Glossary

Operational Resilience

Endurance in an Era of Uncertainty

Operational resilience can be explained as the ability of a system to maintain operations through disruption from an extreme, but plausible risk scenario such as:

  • Global pandemic
  • Climate disaster
  • Cyber attack
  • Supply chain disruptions

Covid-19 forced the topic of resiliency onto the agenda of companies worldwide and demonstrated the direct relationship between operational resilience and business continuity.

Mr. David Bailey, of the Bank of England, during a webinar titled “Operational Resilience Beyond”, explained: “The need to focus on this topic has never been more pressing… The covid pandemic, the ongoing shift of services to the cloud, and more recently, the terrible events in Ukraine have all brought fresh challenges to the overall operational resilience of the (financial) sector. This has included the need to shift to remote working at short notice, address the risk posed by dependencies on services and third-party providers (including those located in highly disrupted areas of the world), and highlighted an increasing need to focus on cyber resilience.”

It’s no surprise that successful companies are looking for strategies to build new levels of resilience. The capacity of an enterprise to look around the corner and foresee points of failure is key to long-term resilience, success, and sustainability.

Operational Resilience

In 2019, the Bank of England, in conjunction with the PRA (Prudential Regulation Authority), proposed wide-ranging changes to how financial firms approach their operational resilience. Although these policy proposals were drawn up for financial institutions, they can be applied to operational management strategies in other industries. Notably, the proposal was written before the pandemic hit. The lessons learned during the pandemic years and during the recovery period further emphasized the importance of a solid operational resilience framework.

The expectations listed in the policy outline a general structure of operational resilience management. Below are four practical policy guidelines to achieve operational resilience:

  1. Identifying Important Business Services

Businesses must identify their IBS (important business services). IBSs are services whose disruption could:

  • cause intolerable levels of harm from which consumers cannot easily recover
  • pose a risk to the safety and soundness of the organization
  • impact the market stability of the sector

Organizations should list the full suite of services they offer, and then select which of those would be categorized as “important”. The definition of “importance” should be based on a service being provided to an external end user (not an internal service such as payroll) and having the potential to threaten business objectives in the event of a disruption.


  2. Mapping IBS

Following the selection of important business services, organizations must map all IBSs to the resources that support and assist in the operation of each service. For example:

  • People: suppliers, consultants, developers, third and fourth-party vendors
  • Processes: product development, shipping, logistics, programming, recruitment
  • Technology: cloud-based services, software, applications, digital systems
  • Information: databases, internal records, documentation

Third-party vendors that support IBSs are included in the mapping process and must comply with requirements regarding operational resilience policies. Vendor risk management and supply chain assessment should be explored at this stage of resilience development. 

  3. Impact Tolerance Levels

Once important business services have been established and mapped to supporting resources, the logical next step is to delineate how, and to what extent, a given IBS and its underlying resources can tolerate a disruption to normal operation. Impact tolerance expresses the level of degradation and the duration of disruption that a service must be able to withstand while continuing to operate.

An impact tolerance statement refers to the amount of impact that can be tolerated by the company before irredeemable harm is caused to customers, markets, or the organization itself. Impact tolerance (unlike risk appetite) does not measure the likelihood of specified risks since it assumes the disruption has already materialized.

  4. Scenario Testing

Testing must be performed to demonstrate the organization’s ability to stay within its impact tolerances. A solid testing strategy should incorporate the risks and vulnerabilities that would surface in severe but plausible scenarios and then demonstrate how they would be remediated promptly. The experience gained from this testing can then educate the enterprise on how to further monitor operational risk resilience and increase its overall endurance. In cyber security operations, threat modeling can be used to derive the scenarios for this testing.

When it comes to strengthening fortitude in the face of uncertainty, a great place to start is by ensuring that an enterprise complies with regulatory standards that fit the industry. Standards and mandatory compliance frameworks ensure that businesses are meeting baseline practices to ensure cyber operational resilience. It’s no secret that of all plausible risk scenarios, cyber risk tops the charts in likelihood and inevitability. Developing an incident response plan and performing comprehensive risk assessments will get you started on your journey to resilience.

Centraleyes enables security teams to choose from tens of pre-populated integrated risk and compliance frameworks. By automating data collection across integrated frameworks and streamlining risk assessment and mitigation, Centraleyes is built to empower you with real-time insight so that you can survive and thrive with resilience.

