What is operational resilience?

Operational resilience is a company’s ability to serve its customers, provide products and services, and protect its workforce despite adverse events.

Demo GRC

An organization can be operationally resilient when they anticipate, prevent, recover from, and adapt to adverse operational events. Such events may include hacks, fires, pandemics, weather, and network outages.

We live in an unpredictable world. In today’s challenging business landscape, operational risks abound, and may come at completely unanticipated times. The COVID-19 crisis is a clear example—the emergence of a world-wide pandemic during the early months of 2020 threw worldwide business into complete disarray, and many once-growing businesses stalled; others failed completely.

But amid these cautionary tales, there are those businesses that have been able to effectively batten down the hatches and weather the storm. What set these companies apart for success when so many other saw devastating loss? In many cases, the answer is operational resilience.

Business setbacks are inevitable. Systems will fail, cyberattacks will occur, local disasters will arise. And while worldwide pandemics may not be everyday (or every-generation) occurrences, other kinds of disruptions can and will arise. By identifying where your organization’s vulnerabilities lie and taking the time to develop your foundational elements, you can help your organization prepare for and recover from disruptions quickly, and with minimal impact on your customers.

Every function of business plays an important role in maintaining and promoting operational resilience. However, executive-level managers within a company face unique pressures and perspectives. Consider the following:

Risk

It’s important to have the right governance in place to quickly identify and respond to operational risks.

IT

The IT team needs to identify and address existing and unknown threats, especially as companies move to the cloud and digitize DevOps.

Finance

Operational resilience is strongly dependent on revenue and cash flow. Keep a constant eye on issues and problematic contracts to ensure that the business can access funding when new projects are arising.

Security

There needs to be visibility and reporting from multiple places to help security teams respond to emerging threats proactively.

Facilities

Getting the right data together and navigating through geopolitical nuances is challenging, especially when facilities teams need instant view into the strengths and weaknesses of any global sites.

HR

The human resources team needs to collect, request, and collate data as employees and contractors join or switch teams to make sure that people have the proper access and rights.

When working to counter a disruption, the same caution applies as with any emergency: Follow a plan and don’t panic. To counter emergent events and come through in a position of strength, successful businesses follow a four-stage resilience lifecycle.

Anticipate

In the wake of disastrous events, it can be difficult to identify which services, people, and processes are critical for ongoing operations—anything from organizational silos, to poor data, and different tools. Perform what-if scenario analysis, and create plans for best outcomes, worst outcomes, and the most likely outcomes.

Four-stage resilience lifecycle

Prevent

Operational procedures tend to be designed for efficiency rather than risk and compliance—they also tend to rely on corrective tools rather than more automated preventative measures. Unfortunately, this can leave gaps in a business’ defenses and make response much more difficult. Instead, incorporating risk and compliance activities into everyday processes, automating where possible, using a common data source across your organization, and continuously monitoring for incidents, you can optimize incident response to the point where many emergent events can be countered before they make any negative impact.

Respond and recover

Perhaps the worst approach to operational continuity is waiting for disaster to strike before deciding how to respond. Poor communication between vendors or suppliers, inaccurate or incomplete information, and insufficiently trained personnel may lead to businesses making uninformed, split-second decisions that may actually cause more harm than good. By creating a detailed continuity plan, you provide your organization with a blueprint for remaining calm, reducing risks, and recovering quickly. Make sure that your plan is reviewed and approved by key decision makers, and test it for effectiveness before implementation.

Adapt

Effective operational resilience allows an organization to bounce back from disasters. But with so much focus on survival, organizations can lose sight of the unique learning experiences disruptions provide. The ability to adapt and take away key insights means that you have the opportunity to improve your organization and response plan to better counter disruptions in the future. In the event of an emergency, have programs in place to collect relevant data, review and analyze results, and communicate vital conclusions to your teams.

Operational resilience is the ability to detect, prevent, respond to, learn, and/or recover from disruptions in operations that could possibly impact delivery of important business products or services. Business continuity management (BCM) designs, develops, maintains strategies, and implements plans of action that provide protection for or alternative methods of operation for a business when they are interrupted.

Form a holistic view

It’s important to account for internal and external factors that will influence your organization, such as systems, processes, business lines, assets, people, and third parties. A resilient operation sees the interconnection and interdependence of risk and how it impacts an organization. An effectively managed risk management portfolio looks across divisions and operations to assess, in a holistic manner, all potential threats.

Design an approach to risk assessment

Translate risk into terms that everyone can comprehend. Common language provides the opportunity for a more comprehensive analysis and documentation of potential risks within the organization; it also provides a more robust series of discussions around risk and returns on risk as your organization takes the time to consider adapting to risk and changing conditions.

Assess for critical points of failure

There are no two events that are the same, but there is plenty to be learned from each event. Assess where your key risks are across your organization and implement potential workarounds to assist your organization with its adaptation of changing conditions. Robust systems, flexible processes, resilient culture, and a collaborative environment are all key.

Technology

Your organization depends on vital technologies and systems. Operational resilience demands a complete view of these critical assets and services, as well as information regarding major open incidents, and a record of assets that are currently without reliable plans. Identify your most important asset as well as the key risks they face. These risks may include authentications, connectivity, encryption, and vulnerability response.

Four Pillars of Operational Resilience

People

Your employees well being should be your primary concern in the event of a disaster or other emergency. Ensure their safety and help maintain their productivity by focusing on proactive collaboration, communication, and leadership. Verify compliance with established controls by leveraging HR-system and app data, and provide alerts, training, and policies to better prepare your workforce for potentially dangerous or disruptive situations.

Facilities

Facility disruption, in the form of power outages, flooding, fires, etc., can grind your business to a halt. Operational resilience helps preserve safety and compliance within your facilities, and ensure reliable access to status information and essential controls.

Third Parties

Even if your organization is well prepared and extremely resilient, the third parties you do business with can introduce potential issues. Risk and compliance assessments help evaluate business continuity and risk management programs from you suppliers, consultants, and vendors. When necessary, include policy compliance in contracts, and improve diversification through second sourcing.

Arm your organization with operational resilience

Overcome the gaps, delays, and overhead imposed by typical organizational and data silos.

Explore GRC
Contact Us

Resources

Analyst Reports

Forrester Study: Total Economic Impact™ for ServiceNow® Risk and Compliance

Webinars

Deconstructing enterprise security response

White papers

Operational Resilience for Financial Services

A Single View of Operational Resilience

Governance, Risk, and Compliance Use Case Guide

Contact
Demo