The Resilient Organization: From Business Resilience Down Into Operational Resilience
Gone are the years of simplicity in business operations. Exponential growth and change in risks, regulations, globalization, processes, employees, distributed operations, competitive velocity, technology, third parties, and business data make continuity a challenge.
The interconnectedness of risks requires 360° contextual awareness of the organization: from the very top-level strategy down into the bowels of processes and technology. It requires holistic visibility and intelligence of risk in the context of objectives to be resilient.
2020 brought organizations lots of disruption to objectives, operations, and employees. What started with devastating wildfires in Australia moved into a global pandemic that shut down the world and its various borders.
Then, racial tensions and a focus on discrimination led to reevaluating policies and conduct rules within the organization and across relationships. Followed by more wildfires in California, disrupting businesses. And the year concluded with significant political turmoil, controversies, and a security breach in a third-party context for the history books with the SolarWinds breach. Throughout all of this was a risk and economic rollercoaster.
2020 was a year of change
The world of business in 2021 is distributed, dynamic, and disrupted. It is distributed and interconnected across a web of business relationships with stakeholders, clients, and third parties. It is dynamic as business changes day-by-day: processes change, employees change, relationships change, regulations and risks change, and objectives change.
2020 was the poster child for business and third-party disruption, and it rolls into 2021. The ecosystem of business objectives, uncertainty/risk, and integrity requires contextual awareness of operations and risk to achieve resiliency – rather than a dissociated collection of processes and departments. Change in one area has cascading effects that impact the entire ecosystem.
This interconnectedness of risk in the business is driving demand for 360° contextual awareness to be resilient so the organization can reliably achieve objectives, address uncertainty, and act with integrity. Organizations need to see the intricate intersection of objectives, risks, and boundaries across the business.
A new focus on resilience
The elements of distributed, dynamic, and disrupted business are driving significant changes in operational resiliency strategies in organizations in 2021. Firms globally and across industries are focusing on resiliency. The organization has to maintain operations in the midst of uncertainty and change, and this is becoming a key regulatory requirement in some industries.¹ This necessitates a holistic view into the objectives and performance of the organization in the context of uncertainty and risk.
Organizations are striving for business and operational resiliency that requires an integration and symbiotic interaction of risk management and business continuity. The organization in 2021 has to be a resilient organization with full situational awareness of the interconnected risk environment that impacts them.
This starts from the top and works down:
- Business resilience is focused on the overall resilience of the organization, which includes strategy, liquidity, integrity, and operational resilience.
- Operational resilience is a component of business resilience focused on internal processes, services, people, systems, relationships, and external events. Operational resilience is the ability of organizations to prevent, adapt, respond to, recover and learn from operational disruptions.²
- Digital resilience is an aspect of operational resilience that delivers the ability to assure operational integrity from a technological perspective.³
Being resilient requires multiple inputs and methods of modeling and analyzing risk and disruption in context of the impact on the objectives of the organization. This requires information gathering — risk intelligence — so the organization has a full perspective and can make better business decisions. The resilient organization will have a cohesive strategy that links business, operational, and digital resilience together.
The requirements of resilience
This requires an integration of traditional enterprise and operational risk management with business continuity as well as third-party management. This is supported by the right information and technology architecture to provide 360° contextual awareness of risks, disruption, and impact on objectives.
This cannot be accomplished if these functions are approached from silos, manual processes, and a mountain of documents, spreadsheets and emails. It requires an integrated process, information, and technology architecture to enable a discipline of decision-making that has a symbiotic relationship on performance and strategy of the organization.
¹This is a particular focus of regulators in the financial services industry. The United Kingdom’s Financial Conduct Authority, Prudential Regulatory Authority, and Bank of England has been leading in operational resiliency regulation. This has now been picked up by the European Union as well as the United States Office of the Comptroller of the Currency to address operational resiliency regulations.
²Adapted from the UK FCA definition: operational resilience is the ability of firms and FMIs and the financial sector as a whole to prevent, adapt, respond to, recover and learn from operational disruptions.
³Adapted from the EU Digital Operational Resilience Act (DORA): ‘digital operational resilience’ means the ability of a financial entity to build, assure and review its operational integrity from a technological perspective by ensuring, either directly or indirectly, through the use of services of ICT third-party providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity makes use of, and which support the continued provision of financial services and their quality.