By Richard Cooper
When it comes to business continuity management, the bellwether for many industries and businesses is often the financial sector – specifically banking regulators – and a recent discussion paper issued jointly from the Bank of England (BOE) and the U.K.’s Financial Conduct Authority has sounded the call: build operational resilience, or risk failure.Operational resilience refers to a business’s ability to prevent, respond to, recover and learn from operational disruptions; in other words, being able to absorb shocks rather than snap under them.
This requires a foundation of operational risk management that, according to the paper, “includes preventative measures and the capabilities – in terms of people, processes, and organizational culture – to adapt and recover when things go wrong.” Without operational risk management, operational disruption to a business can impact financial stability, threaten the business’s overall viability, and/or harm consumers and other businesses.
Yet challenges to ensuring resilience and continuity abound, and they grow more complex each year. These include ever-evolving technologies; changing consumer behaviors; challenging business environments; outsourcing services; IT system complexities; cyber threats; cost pressures; international expansions; location-based regulations, and more.
But here is the good news: Solutions exist, and they’re less onerous than one might assume.
This article will explore the takeaway concepts from the BOE/FCA paper that are relevant to all businesses; the regulators’ recommendations for what an operationally resilient business should have in place; and a way to solve an organization’s operational resilience problems.
Important Takeaways from the BOE/FCA Paper
While the paper specifically addresses the financial sector, it offers lessons that businesses in every industry should take to heart, from pharmaceuticals to manufacturing to business services, and beyond.
Some of these include:
- The continuity of business services is an essential component of operational resilience, and thus, organizations must focus on this outcome when designing for operational resilience. While avoiding disruption to a particular system or department supporting a business service is important, ultimately, it is the business service itself that needs to be resilient and continuous. Leadership should assume that, despite best efforts, the individual systems, departments, people, and processes that support a business service will be disrupted at one time or another, and focus heavily on backup plans, responses and recovery options.
- An organization’s leadership must define their own tolerances for operational disruption in the event of an incident, as this will help to set operational resilience standards and priorities. Prioritize those business services that, if disrupted, most affect a business’s viability, customers or financial stability. One example of a tolerance that should be set is the maximum acceptable outage time for a specific business service. An organization then could test its ability to stay within its impact tolerances in “severe but plausible scenarios in order to identify vulnerabilities and take mitigating action,” according to the paper.
- How an organization manages its response to operational disruptions is critical to maintaining confidence in the business services it provides. An important part of this is the speed and effectiveness of communications with affected customers. While it is obviously better to avoid an issue (e.g., a data breach) in the first place, the way an issue is communicated can help maintain and/or restore customer confidence in the business.
An operationally resilient firm should have the following seven pieces in place:
- A clear understanding of their most important business service(s).
- A comprehensive mapping of the systems and processes that support these business services, including those over which the organization may not have direct control. This would include an understanding of the resilience of outsourced providers or entities (e.g., third-party vendors that provide an essential service or product).
- In-depth knowledge of how the failure of an individual system or process could impact the organization’s ability to provide the business service.
- Understanding of which systems and processes can be replaced during disruption, as well as how, so that business services can continue to be delivered.
- Tried-and-tested plans that would enable an organization to continue or resume business services when disruptions occur.
- Effective internal communication plans, escalation paths and identified decision makers.
- Specific external communication plans for the most important business services, which provide timely information for customers, other market participants and regulatory bodies.
So what kind of approach will help steer an organization toward becoming operationally resilient? By prioritizing data over documents and pairing consultative services with technology.
A Better Approach
Knowledge is power, as the old adage goes, and in the digital age, knowledge takes the form of data and metrics.
Businesses can choose to prepare for a potential recovery using either data or documents – and anyone trying to contain a disaster is not going to waste time frantically leafing through page after page of potentially outdated information, or searching folders of files on a network drive, to try to figure out the next step. It is inefficient, ineffective, expensive, and risky to rely on documents when the fate of the company can lie in the balance.
Instead, organizations need a store of recent data housed in an accessible technology solution, with everything that leadership needs to know contained in a virtual one-stop shop where data is constantly updated, redundancies are eliminated, and roles are clearly defined.
Newer, more agile solutions allow operational risks to be assessed both quantitatively and qualitatively, using visualizations like heat maps, dashboarding, and reporting customized to different internal audiences. A technology solution can digest risks and update data in real time, so processes are always current. The ability to use that information to provide visual insights and deep analysis can materially change not only the effectiveness and efficiency of an organization’s response, but also the outcomes it can achieve.
In the face of a threat, an enterprise needs to be able to immediately contact key decision-makers, review all assets, and determine which locations have been affected, and leaning on documents is neither fast nor effective, and a nimble technology solution can do much of the heavy lifting here. Pairing technology solution with the human element – experienced business continuity consultants who have worked with other businesses on their operational resiliency – is an ideal way for a modern organization to ensure disruptions don’t cripple the company.
Organizations should not rely on either technology or consulting alone – the combined approach is key to ensuring operational resiliency and business continuity.
An Ounce of Prevention
Banking regulators have long acted as the proverbial canary in a coal mine by sounding the alarm regarding the myriad risks businesses face these days. This is particularly true in the United Kingdom, where issues arising from the Troubles in the late 20th century often targeted the banking industry; attacks in the London “square mile” forced the regulators to look at business continuity before many other regions and industries.The banking regulators in the United Kingdom and United States continue to provide regulatory leadership that is often followed by other industries, which means organizations should pay close attention to the stringent recommendations of the banking regulators, as laid out in the recent U.K. paper. In other words, if the bankers care about operational resilience, you should, too.
And it cannot be emphasized enough: Incidents and disruptionswill
occur. The challenges are too expansive and the threats are too numerous; it is unrealistic to pin a business’s future on the hope that everything will always be just fine. It’s not possible to prevent every risk from materializing; instead, assume operational disruptions will arise, and turn fears into strategies and resources.With an approach that combines consulting experts and technology, and puts data ahead of documents, organizations across all industries will be ready when an issue impacts their services. No one is immune to the risks, but the prepared will survive even the worst.
Richard Cooper is Director of Global Accounts for
Fusion Risk Management. Cooper can be reached at
[email protected].