that not only manages the interrelated fields of business continuity and resilience management but also their intricately related solution areas: work safety, operational security, emergency and disaster management, incident management, and risk.

Only these platforms will help organizations remain adaptable to the volatile business environment by expanding into new areas of operation seamlessly while still managing a wholly integrated operational resilience management program on a common information foundation. 

Business Impact Analysis 

The BIA remains a mainstay of the resilience process. And so, resilience management platforms should help forward-looking Managers to make that mainstay more agile, as well.

They can do that with digital capabilities that make the BIA process as simple and efficient as possible, to promote greater usability across the entire organization.

What would that look like? BIA-specific dashboards should boast easy step-by-step guides to help navigate stakeholders through the process. The dashboards should do the following:

  • Provide a helpful snapshot of the BIA, with key information such as status, due date, and who the owner of the BIA is. 
  • Enable the adding of a new prioritized activity. A simple, intuitive interface should guide team members, highlighting what information needs to be entered, so that users won’t find the process laborious or complicated. 
  • Let users easily visualize which prioritized activities support their key product(s) and services.
  • Automatically calculate each prioritized activity’s MTPD (maximum tolerable period of disruption) for the user, based on the shortest time in the impact assessments at which the impact reaches a critical level.
  • Automatically calculate an asset’s RTO (recovery time objective) as the minimum RTO of the activities that depend on it.
  • Automatically notify prioritized business activity owners whenever the RTO is changed on a business asset their activity depends on.
  • Make it easy to record any recommendations that have arisen as part of the BIA process, i.e., enable Managers to assign recommendations to a specific user, with a due date and priority level, and to specify whether the recommendation is a long- or short-term resolution.
  • Once the BIA process has been completed, make it easy to create a report and send it to the Approver for sign-off. That Approver is notified automatically. Reports themselves can also be given a version number for auditing purposes.
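The MTPD, RTO, and notification rules listed above are simple enough to state precisely. The following is an added example, not Noggin’s code, that models them on a constructed BIA: activities, owners, impact levels, and asset names are all invented, and the 1-to-5 impact scale with “critical” at 4 is an assumption. It also adds the consistency check a practitioner would want before sign-off, namely that an activity’s RTO does not exceed its MTPD.

```python
# Added example (not Noggin's own code): a small model of the BIA calculations
# described above. Activities, assets, owners, and impact levels are constructed.
from dataclasses import dataclass, field
from typing import Optional

CRITICAL = 4  # assumed 1-5 impact scale; 4 or above means an unacceptable impact


@dataclass
class Activity:
    name: str
    owner: str
    rto_hours: float                    # recovery time objective agreed by the owner
    impact_over_time: dict              # constructed assessment: hours disrupted -> impact level
    depends_on: list = field(default_factory=list)  # names of supporting business assets


def mtpd_hours(activity: Activity) -> Optional[float]:
    """MTPD = the shortest assessed disruption at which impact reaches the critical level.
    Returns None when the assessment never reaches critical."""
    critical = [hours for hours, level in activity.impact_over_time.items() if level >= CRITICAL]
    return min(critical) if critical else None


def derived_asset_rto(asset: str, activities: list) -> Optional[float]:
    """An asset must be recovered within the tightest RTO of any activity relying on it."""
    dependents = [a.rto_hours for a in activities if asset in a.depends_on]
    return min(dependents) if dependents else None


def owners_to_notify(asset: str, activities: list) -> list:
    """Owners whose activities depend on an asset whose RTO has just been changed."""
    return sorted({a.owner for a in activities if asset in a.depends_on})


def bia_findings(activities: list) -> dict:
    """Consistency checks a BIA dashboard should raise before the report goes for sign-off."""
    findings = {}
    for a in activities:
        m = mtpd_hours(a)
        if m is None:
            findings[a.name] = "impact never reaches critical; MTPD cannot be derived"
        elif a.rto_hours > m:
            findings[a.name] = f"RTO {a.rto_hours}h exceeds MTPD {m}h"
    return findings


# Constructed sample BIA for an imaginary retail bank (illustrative values only)
ACTIVITIES = [
    Activity("Payments processing", "alice", 12,
             {4: 2, 24: 3, 48: 4, 72: 5}, ["Core banking DB", "Payment gateway"]),
    Activity("Customer onboarding", "bob", 200,
             {24: 1, 72: 2, 168: 4}, ["Core banking DB", "CRM"]),
    Activity("Marketing newsletter", "carol", 240,
             {168: 2, 720: 3}, ["CRM"]),
]

if __name__ == "__main__":
    for a in ACTIVITIES:
        print(f"{a.name}: MTPD={mtpd_hours(a)}h, RTO={a.rto_hours}h")
    for asset in ("Core banking DB", "Payment gateway", "CRM"):
        print(f"{asset}: derived RTO={derived_asset_rto(asset, ACTIVITIES)}h, "
              f"notify on change: {owners_to_notify(asset, ACTIVITIES)}")
    print("findings:", bia_findings(ACTIVITIES))
```

Run as-is, the sample flags “Customer onboarding” (an RTO of 200 hours against an MTPD of 168) and “Marketing newsletter” (no critical impact point, so no MTPD can be derived); both are exactly the kind of recommendation the dashboard should let a Manager assign to an owner with a due date.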

Dynamic planning and exercise management 

When customers need to develop their resilience plans, all the data they have previously entered into the platform should seamlessly come together, so that Managers don’t have to go sifting through documents to find the data they need.

The resultant plans must be exercised, though. To that end, consolidated resilience software should feature exercise dashboards that guide users and their teams through each stage of an exercise, ensuring everyone understands what needs to be completed and when.

From there, the platform’s automation capabilities should ensure the correct teams and/or personnel are invited to participate in the exercise and receive regular updates via automated notifications throughout the exercise.

Once the exercise is activated, all users should be able to see what type of exercise is being completed. And based upon the affected assets/activities, the recovery strategies required for the affected assets will automatically be populated for the team.

Personalized user workspace

Personalized user workspaces, like exercise management functionality, should also enable the self-management, accountability, and agile response needed to address resilience challenges. How so?

Workspaces should allow users to visualize outstanding tasks that have been assigned to them, as well as any checklist actions items which still need to be actioned as part of the exercise or incident response.

Users should also be able to visualize relevant BIA activity, such as the owner, which BIAs they are involved in, as well as any outstanding BIA recommendations they need to action, and/or reports that require their approval. 

What’s more, users should also be able to see any incidents or exercises they are involved in, as well as any outstanding improvements from incidents or exercises that they need to action.

Finally, the business world has found religion on operational resilience. But as the resilience threat grows, business leaders will need to do more than tout their commitment to a resilience agenda.

They will have to accelerate the establishment of a best-practice resilience program to address site-specific risks. And to that end, they will need the appropriate technology solution, such as Noggin, to ease that transition by offering organizations the digital means to determine disruption impacts and to develop plans and recovery strategies to address those risks, with the aim of developing and maintaining operational resilience.

Sources

i. BCI, BCI Operational Resilience Report 2022. Available at https://www.thebci.org/resource/bci-operational-resilience-report-2022.html.

ii. Gartner, Gartner Glossary: Operational Resilience. Available at https://www.gartner.com/en/information-technology/glossary/operational-resilience.

iii. Bank of England, Operational resilience of the financial sector. Available at https://www.bankofengland.co.uk/financial-stability/operational-resilience-of-the-financial-sector.

iv. Ibid.