Business Continuity Management
Published November 24, 2023
After an unbroken series of crises, resilience has become a mantra of the business world. The BCI Operational Resilience Report 2022 [i], for instance, found that operational resilience practices have risen in popularity – quickly.
Now, over three quarters of organizations report either having or developing an operational resilience program. Within tightly regulated sectors (such as finance), adoption numbers are even higher.
Organizations aren’t just being swayed by regulatory mandates. The desire to implement best practices is also driving adoption. Nearly three quarters of respondents reveal that they are developing their operational resilience programs because of good practices.
The battle for operational resilience is hardly won, though. Despite their rise in popularity, operational resilience programs themselves are struggling. Why? Too often, it’s because practitioners don’t know what those programs should do.
What’s going on? According to the survey data, many operational resilience programs over time come to resemble organizational resilience programs, following the ISO 22316 standard as a best-practice prototype. Organizations also admit to confusing operational resilience with “business continuity done well”.
In small organizations, particularly, BC professionals are being tasked to oversee operational resilience. The result: widespread concerns that staff doesn’t have the requisite knowledge and resources to lead the transition to a more strategic and customer-centric operational resilience approach.
That’s not all. Concerns have also cropped up that practices implemented might even be harmful to operational resilience: for instance, using the business impact analysis exercise to define impact tolerances, which might be dangerous given the different focuses of operational resilience and business continuity.
Dedicated staff also admits to finding it difficult to understand, monitor, and manage supply chain risk. Concentration risk is another challenge.
And though adoption is higher in heavily regulated sectors, that adoption often comes with its own issues. Which ones? Meeting regulatory requirements often turned operational resilience into a tick-the-box exercise.
What then can be done to ensure best-practice operational resilience programs flourish in this time of compounding crises and disruption threats?
For starters, knowledge is power. Many organizations are lacking that knowledge, failing to understand what operational resilience is and the best practice measures they should implement.
Operational resilience itself, according to Gartner [ii], refers to initiatives meant to expand business continuity management programs to focus on impacts, connected risk appetite, and tolerance levels for disruption of product or service delivery to internal and external stakeholders, e.g., employees, customers, citizens, and partners.
Meanwhile, the Bank of England (BoE), one of the premier resilience regulators, defines operational resilience as “the ability of firms, and the financial sector as a whole [which the BoE regulates], to absorb and adapt to shocks and disruptions, rather than contribute to them” [iii].
In that regard, operational resilience goes far beyond business continuity and disaster recovery. And so, for companies to be resilient, they must “have robust plans in place to deliver essential services, no matter what the cause of the disruption” [iv].
Potential threats they must prepare for include:
The question then turns to how. Financial regulators, such as the BoE, have put forth frameworks detailing what it means to be operationally resilient for the sake of regulatory compliance.
At a glance, regulators require firms to:
In this respect, though, regulators are seeking to establish a floor.
Businesses, facing stiff resilience challenges in this era of compounding crisis, should strive to reach the ceiling. That means implementing context-specific, operational resilience best practices – not just complying with the letter of regulators but their spirit.
Again, the entire framework propounded by financial regulators is a good place to start, even for companies outside of the financial services space. The point of this resilience framework is (1) to enable firms to prevent disruption from occurring; (2) barring that, to enable firms to return to normal running promptly when a disruption occurs; and (3) to enable firms to learn and evolve from both incidents and near misses.
To do so, systems and processes must first be adopted, to ensure firms can continue to provide services and functions in the event of an incident. How to go about it? Best-practice operational resilience frameworks encompass four crucial areas:
When it comes to governance, Boards are responsible for prioritizing the investment and cultural change required to improve operational resilience.
It’s also the Board’s responsibility to approve the identification of their firm’s important business services, impact tolerances, and self-assessment (more later).
What other responsibilities do Boards have in ensuring operational resilience?
Boards are expected to:
Per best-practice guidance, firms are encouraged to have effective risk management systems in place to manage threats that are integrated into their organizational structures and decision-making processes.
That means striving to reduce the likelihood that operational incidents will occur and, if they do, to limit losses.
Regulators, here, are often looking to see that firms have taken the public interest into consideration when building operational resilience policies. To do so, firms must take action to provide important (or critical) business services within impact tolerances even through severe but plausible disruptions.
But what are impact tolerances? Is it a given firm’s appetite for risk?
Not exactly. Impact tolerances assume a particular risk has already crystallized rather than focusing on the likelihood and impact of operational risks occurring.
Firms able to remain within their impact tolerances increase their capability to survive severe but plausible disruptions. However, risk appetites are likely to be exceeded in these scenarios.
What’s more, impact tolerances are set only in relation to impact on financial stability, the firm’s safety, its soundness, and (in some cases) the appropriate degree of policyholder protection.
Setting impact tolerances alone won’t ensure operational resilience. Business continuity and contingency planning – even though operational resilience isn’t exactly the same as business continuity – come into play, here, as well.
In fact, many regulators are likely already requiring adequate contingency and business continuity plans, with the aim of ensuring that in the case of a severe business disruption a firm is able to operate on an ongoing basis.
Other best practices include:
Best-practice operational resilience policies will also consider outsourcing. Firms should remain responsible for their obligations even when those functions are outsourced to third parties.
How then can firms avoid compromising the delivery of important business services within impact tolerances when those services are being delivered wholly or partly by third parties?
The main measure, here, is the maintenance of an explicit, Board-approved policy relating to outsourcing arrangements involving material business activities.
That policy should include:
Firms might also consider, when not required, consulting with regulators prior to entering into agreements to outsource material business activities to service providers as well as notifying regulators after entering into agreements to outsource material business activities.
Best practices don’t just implement themselves, though. Organizations looking to become operationally resilient will need to invest in the appropriate digital software platform, purpose-built for operational resilience.
What should the platform do?
Well, operational resilience challenges tend to be highly site-specific, dictating the measures needed to address them. The platform itself should therefore enable agility in the implementation of operational resilience programs, plans, and projects, to enable greater self-management, self-improvement, and commitment to obtaining results.
Many organizations think they have such solutions in place already. Only problem is that they have multiple, often duplicative solutions, eating away at ROI and breeding lack of familiarity among staffers who must address disruptions.
What should they do, instead?
Organizations should look to replace the multiple systems they currently use to manage various aspects of the resilience conundrum (e.g., point solutions, manual go arounds, legacy platforms, etc.).
With what, though?
Firms should consider a comprehensive resilience workspace that not only manages the interrelated fields of business continuity and resilience management but also their intricately related solution areas: work safety, operational security, emergency and disaster management, incident management, and risk.
Only these platforms will help organizations remain adaptable to the volatile business environment by expanding into new areas of operation seamlessly while still managing a wholly integrated operational resilience management program on a common information foundation.
The BIA remains a mainstay of the resilience process. And so, resilience management platforms should help forward-looking Managers to make that mainstay more agile, as well.
That they can do with digital capabilities that make the BIA process as simple and efficient as possible to promote greater usability across the entire organization.
What would that look like? BIA-specific dashboards should boast easy step-by-step guides to help navigate stakeholders through the process. The dashboards should do the following:
When customers need to develop their resilience plan, all the data they have previously entered into the platform should seamlessly come together, so that Managers don’t have to go sifting through documents to find the data they need.
The resultant plans must be exercised, though. To that end, consolidated resilience software should feature exercise dashboards that guide users and their teams through each stage of an exercise, ensuring everyone understands what needs to be completed and when.
From there, the platform’s automation capabilities should ensure the correct teams and/or personnel are invited to participate in the exercise and receive regular updates via automated notifications throughout the exercise.
Once the exercise is activated, all users should be able to see what type of exercise is being completed. And based upon the affected assets/activities, the recovery strategies required for the affected assets will automatically be populated for the team.
Personalized user workspaces, like exercise management functionality, should also enable the self-management, accountability, and agile response needed to address resilience challenges. How so?
Workspaces should allow users to visualize outstanding tasks that have been assigned to them, as well as any checklist action items which still need to be actioned as part of the exercise or incident response.
Users should also be able to visualize relevant BIA activity, such as the owner, which BIAs they are involved in, as well as any outstanding BIA recommendations they need to action, and/or reports that require their approval.
What’s more, users should also be able to see any incidents or exercises they are involved in, as well as any outstanding improvements from incidents or exercises that they need to action.
Finally, the business world has found religion on operational resilience. But as the resilience threat grows, business leaders will need to do more than tout their commitment to a resilience agenda.
They will have to accelerate the establishment of a best-practice resilience program to address site-specific risks. And to that end, they will need the appropriate technology solution, such as Noggin, to ease that transition, by offering organizations the digital means to determine disruption impacts and develop plans and recovery strategies to address those risks, with the aim of developing and maintaining operational resilience.
i. BCI, BCI Operational Resilience Report 2022. Available at https://www.thebci.org/resource/bci-operational-resilience-report-2022.html.
ii. Gartner, Gartner Glossary: Operational Resilience. Available at https://www.gartner.com/en/information-technology/glossary/operational-resilience.
iii. Bank of England, Operational resilience of the financial sector. Available at https://www.bankofengland.co.uk/financial-stability/operational-resilience-of-the-financial-sector.
iv. Ibid.