Operational Resilience Framework | Skillcast

Written by Emmeline de Chazal | 09 May 2024

Operational resilience has become paramount for firms to navigate uncertainties and disruptions effectively. We examine the cornerstones to consider.

Key takeaways

  • Operational resilience depends on four core pillars: risk management, business continuity planning (BCP), incident response and crisis management, and adaptability. Together, these enable organisations to anticipate, withstand, and recover from disruptions.
  • It has evolved from growing concerns around cyber threats, third-party risks, and regulatory expectations, particularly in financial services. The approach moves beyond managing risks to ensuring the delivery of critical services during adverse events.
  • Building operational resilience requires a continuous, integrated effort, not a one-off exercise. Embedding resilience into organisational strategy and culture is essential for long-term stability, compliance, and sustained performance.

As regulatory requirements tighten, ensuring compliance with operational resilience frameworks is essential. To achieve this, companies must understand operational resilience, its importance and how to implement its cornerstones.

What is operational resilience?

Operational resilience as a regulatory topic evolved out of several strands of thought that have developed over the past decade. In 2012, Nassim Nicholas Taleb – the author of "The Black Swan" – published a book called "Antifragile", which explored the concept of resilience and its relationship with risk management.

He argued that organisations should aim not merely to withstand shocks but to benefit from them; in practice, this meant putting far more effort into the ability to recover from risks that actually materialise. At the same time, both financial firms and regulators began discussing two topics – cyber risk and third-party risk.

Information security evolved into cyber risk management as the number of cyberattacks on financial services firms accelerated, driven by a rise in criminal activity as well as state-sponsored cyber warfare. As firms were attacked, both the industry and regulators grew concerned about how individual firms, and the financial system as a whole, would respond to these attacks.

Meanwhile, the US Office of the Comptroller of the Currency published updated guidance on managing third-party relationships in October 2013. This discipline involves managing the risks in an organisation's relationships with other entities, such as suppliers and outsourcing providers. The topic has grown significantly over the past decade, and many regulators now have rules and guidance covering third-party risk management.

What are the pillars of operational resilience?

1. Risk management

At the heart of operational resilience lies robust risk management. Identifying, assessing, and mitigating risks across all operational facets is crucial. This involves not only recognising potential risks but also understanding their potential impact on business operations. Implementing risk management frameworks enables organisations to proactively address risks and develop resilience strategies.

2. Business Continuity Planning (BCP)

Business continuity planning is about preparing for the unexpected. It involves developing strategies and procedures to ensure critical business functions can continue during and after a disruption. Compliance with operational resilience standards requires comprehensive BCP that addresses various scenarios, including natural disasters, cyber-attacks, and supply chain disruptions. Regular testing and updating of BCPs are essential to ensure effectiveness.

3. Incident response and crisis management

Despite proactive measures, incidents and crises may still occur. Effective incident response and crisis management are vital components of operational resilience. Establishing clear protocols for detecting, reporting, and responding to incidents minimises their impact and facilitates swift recovery. Compliance entails having well-defined incident response plans, trained response teams, and communication strategies to manage crises effectively.

4. Adaptability and flexibility

In today's dynamic environment, adaptability is key to resilience. Organisations must remain agile and flexible to swiftly adapt to changing circumstances. This involves continuously monitoring internal and external factors, evaluating risks, and adjusting strategies accordingly. Compliance with operational resilience mandates necessitates a culture of adaptability where innovation and learning thrive, enabling organisations to anticipate and respond to emerging challenges proactively.

Why is an operational resilience framework important?

An operational resilience framework brings all of this together. As a discipline, it requires firms to think beyond managing risks and consider how to ensure they can continue delivering important business services if a risk materialises.

Significant risks that would need an operational resilience response include cyberattacks and the failure of a third-party relationship, such as a key outsourcing arrangement like cloud data storage.

Other kinds of risk events could require an operational resilience response too, such as fires and floods, a crash in the financial markets, or a terrorist attack such as 9/11. Overall, operational resilience represents a significant evolutionary step in firms' preparedness and response to substantial challenges to their ability to conduct business.

Achieving compliance with operational resilience frameworks is not a one-time effort but an ongoing commitment. It requires a holistic approach that integrates risk management, business continuity planning, incident response, and adaptability into the organisation's DNA.

Want to learn more about operational resilience and risk management?

Our comprehensive Risk Management library features a range of IIRSM-approved e-learning courses designed to support your operational resilience framework. The IIRSM approves quality content and integrates risk decision-making to help keep people and organisations safe, healthy and resilient. Recognising the critical need for resilience in times of disruption or change, our courses focus on key aspects of risk management. These include:

We’ve also created an Enterprise Risk Management roadmap to help you navigate the compliance landscape, supported by our Risk Management and DORA Training Packages, which offer a complete solution for your compliance programme.

If you would like to access leading insights and compliance tips, you can browse our free resources by topic to find guides, modules, compliance bites and more.