From the BCI:
Operational Resilience, another way to call Business Continuity?
Operational resilience has been an active area of focus, especially since the Covid-19 pandemic hit. To remain in business, organizations were forced to adapt quickly and find new ways of managing their resources while continuing to respond to client needs. The sudden changes exposed organizations that had no prepared strategy for the unexpected and highlighted the importance of readiness.
Therefore, today more than ever, an organization is expected to adapt to new situations while continuing to deliver its important business services to its customers at the level that meets their requirements. In other words, organizations are expected to integrate the operational resilience framework into their organizational culture.
People often wonder whether Business Continuity Planning is enough for an organization’s survival and recovery from a crisis. However, thinking only in terms of Business Continuity limits organizations’ efforts to reacting effectively to an incident and recovering from it. Taking a step back to focus on preventing disruptions from happening is what makes operations resilient. Thus, operational resilience combines mitigation through disruption prevention with the response capabilities of Business Continuity, covering important business services end to end. Having an effective Business Continuity program does not mean being resilient, but it is an important step on the path to resilience.
Business Continuity is one of the pillars underlying an operational resilience framework, but not the only one. Hence, to ensure operational resilience, it is necessary to consider other dimensions of analysis (pillars/disciplines) that cut across organizational processes, ranging from ICT Security to Third Party Risk Management, operational risk management, crisis management, etc. For example, understanding ICT Security is necessary to prepare an organization for ever-evolving threats, and likewise collaboration with Operational Risk Management can help to uncover risks not previously considered.
This approach can help organizations to focus on higher added-value business services, giving them an important tool to direct their investment strategies.
How to embark on the Operational resilience journey?
In an increasingly complex organizational context, ensuring the continuity of services means guaranteeing the social sustainability on which we are building our future. We are part of an ecosystem that grows and evolves around the individual (the customer) and helps to ensure social and industrial growth.
Therefore, we must return to putting the individual/customer at the center of interest, to understand the needs or the harm that a non-resilient service can cause. Companies must return to having a clear vision of the customer’s needs and work to make their journey resilient, not only by ensuring business continuity to cope with disastrous events but by working daily to improve their ability to respond to adverse events that can cause damage to the customer and the community.
End-to-end mapping of a customer’s journey enables companies to identify possible points of failure and establish workaround solutions that permit a smooth provision of service even during a disruption. Operational resilience requires a change in an organization’s mindset: going beyond business continuity planning to prepare for operational disruptions and ongoing challenges, including technical innovation and the changing environment in which the organization operates. This requires that BCM professionals make a paradigm shift from a reactive to a proactive approach, evolving their programs in coordination with other disciplines (e.g. IT Dept., Operational Risk Management, Third-party management, etc.) towards a customer-first model. While the reactive approach is response-oriented, so that a crisis or unexpected event is dealt with once the situation is already present, a proactive approach prepares beforehand by assessing the potential risks and the possible threats to business services and their underlying processes.
Hence, operational resilience should take into consideration a wider set of risks, including operational, regulatory, strategic, third party, IT, security and continuity risks, to build a holistic view of the risk portfolio related to the delivery of the important business services. These services are then made more resilient by remediating the vulnerabilities that might impact their operations.
How to implement Operational Resilience?
When thinking about operational resilience, an organization should start by adopting a business services view of its customer journey. Defining a business service should focus foremost on the customer and what their needs and expectations are, so understanding the value proposition of your services and the business context (environment) in which they operate is the key to starting your operational resilience process.
Having your Business Services clearly defined will allow you to identify the important ones (Important Business Services – IBS): those whose interruption could cause intolerable harm to the customer or the market (as applicable). Prioritizing your Business Services by their relative importance against categories such as the number of customers involved, financial stability, organizational viability, and regulatory requirements (if any) will help you define a practical scope of work and focus your efforts on making these IBS resilient.
This represents an evolution of the Business Continuity approach, which focuses mainly on the analysis of internal processes, by introducing an external point of view based on the Customer Journey – CJ (e.g. needs) and applying a proactive approach to identify vulnerabilities and resolve weaknesses or single points of failure. That is why it is important to understand the relationship between the CJ and the internal key processes (e.g. the ones that are probably in the scope of your BCMS), as well as the interactions, the operational dependencies, and the resources such as staff, systems, data, suppliers, and locations, which directly support the important business services and where disruption could have the greatest impact on the customers.
Setting your maximum tolerable level of disruption to an IBS, and setting objectives to ensure that threshold is not breached, is what defines Impact Tolerance. To define an accurate Impact Tolerance, it will be helpful to determine the business-as-usual service level required for your customers (usually measured via 3 main approaches chosen according to the sector’s needs: quantity or volume, quality, and lead time) using SMART metrics and taking into consideration a specific period (e.g., a year) and the busy seasons or peak times. By doing so, the firm’s impact tolerance applies under normal circumstances as well as in peak times.
Impact tolerance differs from the recovery time objective and the maximum acceptable outage defined in business continuity planning: those are time-based, whereas impact tolerance also includes outcome-based objectives, so it considers how much, when, and for how long. In a turbulent environment, Impact Tolerance should be periodically revised to better identify the harms that can be caused to consumers and/or market integrity.
Organizations should test their ability to remain within their Impact Tolerance for each of their IBS in the event of a severe but plausible disruption of their operations. Testing should not only focus on preventing incidents from occurring or on the probability of an incident taking place; it should also focus on the response and recovery actions that organizations would take to continue the delivery of an IBS assuming a disruption has occurred.
Test scenarios are defined from the information gathered during the analysis of the CJ (Resource identification phase), since that analysis identifies the main points of attention (weak points, SPOF, etc.). Testing the resilience of an IBS, meaning the capability to react to and recover from a disruption, is the only way to verify that adequate countermeasures are in place and to identify additional actions (remediation plans) needed to meet the defined Impact Tolerance.
Business continuity and disaster recovery testing scenarios, which usually focus on an event affecting a single asset such as premises or IT systems unavailability, can be part of the resilience scenarios, even if the latter are more likely to be performed as a table-top exercise when the framework is first implemented.
Why the need to implement this framework?
Several companies have already initiated their operational resilience framework, especially those in the financial sector, to help understand, prevent, and recover from extreme events that may critically impact their business. Nonetheless, many organizations are still questioning why operational resilience matters. To move beyond piecemeal solutions, we propose four main goals that can be used within a framework to effectively implement operational resilience and highlight its importance.
- Reducing the risk exposure, enabling the company to avoid unexpected losses from adverse events and to reduce the cost of disruption. Hence, with operational resilience, a company can reduce both the probability and the impact of disruptions when they happen.
- Moving from a siloed approach, where all frameworks/disciplines are disconnected, to a more holistic and integrated one that will drive resilience decisions and prioritize investments at the Board level. This will allow better use of the company’s capabilities by allocating resources more effectively and efficiently.
- Enhancing customer trust and loyalty by delivering a service that is always available and responsive during adverse events, and by developing a proactive approach to ensure that customers’ needs and expectations are met.
- Gaining competitive advantage in the market by being among the first companies to adopt this new framework, which helps the organization to keep up with the most recent developments, whether technological, security-related, financial, regulatory, or reputational.
Throughout this paper, we aimed to highlight the importance of operational resilience versus business continuity, both of which have become a hot topic for many industries, especially during Covid-19. The Covid-19 pandemic has increased operational risks and amplified economic and business uncertainty, and while business continuity is a precise methodology based on specific scenarios to reduce business disruption, operational resilience encompasses a broader range of measures to ensure that businesses can survive during challenging times.
To conclude, operational resilience is an outcome of effective management, including the implementation of recovery measures and the monitoring of risks and disruptions at local and regional levels that affect companies in a globally interconnected world. Hence, operational resilience matters because it offers mission/goal-oriented functions as part of a group of effective measures that respond to disruptions, offer recovery avenues that allow businesses to navigate flexibly during turbulent times, and help build sustainable futures for individuals, companies, and the market.
Learn more at the Business Continuity Institute.
About the Authors:
Stéphane Speich, MBCI
Speich previously worked as a Group Business Continuity Manager in a leading Italian digital payments company. He has over 15 years’ experience in designing, developing, and evolving Business Continuity Management Systems (according to international standards), with deep experience in IT Risk Management and Security Governance. He has proven technical and organizational skills developed in the field within several projects in the financial, utilities, and telco sectors.
Hiba Kahil, MBCI
Kahil has been a proven leader in the business continuity and crisis management fields for the last 12 years and has been a member of the Business Continuity Institute since 2016. Hiba is currently a Business Continuity Manager at a government entity in Abu Dhabi, UAE, and she was previously a business resilience consultant with Deloitte and Touche.