Operational Resilience is a term that is being used more and more frequently by organisations wishing to implement some form of programme to protect themselves from operational risks. But what is Operational Resilience?
The Financial Conduct Authority defines it as the ‘ability of firms, financial market infrastructures and the financial sector as a whole to prevent, adapt and respond to, recover and learn from operational disruption’, whilst BSI defines it as ‘the embedding of capabilities, processes, behaviours, and systems which allow an organization to continue to carry out its mission, in the face of disruption regardless of its source’. However it is defined, Operational Resilience has gained visibility within the finance sector and is gradually being recognised as a discipline more widely.
As can be seen, there is not yet a single definition of Operational Resilience that is clearly stated and universally used across all sectors and countries, but there are some common trends as to what good Operational Resilience would involve. A starting point is that it tends to be more customer focussed, with some suggesting that it is ‘outward-looking’. It also tends to encompass:
- an understanding of which of your important business services could, if disrupted, cause intolerable harm to your customers as well as to your own organisation;
- establishing impact tolerances for the maximum tolerable disruption to these services;
- mapping and testing the important business services, and identifying vulnerabilities, including any cyber risks;
- managing supply chain risks;
- conducting exercises;
- implementing communication plans; and
- implementing effective governance.
Operational Resilience and Business Continuity
There is still significant debate about the overlap between Operational Resilience and Business Continuity. The finance sector suggests that Business Continuity is one of the tools under the Operational Resilience umbrella, and the Bank of England states that Operational Resilience ‘extends beyond business continuity and disaster recovery’, whereas Business Continuity purists suggest that Operational Resilience, as currently framed, is just Business Continuity under another name. Either way, Operational Resilience is not a term that is going anywhere soon! As an aside, a BSI discussion of Operational Resilience standards makes no mention of ISO 22301 – Security and Resilience – Business Continuity Management Systems – Requirements, the international standard for Business Continuity Management, which highlights the complexity of the debate.
Operational Resilience Implementation
Interestingly, the recent BCI Operational Resilience Report 2024 suggests that 64.8% of survey respondents have an operational resilience programme or project, whilst 16% were in the process of developing one. Setting aside the fact that 67% of respondents were under regulatory requirements to implement such a programme, and that there were only 202 respondents, the survey highlights some interesting points, such as the differences in what respondents felt were the critical elements of a programme, and the spread of opinions on the relationship between Operational Resilience and Business Continuity. Moreover, when respondents were asked about the challenges of implementing Operational Resilience, there is no mention of the complete lack of consistency in definitions or approach.
Without a universally accepted set of guidelines, it is going to be difficult to implement Operational Resilience across an organisation, except in those sectors where clear requirements have been set out. As an example, the finance sector in the UK has requirements laid out by the Prudential Regulation Authority, the Financial Conduct Authority and the Bank of England. The Digital Operational Resilience Act (DORA), an EU Regulation, will have an impact on any UK business that provides financial or ICT services to entities in the EU finance sector. Meanwhile, the NHS has an annual assurance process under the NHS England EPRR guidance and framework, but the framework document only mentions Business Continuity Management and emergency planning under the ‘Operational Resilience’ heading.
With such a lack of consensus, for non-finance organisations that want to implement Operational Resilience, we suggest an approach remarkably similar to Business Continuity which should at least include the following actions:
- Identify key products and services, taking into account the needs and expectations of all interested parties, but particularly customers.
- Identify impact tolerances for these activities.
- Understand what underpins those activities, in terms of people, technology, facilities (including equipment) and third parties (particularly suppliers), and identify what would be needed in the event of an impact.
- Evaluate the risks and implement mitigations wherever possible and cost-effective.
- Develop plans for response and recovery, including internal and external communications.
- Ensure that all staff are aware of the programme.
- Implement an exercising programme to test all elements of the plans.
- Implement governance to ensure that all of the programme is successfully implemented, followed and maintained.