As part of a global company that helps organizations prepare for disruption, we get the unique opportunity to hear about hundreds of approaches and perspectives on getting readiness “right.” Naturally, we are spending a lot of time talking about COVID-19 lessons learned and preparing in case the situation escalates even further. We are also spending a lot of time discussing operational resilience.
If you’re in the financial services industry (especially in the UK), this is a term you’re getting more and more familiar with given the multitude of regulatory and private sector perspectives being shared. However, as we’ll discuss in this article, all sectors in all geographies should understand its core tenets and how operational resilience thinking can add value through a perspective which truly resonates with executive leaders and boards of directors.
But here’s the catch: Our thinking is that operational resilience is “business continuity done right.” Sure, there are some new terms, but for many of the organizations around the world with advanced business continuity programs and capabilities, foundational elements were already in place. Perhaps the most interesting thing is that implementing operational resilience thinking solves many of the COVID-19 lessons learned which were identified during the past few months. Issues such as planning for the disruption of product/service delivery channels and addressing customers’ most aggressive expectations can be highlighted and addressed via operational resilience philosophy.
Beyond summarizing the operational resilience value proposition and what makes it resonate, let’s look at some recommended approaches to help you achieve alignment with its core philosophy and increase readiness for disruption.
Operational Resilience Defined
At its core, operational resilience is your organization’s ability to continue to provide important business services during adverse operational events by anticipating, preventing, recovering from, and adapting to such events and learning from them.
It’s also important to define “business services.” For those familiar with ISO 22301, business services are essentially the same as “products and services,” which are the outcomes that provide value to different stakeholder groups (often your organization’s customers).
Beyond business services, what else stands out as key elements of this definition? Again, for those who see business continuity as a means to decrease disruption frequency while preparing to quickly respond and recover, there’s probably not too much new here.
But let’s go a little deeper.
Our interpretation of operational resiliency philosophy is:
- Major disruption is inevitable. Your organization can’t fully predict what will disrupt it, nor can you accurately establish a disruption probability (which is a departure from traditional “risk” thinking).
- Digitizing your organization is a necessary pre-requisite for solutioning. Your organization, and the environment in which it operates, is far too complex to understand vulnerabilities, expectations, dependencies (internal and external), and the assets which deliver business services. It is essential to create and maintain a digital model of your organization to get answers to the fundamental question of “what if…”
- Impact is more than internal pain. This is another core tenet you should consider in context. Impact is much more than the pain your organization feels. It’s also about your customer’s pain, and the market impact where your organization operates. For many, traditional business impact analysis thinking fails to consider your customer’s pain and your organization’s role in the broader market. With operational resilience, think the opposite. It’s all about your customer, their expectations and changing behaviors, and the channels through which they receive business services outcomes.
Let’s Start with Myth Busting
We just introduced a common definition of operational resilience and summarized three elements of its philosophy, so now let’s talk about the “Top 10” value-adding elements of operational resilience.
1. Board engagement and leadership (governance, or said another way, getting appropriate organizational elements fully engaged to achieve a more resilient state, starting with your most senior leaders delivering “tone at the top”)
2. Digitizing your business model (a prerequisite for No. 6)
3. **Identification of important business services**
4. **Plausible scenario identification and use**
5. **Business service-specific impact tolerance**
6. End-to-end mapping (the processes and assets which deliver business services)
7. End-to-end testing (testing continuity or recoverability of your entire business service)
8. Measurement (can your organization continue a business service consistent with impact tolerance?)
9. Incident management (the ability to respond, communicate, adapt, recover, and then plan ahead for more)
10. Learning (reflecting on what worked and what didn’t during disruption response and working to drive continual improvement over time)
Although we haven’t defined the three items in bold, is any of this really different than what the best business continuity programs deliver?
That’s the myth … it’s not! It’s just business continuity done right.
But let’s go a little deeper.
Why Operational Resilience Thinking is Compelling (and Resonates with Executive Leadership)
Have you ever observed a board of directors meeting? What about a quarterly investor briefing led by the CFO of a publicly traded company? Even if you haven’t heard either firsthand, you might be able to recognize themes. Which of the following do you think is more accurate?
Option 1: During the past quarter, Specialty Metal X returned revenues of $450M, Specialty Metal Y had revenues of $390M, and Specialty Metal Z earned $380M. Revenue was 43% greater than Q3 last year and 38% greater than last quarter. Overall, gross margin surged to 83% this quarter and 48% overall year-to-date.
Option 2: During the past quarter, we saw increased demand from our manufacturing customers for three of the five specialty metal products we supply to the market. This increased demand was the result of an unexpected surge in automobile manufacturing and sales in Europe and North America as concerns about a global recession subsided. Specialty Metal X returned revenues of $450M, Specialty Metal Y had revenues of $390M, and Specialty Metal Z earned $380M. Revenue was 43% greater than Q3 last year and 38% greater than last quarter. We expect this buying behavior to stay consistent for at least the next six months. Overall, gross margin surged to 83% this quarter and 48% overall year-to-date.
There’s a not-so-subtle difference here between options 1 and 2. Option 2 explained “the why,” and this is all about the customer and what led to results.
As an investor, wouldn’t you be more comfortable investing with an organization that demonstrated an understanding of the “why”? From an executive leadership perspective, investing in operational resilience – or business continuity – isn’t any different. Putting your customer, your organization’s business model, and business services at the foundation are essential steps to achieving great resilience outcomes. These tie the resilience effort directly to revenue streams which should be protected.
With operational resilience’s focus on your customer, your market, and business services, the resulting language resonates with your board and executive leadership (as opposed to “just” products and services, or even worse, the recoverability of business processes and resources without tying them back to the impact on product/service delivery).
Business continuity programs with the best leadership engagement focus on business services and the customer. Operational resilience thinking now demands the “and.”
Operational Resilience Challenges
If some organizations were already driving disruption readiness based on products/services and their customers, it should be easy for everyone, right?
Not so fast.
In the dozens of conversations we’ve had with organizations – in and outside of financial services – there’s a struggle to achieve what emerging regulatory guidance and proposed best practice describe.
Here’s what we’re seeing:
- There’s a struggle to narrow it down to the critical few “important business services.”
- What’s a plausible scenario and how do we use them as part of operational resilience?
- How do we set “impact tolerance,” and what does it really mean?
Getting Started on Your Operational Resilience Journey
As part of our inventory of the “Top 10” value-adding elements of operational resilience, we highlighted three items in the list, all of which require a little further explanation. Solving for these three elements will relieve most of the stress business continuity program leaders around the world experience as they shift toward operational resilience.
- Identification of important business services
- Plausible scenario identification and use
- Defining business service-specific impact tolerance
Let’s explore each of these, what they mean, how they’re used, and how to get outcomes for each to drive toward the right level of operational resilience.
1. Identification of Important Business Services
We previously defined a business service as the outcome which provides value to different stakeholder groups. Internally, for organizations in the private sector, the value is often financial gain. Externally, for customers, the value is based on the pain the business service solves (or said more positively, how it creates joy or makes the customer’s life better in some way).
What we’re finding is that many larger organizations that have successfully embarked on their operational resilience journey have identified somewhere between eight and 12 important business services.
Here are two sample lists, one for a global financial services organization, and the other for a smaller consumer products organization:
Financial Services Organization Examples
- Access to my money
- Ability to make an insurance claim
- Make a payment
- Receive my annuity payment
- Complete on my mortgage
Consumer Products Organization Examples
- Deliver a competitive price
- Place an online order
- Successful product delivery
- Provide support when things fail to work
How can your organization successfully identify important business services? Here’s a proposed model to consider (engage your product and leadership teams in seeking and/or endorsing answers to the following):
- Would disruption to any of your products and services create immediate harm to a vulnerable customer?
- Would any of your products or services, if disrupted, create chaos or significant disruption to a market in which you operate?
- What’s the delivery profile of the product/service? Is it transactional? Is it a one-off or repeating? How often? How many in a given time period? How many customers receive the outcome?
- Would delivery of any of your products or services, if disrupted, threaten the viability or stability of your organization?
- Which products or services generate the most revenue (you can group products and services into categories)?
- Which products or services are most profitable?
- Will these answers change during the next 12-36 months (based on your knowledge of the market)? If so, how?
- What would the impact be to the customers of your products/services? (Create a table with the first column as the product or service, the second column as the customer segment, and the third as a description of the expected pain: financial, health/safety, operational, regulatory/compliance, other.)
Review answers to each of the eight questions. Where is the overlap? If you’re like our customers, as well as those we’ve engaged in discussions on operational resilience successes, the products and services that appear in the answers to multiple questions are often the organization’s important business services.
We recommend focusing on our definition of a business service here, as it is easy to include internal business services in this list. There is no doubt some of these might be important, but many are important only in connection with the support they give to a business service and its outcomes for stakeholders.
2. Plausible Scenario Identification and Use
If you’re like us, this aspect of operational resilience might make you a little nervous.
Is this advocating threat-based planning? No, not at all.
Instead, our view is that the identification of plausible scenarios which could impact important business services gives context to the identification of impact tolerance (described next) and also helps make end-to-end testing more concrete by suggesting truly impactful scenarios.
What is a plausible scenario?
We define a plausible scenario as a realistic event which could disrupt business service delivery outcomes leading to unacceptable pain (market, customer, and/or internal). The plausible scenario should offer the possibility to affect activities and resources on the critical path to delivering a business service, and ideally, the scenario could affect the most vulnerable elements on the critical path.
This does not mean plausible scenarios must affect your important business services. This exercise helps your organization understand which threats make you vulnerable, and in many cases, knowing there is a severe but plausible scenario the organization need not worry about at the moment is good to know.
To achieve the best outcomes, consider the following:
- Understand the critical path for each business service (the activities and resources which contribute to delivery). This is where a digitized model of your organization adds incredible value.
- Based on where your organization operates, the competitive landscape, and customer delivery channels, identify scenarios which could create a business service disruption. Consider the following “loss of…” scenarios:
  - Loss of workplace and/or equipment
  - Loss of people (absenteeism)
  - Loss of technology and/or information
  - Loss of a third party
- Identify single points of failure or elements of the critical path that are difficult to recover in a timely manner against these scenarios. Be mindful not all scenarios will cause unacceptable impact to all business services. Focus on those where impact tolerance cannot be contained and will be exceeded.
- Document events and summarize based on the “loss of” categories. Seek feedback and input from leadership representatives and resource owners.
- Make a list of what your organization should worry about and what you’re comfortable with, based on strategy, business model design, and resilience capabilities.
Save some of the “worrisome scenarios” for impact tolerance setting and eventual end-to-end testing.
3. Business Service-Specific Impact Tolerance
Based on the many discussions we’ve had to date, this step in the operational resilience journey is the tough one.
Impact tolerance is generally defined by most, including regulatory bodies, as the point in time—or the decreased delivery capacity—of a business service that would cause unacceptable harm to customers or the broader market and/or irrevocably threaten organizational safety or soundness.
The challenge here is that many organizations are generally comfortable creating and seeking executive management endorsement of impact tolerance statements, but struggle with how to test viability of such statements via quantification techniques.
Many find that mathematically justifying impact tolerance isn’t possible or valuable, as impact tolerance demands a conversation that 1) articulates an understanding of the customer’s or market’s use of the business service, 2) articulates the value that delivery of the business service generates for the organization, and then 3) presents the information – together with recommendations – to executive management or the board for feedback or endorsement.
Ultimately, time will tell how to determine viable impact tolerance statements and measures (based on regulatory guidance and emerging practice), but for now, our recommendation is to create something which resembles a position paper on the topic of impact tolerance for each in-scope, important business service to help executive leadership and boards of directors make appropriate decisions. Possible inputs into the creation of the position paper, which will enable executive leadership decision-making, include the following:
- Current statements on risk appetite
- An understanding of each business service, customer segments served, and importance/scale of the role played in the broader market
- Customer segment, market, and organization impact should the business service fail and understanding when this impact causes real harm
- Other third parties that could step in to fill the vacuum following a disruption
- Current mitigation measures which could contain impact and for how long
- How impacts change over time (short-, medium-, and long-term)
Sources of information include internal audit, finance/accounting, enterprise risk management, product management, account management, procurement, and vendor risk management.
Many of the traditional elements for measuring impact through business impact analysis (BIA) will provide a useful starting point for discussing impact tolerance, even if these BIAs are based on views of organizational impacts without connecting these to the business services or outcomes they support.
The RTOs for different business activities can provide a normalized view of the point at which the impact is significant from a continuity perspective. When overlaid with the other inputs above, specifically in regard to customers, they can be used to inform the impact tolerance and the time at which unacceptable harm may be caused. It may even be beneficial to redefine the way impact is measured in your BIAs to bring these closer to the concepts relevant to establishing impact tolerance.
What are the takeaways when thinking about applying operational resilience principles?
- Operational resilience may be the hot topic in financial services, but it is truly relevant to all.
- Operational resilience is business continuity done right (possibly with some tweaks or additions).
- Operational resilience will engage stakeholders in a more simplified, strategic conversation.
- Understanding business service outcomes in the context of your customer and market, with impact tolerance defined for each, will connect and prioritize what you need to protect your organization’s value generation.
- A digital representation of your business model is essential to highlight end-to-end delivery mechanisms and the vulnerabilities that threaten them.
One more thought: After reading this article, reflect on how operational resilience could solve a number of the issues experienced in response to COVID-19. Many of the organizations we’ve engaged feel strongly it can solve some of the root causes of poor performance.