Operational resilience is the ability of an organization to continue to provide business services in the face of adverse operational events by anticipating, preventing, recovering from, and adapting to such events. The fundamental principle is “bend, but don’t break.”
Achieving operational resilience is inherently challenging given the increasing complexity of processes, technology infrastructure, and organizational silos. However, the business benefits go beyond pure risk and compliance, often forming an inherent part of a firm’s value proposition.
- It requires organizations to understand how all domains (technology, data, third parties, facilities, operations, and people) impact critical service delivery and to build a consistent set of resilience capabilities and controls across these domains.
- It depends on cross-functional, specialized expertise to evaluate and measure the resilience of the organization in light of the specific risks it faces.
- It relies on extensive coordination, collaboration, and preparation to ensure that the organization appropriately considers resilience in all activities and is ready when the worst happens.
Resilient organizations focus on anticipation, prevention, and adaptation, rather than recovery actions once the “horse has bolted.”
Resilient organizations have creative ways to provide critical business services in the event of a disruption, beyond simply getting the technology up and running again.
Our paper explores the key questions that boards and senior management should ask about their organization’s level of operational resilience.
KEY CHARACTERISTICS OF OPERATIONAL RESILIENCE
Boards and senior management should focus on understanding the risk levels of their firms, assessing their firms’ readiness for disruptive scenarios, and gaining comfort that their firms have a robust approach to resilience.
- What is our risk appetite for resilience risk?
- What KRIs and KPIs provide us with a comprehensive view of our maturity and uplift program?
- Who is accountable in the 1st and 2nd lines of defense for managing, monitoring, and reporting on resilience?
- Does the organization understand the dependencies of critical business services on organizational assets?
- What are our most critical assets that impact service delivery?
- How does our approach to resilience change the way we manage operations, technology, and third parties?
- What is our measure of criticality?
- What are our critical business services and why?
- How are we leveraging existing definitions of criticality and critical business services (e.g., from resolution planning)?
- What is our impact on customers and the financial system?
- What are the most important resilience risks for the organization?
- How do we monitor and manage the level of resilience of the organization?
- How is risk appetite reflected in our impact tolerances?
- In which scenarios are we outside of our defined impact tolerances?
- How do we make sure we are effectively prepared for different disruption events?
- How frequently are we testing our response and recovery capabilities for different disruptive scenarios?
Organizations that manage to establish effective operational resilience programs will be able to realize the benefits of better resilience as well as related business benefits.
Boards and senior management can help their organizations overcome these challenges. They can encourage the right level of investment, drive a “tone from the top” to break silos and change culture, and set clear expectations for progress. Ultimately, by asking the right questions and demanding accountability when the answers are unsatisfactory, boards and senior management can play a pivotal role in enabling their organizations to achieve resilience.
With the growing complexity in financial services, it is incumbent on every organization to take resilience seriously, and it is incumbent on boards and senior management to make sure their organization’s resilience program is on track.