Building an Operational Resilience Framework

Published on December 19, 2022

What is Operational Resilience?

Operational resilience is the ability of an organisation to quickly adapt and recover from disruptive events, maintain continuous delivery of essential services, and minimise the impact on stakeholders.

Achieving operational resilience requires aligning common goals across the various areas of your business. Even though the risks vary from one sector of your business to another, you must have a clear idea of what to do in case of a business disruption.

All companies are aware that risks are present and that disruptive events could happen at any time. Your ability to identify and mitigate the risks is what will showcase your operational resilience.

In today's fast-paced business environment, building a strong and resilient operational framework is crucial for organisations to withstand disruptions and ensure business continuity.

Operational Disruptions

Operational disruptions are unplanned events that can have a negative impact on a company's ability to deliver its critical business services. These disruptions can be caused by a wide range of factors, including natural disasters, cyber-attacks, hardware failures, and human error. A few examples of operational disruptions include:

  • A power outage causing widespread system failures and rendering a company's critical IT systems unavailable.
  • A data breach that results in the unauthorised release of sensitive customer information and damage to the company's reputation.
  • A natural disaster that destroys a company's primary data centre, causing widespread disruption to its critical business services.
  • Human error leading to accidental deletion or corruption of important data, disrupting the normal functioning of critical business processes.

Operational disruptions can have a significant impact on a company's bottom line, including lost revenue, damage to its reputation, and legal and regulatory penalties. It is essential for companies to develop robust operational resilience strategies to minimise the risk of disruptions and to quickly recover from them when they occur.

Operational Risk Management

Operational risk management plays a critical role in operational resilience, as it helps organisations identify, assess, and mitigate the potential risks that could disrupt their critical business services. By proactively managing operational risk, organisations can build a robust operational resilience strategy that minimises the impact of disruptions and ensures the continuity of their critical business functions.

This includes identifying potential risks, evaluating their likelihood and impact, developing mitigation strategies, and continuously monitoring and updating the risk management plan to ensure it remains relevant and effective. By integrating operational risk management into their overall operational resilience framework, companies can effectively prepare for and respond to operational disruptions, protecting their reputation, maintaining customer trust, and minimising financial losses.

FCA and Operational Resilience

In the aftermath of a pandemic, with a global financial crisis, and a significant increase in cyber crime, it's no surprise that operational resilience has come under scrutiny by regulatory bodies and has shifted to being seen as a critical strategic priority by senior management.

Alongside the Bank of England and the Prudential Regulation Authority (PRA), the Financial Conduct Authority (FCA) released new guidance for financial services companies back in March 2021. The policy provided banks and other firms in the financial industry with a regulatory framework to follow in order to strengthen their operational resilience.

The framework lays out new requirements in four key areas: important business services, impact tolerances, mapping and scenario testing, and communication & self-assessments. Having come into force in March 2022, businesses are in a transition period until March 2025, at which point the FCA expect firms to be fully compliant with robust plans and processes to ensure they remain within their set impact tolerances.

An Operational Resilience Framework for All Industries

While the framework initially applied to UK financial institutions under regulation by the FCA or PRA, the same regulations are now hitting Ireland, the USA, and beyond, and other organisations outside of the financial sector are finding value in the framework as a best practice model to work from.

So, whether you're a bank or building society working towards those regulatory deadlines or any other type of company looking to achieve operational resilience, there's good reason to make it a strategic priority. Some of the most compelling include:

  • Minimising downtime and mitigating risks: A strong operational resilience framework helps minimise downtime and protects against potential losses that can result from disruption. This is particularly important for companies that rely on continuous operations to maintain their competitive edge.
  • Ensuring business continuity: An effective operational resilience framework ensures that a company can continue its operations even in the face of disruptions. This is critical for companies that provide essential products or services, as disruptions can result in loss of revenue, customers, and market share.
  • Maintaining brand reputation: Disruptions can have a significant impact on a company's reputation, particularly in today's fast-paced and connected world. An operational resilience framework helps mitigate this risk by ensuring that the company is prepared to respond and recover from disruptions in a timely and effective manner.
  • Enhancing customer trust and loyalty: Customers expect a high level of reliability and consistency from the companies they do business with. By demonstrating an ability to withstand and recover from disruptions, companies can build trust and loyalty with their customers.
  • Complying with regulatory requirements: As previously highlighted, in some sectors, companies may be required to comply with specific regulations or standards related to operational resilience. Having a framework in place can help ensure that your company remains compliant and avoids potential legal or financial penalties.

Using Existing Business Continuity Plans to Fuel your Operational Resilience Strategy

In most cases, companies will already have some sort of business continuity management systems and plans in place, even if developing a wider operational resilience framework is new on the agenda. Using existing analyses from your business continuity planning to facilitate and develop an operational resilience strategy is a sound approach for companies looking to enhance their ability to withstand and recover from disruptions (and create efficiencies along the way). Here are some reasons why:

  • Maximising existing investments: Business continuity analyses provide valuable information about critical business activities and their potential impact on the company. By using this information gathered during BC practices to inform the operational resilience strategy, companies can maximise their existing investments and avoid having to conduct additional analysis.
  • Identifying critical business services: Business impact analyses provide a comprehensive understanding of the critical business activities that are essential to the company's operations. As activities are intrinsically linked to services, this information can be leveraged to identify the important business services that need to be prioritised in the operational resilience strategy.
  • Streamlining the process: By leveraging existing analyses, companies can streamline the process of developing their operational resilience strategy. This not only saves time and resources but also helps ensure that the strategy is based on a solid foundation of existing information.
  • Enhancing risk assessment: Business continuity analyses provide a comprehensive view of potential risks to the company's operations. By using this information to inform the operational resilience strategy, companies can enhance their risk assessment and ensure that their strategy addresses the most pressing threats.
  • Improving preparedness: An operational resilience strategy that is informed by BC planning helps improve overall preparedness and creates an integrated approach to managing risk, resilience and business continuity.
  • Optimisation: By gaining a deeper understanding of dependencies and linking critical activities to important services, you gain better insight into the cost of disruption and which activities are intrinsically linked to revenue generation. So working from a top-down perspective with an OKR mentality not only enhances your ability to withstand disruption and make a quick recovery, but also provides strategic insight - if it doesn't support a service or impact a strategic objective, then why is it happening?

Important Business Service vs Critical Business Activity

Critical business activities refer to the processes, tasks, and functions that are essential to the day-to-day operations of a company. They are the building blocks of a company's operations and include tasks such as data processing, customer service, and supply chain management. These activities are critical because they are essential to the company's ability to function and generate revenue.

Important business services, on the other hand, refer to the specific products or services that a company provides to its customers. These services are critical because they are the reason for a company's existence and are essential to its ability to generate revenue.

The two concepts are intertwined because critical business activities are the building blocks that enable the delivery of important business services. For example, data processing is a critical business activity that is essential to the delivery of financial services, which is a critical business service.

In the context of operational resilience, it is important to understand both critical business activities and important business services. This understanding is essential for the development of an effective operational resilience strategy because it enables the company to prioritise its resources and focus on the activities and services that are most critical to its success and recovery in the event of disruption or disaster.

Identifying Your Important Business Services

Identifying important business services is a crucial step in developing an operational resilience strategy. First, we must understand what constitutes an important business service. The FCA defines it as:

"a service provided by a firm, or by another person on behalf of the firm, to one or more clients of the firm which, if disrupted, could:

(1) cause intolerable levels of harm to any one or more of the firm's clients; or

(2) pose a risk to the soundness, stability or resilience of the UK financial system or the orderly operation of the financial markets".

Of course, outside of the financial services sector, this definition will differ slightly, but it's a good place to start. In this instance, intolerable harm is deemed as something that consumers of those services cannot easily recover from and looks at the wider impact on financial markets. Note that this isn't referring to inconvenience or slight harm to the firm and the end users of its services, but intolerable harm.

If we zoom out of the financial services sector to consider different types of organisations across other industries, important business services could be defined as those which - if interrupted - would cause significant detrimental effects to the company and its stakeholders, financial or otherwise.

So how do you identify the important or critical business services?

Once you've listed every individual service provided to external clients, here are some questions you may ask to determine how critical or important that service is:

  • Who are the end users/clients? Are they vulnerable?
  • Is time a critical factor in the provision of this service?
  • Are there alternative providers of this service?
  • Does the provision of this service involve sensitive data?
  • How would disruption impact the company's financial viability?
  • Is there potential to cause serious damage to your company's reputation?
  • Would disruption lead to a legal breach of any kind?
  • Are there potential knock-on effects in your market and/or supply chain?
  • Is the safety of this firm, its employees and its clients at risk in the event of a disruption?

Conducting an internal assessment and utilising financial analysis and existing business impact analysis will aid the process of identifying your important business services. Every organisation is different and therefore each will have a different number of critical services, but it's important to note that you should be able to justify any rationale applied and have it documented accordingly.

What are Impact Tolerances?

Impact tolerances are a key component of operational resilience. They represent the maximum level of disruption that a company can tolerate before its critical business activities and services are significantly impacted. Impact tolerances are used to help companies understand their operational resilience needs and prioritise their resources to ensure that they are prepared to respond to disruptions. They are established by considering the criticality of business services, the impact of disruptions, and the company's overall risk tolerance.

Companies must have a clear understanding of their impact tolerances in order to effectively manage disruptions and maintain critical operations. By defining impact tolerances, companies can also better prepare for and respond to unexpected events, ensuring that they are able to continue to meet the needs of their customers, stakeholders, and shareholders.

Mapping and Scenario Testing

Once important business services have been identified and impact tolerances assigned, the next step is mapping and scenario testing. Mapping involves capturing how various people, processes, activities, technology, and third parties are connected to critical business services in order to understand dependencies and potential vulnerabilities.

The mapping process then allows you to test different plausible but serious scenarios. Such simulations will highlight areas for improvement within the operational resilience strategy, and lead to lessons learned which can be communicated and documented. Companies should regularly conduct mapping and scenario testing to ensure that their operational resilience strategy is up-to-date and effective.

The Operational Resilience Self-Assessment

The purpose of the Self-Assessment is to capture and document the steps taken towards operational resilience and provide a comprehensive and objective evaluation of the company's strategy and overall ability to respond to disruptions.

While there's no set format for the self-assessment, and the length and level of detail should be proportionate to the company's operations, the content covered in the self-assessment should document the areas covered in this article.

Operational Resilience Self-Assessments should be conducted regularly to support the overall strategy and companies should consider what measures they will take to make sure the documentation is kept up-to-date and that any organisational changes are reflected in updates of the self-assessment.

Conclusion

In conclusion, building an effective framework for operational resilience is key to minimising the impact of disruptive events on an organisation and ensuring business continuity. The Financial Conduct Authority (FCA) has released a regulatory framework for financial institutions to strengthen their operational resilience.

However, this framework can also be useful for all types of organisations as it helps to minimise downtime, maintain business continuity, protect brand reputation, enhance customers' trust and loyalty, and comply with regulatory requirements. Existing business continuity plans can be used to fuel an operational resilience strategy, maximising existing investments and creating efficiencies. By integrating operational risk management into the operational resilience framework, organisations can effectively prepare for and respond to disruptions, minimising their impact and ensuring the continuity of critical business functions.

C2 Meridian: The Future of Operational Resilience

C2 Meridian is a web-based tool (SaaS) designed to automate and assist the day-to-day management of an organisation's Operational Resilience Strategy & Business Continuity Management System (BCMS). Our industry-agnostic solution is completely configurable to meet your organisation's unique requirements and the system was created to ensure resilience professionals across the world are able to do their jobs better, faster, and easier. Book a demo today to find out how we can help you build operational resilience.

Written by Richard McGlave

Founder & CEO at Continuity2

With over 30 years of experience as a Business Continuity and Resilience Practitioner, Richard knows the discipline like the back of his hand, and even helped standardise BS25999 and ISO 22301. Richard also specialises in the lean implementation of Business Continuity, IT Service Continuity and Security Management Systems for over 70 organisations worldwide.
