Getting started with operational resilience
Published: Thursday, 29 October 2020 11:20
Many organizations are currently starting to move towards operational resilience. In this article Patrick Potter looks at what operational resilience is, how it differs from business continuity, and the initial steps that organizations should take to implement it.
How effectively can your organization recover from a serious disruption? This is the stuff of operational resilience — the ability to bend, but not break, in response to anything from a natural disaster to a supply chain interruption, serious cyber attack or economic downturn. Today, several of these events are striking organizations simultaneously, with potentially serious repercussions.
The truth is that, when it comes to operational resilience, the best form of defence is a good offence. That means getting proactive about understanding what’s most important to your business, planning for impactful scenarios, testing, and making adjustments. With the right strategy in place, your organization could actually emerge from crises in an even stronger position than before.
Resilients and non-resilients
Operational resilience addresses the things organizations can do to build resilient practices, people, processes, systems, and third parties. It can be seen as a critical foundation of organizational resilience: defined in international standard ISO 22316 as the ability of organizations to absorb and adapt in a changing environment, in order to survive and prosper.
To illustrate what sets the leaders apart from the chasing pack, McKinsey studied a group of publicly traded companies through economic downturns between 2007 and 2011. The report evaluates their financial performance, breaking down the companies into two groups: ‘resilients’ and ‘non-resilients’. The resilients not only outpaced the non-resilients, but also the entire S&P 500 well after the financial crisis was over. The reason? These companies planned ahead, enabling them to move further and faster before, during and after the crisis, according to McKinsey.
Today, a shift is occurring: organizations, regulators and the business continuity industry are transitioning from business continuity, which focuses on recovery efforts to return operations to ‘normal’, to more holistic operational resilience.
Not ‘if’ but ‘when’
So, what does best practice in this space look like? First of all, mindset is important: disruption will inevitably come at some point, so you need to be ready. To achieve this, it is vital that you understand the organization’s most important external products and services as well as the people, systems, and third parties that support them. Perhaps more importantly though, you must understand which scenarios could impact all these factors.
As we now know from the past few months, anything can happen at any moment, and the impact could be felt for a long time to come. More disruption will certainly come in the future, so your business needs to identify what form that disruption could take and think through scenarios, risks, impacts, and probabilities: now.
One useful strategy is looking at the past to try to predict the future. Identify previous disruptions to your organization and potentially other similar organizations too. Consider any losses incurred, risks your company has listed in financial statements, regulator opinions, and other relevant information. Although this can help with planning, be aware that it won’t provide an exact blueprint for the future.
Create a playbook now
Planning for everything that could go wrong can get very expensive, especially if you have many scenarios that could significantly impact your organization. The process must therefore focus on reducing the business impacts from key risks and include cost/benefit analysis as well as measures and metrics to ensure your actions are effective.
Top-of-mind for executives and risk and resiliency teams must also be building resilience into the fabric of the company, managing ongoing risks, and not exceeding impact tolerances. One way to do this is by maintaining visibility through self-assessment and continuous monitoring, which will also help to guard against ‘scope creep’ or lack of focus. Develop balanced scorecards that include elements such as organizational objectives and strategies, resilience objectives, risk management, and communication and co-ordination across key stakeholders.
Attitude is also vital. During a major disruption, organizations often pull back, become defensive and try to protect. However, McKinsey’s report argues that one of the reasons the resilients thrive is because they continue to focus on growth, even in times of uncertainty. Before the recession, these organizations were a nose ahead of the competition because they were already planning ahead. Later in the recovery, this slight differentiation created a significant gap and fuelled growth. It’s all because they kept an eye on their goals, with resiliency playing a key part. In fact, your resilience strategies should be informed by and tied closely to your business objectives, so they support rather than distract from them.
Practice and plan
Now that you have resiliency priorities and objectives, understand risks and know your impact tolerances, it’s time to put your plan to the test. Tabletop exercises are a common, and important, way to test business recovery plans, but don’t provide deep levels of assurance that the organization will be resilient in that or other scenarios.
Instead, your goal should be to simulate each of your most critical scenarios as realistically as possible. Break down each scenario into component parts so that it’s more manageable. This will show you as accurately as possible how effective the resilience measures put in place actually are. Periodic tests and reviews should be performed to ensure the organization’s resilience continues to improve and meet expectations. In addition to any changes in strategy or objectives, reviews should consider business models, new products and services, staff changes, third parties, and any new markets entered – as well as improvements made since the previous review.
The good news is that all crises come to an end, disruptions stop, and organizations get back to normal, or whatever the ‘next normal’ is. This means you must also think about how the business will emerge from the scenarios you’re planning for, what challenges may exist, and how to move forward.
This brings us back to the beginning: the best form of defence is a good offence. The resilience you proactively develop today will enable your organization to manage disruptions more effectively, exit periods of disruption more quickly, emerge in healthier financial shape, and maintain the agility to capitalise on new business opportunities.
Patrick Potter is a Digital Risk Strategist at Archer, an RSA company.