The COVID-19 pandemic in 2020 brought the term “resilience” to prominence. In its simplest form, resilience is the ability to recover from difficulties.
In an organizational context, “operational resilience” is a firm’s ability to prepare for disruptive events, recover from them quickly and continue to function while they unfold.
In a post-pandemic environment, organizations worldwide are implementing strategies to make future operations more resilient. Unlike risk, which is probabilistic and carries significant uncertainty, operational resilience treats disruption as an inevitability and plans for it accordingly.
A recent thought paper by Protiviti titled Operational Resilience: Considerations for Boards, the C-Suite and Enterprisewide Implementation presents its top considerations for business leaders as they build resilience in today’s unpredictable environment, specifically including:
- Key concepts and practices for C-suite leaders
- Role of the board in overseeing operational resilience
- Checklist of practical steps for implementing a resilience plan
This summary highlights key elements in Protiviti’s thought paper.
C-Suite Expectations for Operational Resilience
C-suite leaders play a critical role in making decisions and creating strategies to support growth and success for their organizations, usually on the underlying assumption that operations will remain resilient under stress. However, the COVID-19 pandemic demonstrated that stress conditions can easily extend beyond the firm’s assumed expectations. C-suite leaders need to build operational resilience that lets the organization withstand disruptions to its ability to deliver goods and services, regardless of the severity of the event.
Key concepts for the C-suite
- Operational resilience includes, but is not limited to, business continuity management and/or disaster recovery.
- Operational resilience elevates existing business continuity and disaster recovery plans through more informed consideration of the impacts of events.
- Dedicating resources to understanding operational resilience is as significant as finding the “right answer.”
- Information about how to build resilient organizations will continue to evolve and increasingly impact an organization’s key stakeholders.
Practical steps and considerations for the C-suite
Establish a leader of operational resilience or a resilience office.
- While the C-suite sets the directive, a second-line function should be designated to design, execute and report resilience efforts.
Assess and communicate the state of operational resilience.
- Pose and answer the key questions around operational resilience for your organization. For instance, “Do you know how long it will take to recover from a cyber event?” Provide the board with clear, consistent and timely information to facilitate effective oversight and guidance.
Measure operational resilience.
- Identify the important business services of the firm and set the impact tolerances (maximum acceptable level of disruption) for each service. The full article outlines key considerations when contemplating impact tolerances.
Monitor operational resilience.
- Understand and use discrete numbers, rather than red, amber and green charts, to measure the firm’s position against its impact tolerances. Incorporate resilience into the organization’s audit plan and include a self-assessment. Monitoring should cover third-, fourth- and sometimes fifth-party and beyond risks, as well as potential supply-chain disruptions. Finally, consider the restoration and redundancy of services needed to operate safely and effectively during a resilience event.
Fund your operational resilience program.
- Consider all costs ranging from cultural to technology changes required.
Fostering Cultural Change
Amid rising expectations from key stakeholders, the C-suite must take the lead on fostering an organizational culture of resilience to set appropriate expectations for key stakeholders including regulators, the board, customers and employees. To foster cultural change, the C-suite should:
- Accept the financial impact of improving operational resilience.
- Include the entire organization in the effort.
- Keep a keen eye on potential blind spots that may cause the most actual harm.
- Consider how key business decisions (e.g. project selection) will impact organizational resiliency.
Operational Resilience Considerations for Boards in the “New Normal”
Systems will fail, cyber-attacks will be successful, and—as 2020 has proven—pandemics will occur. In the case of COVID-19, many organizations were unprepared for an event that literally shut down major segments of the economy, supply chains and demand for entire industries.
What is the board’s role in overseeing operational resilience in our post-pandemic world? Protiviti offers several considerations for boards and directors:
Lessons from the COVID-19 experience.
- The board should encourage a review of lessons learned during the pandemic and request a summary of actions that management plans to take.
Consider concentrations of risks.
- Most typically used in a financial services context, “concentration risk” also applies to other industries and refers to any concentrated area of potential risk (e.g. geography, information assets, sole suppliers, customer dependence). Directors should be made aware of these risks and discuss them with management.
A dispersed and virtual environment may provide helpful diversity.
- During the pandemic, virtual operations were generally more successful. Going forward, firms have an opportunity to reimagine work processes to both maximize resilience amid events that restrict mobility and also to accommodate the “new normal” workplace.
Technology may offer resilience advantages.
- Reliance on “the cloud” can contribute to the efficient deployment of the technologies that enable a virtual environment and improved operational resilience.
Speed and impact of risks are priorities.
- Directors should ensure that management is determining which critical business functions are most affected by each extreme, but plausible, scenario. In particular, what is the 1) velocity of impact, 2) persistence of impact, 3) extent of the organization’s agility to respond and 4) magnitude of uncompensated risks the company faces due to the loss of a business component?
Build crisis management capabilities.
- Unanticipated crises will occur, and thus building a reliable crisis management capability is a management imperative for operational resilience.
Board engagement is critical.
- Disruption is the new normal. As such, the board should both understand and offer input on the operational resilience strategy. The board should also identify criteria to determine when management should notify directors of events that could adversely impact business operations. And, the board and management should agree on the organization’s targeted recovery time following such an event.
Operational resilience is a strategic imperative.
- “What would happen to the organization’s ability to execute its business model if any of the model’s underlying components are taken away through an unexpected catastrophic event or altered in such a significant way as to place the company at a strategic disadvantage?” According to Gartner, business continuity management and organizational resilience programs are not keeping pace with complex emerging threats. Boards, directors and management should take a comprehensive view of operational resilience efforts to ensure they encompass a full enterprise view of the value chain.
Essential Checklist: Implementing Operational Resilience Across the Organization
Creating and implementing an operational resilience program is hard work. To support your organizational success, the Protiviti article provides a full checklist that details the practices, processes, systems and potential challenges leaders should consider.
Critical considerations are highlighted here:
- Develop a formal resilience strategy.
- Create a resilience implementation team to champion the cause.
- Review business resilience practices, including a full assessment of current business continuity management (BCM) and disaster-recovery (DR) programs.
- Identify important business services and processes, or, in the terminology of a paper by the U.S. federal bank regulatory agencies, “critical operations” and “core business lines.”
- Measure impact tolerance/tolerance for disruption. Note: The Factor Analysis of Information Risk (FAIR) methodology can be used to quantify different forms of loss.
- Embed resilience into the culture.