Operational resilience has become a cornerstone of sustainable success. Organizations are increasingly required to demonstrate not just their ability to respond to disruptions but also their compliance with rigorous international standards and regulations.

This blog article delves into the processes and tools that organizations can use to effectively track, manage, and demonstrate their resilience capabilities. By doing so, they can ensure they are prepared for, can respond to, and recover from disruptive events.

Please keep in mind that we will be using terminology that may differ from yours, so feel free to adapt the concepts to your context.

Keep reading to discover more about:

  • The definition, context and regulations of operational resilience
  • The key pillars and challenges of operational resilience
  • The strategies and actionable tips to increase resilience

Definition and Context of Operational Resilience

As defined by the Bank of England, operational resilience refers to a firm’s ability to absorb and adapt to shocks and disruptions. Beyond business continuity and disaster recovery, organizations must anticipate risks, develop strategies, and implement measures to strengthen their operations’ resilience in the face of unforeseen events.

Historically, the concept of operational resilience has gained momentum over the past 15 years, particularly in the aftermath of the 2008 stock market crash. Governments and other global institutions have sought to protect people and markets by making organizations more resilient, especially financial institutions and critical infrastructure sectors.

Developing and maintaining an operational resilience program is mandatory for some sectors, such as finance, insurance, and healthcare, while for others it is not. This situation may appear similar to business continuity, where some organizations need to comply with industry regulations while others are only looking to implement sound practices.

In any case, whether mandatory or not, operational resilience should be considered an opportunity to proactively develop resilience.

According to the Business Continuity Institute (BCI) Operational Resilience 2024 Report, 58.5% of organizations implemented operational resilience for good practice purposes in 2024.

What About Operational Resilience Regulations?

In short, there is no universal playbook for operational resilience. Although the financial market could be considered the pioneering industry, regulations vary and compound from country to country, region to region and industry to industry.

For example, financial sector regulators around the world have introduced guidelines and requirements to ensure that organizations identify their critical business services and implement measures to help them withstand disruptions while remaining operational.

In 2024, 66.2% of organizations reported that they must comply with up to five different regulations, and 18.4% with more than five (source: The BCI Operational Resilience Report 2024).

Important operational resilience regulations:

For more details, refer to the article: “What is Operational Resilience”  

Key Challenges in Building Operational Resilience

What can you anticipate while developing operational resilience? What are the primary obstacles and stepping stones in an operational resilience journey?

Let’s explore six key challenges:

6 Operational Resilience Key Challenges

1. Defining governance and coordinating resilience program and activities

Across all sectors, developing a robust governance structure to coordinate resilience activities presents one of the first challenges and stages. Embedding operational resilience into the core operations of an organization can be daunting.

Our Advice: Strategic Integration into Existing Structures

Although each organization is unique and operates within its specific context, standardizing the definition of roles and responsibilities according to the organization’s existing governance structure is useful in many cases.

Marie-Helene Primeau, Executive Vice President of Premier Continuum/ParaSolution, advises, “The key to successful operational resilience lies not in creating new frameworks from scratch but in effectively leveraging existing structures that are supported by organizational leadership.”

One practical approach is to incorporate operational resilience into existing governance structures such as a business continuity, operational risk or InfoSec steering committee. Often, these committees are only missing a few key roles. By sharing responsibility or bringing additional stakeholders to the table, organizations can enhance overall accountability. The reality is also that not every organization can afford to allocate dedicated teams exclusively for resilience due to budget constraints.

Governance isn’t just about who is involved; it also encompasses internal processes, coordinated activities, management reviews and documentation structures. Effective governance thus demands continuous evaluation and adaptation, ensuring that processes not only comply with current standards but also evolve in response to new challenges and opportunities. This adaptive approach requires collaboration and commitment across all levels of the organization, not just to develop but also to dynamically maintain and improve resilience.

Ultimately, leveraging sectorial collaborations through “benchmark meetings” could be valuable for enhancing organizational resilience. These meetings offer a platform to stay informed about common challenges and innovative solutions within the industry, exchange best practices, and discuss risk trends.

2. Identifying Important Business Services (IBS)

Unsurprisingly, organizations often have increasingly complex and interconnected operational structures. Identifying critical services can be challenging, as it requires a deep understanding of an organization’s core functions and their dependencies, both internally and throughout the supply chain. While all services may contribute to business continuity, not all are critical from a regulatory perspective.

Broadly, we consider that:

  • Prioritized activities are activities that, if interrupted, would have a high or very high impact on the organization and, therefore, an indirect impact on clients and interested parties.
  • Important Business Services (IBS) are services that, if interrupted, would impact the integrity of the market and directly affect clients.

For instance, we could consider payroll as a prioritized activity. It is essential for day-to-day operations but doesn’t qualify as an Important Business Service (IBS) because its disruption wouldn’t directly affect the market or the clients’ core services. In contrast, claim processing in an insurance company is critical to its function and directly impacts clients, making it a clear example of an IBS.

Diagram comparing a prioritized activity versus an Important Business Service

Our Advice: Use Practical Tools to Measure Impact Tolerances

Impact tolerances

To better define your impact tolerance in an operational resilience context, we usually advise starting with your organization’s impact matrix. In many organizations, the impact matrix is already approved and known. You can then add a category related to client-facing services. This approach enables you to directly eliminate services that are not client-oriented and align recovery strategies with organizational priorities and client expectations.

End-to-end mapping

End-to-end mapping is key to operational resilience. This approach involves starting with the defined Important Business Services (IBS) and then systematically mapping out all the activities and processes that contribute to these critical services. This comprehensive mapping helps in understanding the full scope of each service’s impact and dependencies.

For instance, let’s consider a high-level example of end-to-end mapping: Financial Transaction Processing.

Starting from the initial customer interaction to the final transaction posting, every step, including verification, processing, and reporting, is mapped to highlight dependencies on technology, personnel, equipment, and site.

By utilizing end-to-end mapping, organizations can pinpoint vulnerabilities, assess the impact of potential disruptions on service delivery, and enhance their overall strategic response to incidents.

Dependency mapping

Dependency mapping is a process that involves identifying and documenting the connections to various components of an organization’s operations: the stakeholders, the suppliers, the IT systems, equipment, etc.

This approach is about investigating, interviewing, and delving deep to capture the degree of reliance and strategies in place. In practice, this activity is no easy task. Depending on what’s more natural to your organization, dependency mapping could be part of a BIA or a separate Dependency Assessment document. Remember also that the identified alternate measures must be tested and practiced.

When we talk about external dependency, we refer to supply chain resilience, which goes beyond identifying our dependencies. It means going to our suppliers and asking relevant questions to attest to their resilience. This is why many organizations ask a series of questions at the very beginning of the relationship during the negotiation process. Still, a word of caution is needed, because it all hinges on good faith and on what the supplier is willing to accept in terms of fallout. If the supplier is comfortable with the idea of financial penalties, then strong interim procedures are more vital than ever.

Here are some examples of what to ask about when examining supply chain dependencies:

  • The services delivered
  • The Maximum Tolerable Period of Disruption (MTPD)
  • The measures according to identified incident scenarios, the resilience measures in place, the preparedness level, the time to activate
  • The name of the alternate qualified site or supplier that may be used (if applicable)
  • The level of impact on operations

Of course, evidence of this should be provided whenever possible.

Similar work will then be done for all important dependencies.

3. Performing Threat Assessment

Threat assessment may be well known to your integrated risk management team, but in our situation, consideration of market and customer impacts must be predominant, especially in terms of operational risk.

Reassessing our risk appetite for operational risks becomes essential. For example, while an organization might be willing to accept certain climate-related risks, the direct influence of market conditions and customer interactions on operational risks necessitates a much more conservative risk appetite.

Threat assessment must be addressed across different timelines, addressing both short-term and long-term inherent and residual risk levels, and across an organization’s various locations or sites. While the risk profile can be built by the risk management team, SMEs’ input from identified IBS should also be leveraged to better understand the “whys and wherefores.”

Our Advice: Visualizing Threat Assessments

Visualizing threat assessments can be particularly powerful, providing a clear and actionable overview for leadership and auditors, and demonstrating a thorough understanding of the organization’s current risk landscape.

Tools for visualizing threats: site risks summary and matrix

To effectively assess these risks, tools such as the likelihood and consequence matrix are essential, especially when operations span multiple locations. It is important to recognize that risk assessments may vary significantly between sites, necessitating a tailored approach to each location. This process helps in crafting a nuanced risk profile that integrates these findings with the organization’s strategic objectives.

4. Strategies and Response Planning

When discussing vulnerabilities and risk assessment, it is crucial that our approach is driven by specific incident scenarios.

Here are some examples of scenario modeling:

Examples of scenario modeling

Scenarios should be more precise and detailed depending on the specific sector and operating model.

One challenge in strategies and response planning for operational resilience lies in deciding whether to develop separate plans specifically tailored for operational resilience and determining the level of detail these strategies should encompass.

The strategies and solutions in our plans must be specifically tailored to these scenarios and must carefully consider the captured dependencies.

Our Advice

To make your actual plans more accurate and specific:

  • Start by evaluating the strategies and solutions already in place.
  • Ensure that your solution is not only implemented but also rigorously tested, validated, and documented. These three crucial elements are indispensable for accurately determining your level of preparedness.
  • Provide more detailed information outlining specific solutions for each stage of an event and for different timeframes. A high-level strategy identification often proves insufficient; therefore, it is vital to meticulously list the solutions to be undertaken for each phase to ensure effective and tailored management of situations.

5. Scenario testing

Scenario testing is another important pillar of an operational resilience program. We can identify three challenges related to this requirement:

  • Severe yet plausible scenarios
  • Cross-referencing data
  • Proof of testing

Our Advice

Scenario testing in an operational resilience context involves evaluating “severe yet plausible scenarios” that could potentially impact our organization.

To ensure that exercises are severe in their impact yet plausible in their realism, take into consideration:

  1. The impact tolerances set for IBS
  2. The incident scenario
  3. The solutions and dependencies mapped

Tests could involve reverting to manual paper-based processes within 12 hours with the aim to reintegrate data into the system once it is operational. This allows us not only to test the scenario but also to document the outcome and identify any gaps that require improvements. These findings should then be integrated into the review cycle.

On a more granular level, tests should ascertain whether specific actions can be executed as planned.

Cross-referencing data

Cross-referencing data involves validating consistency and completeness across multiple datasets, including past exercises and crises. This method is essential for crafting more realistic scenarios and optimizing resource allocation by comparing historical data with current operational capabilities. While handling large amounts of interconnected information, employing automation tools for data integration can significantly reduce time and improve precision.

Prioritize cross-referencing past exercises that were adequately documented or require repetition, or those that were the least successful, to ensure preparedness is elevated to an acceptable standard.

Proof of testing

Proof of testing refers to the comprehensive documentation and evidence demonstrating that testing activities have been conducted and evaluated, often for audit purposes or to meet specific regulatory requirements.

For example, this method may record corrective actions taken when failures are identified, ensuring all modifications are effective and verified, or formal approvals and signoffs from relevant stakeholders to validate that all required standards are met.

Proof of testing is a methodology where documentation is key. Be thorough and meticulous!

6. Compliance Tracking

In the context of operational resilience, compliance involves diligently adhering to relevant standards and regulations, such as ISO 22301, which are critical for establishing a robust framework within an organization.

To effectively demonstrate compliance, it is essential to maintain comprehensive documentation of adherence to these standards.

Our Advice

Establish and Track Key Indicators and Metrics

Tracking compliance entails using Key Risk Indicators (KRIs), Key Performance Indicators (KPIs), and other operational resilience-specific metrics to gauge the organization’s progress in embedding resilient practices. This not only helps in monitoring the effectiveness of the implemented strategies but also in adjusting them as needed.

Keep Audit Trails

Furthermore, maintaining a detailed and up-to-date audit trail that records all reviews, approvals, and updates is crucial for transparency and accountability in demonstrating compliance. Presenting this information graphically can significantly enhance clarity, providing stakeholders with an immediate understanding of the organization’s compliance status.

Flexible reporting tools that adapt to various compliance and conformity needs are also vital, as they allow for the efficient retrieval and presentation of relevant information, facilitating better management and oversight of compliance processes within the realm of operational resilience.

Ready to build operational resilience?

In conclusion, operational resilience has a broader scope but is more precise in its application than business continuity.

Managing operational resilience involves navigating familiar waters with improved tools and shared knowledge. It entails maximizing existing mechanisms and ensuring that every part of the organization moves in unison towards greater resilience.

By doing so, organizations can not only safeguard their operations but also turn potential disruptions into opportunities for growth and learning.

Interested in knowing more about Operational Resilience and its practical application? Feel free to contact us on the Premier Continuum website.

ABOUT THE AUTHOR

Marion Escriu

Marion Escriu is a Business Continuity and Organizational Resilience Consultant at Premier Continuum and graduated in Major Risk Management in Canada. Passionate about resilience, she advises dozens of major North American organizations on the management of their resilience programs. She also actively participates in the development of ParaSolution, Premier Continuum's award-winning continuity automation software, notably by leading presentations and representing the company at the industry's largest trade shows. A go-getter, Marion is known for her in-depth knowledge of ISO 22301, IT DR skills, professional rigor, and contagious enthusiasm.
