Operational Resilience – Learn to withstand disruptions and continue operations!

April 2nd, 2024

Operational resilience is the ability of an organization to continue to operate and deliver its essential services in the event of an operational disruption. This can be caused by a variety of factors, such as natural disasters, technology and third-party failure, cyberattacks, or human error.

Operational resilience matters to organizations of all sizes because it helps protect their reputation, financial performance, and ability to serve their customers. Building it starts with two steps:

  • Identifying and assessing risks: The first step is to identify the potential risks that could disrupt your operations, such as natural disasters, cyberattacks, or human error. Once you have identified the risks, you can assess their likelihood and impact.
  • Implementing controls: Once you have identified the risks, you can implement controls to mitigate them, such as a backup plan for your IT systems or training for employees on how to identify and respond to cyberattacks.

By taking steps to improve their operational resilience, organizations of all sizes can protect their reputation, financial performance, and ability to serve their customers, gaining the following benefits:

  • Reduced costs: By reducing the number of disruptions, organizations can save money on costs associated with downtime, such as lost productivity and revenue.
  • Improved customer satisfaction: Customers are more likely to do business with organizations that they can trust to deliver their services reliably in the event of a disruption.
  • Enhanced competitive advantage: Organizations that are more resilient to disruptions are better positioned to compete in the marketplace.
  • Reduced risk of financial loss: Operational disruptions can lead to financial losses for organizations. By improving their operational resilience, organizations can reduce the likelihood and impact of these losses.
  • Enhanced reputation: Organizations that are seen as being resilient are more likely to be trusted by customers and partners.
  • Increased employee morale: Employees are more likely to be motivated and engaged when they work for organizations that are resilient.

Overall, operational resilience is an important concept for organizations of all sizes. By taking steps to improve their operational resilience, organizations can protect their ability to deliver essential services, reduce risk, and improve their reputation.

Here are some of the challenges that organizations face in improving their operational resilience:

  • Lack of resources: Many organizations do not have the resources to invest in operational resilience.
  • Lack of awareness: Many organizations are not aware of the importance of operational resilience or how to improve it.
  • Lack of coordination: Often, different departments within an organization are responsible for different aspects of operational resilience. This can lead to a lack of coordination and a fragmented approach to risk management.

Despite these challenges, there are a number of things that organizations can do to identify and assess operational risks, implement controls, test and exercise contingency plans, and communicate with stakeholders, thereby improving their ability to withstand disruptions and continue to operate and deliver their products & services.

These include:

  • Identifying and assessing risks: The first step is to identify the potential operational risks that could disrupt your operations, and to stress test finances against specific scenarios. Risks could include power outages, loss of a critical supplier, a ransomware attack, or a disruption lasting longer than the Maximum Tolerable Period of Disruption (MTPoD), which could lead to the dissolution of the organization.
  • Developing mitigation strategies: Once you have identified the risks, you need to develop mitigation strategies to reduce the likelihood or impact of a disruption. These could include backup power systems, disaster recovery plans, or training employees on how to respond to different types of incident.

What Operational Resilience Regulations Exist Globally?

From a global perspective, the Basel Committee on Banking Supervision (Basel Committee) published its Principles for Operational Resilience (the Principles) in March 2021. The Principles build on earlier updates that the Basel Committee made to its Principles for the Sound Management of Operational Risk, and draw on previously issued principles on corporate governance for banks, as well as on outsourcing, business continuity and related risk-management guidance.

In the Principles, the Basel Committee describes operational resilience as the ability of a bank to deliver critical operations through disruption: the bank is able to identify and protect itself from threats and potential failures, respond and adapt to disruptive events, and recover and learn from them, in order to minimize their impact on the delivery of critical operations. When considering its operational resilience, the bank needs to assume that disruptions will occur, and to take into account its overall risk appetite and tolerance for disruption.

Within the UK, the Bank of England has introduced an Operational Resilience Policy, which is being implemented by the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA).

The following types of Financial Services (FS) “firms” are included within this regulation:

  • UK banks, building societies, and PRA-designated investment firms (banks);
  • UK Solvency II firms, the Society of Lloyd’s and its managing agents (insurers);
  • Recognized Investment Exchanges, Senior Managers & Certification Regime firms, and entities that are authorized or registered under the Payment Services Regulations and/or Electronic Money Regulations.

This regulation aims to improve the operational resilience of firms and to protect the wider financial sector and UK economy from the impact of operational disruptions. It lays down requirements for full implementation by 31st March 2025, and expects that services and the supporting chain of activities should be resilient, with the necessary resources, knowledge and management processes and procedures for:

  • Important business services
  • Impact tolerances
  • Implementation timelines and remaining within impact tolerances
  • Mapping
  • Scenario testing
  • Governance
  • Self-assessment

The PRA expects that failures of internal services need only be considered to the extent that they affect the delivery of external-facing business services that have direct consequences for the PRA’s objectives. As such, any internal service that is necessary for the delivery of an important business service should be included in the firm’s mapping, scenario testing, and any remediation, to ensure the firm could remain within its impact tolerances in severe but plausible disruptions.

The following is a short summary, compiled from research, of other global operational resilience regulations, standards, codes of practice and guidelines:

  • Australia: The Australian Securities & Investments Commission (ASIC) has issued new market integrity rules that are intended to promote the technological and operational resilience of securities and futures market operators and participants, and the Australian Prudential Regulation Authority (APRA) has released a discussion paper on a new prudential standard designed to strengthen the management of operational risks in the banking, insurance and superannuation industries.
  • Canada: The Office of the Superintendent of Financial Institutions (OSFI) has identified that federally regulated financial institutions (FRFIs) operate in a complex risk environment, with increasing threats to their critical operations from events such as control failures, third-party disruptions, infrastructure outages, technology failures, cyber incidents, geopolitical incidents, pandemics, and natural disasters, and has issued draft Guideline E-21, Operational Resilience and Operational Risk Management.
  • European Union (EU): The EU has agreed, with all EU Member States, on implementation of the Digital Operational Resilience Act (DORA), as well as its Cybersecurity Directive and Resilience of Critical Entities directive.
  • Hong Kong (HK): The Hong Kong Market Association (HKMA) has issued a new Supervisory Policy Manual (SPM) module on Operational Resilience, together with a revised version of the SPM module on Business Continuity Planning (BCP).
  • Ireland: The Central Bank of Ireland has issued Cross Industry Guidance on Operational Resilience.
  • Malaysia: Malaysia has issued its Malaysian Technical Code for BCM and Technical Code for Information and Network Security.
  • Saudi Arabia (SA): The SA Capital Market Authority (CMA) has issued its Capital Market Institutions Regulations; the Saudi Arabian Monetary Authority (SAMA) has issued its Cyber Security Framework and SAMA BCM Framework; and further guidance includes the Saudi Patient Safety Center Healthcare BCM, the Digital Government Authority (DGA) Standards of BCM for Digital Government, the DGA Guidelines for Business Continuity (BC) in Government Entities, and the Communications and Information Technology Commission Guidelines for Disaster Recovery Planning (DRP) for the ICT Industry.
  • Singapore: The Monetary Authority of Singapore (MAS) and The Association of Banks in Singapore (ABS) have produced a document titled Risk Management and Operational Resilience in a Remote Working Environment, and the Government has enacted its Cybersecurity Act.
  • United Arab Emirates (UAE): The Dubai Financial Services Authority (DFSA) is maintaining its strong supervisory focus on the operational resilience of firms, including its ongoing focus on cybersecurity risk.
  • United States (US): The Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency, and the Federal Deposit Insurance Corporation (the agencies) issued an interagency paper on Sound Practices to Strengthen Operational Resilience, and have also issued Interagency Guidance on Third-Party Relationships / Risk Management.

Key Components for Operational Resilience

There are a number of key components that your organization should have in place for operational resilience. These include:

  • Leadership Commitment: Operational resilience requires the commitment of senior leadership. This commitment should be evident in the organization’s culture, policies, and procedures.
  • Governance, Compliance & Risk: Organizations need to identify and assess their governance and compliance obligations, while identifying risks that could disrupt operations. This supports the development of mitigation strategies to reduce the likelihood or impact of disruption.
  • Business Continuity Planning: Organizations need to have Business Continuity Plan(s) in place that outline how the organization will continue to deliver its essential services in the event of a disruption.
  • Disaster Recovery Planning: Organizations need to have a Disaster Recovery Plan in place, supported by infrastructure resilience, that allows them to recover Information and Communications Technology (ICT) and infrastructure within an agreed period of time.
  • Cybersecurity Framework: Organizations need to have a strong cybersecurity program and framework, including incident response, in place to protect their systems and data.
  • 3rd Parties & Outsourcing Management: Organizations need to have processes and procedures in place for supply chain management. Where a third party delivers cloud computing services on behalf of a regulated firm, this is also considered outsourcing, and the firm should record the name of the cloud provider and the type of function being outsourced.
  • Crisis Management & Communications: Organizations need to prepare their capabilities against a list of realistic scenarios that could disrupt and impact their products and services, and have communications plans for reaching their stakeholders, customers, employees, and partners should a disruptive event occur.
  • Testing and exercising plans: Organizations need to test and exercise their plans regularly to make sure that they are effective, identify any gaps or weaknesses in them, and make sure that their employees know what to do in the event of a disruption.
  • Improvement: Organizations need to take steps to address disruption and the impacts of events, and show that they have improved their internal and external operational resilience while protecting their ability to deliver essential products and services.

It is essential that organizations identify and assess operational risks, implement controls, test and exercise contingency plans, and communicate with stakeholders. The result will be an improved ability to withstand disruptions, continue operating, and deliver their products and services.


Steve Yates is Chair of The Resilience Association. This association was established as a not-for-profit organization, focused on connecting people, content and ideas from across the resilience spectrum with a common aim of championing and improving organizational resilience by promoting open communication, sharing best practice and extending networks, knowledge and performance.


About the Author:

Steve Yates is a Founding Fellow of the Business Continuity Institute (FBCI), Certified as a Business Continuity and Cyber Resilience Professional by the Disaster Recovery Institute (DRI) International (CBCP and CCRP), and by the BSI as a Certified ISO 22301 Lead Auditor. He has also been Admitted to the Freedom of the Worshipful Company of Information Technologists (WCIT) for his work in Incident Management and Information Technology Disaster Recovery, qualified as a Telecommunications engineer, and is currently Chair of the Resilience Association. He can be contacted by email at: steve.yates@resilienceassociation.org
