What Is Operational Resilience, and How to Build an Operational Resilience Framework

What is Operational Resilience?

Operational resilience is the ability of an organisation to maintain continuous delivery of essential services and minimise the impact on stakeholders regardless of the disruptive events they may face.

For a business to achieve operational resilience, it requires the alignment of common goals among the various areas of your business. Even though the risks vary from one sector to another, you should have a clear idea of what to do in case of a business disruption.

All companies are aware that risks are present, and those disruptive events could happen at any time. Your ability to identify and mitigate the risks is what will showcase your operational resilience.

In today's fast-paced business environment, building a strong and resilient operational framework is crucial for organisations to withstand disruptions and ensure business continuity.

Operational Disruptions

Operational disruptions are unplanned events that can have a negative impact on a company's ability to deliver its critical business services. These disruptions can be caused by a wide range of factors, including natural disasters, cyber-attacks, hardware failures, and human error. A few examples of operational disruptions include:

• A power outage that causes widespread system failures and renders a company's critical IT systems unavailable.
• A data breach that results in the unauthorised release of sensitive customer information and damage to the company's reputation.
• A natural disaster that destroys a company's primary data centre, causing widespread disruption to its critical business services.
• Human error that leads to deletion or corruption of important data, disrupting the normal functioning of critical business processes.

Operational disruptions can have a significant impact on a company's bottom line, from lost revenue and damage to its reputation to legal and regulatory penalties. Hence, it is essential for companies to develop robust strategies to minimise the risk of disruptions and to quickly recover from them when they occur.

Operational Risk Management

Operational risk management plays a critical role in operational resilience, as it helps organisations identify, assess, and mitigate the potential risks that could disrupt their critical business services. By proactively managing operational risk, organisations can build a robust operational resilience strategy that minimises the impact of disruptions and ensures the continuity of their critical business functions.

This includes identifying potential risks, evaluating their likelihood and impact, developing mitigation strategies, and continuously monitoring and updating the risk management plan to ensure it remains relevant and effective. As you integrate operational risk management into your overall framework, your company can effectively prepare for and respond to operational disruptions, protecting your reputation, maintaining customer trust, and minimising financial losses.

FCA and Operational Resilience

In the aftermath of a pandemic, with a global financial crisis, and a significant increase in cybercrime, it's no surprise that operational resilience has come under scrutiny by regulatory bodies and has shifted to being seen as a critical strategic priority by senior management in the UK financial sector.

Alongside the Bank of England and the Prudential Regulation Authority (PRA), the Financial Conduct Authority (FCA) released new guidance for financial services companies back in March 2021. The policy provided banks and other firms in the financial industry with a regulatory framework to follow in order to strengthen their operational resilience.

The framework lays out new requirements in four key areas:

1. Important business services

2. Impact tolerances

3. Mapping and scenario testing

4. Communication and self-assessments

Having come into force in March 2022, businesses are in a transition period until March 2025, at which point firms are expected to be fully compliant with robust plans and processes to ensure they remain within their set impact tolerances.

Operational Resilience Framework for All Industries

While the framework initially applied to UK financial institutions under regulation by the FCA or PRA, the same regulations are now hitting Ireland, the USA, and beyond. Indeed, other organisations outside of the financial sector are finding value in the framework as a best practice model from which to work.

So, whether you're a bank or building society working towards those regulatory deadlines or any other type of company looking to achieve operational resilience, there's good reason to make it a strategic priority. Some of the most compelling include:

• Minimising downtime and mitigating risks: A strong operational resilience framework helps minimise downtime and protects against potential losses that can result from disruption. This is particularly important for companies that rely on continuous operations to maintain their competitive edge.
• Ensuring business continuity: An effective framework ensures that a company can continue its operations even in the face of disruptions. This is critical for companies that provide essential products or services, as disruptions can result in loss of revenue, customers, and market share.
• Maintaining brand reputation: Disruptions can have a significant impact on a company's reputation, particularly in today's fast-paced and connected world. An operational resilience framework helps mitigate this risk by ensuring that the company is prepared to respond and recover from disruptions in a timely and effective manner.
• Enhancing customer trust and loyalty: Customers expect a high level of reliability and consistency from the companies they do business with. By demonstrating an ability to withstand and recover from disruptions, companies can build trust and loyalty with their customers.
• Complying with regulatory requirements: As previously highlighted, in some sectors, companies may be required to comply with specific regulations or standards related to operational resilience. Having a framework in place can help ensure that your company remains compliant and avoids potential legal or financial penalties.

Using Your Existing Business Continuity Plans to Fuel Your Operational Resilience Strategy

In most cases, companies will already have some sort of business continuity management systems and plans in place, even if developing a wider operational resilience framework is new on the agenda.

Using existing analyses from your business continuity planning to facilitate and develop an operational resilience strategy is a sound approach for companies looking to enhance their ability to withstand and recover from disruptions (and create efficiencies along the way).

Here are some reasons why:

• Maximising existing investments: Business continuity analyses provide valuable information about critical business activities and their potential impact on the company. By using this information gathered during BC practices to inform the operational resilience strategy, companies can maximise their existing investments and avoid having to conduct additional analysis.
• Identifying critical business services: Business impact analyses provide a comprehensive understanding of the critical business activities that are essential to the company's operations. As activities are intrinsically linked to services, this information can be leveraged to identify the important business services that need to be prioritised in the operational resilience strategy.
• Streamlining the process: By leveraging existing analyses, companies can streamline the process of developing their operational resilience strategy. This not only saves time and resources but also helps ensure that the strategy is based on a solid foundation of existing information.
• Enhancing risk assessment: Business continuity analyses provide a comprehensive view of potential risks to the company's operations. By using this information to inform the operational resilience strategy, companies can enhance their risk assessment and ensure that their strategy addresses the most pressing threats.
• Improving preparedness: An operational resilience strategy that is informed by BC planning helps improve overall preparedness and creates an integrated approach to managing risk, resilience, and business continuity.
• Optimisation: By gaining a deeper understanding of dependencies and linking critical activities to important services, you gain better insight into the cost of disruption and which activities are intrinsically linked to revenue generation. So working from a top-down perspective with an OKR mentality not only enhances your ability to withstand disruption and make a quick recovery, but also provides strategic insight—if it doesn't support a service or impact a strategic objective, then why is it happening?

Key Areas in Operational Resilience Framework

1. Important Business Services

One of the most crucial steps in developing any operational resilience strategy is to identify important business services. First, we must understand what constitutes an important business service. The FCA defines it as:

A service provided by a firm, or by another person on behalf of the firm, to one or more clients of the firm which, if disrupted, could:

(1.) cause intolerable levels of harm to any one or more of the firm's clients; or

(2.) pose a risk to the soundness, stability or resilience of the UK financial system or the orderly operation of the financial markets.

Of course, outside of the financial services sector, this definition will differ slightly, but it's a good place to start. In this instance, intolerable harm is deemed something that consumers of those services cannot easily recover from, and looks at the wider impact on financial markets. Note that this doesn't refer to inconvenience or slight harm to the firm and the end users of its services, but intolerable harm.

If we zoom out of the financial services sector to consider different types of organisations across other industries, important business services could be defined as those which, if interrupted, would cause significant detrimental effects on the company and its stakeholders—financial or otherwise.

So, how do you identify the important or critical business services?

Once you've listed every individual service provided to external clients, here are some questions you may ask to determine how critical or important that service is:

• Who are the end users/clients? Are they vulnerable?
• Is time a critical factor in the provision of this service?
• Are there alternative providers of this service?
• Does the provision of this service involve sensitive data?
• How would disruption impact the company's financial viability?
• Is there potential to cause serious damage to your company's reputation?
• Would disruption lead to a legal breach of any kind?
• Are there potential knock-on effects in your market and/or supply chain?
• Is the safety of this firm, its employees and its clients at risk in the event of a disruption?

Conducting an internal assessment and utilising financial analysis and existing business impact analysis will aid the process of identifying your important business services. Every organisation is different, and, therefore, each will have a different number of critical services. Still, it's important to note that you should be able to justify any rationale applied and have it documented accordingly.

Important Business Service vs Critical Business Activity

Critical business activities refer to the processes, tasks, and functions that are essential to the day-to-day operations of a company. They are the building blocks of a company's operations and include tasks such as data processing, customer service, and supply chain management. These activities are critical because they are essential to the company's ability to function and generate revenue.

Important business services, on the other hand, refer to the specific products or services that a company provides to its customers. These services are critical because they are the reason for a company's existence and are essential to its ability to generate revenue.

The two concepts are intertwined because critical business activities are the building blocks that enable the delivery of important business services. For example, data processing is a critical business activity that is essential to the delivery of financial services, which is a critical business service.

In the context of operational resilience, it is important to understand both critical business activities and important business services. This understanding is essential for the development of an effective operational resilience strategy. It enables the company to prioritise its resources and focus on the activities and services that are most critical to its success and recovery in the event of disruption or disaster.

2. Impact Tolerances

Impact tolerances are a key component of operational resilience. They represent the maximum level of disruption that a company can tolerate before its critical business activities and services are significantly impacted.

Impact tolerances are used to help companies understand their operational resilience needs and prioritise their resources to ensure that they are prepared to respond to disruptions. They are established by considering the criticality of business services, the impact of disruptions, and the company's overall risk tolerance.

Companies must have a clear understanding of their impact tolerances in order to effectively manage disruptions and maintain critical operations. By defining impact tolerances, companies can also better prepare for and respond to unexpected events, ensuring that they are able to continue to meet the needs of their customers, stakeholders, and shareholders.

3. Mapping and Scenario Testing

Once important business services have been identified and impact tolerances assigned, the next step is mapping and scenario testing.

Mapping involves capturing how various people, processes, activities, technology, and third parties are connected to critical business services in order to understand dependencies and potential vulnerabilities.

The mapping process then allows you to test different plausible but serious scenarios. Such simulations will highlight areas for improvement within the operational resilience strategy and lead to lessons learned that can be communicated and documented. Companies should regularly conduct mapping and scenario testing to ensure that their operational resilience strategy is up-to-date and effective.

4. The Operational Resilience Self-Assessment

The purpose of the self-assessment is to capture and document the steps taken towards operational resilience and provide a comprehensive and objective evaluation of the company's strategy and overall ability to respond to disruptions.

As financial firms document their self-assessment to acheive operational resilience, the PRA expects firms to:

• List their important business services and state why each of these have been identified.
• Specify the impact tolerances set for these important business services and why each impact tolerance has been set.
• Detail their approach to mapping important business services. The PRA expects this to include how the firm has identified the resources that contribute to the delivery of important business services and how they have captured the relationships between these. Firms should also document how they have used mapping to identify vulnerabilities and to support testing activity.
• Describe their strategy for testing their ability to deliver important business services within impact tolerances through severe but plausible scenarios. Firms should also describe the scenarios used, the types of testing undertaken, and specify the scenarios under which firms could not remain within their impact tolerances.
• Identify any lessons learned when undertaking scenario testing or via practical experience including the actions taken to address the issues encountered or risks highlighted.
• Identify the vulnerabilities that threaten their ability to deliver important business services within impact tolerances. Firms should make every effort to remediate these vulnerabilities, detailing the actions taken or planned and justifications for their completion time. The completion time should be appropriate to the size and complexity of the firm, and the PRA will expect large and complex firms to take prompt action; and
• Identify any additional risks to their ability to deliver important business services within impact tolerances arising from elsewhere in their group.

C2 Meridian: The Future of Operational Resilience

C2 Meridian is designed to automate and assist the day-to-day management of an organisation's operational resilience strategy and business continuity management system (BCMS). Our industry-agnostic solution is completely configurable to meet your organisation's unique requirements and the system was created to ensure resilience professionals across the world are able to do their jobs better, faster, and easier.

Book a demo today to find out how we can help you build operational resilience.