Understanding Operational Resilience and its relationship with Business Continuity Management

Operational Resilience has lately been one of the most discussed topics among Business Continuity professionals. The UK’s financial regulators, the Bank of England, the Prudential Regulation Authority and the Financial Conduct Authority, published consultation and discussion papers in 2019 proposing their approach to strategizing and implementing Operational Resilience in the financial industry. The concepts, however, can be applied to industries of all sectors and sizes to strengthen the underlying fabric of existing Business Continuity Management programs and develop a more resilient system.

Following these discussion papers, several financial regulators and international standard setters across the world shared their views on Operational Resilience and its integration with Risk Management and Business Continuity Management.

In Canada, the Office of the Superintendent of Financial Institutions (OSFI), an independent federal government agency, published a consultation paper titled ‘Developing Financial Sector Resilience in a Digital World’[1] in September 2020. OSFI supervises more than 400 Federally Regulated Financial Institutions and many more pension plans in Canada. In this paper OSFI touched upon three priority risk areas – Cyber Security, Advanced Analytics, Third Party Ecosystem – along with technology risks, and reinforced Operational Resilience as an area of focus in relation to established Risk Management Frameworks.

Today the business ecosystem has complex inter-dependencies and relies heavily on technology as well as third parties. A small incident anywhere in this ecosystem can lead to a major impact, just like a butterfly effect.
Therefore, understanding the intricate relationships, taking steps to prevent such incidents, and proactively adapting to changes is necessary to continue providing key products and services to end customers. The solution lies in the effective management of operational risks resulting from third party service providers, technological changes, and pervasive cyber threats.

Figure 1: Key Drivers for Operational Resilience

Defining Operational Resilience

Several agencies and regulatory bodies such as the Basel Committee, FFIEC, NIST etc. have defined Operational Resilience in their latest guidance and publications. The primary emphasis across all these definitions is to develop a comprehensive approach for delivering operations through disruptions.

Bank of England defined Operational Resilience in their Consultation Paper[2], Operational resilience: Impact tolerances for important business Services, as the ability of firms and FMIs and the financial sector as a whole to prevent, adapt, respond to, recover and learn from operational disruptions.

The Board of Governors of the Federal Reserve System, the OCC and the FDIC published an interagency paper[3] titled “Sound Practices to Strengthen Operational Resilience” in which they defined Operational Resilience as the ability to deliver operations, including critical operations and core business lines, through a disruption from any hazard. It is the outcome of effective operational risk management combined with sufficient financial and operational resources to prepare, adapt, withstand, and recover from disruptions.

According to Gartner, Operational Resilience[4] is defined as initiatives that expand business continuity management programs to focus on the impacts, connected risk appetite and tolerance levels for disruption of product or service delivery to internal and external stakeholders (such as employees, customers, citizens and partners).
Operational Resilience and Business Continuity Management

It shouldn’t come as a surprise that, at its core, the foundational concept of Operational Resilience is not entirely new. Operational Resilience shares the same basic principles as Business Continuity Management and builds upon it by integrating multi-disciplinary Cyber Security and Risk Management practices to get a holistic view of the pervasive threat landscape, understand impact and provide an adaptive response. Operational Resilience assumes that disruption will occur and advises organizations to prepare and adapt accordingly.

Operational Resilience requires a shift in mindset away from traditional business continuity management, which is focused just on the firm’s recovery, toward a more integrated approach of ensuring that the client’s ‘important’ needs are continuously addressed no matter ‘when’ the disruption happens. Operational Resilience is not just a standalone transformational program, but a risk-aware enhanced business continuity culture.

One of the first critical steps necessary for an organization embarking on an operational resilience journey is to develop a clear and robust framework encompassing operations management, risk management, cyber security, and business continuity management programs. In medium and large-scale organizations these individual programs already exist in silos. The need of the hour is to integrate them to get a holistic view of risks and understand how these risks impact the delivery of products and services to end customers.

Remember - Operational Resilience is not a sprint but a marathon of continuous learning and adaptation.

[1] https://www.osfi-bsif.gc.ca/Eng/fi-if/in-ai/Pages/tchrsk-let.aspx
[2] https://www.bankofengland.co.uk/prudential-regulation/publication/2018/building-the-uk-financial-sectors-operational-resilience-discussion-paper
[3] https://www.occ.gov/news-issuances/bulletins/2020/bulletin-2020-94.html
[4] https://www.gartner.com/en/information-technology/glossary/operational-resilience
DRIE Toronto Digest - Vol 30 June 2021