The Business Continuity Institute (BCI ) has released the BCI Operational Resilience Report 2022, sponsored by Castellan Solutions. The report examines how different organizations, across many sectors, understand operational resilience while taking a look at the steps they have taken to achieve it and whether legislation is motivating organizations to implement it.
Defining Operational Resilience
More than three-quarters of organizations (77.9%) have or are developing an operational resilience program. Although these numbers are impressive, the report reveals that while many organizations believe they have an operational resilience program in place, they may actually be aligning closer to the organizational resilience standard, ISO 22316. Definition confusion may not be an issue in itself but, for business continuity (BC) professionals who have been asked to implement operational resilience programs within their own organizations, it could ultimately lead to a program failing. As a demonstration of this, 17.1% of respondents believe that there is no need for an operational resilience program in their organization as they already have a business continuity program in place. “Operational resilience is just business continuity done well” was a frequent – and concerning – sentence spoken by a number of survey respondents.
Meanwhile, many respondents were concerned that these blurred lines between operational resilience and business continuity could lead to an increase the likelihood of blind spots forming inside their own organization as the focus switches to protecting external customers and markets. The importance of having a BC programme working in tandem with an operational resilience programme is therefore of utmost importance.
The Impact of Regulation
New regulations have supported the rise of operational resilience programmes within the financial services sector, with the UK’s FCA/PRA regulation leading the way with implementation deadlines. Despite this, only one in five of the UK’s financial services institutions think regulators have done enough to help them implement the regulations. Respondents have largely pinned this to a failure in documentation, with important information spread between various sources instead of a core source document. On a positive note, however, many countries around the world are now following the lead of these operational resilience regulations and are working hard to implement their own variations.
It is also important to note the influence of the regulations on operational resilience uptake, not just within the financial services industries but also outside it. This may in part be due to organizations needing to align with the operational resilience programmes of larger organizations as they form part of the larger organization’s important business services, but some are simply using the regulations as a framework to construct their own programmes.
- When asked to what extent the risk committee, technology committee, executive committee and the board have operational resilience appearing on the agenda, respondents said most committees discuss operational resilience on a six-monthly basis at least.
- In the UK financial sector, 64% of respondents under the regulations think the impact tolerances set by their organizations are correct and will be able to be demonstrated by 31 March 2025.
- Respondents identified ‘embedding operational resilience into the fabric of the organization’ as the key challenge facing its implementation.
Read more and download the report here.