Businesses today must take a new approach to operational resilience so that they can be more adept at anticipating disruptive events and agile in responding to and recovering from them.
In a world where risks and compliance requirements rapidly expand and evolve, it’s not a question of if there will be a disruption to your services, systems or processes but when.
An organization that improves its approach to operational resilience can greatly minimize its risk when business disruptions occur. That includes external disruptions such as natural disasters, extreme weather conditions and far-reaching medical crises. It also includes internal disruptions such as system outages.
Until quite recently, operational resilience was developed with a risk-avoidance mindset. It was focused on the likelihood of a particular type of disruption occurring, then planning accordingly for that. Given finite resources, disruptions that seemed relatively unlikely to occur were considered low risk and might not be planned for at all.
One size doesn’t fit all
That way of thinking no longer makes sense. Today, organizations face operational disruptions from more sources than ever before, and businesses must widen their planning scope. For instance, companies affected by the supply chain upsets we saw in the past year know now that they have to develop operational resiliency plans to handle those business disruptions. Cybersecurity threats, natural catastrophes, new laws and regulations and even such changes as new competitors entering the market continue to pose their own risks to operational resilience.
There is no one-size-fits-all solution for responding to such a wide range of operational risks. The capabilities needed to respond to a ransomware attack are different from those needed to recover from a massive wildfire.
Responses must also be tailored to align with organizations’ different requirements. A bank that survives a highly publicized cyberattack needs to repair its reputation. An online retailer whose site is shut down after a hurricane needs to restore 24×7 service availability. And a manufacturer with factories in a medical-crisis hot spot needs to provide a safer workplace for employees.
The operational resilience framework
Given all this, what should organizations do to improve their approach to operational resilience? We’ve developed a framework that identifies 12 management disciplines that can be grouped together in different ways to ensure appropriate operational resiliency responses for different risks. The core solutions and services that are available as part of the Operational Resilience Framework combine applications, security, ITO and other services.
You don’t have to tackle implementing these disciplines all at once. But together, they can enable and strengthen your organization’s operational resilience.
Here’s a quick rundown of the framework’s 12 disciplines and the actions they enable:
- Continuity management: Analyze business impacts, set return-to-work tactics
- Corporate incident response: Manage health, safety and environmental risks, proactively mitigate risk
- Crisis management and communications: Orchestrate response plans, achieve a 360-degree view of the current crisis status
- Critical enterprise assets: Discover, map and apply governance to key assets
- Cyber and information security: Respond to and recover from attacks
- Governance, audit and compliance: Continuously monitor compliance, apply industry guidelines
- IT disaster recovery: Minimize the impacts, structure and test recovery plans
- Operational risk management: Identify and assess business risks, monitor and minimize issues
- Organizational behavior: Drive and measure effective attitudes and practices
- People and culture: Encourage an operating model for resilience
- Service operations: Assure operational excellence and efficiency
- Supply-chain management: Manage vendor risk, assure continuity
Real-world resilience
How do you apply this framework? Remember, different risks require different capabilities and responses.
In the case of cyber incidents, for example, your primary focus should be on bringing together capabilities including cyber and information security, IT disaster recovery, critical enterprise assets and governance, audit and compliance.
For business interruptions, you should focus first on building capabilities in areas including continuity management, crisis management and communications, and supply-chain management.
Among the main areas of focus for ensuring compliance with new laws and regulations will be continuity management, operational risk management, and governance, audit and compliance.
What’s needed today is an approach to operational resilience that is holistic, free of functional silos and driven by a mindset of “not if, but when.” Organizations that develop this new resilience mindset and practices will be ready for just about anything.