Senior leadership is incorporating operational resilience discussions and assessments into their core business conversations with the board and across the C-suite. The discipline of operational resilience is maturing rapidly and is a multidisciplinary effort.
The first step for an organization is to understand the scope of operational resilience and then determine who needs to be involved.
Enabling Your Business to Deliver Its Market Promise
The starting point on the operational resilience journey is to identify and understand its critical business services – those key services delivered to the market and the critical internal operations which cannot fail in order to deliver to customers. Within the financial industry critical services may include payments clearing and settlements, funding and liquidity, and mortgage origination as examples. For the manufacturing industry, these are a subset of mission essential services required to conduct manufacturing operations. This includes function or capability which is required to maintain health, safety, the environment, and availability for the equipment under control.
These critical services help drive and define the scope of operational resilience for an organization, typically determined by the businesses and approved at the C-suite level.
In the financial industry, one of the common constructs is to establish a separate operational resilience team from the separate domains such as business continuity or disaster recovery. Given this new discipline, it would be beneficial for the makeup of the team to have people from traditional BC, DR, risk, and third-party backgrounds. Many firms have established firmwide operational resilience teams to lead and drive regulatory requirements across the organization; this same structure has begun to occur across non-financial industry sectors as well.
The operational resilience team is an integral part of the firm, and some organizations typically do not have the scope or mandate to connect the domains which support the organization’s resilience posture. In other organizations, there is a model where the operational resilience team is an umbrella and does connect the outcomes for separate domains to identify key risks and disruptions.
The approaches are developing as the focus by boards, management, regulators, and industry governing bodies – on the heels of the experiences of the past few years – are are pushing organizations to have strong resiliency capabilities which will sustain disruptions and/or crisis events.
Evolving World of Operational Resilience
As the operational resilience discipline matures across industries, more firms are looking at operational resilience more holistically and are working to integrate the function into the foundations within the organization. An integration between not only business continuity teams, but also with the technology, cyber and more importantly, third-party/supply chain management functions, has begun to emerge in business divisions, creating valuable insights and not defining operational resilience as just a “corporate” effort at the top of the organization.
Operational resilience requires continuous monitoring and oversight. It is crucial to establish the governance structure to support the operational resilience function, in order to define escalation paths, communication mediums, and outline clear roles and responsibilities. Ensuring who/what bodies are empowered to make what decisions is clear and communicated is critical.
Once critical services are defined for the operational resilience mandate, the next step is to identify the areas to be involved and how best to organize.
First or Second Line Function?
Operational resilience is best suited within the first line of an organization’s overall control framework. The first line typically constitutes the business-related activity and functions, second line includes risk and compliance functions, while the third line is primarily the internal audit function. Collectively they make up an organization’s control framework with there being more independent oversight and governance across the framework.
As companies mature their risk and control framework, more companies are moving accountability of operational resilience to the first line (i.e., out of risk to operations, administrative office, or technology). The role of the first line is to manage the business and the risk it creates. The role of the second line (i.e., the risk function) is to exercise independent oversight and issue policies/standards in support of the organization’s risk standards (and appetite).
Where Should Operation Resilience Report?
There is no correct answer to this question.
There are many examples of CTOs, CAOs, COO or CROs, and different organizations have had success with different models. The most appropriate structure is defined by two key aspects: 1) the leadership, their individual experience and the mandate of the function, and 2) the level of maturity of operational resilience across the organization.
That said, there are several pitfalls to be aware of: business continuity under COO, disaster recovery under CTO, operational risk under CAO and operational resilience under CRO won’t likely lead to success as the functions are siloed and may result in duplication or even worse, a misrepresentation of risk at the organizational level. (See illustrative examples below.)
Basic Principles for Organizing the Disciplines
Operational resilience is a multi-player game requiring collaboration across an organization. The program should be driven top-down within an organization with the operational resilience function establishing the strategy and the roadmap. This is typically supported by governance committees and/or forums which includes representation by key stakeholders with objective for overseeing progress, course correction, and decision-making.
Key stakeholders include head of technology, COO, CISO, third-party/procurement, crisis management, and operational risk in addition to the divisional heads of business areas.
The question is not just one of reporting lines but more so, of governance.
In order to understand an organization’s resiliency posture, management will require updates and info from each functions, and preferably using a consistent lens (i.e., service, process etc.). The financial services industry is currently defining and managing to critical business services as a result of regulation. As a result, information is assessed from a horizontal perspective that will provide a more comprehensive view of the organization’s posture and its vulnerabilities. Additionally, a common data structure across an organization is required in order to manage the information needed. Have a common tools set to manage operational resilience can drive more efficiency across the organization.
As a result, matrix reporting is best suited to support these efforts in concert with a forum/governance committee responsible for reviewing the information, making decisions, and driving the strategic agenda.
Siloed Reporting Creates Potential Pitfalls
A More Integrated Structure Creates Aligned Insights
Role of Second & Third Line
The role of the second (i.e., risk, compliance) and third (i.e., internal audit) lines has changed significantly over the last few years. Each are expected to be engaged with the first line (i.e., front office, customer facing) while maintaining their independence and exercising oversight. Internal Audit serves a critical role and should have a seat at the table in key governance forums and committees in order to …
C-Suite and Boards
Corporate boards are now more engaged than ever before. Such is the importance of understanding the resilience posture, some organizations have now created a role at the C-suite for a chief resiliency officer in recognition of the regulatory requirements and senior executives’ responsibility. (Forbes: “Rise of the Chief Resilience Officer,” Sept. 2021)
Measurements, Metrics & Ongoing Monitoring
The effectiveness of an organization’s operational resilience work and insights can only be managed if there is robust reporting with metrics and ongoing monitoring, ideally across each identified critical service.
While there are no defined regulatory standards, there are best practice sample dashboards which can be used to monitor the resilience health across an organization. There is a multi-player effort across multiple domains using common data structure and near to “real time” feeds to bring information together so it can be easily monitored and used to drive strategic decisions to improve the resiliency posture.
Impact of Operational Resilience
Operational resilience cannot be addressed without noting it is changing the mission of separate functions and forcing a greater level of collaboration across these domains than previously actioned. While this article focuses on how the groups need to come together and matrix into operational resilience, there also needs to focus on the underlying data structures within an organization which can enable a common and consistent interpretation of data to drive strategic decisions and manage risk in order to manage this effectively.
Final Word
- There is no one organizational structure that is correct, but more important how functions collaborate and are governed.
- Organizations are reorganizing to manage their operational resilience programs and insights efficiently and effectively – recognizing it is improving how they manage their businesses and critical business functions as a priority.