In today’s high-risk environment, businesses must not only be able to respond effectively to disruptions, but also return to operations faster and more confidently than before.
Over the past decade, as natural disasters, geopolitical tensions, and cyber threats have increased, so too have expectations among shareholders, boards, customers, and regulators that companies will withstand disruptions, meet their obligations to stakeholders, and demonstrate resilience.
Various definitions of resilience have also evolved, some defined by government entities and others that emerged from industry. But confusion still exists regarding what this term refers to and which interpretation is appropriate for a given organization.
With this in mind, my colleague Bryce Mattson and I recently conducted a seminar, “Beyond BC: Achieving Operational and Enterprise Resilience,” that discussed the resilience continuum and a roadmap for achieving the highest level: enterprise resilience. Here are the key takeaways:
The tiers of resilience
Starting out
The most basic level of planning is risk management, which refers to activities that organizations undertake to prevent, anticipate, and avoid a disruption. Businesses have been conducting risk management, at various levels of sophistication, for decades.
Business continuity planning focuses on activities after a disruption begins and includes procedures to restore normal operations. Although companies in some sectors have created these plans for some time, the practice became considerably more widespread after 9/11. Today, most mid- and large-sized businesses have at least a business continuity plan in place.
Operational resilience
Regulations issued by the UK Financial Conduct Authority and the Prudential Regulation Authority, effective March 31, 2022, set requirements for financial and investment firms to maintain a level of service to clients in the event of an incident.
Although these requirements apply to these specific industries in the UK, the underlying principles could apply to any business in any country. They include three key processes necessary for organizations to achieve operational resilience:
Service mapping. Identifying how something that happens in one aspect of an organization can affect another. By mapping these dependencies, an organization can identify those risks that could escalate into larger problems, set thresholds, and spot gaps.
Impact tolerances. UK regulations require organizations to set impact tolerances, or thresholds for the level of disruption that an organization is willing to accept before taking action. Unlike traditional recovery time objectives, an impact tolerance can be based on a variety of metrics, such as a number of transactions, staff absences, customer wait times, a level of reputational damage, and/or financial loss.
Scenario exercises. Organizations are required to conduct scenario tests to determine if and how they can continue to operate within their impact tolerances. The scenarios should be severe but plausible. Typically, the events that do the most damage to a business consist of a combination of smaller events happening concurrently, so the tests should contemplate these types of scenarios as well.
Enterprise resilience
Today, a small but growing number of organizations are striving to achieve enterprise resilience, the highest level of preparedness. Although the term has not been defined in regulation, it is commonly used to refer to an organization’s ability to:
- Plan, prepare, and understand risks and critical functions
- Anticipate disruptions and potential downstream impacts
- Respond in a coordinated, organized, and controlled manner
- Recover, adapt, and evolve to be able to manage challenges even more effectively in the future
Enterprise resilience encompasses all domains, including cyber and physical, across all geographies that support the operation of the organization. It also includes all of the following disciplines:
- Governance
- Business continuity
- Operational resilience
- Risk management
- Supply chain resilience
- Infrastructure resilience
- Training and awareness
The resilience hierarchy
The future of enterprise resilience
Recently enacted regulations in the UK define a clear, multistep process for organizations to plan, prepare, and test their resilience programs. This is a higher standard than many businesses have previously followed and, while it applies only to financial, investment, and insurance companies in Britain, it provides a roadmap for organizations everywhere.
But is it enough? Operational resilience is only one component within enterprise resilience, the most comprehensive approach to date for planning for, responding to, and recovering from incidents. As virtual and physical threats continue to increase, boards of directors, investors, employees, and customers will likely demand the highest level of preparedness available.
To learn more, watch the webinar replay, “Beyond BC: Achieving Operational and Enterprise Resilience.”