Operational resilience is your business’ ability to withstand a sudden disruption, or shock to business operations. More specifically, it is the set of techniques that allow people, processes and regulatory information systems to respond to changing forces — to keep critical business functions running, or to restore them to some predetermined level of performance as quickly as possible.
Built on risk management and incident response processes, operational resilience is critical to doing business. Your enterprise’s resilience can mean the difference between its success and failure.
Gartner defines operational resilience as “initiatives that expand business continuity management programs to focus on the impacts, connected risk appetite, and tolerance levels for disruption of product or service delivery to internal and external stakeholders (such as employees, customers, citizens and partners).” These initiatives include:
- Security (cyber and physical)
- Continuity of operations
Operational resilience recognizes that business, operations, finance, information security, and governance, risk, and compliance (GRC) are all interconnected. It is a strategic framework that not only prepares your organization for the unexpected but also helps you succeed during unpredictable times.
Without operational resilience, internal and external disruptions might derail your business operations entirely. Operational resilience supports business services and functions while minimizing the risk associated with a variety of scenarios: climate disaster, sophisticated cyber-attacks, global pandemic, and more.
In technology, operational resilience gives your organization the ability to protect and sustain core business functions during a digital or operational disruption. As insider threats, cyber-attacks, geo-political events, weather events, and pandemics occur more frequently, your organization must assume that its technology and critical business functions can, and will, be disrupted.
Examples of operational resilience
Organizations are investing more in operational resilience in a variety of ways, from cyber-attack preparedness to pandemic planning and more. Here are some examples of where operational resilience matters most to an organization’s crisis management efforts.
Operational resilience and COVID-19
As the world continues to grapple with conducting business during COVID-19, operational resilience is perhaps more relevant than ever before. Suddenly, a pandemic preparedness plan is essential to maintaining critical business functions. For example, with employees suddenly ill or working from home, many businesses scrambled to maintain critical functions while transitioning to a new model.
Operational resilience and financial services
In financial services, operational risk is the loss that stems from inadequate or failed internal systems, internal controls, procedures, or policies due to employee errors, breaches, fraud, or any external event that disrupts a financial institution’s processes. Including cybersecurity risk, third-party risk, internal fraud, external fraud, and business disruption and systems failures, operational risk is one of the most critical risks that financial institutions need to manage and evaluate.
The global, interconnected nature of financial services emphasizes the importance of being able to continue services, or to quickly restore services knocked off-line. Regulators have begun to provide guidance on this issue. British regulators, for example, recently released an operational resilience discussion paper. U.S. regulators updated their business continuity management handbook to include operational resilience principles, and the Basel Committee on Banking Supervision (BCBS) released its own set of principles.
Despite those outbursts of regulatory guidance, a single framework for operational resilience has yet to be formalized into new requirements. Financial institutions should closely review the guidance that does exist against their current operational resilience strategy, and make any changes before agencies integrate regulations into a single framework and approach.
Operational resilience, business continuity planning (BCP), and disaster recovery (DR)
While operational resilience focuses on the continuity and recovery of critical business processes spanning all of the functions and systems within an organization, business continuity plans (BCP) and disaster recovery plans (DRP) are typically designed and performed within each organizational department.
In the event of an interruption, business continuity plans assure that critical business can continue with minimal downtime. A BCP usually begins with a business impact analysis (BIA) to determine the scope of the plan, and is often conducted in tandem with a risk assessment. Your BCP should also include alternatives that allow you to continue operating during a catastrophe and immediately afterward.
Disaster recovery helps you transition from those alternative, short-term business processes activated during an incident, back to your regular processes.
To identify business continuity risks, it’s important to understand your IT infrastructure fully. Create a list of critical IT systems, networks, software, or third-party service providers whose sudden failure would cause disruption, and incorporate those concerns into your DRP. Using cloud-based software to help manage your operational resilience can save you even more time and money.
For example, Amazon Web Services (AWS) helps organizations improve operational resilience through infrastructure, operations, security and software. AWS also protects against ever-evolving threats by applying protections to its global infrastructure, and AWS automation and tools help mitigate security risks such as denial-of-service attacks. AWS Identity and Access Management (AWS IAM) allows organizations to control access to AWS services and resources and eliminates threats created by rogue servers or unauthorized users.
In a recent study, IDC found a 94 percent reduction in unplanned downtime for AWS customers versus their previous on-premises implementations. Overall, AWS provides a solid foundation for building compliance-ready applications and services, with more than 30 certifications and accreditations—and it integrates easily with our GRC software-as-a-service, ZenGRC.
Operational resilience and you
Operational resilience is critical to success in any business, since our increasingly volatile business landscape means your ability to weather adversity becomes more and more important.
GRC software such as ZenGRC lets you identify risks quickly, get intelligent and useful insights, collect critical data, and put your plans into action for a shared, enterprise-wide view of your entity’s operational resilience.