Operational resilience goes beyond business continuity and operational risk management. It aims to minimize the impact on consumers and the wider economy. Major disruptive events such as the COVID-19 pandemic have clearly highlighted the need for organizations to ensure continuity of operations by embedding operational resilience as part of their organizational DNA.
The following reasons have highlighted how important it is for organizations to build operational resilience.
Operational incidents not only have a significant financial impact but can also disrupt entire markets and systems. Consider the examples listed below.
According to Statista, the global average cost of a data breach in 2021 was $4.24 million USD. The systemic nature of such incidents is showcased by a New York Fed study, which found that if the systems of five of the most active US banks were disrupted, the spillover to other banks would affect 38% of the network on average. These incidents can also have a long tail, with a lasting impact on shareholder value as well as on operational risk capital requirements.
In a McKinsey & Company study of more than 350 operational risk incidents at financial institutions in the US and Europe, the initial declines in total returns to shareholders (TRS) were in line with the actual fines of $23 billion (from 350 events). However, over the next 120 days, the TRS of the sample declined by a staggering $278 billion, more than 12 times the total actual loss of $23 billion.
In the last few years, operational resilience has been a key priority for the regulatory community. Today the regulatory focus is shifting as well. Regulators don’t just want to see how effectively organizations can attempt to prevent events from occurring but also how quickly they can recover from them. As of 31 March 2022, the Financial Conduct Authority (FCA) required that firms must have identified their important business services, set impact tolerances for the maximum tolerable disruption, and carried out mapping and testing. Firms must also have identified any vulnerabilities in their operational resilience. In the European Union, the European Parliament has reached a provisional agreement on the Digital Operational Resilience Act (DORA) this year (2022), after the initial DORA proposal in 2020.
Regulatory authorities expect organizations to understand the firm’s vulnerabilities, invest in protecting against them, and protect themselves, their consumers, and the market, in order to preserve the public interest and retain continuity of supply of products even during operational disruptions.
Any operational resilience program needs to be aligned with the overall strategy of the organization so that it can drive and support investment decisions and day-to-day operations. To be successful with this approach, businesses require direct, efficient engagement from the board, the front line, and the extended enterprise. The goal is to manage the volatility of the impact generated by problems associated with “business-threatening events.” This means a comprehensive risk program that accommodates operational risk management, business continuity management, and third-party risk management.
As organizations prepare to streamline and improve their operational resilience program, the first step is to identify the relevant key business services, meaning those which, if disrupted, could cause substantial harm to the organization, consumers, and the business environment. The concept of potential harm is core to operational resilience and forms the crux of the program, because all subsequent processes depend on correctly identifying these critical economic functions (CEFs).
To effectively do this, organizations will need to:
There are multiple known and unknown factors that contribute to critical disruptions and may put the organization at risk. Forecasting, pre-empting, managing, or mitigating these factors is of high importance if organizations are to report accurately on their stability.
Organizations need to keep track of the following while setting impact tolerances and risk metrics:
Companies operate in a dynamic environment today. Building a relational data framework that maps the people, processes, systems, and third parties required to deliver each business service is an important step in understanding its dependencies. Crucial to building business resilience is understanding the internal and external interconnections from every stakeholder’s perspective, while ensuring that the full picture exists, is kept current, and reflects every relevant change.
Since organizations are increasingly dependent on third-party providers and outsourcing of some functions, such an approach can help navigate the risks presented by third and fourth parties.
The following best practices can help gain a better understanding of upstream and downstream dependencies:
While looking for points of failure, it is important to assess the real impact on the organization and to build a better understanding of the organization’s risk appetite and capabilities.
Consider the following when building scenarios for potential points of failure:
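The dependency mapping and point-of-failure analysis described above can be made concrete with a small relational model. The following is an added example, not MetricStream’s code or any part of its platform: the business service, its processes, systems, teams and vendors, the recovery-time estimates and the impact tolerance are all constructed values chosen to illustrate the method. It builds the map of what each business service depends on (including a fourth party behind a vendor), walks it to list upstream and downstream dependencies, finds single points of failure for the service, and flags those whose estimated recovery time exceeds the impact tolerance.

```python
"""Relational dependency map for one important business service, with
single-point-of-failure search and an impact-tolerance check.

Added example, not MetricStream's code. Every node name, recovery-time
estimate and tolerance below is constructed for illustration.
"""
from collections import defaultdict

# Constructed map: node -> the nodes it directly depends on.
# Node kinds: svc (business service), proc (process), sys (system),
# team (people), vendor (third party; a vendor's own vendor is a fourth party).
DEPENDENCIES = {
    "svc:retail_payments": ["proc:payment_authorization", "proc:settlement"],
    "proc:payment_authorization": ["sys:core_banking", "sys:fraud_screening",
                                   "team:payments_ops"],
    "proc:settlement": ["sys:core_banking", "vendor:clearing_house",
                        "team:payments_ops"],
    "sys:core_banking": ["sys:primary_dc", "sys:secondary_dc"],  # hosted redundantly
    "sys:fraud_screening": ["vendor:fraud_saas"],
    "vendor:fraud_saas": ["vendor:cloud_provider_x"],            # fourth party
    "vendor:clearing_house": [],
    "sys:primary_dc": [],
    "sys:secondary_dc": [],
    "team:payments_ops": [],
    "vendor:cloud_provider_x": [],
}

# Nodes that stay up as long as ANY of their dependencies is up (redundant
# design). Every other node needs ALL of its dependencies to be up.
REDUNDANT = {"sys:core_banking"}

# Constructed recovery-time estimates in hours, gathered per node during mapping.
RECOVERY_HOURS = {
    "proc:payment_authorization": 2, "proc:settlement": 4,
    "sys:core_banking": 8, "sys:fraud_screening": 6, "team:payments_ops": 1,
    "vendor:clearing_house": 24, "vendor:fraud_saas": 12,
    "vendor:cloud_provider_x": 48, "sys:primary_dc": 24, "sys:secondary_dc": 24,
}

# Reverse adjacency: node -> nodes that directly depend on it (downstream).
DEPENDENTS = defaultdict(list)
for _node, _deps in DEPENDENCIES.items():
    for _d in _deps:
        DEPENDENTS[_d].append(_node)


def upstream(node):
    """All nodes `node` transitively depends on (what must work for it to work)."""
    seen, stack = set(), list(DEPENDENCIES[node])
    while stack:
        n = stack.pop()
        if n not in seen:
            seen.add(n)
            stack.extend(DEPENDENCIES[n])
    return seen


def downstream(node):
    """All nodes that transitively depend on `node` (what breaks if it breaks)."""
    seen, stack = set(), list(DEPENDENTS[node])
    while stack:
        n = stack.pop()
        if n not in seen:
            seen.add(n)
            stack.extend(DEPENDENTS[n])
    return seen


def is_up(node, failed, memo=None):
    """Evaluate availability of `node` given a set of failed nodes, honouring
    the ANY/ALL semantics above. The map is acyclic, so plain recursion suffices."""
    memo = {} if memo is None else memo
    if node in memo:
        return memo[node]
    if node in failed:
        result = False
    else:
        deps = DEPENDENCIES[node]
        states = [is_up(d, failed, memo) for d in deps]
        result = (any(states) if node in REDUNDANT else all(states)) if deps else True
    memo[node] = result
    return result


def single_points_of_failure(service):
    """Nodes whose individual failure takes the service down."""
    return sorted(n for n in DEPENDENCIES
                  if n != service and not is_up(service, {n}))


def tolerance_breaches(service, tolerance_hours):
    """Single points of failure whose estimated recovery exceeds the impact
    tolerance set for the service: these are the scenarios to test first."""
    return sorted(n for n in single_points_of_failure(service)
                  if RECOVERY_HOURS[n] > tolerance_hours)


if __name__ == "__main__":
    svc = "svc:retail_payments"
    print("single points of failure:", single_points_of_failure(svc))
    print("downstream of cloud_provider_x:", sorted(downstream("vendor:cloud_provider_x")))
    print("breaches of an 8h tolerance:", tolerance_breaches(svc, 8))
```

Running the script shows that the redundantly hosted data centres are the only dependencies that are not single points of failure, that an outage at the fourth-party cloud provider propagates through the fraud-screening vendor all the way to the retail payments service, and that the three vendor dependencies are the ones whose recovery estimates breach a constructed eight-hour tolerance. In practice the map and the recovery estimates would be maintained in the GRC data model rather than in a script, but the traversal logic is the same.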
A communication plan forms an integral element in any risk management strategy.
Formulate your communication plan and stakeholder map by:
Effectively executing the above steps by integrating GRC to support business objectives can prove to be a powerful differentiator. Technology provides a scalable platform and the data model needed to build a relational data framework and align the organizational hierarchy, business services, market expectations, and strategic and regulatory objectives. Leveraging the right GRC platform further simplifies this process with a single, panoramic view of the hierarchy of business processes and their functionality, enabling organizations to comprehensively evaluate their impact on strategic and supervisory objectives. Organizations can readily gain tangible insights for arriving at their core and critical functions, and are equipped with risk ratings or relevance ratings of important services that help identify critical economic functions. A GRC platform can also simplify the capturing, reporting, and tracking of business anomalies—empowering and equipping the front line.
Enterprise-wide risk management frameworks in many organizations are capable enough to effectively manage operational resilience. Sustaining these plans will require integration of enhanced preventative, responsive, recovery, and learning capabilities. To attain a holistic view of risks, consolidate risk identification through service mapping and stress testing. Risk data from service mapping and service risk assessment, with internal and external sources such as threat intelligence, incident data, and loss events, is an asset in operational resilience.
Leverage high-quality, readily available risk and control data from cloud applications and infrastructure. This makes it possible to streamline processes using advanced technologies and analytics, including AI and ML techniques, to make large data sets easy to understand, to provide continuous monitoring of threats and vulnerabilities, and to ensure that risk assessment is more data-driven and fact-based.
Build and implement a pervasive approach to operational risk identification, assessment, monitoring, and mitigation with MetricStream’s Operational Resilience Solution. MetricStream brings all aspects of the operational resilience framework onto a single unified platform by seamlessly embedding risk management practices into compliance, cybersecurity, vendor risk management, and business continuity planning to prepare for and prevent potential disruptions.