Introduction
In today’s rapidly shifting risk landscape, resilience has become a critical priority for organisations worldwide. The interconnected nature of modern risks—ranging from cyber threats to global pandemics like Covid-19—has underscored the necessity for robust resilience and business continuity programs. These programs are essential not only for managing and mitigating disruptions but also, and perhaps even more importantly, for ensuring swift recovery. As organisations navigate this complex terrain, regulatory frameworks, particularly in the EU and UK, play a pivotal role in guiding and shaping resilience strategies. Strengthening resilience capabilities is not just about surviving the next crisis but about building a foundation for sustained stability and growth in an unpredictable world.
Operational Resilience
Operational resilience encompasses initiatives that go beyond traditional business continuity management. Unlike conventional approaches, operational resilience considers an organisation’s risk appetite and tolerance levels, ensuring that disruptions—whether minor or catastrophic—are managed in a way that minimises harm to internal and external stakeholders.
The scope of operational resilience spans multiple domains critical to business operations. Security, both cyber and physical, ensures that systems and facilities are safeguarded against breaches or attacks. Safety measures protect the well-being of employees and customers. Privacy safeguards sensitive data from unauthorised access. Continuity of operations ensures that essential services remain available during disruptions, while reliability guarantees consistent service delivery. For example, during a cyberattack, operational resilience would enable a company to maintain customer services while containing and resolving the threat.
Why is it Important to Strengthen Operational Resilience?
Strengthening operational resilience is crucial for safeguarding the stability of organisations, particularly within the financial sector. In the UK and the EU, the ability to absorb shocks and maintain critical operations during disruptions is not just a regulatory requirement but a necessity in protecting consumers, firms and financial markets. Without robust operational resilience, disruptions can escalate, leading to significant financial losses, damage to reputation, and erosion of consumer trust.
The Covid-19 pandemic highlighted the vulnerabilities of organisations unprepared for large-scale disruptions. Firms that lacked strong operational resilience faced severe challenges, such as halted operations, compromised data security, and the inability to deliver essential services. Conversely, those that had invested in operational resilience were able to quickly adapt, maintaining continuity in their services despite the unprecedented global upheaval. For example, banks with resilient IT systems managed to continue offering digital services even when physical branches were closed, ensuring customers could access their funds and financial products without interruption. This experience underscores the necessity for ongoing investment in operational resilience, as it enables organisations to navigate crises effectively, protecting both their operations and the broader economy.
Regulation and Harmonisation
Regulatory frameworks in both the UK and EU play a pivotal role in shaping operational resilience strategies for financial institutions. In the UK, regulations such as those set by the Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA) mandate that firms must maintain robust operational resilience. These guidelines require institutions to identify critical business services, set impact tolerances, and ensure they can continue to deliver essential services during disruptions.
In the EU, the Digital Operational Resilience Act (DORA) provides a comprehensive framework specifically for financial institutions. DORA sets out stringent requirements for ICT risk management, incident reporting, digital operational resilience testing and the monitoring of ICT third-party risks. It aims to ensure that financial entities can withstand, respond to and recover from operational disruptions, particularly in the digital domain.
Harmonisation of these standards is crucial, as the European Supervisory Authorities (ESAs) work to ensure that DORA is implemented consistently across the EU, reducing fragmentation and ensuring a unified approach to operational resilience. However, whilst both the regulations and a process of harmonisation are critical, they are not sufficient on their own. True operational resilience requires ongoing investment, proactive risk management, and a culture of continuous improvement within organisations, beyond mere regulatory compliance.
Strengthening Resilience Capabilities within GRC Frameworks
Integrating resilience capabilities within Governance, Risk and Compliance (GRC) frameworks is essential for organisations aiming to navigate the complexities of today’s risk landscape. GRC frameworks provide a structured approach to aligning governance, risk management, and compliance efforts with an organisation’s overall resilience strategy. By embedding resilience into GRC, organisations can ensure a more cohesive and proactive approach to risk management.
Scenario Planning and Stress Testing
One of the critical tools within GRC frameworks is scenario planning. This process allows organisations to anticipate and prepare for potential disruptive events. For instance, a major UK bank regularly conducts stress tests that simulate various financial crises, such as market crashes or cyber-attacks. These tests are integrated into their GRC framework, enabling the bank to evaluate its risk appetite and identify weaknesses in its operational resilience. The outcomes of these tests inform the bank’s crisis response strategies, ensuring that they are not just reactive but pre-emptive in mitigating potential impacts.
Crisis Response Exercises
Crisis response exercises are another vital component of strengthening resilience within GRC frameworks. In the EU, a large financial institution implemented a comprehensive crisis management exercise as part of its compliance with DORA. This exercise involved simulating a significant cyber incident that affected multiple systems across the organisation. By embedding this exercise into their GRC processes, the institution was able to refine its incident response plans, enhance coordination across departments, and ensure compliance with EU regulations. The exercise also provided valuable insights into the organisation’s communication strategies, ensuring that all stakeholders, including regulators and customers, would be informed promptly and effectively during a crisis.
Proactive Risk Management
Strengthening resilience within GRC frameworks also involves forecasting and pre-emptively addressing potential risks. Organisations must actively manage these risks, not just during a disruption but as part of their ongoing operations. This proactive approach ensures that when disruptions occur, recovery is swift, minimising impact and protecting both the organisation’s interests and those of its stakeholders. In both the UK and EU, these integrated approaches within GRC frameworks are crucial for building a resilient and adaptable operational environment.
The Future of Operational Resilience
As organisations look to the future, the role of cyber resilience within the broader operational resilience strategy is becoming increasingly critical. With cyber threats growing in both frequency and sophistication, firms must bolster their defences to protect against potential breaches that could disrupt operations. This requires a multi-layered approach, including advanced cybersecurity measures, regular vulnerability assessments, and incident response planning. Given the interconnected nature of today’s risk landscape, a cyber incident in one area can quickly cascade across the entire organisation, making robust cyber resilience indispensable.
But operational resilience is not a one-time effort. It demands continuous improvement, where organisations must regularly review, adapt and refine their resilience strategies to stay ahead of emerging risks. This proactive stance is crucial for navigating an unpredictable future, where new threats and challenges can arise without warning.
Be Proactive
To ensure long-term stability, organisations must take proactive steps in enhancing their operational resilience. This involves deeply integrating resilience within their GRC frameworks, staying compliant with evolving regulations, and prioritising continuous improvement. Investing in resilience is not merely about regulatory compliance; it is about safeguarding the future of the organisation in a world where unpredictability is the only constant.
And what about you…?
- Can you identify any recent disruptions your organisation faced, and how effectively did your resilience capabilities respond to these challenges?
- In what ways do you think your organisation could improve its scenario planning and stress testing practices to better prepare for future crises?