Components of Operational Resilience for Businesses
Resilience Is Good for Business
What has emerged from the organizational response to COVID is a greater focus on business resilience: not only attaining an understanding of it but also developing a desire to achieve it. With COVID, both leadership and staff saw firsthand that being resilient is good for business. Current risks, such as increased and extreme weather-related events and cybersecurity concerns, have companies looking at what made organizations more resilient during COVID and increasing their investment in resilience.
Aon surveyed 800 C-suite leaders and senior executives. One of their main findings was that “across industries, executives are reporting a greater willingness to address risk and make investments to build resiliency for the future.” A PwC survey of 2,800 business leaders found that 7 out of 10 organizations reported planning to increase their investment in building resilience; among risk leaders, that number rises to 9 out of 10.
But what is business resilience? The International Organization for Standardization (ISO) defines resilience as “the ability of an organization to absorb and adapt in a changing environment to enable it to deliver its objectives and to survive and prosper.” In general, this is achieved by rapidly responding to business disruptions and crises and safeguarding people and assets while maintaining continuous business operations. Ernst & Young continues, “Enterprise resilience is a firm’s ability to respond to, recover from, and resume operations at acceptable levels of service to customers, clients, and counterparties through significant disruptions.”
However, it is not just about crisis management or business continuity planning; it is also about foreseeing risks and mitigating them.
Attributes of Business Resilience
Resilient companies anticipate threats. They know a crisis will come, and they prepare by looking for vulnerabilities and putting controls in place to mitigate negative impacts.
Resilient organizations prepare for crises by conducting BIAs, creating all types of plans, and raising awareness of the plans through exercising and training.
Resilient organizations rapidly respond by continually communicating with all applicable stakeholders and utilizing actionable plans.
Resilient organizations adapt by having plans that are flexible and that provide strategies to be able to quickly change course based on current conditions.
Resilient organizations continually learn from past incidents by reviewing and making changes in after-action assessments. During a longer-term incident, such as the pandemic, they assess during the incident and apply lessons earned in real time.
Operational resilience focuses on the organization’s ability to deliver its critical products and services. The Basel Committee on Banking Supervision, for example, defines operational resilience as “the ability of a bank to deliver critical operations through disruption.” A more vertical-agnostic definition is one by Protiviti, which defines operational resilience as the “ability of an organization to withstand adverse changes in its operating environment and continue the delivery of business services and economic functions.”
Organizations can accomplish operational resilience by building resilience into processes and assets, such as within personnel, third-party service providers, communications, physical infrastructure (structure and recovery), data (backup and replication), power, cyber resilience, telecommunications, change management, and resumption of operations as built into the FFIEC BCM framework.
A More Holistic Program for Greater Business Resilience
Many reported that what made their COVID-19 response successful was breaking down silos and increasing collaboration. “Crises like the COVID-19 pandemic highlight the importance of effective collaboration for long-term commercial success,” states an article in the Harvard Business Review.
Organizations are finding that there are inconsistencies and redundancies in plans and that teams are disjointed and less effective without collaboration. Companies also realized that all personnel were important in their success and concluded that business resilience must be an enterprise-wide effort.
As a result, organizations are now looking to implement or enhance strategies to ensure these elements in the next crisis. The recent BCI survey on business continuity and resilience found that “COVID-19 continues to drive better interdepartmental collaboration as well as more effective industry collaboration.” This is reinforced by C-level executives surveyed by Deloitte regarding building a resilient organization, noting that “removing silos within our organization and focusing more on cross-functional collaboration was a top strategic action that CXOs were focused on both before and during 2020.”
Build the foundation in the preparation phase. Promote collaboration and consistency by formalizing a resilience team, group, or department that brings together multi-risk and resilience disciplines. These disciplines can include crisis management, business continuity, disaster recovery, information security, emergency management, risk management, vendor management, and areas that support them, like human resources or security. Additionally, leadership must recognize that everyone in the organization is integral in a response; therefore, plans should consider everyone, not just those deemed critical.
To support these efforts, utilize technology to centralize and break down silos among the resilience and operational risk areas. Technology provides a central location for these multiple, cross-functional teams to create, maintain, and standardize plans. It also provides a holistic view and monitoring system of the organization’s resilience program.