Operational resilience refers to the ability of an organization or a system to continue its core services, maintaining acceptable levels of operations even in the face of adverse events, disruptions, or shocks.
Operational resilience takes a holistic approach to managing a wide range of risks and uncertainties, including those related to the organization’s technology, processes, people, and suppliers; as well as external events that impact upon the organization.
Operational resilience is especially important in sectors such as financial services, where failures could have broader systemic implications. However, the concept is relevant to any organization that must maintain operations in the face of challenges.
Key elements of operational resilience include:
- Identification of important business services: not all services that an organization offers are of equal importance. A critical first step is to identify which services are crucial to customers or the broader market.
- Development of impact tolerances: organizations need to assess the impacts of disruption and the thresholds beyond which an impact becomes ‘intolerable’.
- Scenario testing: this involves considering various probable disruption scenarios (termed plausible scenarios) and assessing how the organization would handle them. It’s not about trying to predict specific events but understanding the vulnerabilities and impact of different types of disruptions.
- Change management: as the business environment and the nature of threats evolve, the organization’s approach to operational resilience needs to adapt.
- Communication: keeping internal stakeholders informed and having a clear external communication plan for customers and regulators is crucial during disruptions.
- Recovery and response: organizations need to have clear plans on how to recover from disruptions and how to respond in the immediate aftermath.
- Learning and adapting: after any disruption, an organization should evaluate its response and look for lessons learned. This helps in refining the resilience strategies.
- Investing in technology and infrastructure: this might include redundancies, cloud storage, cyber resilience measures, and other technological solutions that can help maintain operations during disruptions.
Operational resilience involves a variety of strategies and practices, including but not limited to:
- Business continuity planning: establishing plans to maintain or quickly resume business operations in the case of outages or disruptions.
- Cyber resilience: protecting the organization against cyber threats and ensuring the confidentiality, integrity, and availability of critical data and systems.
- Supply chain resilience: ensuring that the organization’s supply chain can withstand and recover from disruptions, through measures such as diversifying suppliers and maintaining sufficient inventory levels.
- Financial resilience: maintaining strong financial health to absorb shocks, including through prudent management of liquidity, debt, and capital.
- Workforce resilience: developing strategies to ensure that the organization’s workforce can continue to function effectively in the face of disruptions, including through remote working arrangements and flexible work policies.
- Infrastructure resilience: ensuring that critical infrastructure, including facilities, equipment, and IT systems, can withstand disruptions and recover quickly from damages.
- Crisis management and communication: establishing crisis management teams and communication plans to manage and respond effectively to emergencies, including through regular training and drills.
- Regulatory compliance: ensuring compliance with relevant laws and regulations, including those related to operational resilience, to avoid legal and reputational risks.
- Scenario analysis and stress testing: conducting scenario analyses and stress tests to understand potential vulnerabilities and to plan mitigative strategies accordingly.
- Monitoring and Reporting: Setting up mechanisms to continuously monitor the operational resilience framework and report on its effectiveness to stakeholders, including management, board of directors, and regulators.
By adopting an operational resilience framework, organizations can not only safeguard themselves against disruptions but also gain a competitive advantage by being able to recover more quickly than others when disruptions occur.
Operational resilience and business continuity
Operational resilience both goes beyond and requires business continuity. It is certainly possible to manage business continuity as a discipline in its own right, however it is more effective when this is incorporated into a wider operational resilience strategy. On the other hand, operational resilience cannot be managed without including business continuity, as the latter is an essential element of every operational resilience program.