Regulators have recently put an increased emphasis on operational resilience within organizations, which can be defined as the ability of an organization to withstand and adapt to any sort of emerging risk or shock. The UK's Financial Conduct Authority (FCA), the Bank of England, and the EU's DORA have published guidelines on building operational resilience. These guidelines include a plethora of critical advice for businesses looking to be operationally resilient, including encouraging a focus on identifying critical business services and a look at the ever-growing threat from cyber risks.
The risk management model being encouraged is to identify critical business services and to report any emerging risks and disruptions that could threaten the resilience of the organization, along with their impact on its critical business services. That is not an easy thing to do with Excel spreadsheets and static, siloed systems!
Gaining a complete understanding of organizational and operational resilience requires a holistic comprehension of broader organizational objectives and strategy, in order to be able to manage risk and disruption in the pursuit of overall business objectives. Far too often, departments such as information security and IT focus their reporting on the technicalities of an emerging risk or disruption without including and outlining the potential impact on critical business services. As a result, they entirely miss the business context: the report describes the issue at the point where it was observed rather than its connected impact throughout the business.
Regulators such as the FCA have laid out a streamlined process that all organizations can use to build a stronger operational resilience framework, which includes:
Identify critical business services
Map the processes, technologies, information, and people that support critical business services
Test the ability of the organization to remain within its impact tolerances, and the overall resilience of the underlying organizational foundation, such as the IT architecture
Communicate and plan with relevant stakeholders, such as IT teams, to prepare for any potential future incidents
Organizations have much to gain by heeding the advice of these regulators, regardless of the industry or sector in which they operate.
This business-service approach allows the organization to manage the interconnection of risk functions such as information management and security, IT, third-party management, compliance, operations, and performance. Since operational risk management (ORM) encompasses a multitude of risk functions and departments throughout the organization, it is crucial that these functions collaborate and are integrated, so that ORM is connected to the bigger picture of operational strategy and resilience can be achieved.
With the ever-growing threat of a potential cyberattack looming over the heads of risk managers everywhere, resilience to an emerging cyber incident should take center stage in the operational resilience framework. It is becoming increasingly critical for organizations to link emerging cyber risks to critical business services and to report on the potential disruptions.
An integrated information and technology architecture is critical for organizations to build a more thoughtful and strategic approach to this operational risk strategy. Organizations need complete situational awareness and visibility into risk scattered across systems, operations, processes, relationships, and data in order to fully achieve operational resilience, and to understand the full impact of risk throughout the organization holistically, including its impact on strategy, objectives, and performance.