As regulatory requirements tighten, ensuring compliance with operational resilience frameworks is essential. To achieve this, companies must understand operational resilience, its importance and how to implement its cornerstones.
What are the cornerstones of operational resilience?
1. Risk management
At the heart of operational resilience lies robust risk management. Identifying, assessing, and mitigating risks across all operational facets is crucial. This involves not only recognising potential risks but also understanding their potential impact on business operations. Implementing risk management frameworks enables organisations to proactively address risks and develop resilience strategies.
2. Business Continuity Planning (BCP)
Business continuity planning is about preparing for the unexpected. It involves developing strategies and procedures to ensure critical business functions can continue during and after a disruption. Compliance with operational resilience standards requires a comprehensive BCP that addresses various scenarios, including natural disasters, cyber-attacks, and supply chain disruptions. Regular testing and updating of BCPs are essential to ensure they remain effective.
3. Incident response and crisis management
Despite proactive measures, incidents and crises may still occur. Effective incident response and crisis management are vital components of operational resilience. Establishing clear protocols for detecting, reporting, and responding to incidents minimises their impact and facilitates swift recovery. Compliance entails having well-defined incident response plans, trained response teams, and communication strategies to manage crises effectively.
4. Adaptability and flexibility
In today's dynamic environment, adaptability is key to resilience. Organisations must remain agile and flexible to swiftly adapt to changing circumstances. This involves continuously monitoring internal and external factors, evaluating risks, and adjusting strategies accordingly. Compliance with operational resilience mandates necessitates a culture of adaptability where innovation and learning thrive, enabling organisations to anticipate and respond to emerging challenges proactively.
What are the origins of operational resilience?
Operational resilience as a regulatory topic evolved out of several strands of thought that have developed over the past decade. In 2012, Nassim Nicholas Taleb – the author of "The Black Swan" – published a book called "Antifragile", which explored the concept of resilience and its relationship with risk management.
He argued that companies should put more effort into resilience to recover better from the risks that materialise. At the same time, both financial firms and regulators began discussing two topics – cyber risk and third-party risk.
Over the same period, information security evolved into cyber risk management, particularly as the number of cyberattacks on financial services firms accelerated, driven by a rise in criminal activity as well as state-sponsored cyber warfare. As firms were attacked, both the industry and regulators grew concerned about how firms and the financial system as a whole would respond to these attacks.
Meanwhile, the US Office of the Comptroller of the Currency published its first guidance about managing third-party risk in October 2013. This discipline involves managing the risks in an organisation's relationships with other entities, such as suppliers and outsourcing providers. The topic has grown significantly over the past decade, and now, many regulators have rules and guidance covering third-party risk management areas.
Why is operational resilience important?
Operational resilience brings all of this together. As a discipline, it requires firms to think beyond managing risks and consider how to ensure they can continue delivering important business services if a risk materialises.
Significant risks that would need an operational resilience response include cyberattacks and the failure of a third-party relationship, such as a key outsourcing arrangement for cloud data storage.
Other kinds of risk events could require an operational resilience response too, such as fires and floods, a crash in the financial markets, or a terrorist attack such as 9/11. Overall, operational resilience represents a significant evolutionary step in firms' preparedness and response to substantial challenges to their ability to conduct business.
Achieving compliance with operational resilience frameworks is not a one-time effort but an ongoing commitment. It requires a holistic approach that integrates risk management, business continuity planning, incident response, and adaptability into the organisation's DNA.
By prioritising the four cornerstones mentioned above, businesses can enhance their resilience, mitigate risks, and ensure compliance with regulatory requirements in an ever-changing business landscape.
Want to learn more about Risk Management?
We’ve created a comprehensive Enterprise Risk Management roadmap to help you navigate the compliance landscape, supported by IIRSM-accredited e-learning in our Risk Management Course Library. The IIRSM approves quality content and integrates risk decision-making to help keep people and organisations safe, healthy and resilient.
We also have 100+ free compliance training aids, including assessments, best practice guides, checklists, desk aids, eBooks, games, posters, training presentations and even e-learning modules!
Finally, the SkillcastConnect community provides a unique opportunity to network with other compliance professionals in a vendor-free environment, priority access to our free online learning portal and other exclusive benefits.