By Richard Cooper

When it comes to business continuity management, the bellwether for many industries and businesses is often the financial sector – specifically banking regulators – and a recent discussion paper issued jointly by the Bank of England (BOE) and the U.K.’s Financial Conduct Authority has sounded the call: build operational resilience, or risk failure.

Operational resilience refers to a business’s ability to prevent, respond to, recover and learn from operational disruptions; in other words, being able to absorb shocks rather than snap under them.

This requires a foundation of operational risk management that, according to the paper, “includes preventative measures and the capabilities – in terms of people, processes, and organizational culture – to adapt and recover when things go wrong.” Without operational risk management, operational disruption to a business can impact financial stability, threaten the business’s overall viability, and/or harm consumers and other businesses.

Yet challenges to ensuring resilience and continuity abound, and they grow more complex each year. These include ever-evolving technologies; changing consumer behaviors; challenging business environments; outsourcing services; IT system complexities; cyber threats; cost pressures; international expansions; location-based regulations; and more.

But here is the good news: Solutions exist, and they’re less onerous than one might assume.

This article will explore the takeaway concepts from the BOE/FCA paper that are relevant to all businesses; the regulators’ recommendations for what an operationally resilient business should have in place; and a way to solve an organization’s operational resilience problems.

Important Takeaways from the BOE/FCA Paper

While the paper specifically addresses the financial sector, it offers lessons that businesses in every industry should take to heart, from pharmaceuticals to manufacturing to business services, and beyond.

Some of these include:

  • The continuity of business services is an essential component of operational resilience, and thus, organizations must focus on this outcome when designing for operational resilience. While avoiding disruption to a particular system or department supporting a business service is important, ultimately, it is the business service itself that needs to be resilient and continuous. Leadership should assume that, despite best efforts, the individual systems, departments, people, and processes that support a business service will be disrupted at one time or another, and focus heavily on backup plans, responses and recovery options.
  • An organization’s leadership must define their own tolerances for operational disruption in the event of an incident, as this will help to set operational resilience standards and priorities. Prioritize those business services that, if disrupted, most affect a business’s viability, customers or financial stability. One example of a tolerance that should be set is the maximum acceptable outage time for a specific business service. An organization then could test its ability to stay within its impact tolerances in “severe but plausible scenarios in order to identify vulnerabilities and take mitigating action,” according to the paper.
  • How an organization manages its response to operational disruptions is critical to maintaining confidence in the business services it provides. An important part of this is the speed and effectiveness of communications with affected customers. While it is obviously better to avoid an issue (e.g., a data breach) in the first place, the way an issue is communicated can help maintain and/or restore customer confidence in the business.

An operationally resilient firm should have the following seven pieces in place:

  • A clear understanding of their most important business service(s).
  • A comprehensive mapping of the systems and processes that support these business services, including those over which the organization may not have direct control. This would include an understanding of the resilience of outsourced providers or entities (e.g., third-party vendors that provide an essential service or product).
  • In-depth knowledge of how the failure of an individual system or process could impact the organization’s ability to provide the business service.
  • Understanding of which systems and processes can be replaced during disruption, as well as how, so that business services can continue to be delivered.
  • Tried-and-tested plans that would enable an organization to continue or resume business services when disruptions occur.
  • Effective internal communication plans, escalation paths and identified decision makers.
  • Specific external communication plans for the most important business services, which provide timely information for customers, other market participants and regulatory bodies.

So what kind of approach will help steer an organization toward becoming operationally resilient? By prioritizing data over documents and pairing consultative services with technology.

A Better Approach

Knowledge is power, as the old adage goes, and in the digital age, knowledge takes the form of data and metrics.
