Like many professions, we risk managers seem to be masters at picking the latest trend and promoting it as if it’s the only thing that matters. Operational resilience and ESG currently come to mind. This technique is loved by consultants and service providers to grab the audience’s attention. This can be both good and not so good:
The good:
- Awareness of the topic is greatly enhanced and spreading of the word is greatly accelerated
- Investment is directed to the solutions which improves what is available from a product perspective
The not-so-good:
- The topic is promoted as something new and different and begs your attention and investment. This can mean you take your eye away from other important matters
- The topic requires a new standalone solution and process. This complicates your management processes and demands major resources to implement
- After the event, the topic seems to fade away and we create a perception of following the latest trend
In my memory, Y2K (yes, I’m that old!), Sarbanes Oxley (SOX) and Big Data are three major examples. I worry as to whether our approach to these was more knee-jerk than measured.
Reality or another fad?
So, on to operational resilience. Let’s make sure that we don’t follow the same path but instead make it an integral part of our overall Enterprise Risk Management (ERM) process. That way, we can leverage our existing ERM capabilities to achieve effective and efficient operational resilience, without creating something completely separate.
So how do we integrate operational resilience into our ERM framework?
Integration starts right at the beginning.
- Risk is the effect of uncertainty on objectives[1] and so it follows that risk management must be managing the effect of uncertainty on objectives.
- Operational resilience is an organisational trait that allows it to carry out its mission or business despite the presence of operational stress and disruption.[2]
‘Missions’ encapsulate the ultimate objectives of an organisation. Both ERM and operational resilience are therefore focused on ensuring that objectives are met, in the presence of uncertainty, some of which may be caused by stress and disruption. ERM and operational resilience are focused on the same thing.
How do ERM and operational resilience compare?
The following table highlights the main things that ERM and operational resilience have in common:
| Feature | ERM | Operational resilience |
|---|---|---|
| Link with strategy and objectives | Risk is the effect of uncertainty on objectives. ERM starts with strategy and objectives, and all risk and risk management is connected to them. | Operational resilience starts with understanding the objectives and risks we bring to our stakeholders. |
| Critical processes | Risk is connected to strategy and objectives via critical processes, i.e. which risks could cause a critical process to fail and so lead to objectives not being achieved. | Important Business Services are identified which deliver the service to stakeholders, particularly customers. For each important business service, the critical sub-processes need to be identified. |
| Risk and risk assessment | Risks are identified based on their impact on the critical processes. Risk assessment is undertaken using a range of monitoring tools, including risk assessment and risk metrics. | Critical resources (e.g. people, physical assets, software etc.) are identified and mapped to the sub-processes and important business services. These resources are then risk assessed to determine their overall resilience health. |
| Business Continuity Planning, Disaster Recovery Planning, Contingency and Recovery Planning, Incident Management processes | These elements should already form part of a strong ERM framework. | Operational resilience links to, and utilises, the information from each of these processes rather than duplicating the processes. |
| Scenario Analysis / Stress Testing | A key element of ERM to ensure adequate focus on severe events. | Scenarios are required to be formulated and applied against the resilience maps to test whether the impact tolerances are being met. These scenarios should be common to ERM. |
| Issues and Actions management | Forms a key part of an ERM framework. | Used to identify resilience weaknesses and improvements, formulate actions and ensure those actions are implemented. |
| Third Party Risk Management (TPRM) | TPRM is a critical part of a strong ERM framework. | Resources that are mapped to the Important Business Services need to be assessed as to whether they are reliant / dependent on third parties. If yes, the link to third party risk management to assess the resilience health of the resources is essential. |
| Cyber Risk and Cyber Security | Cyber risk management and cyber security are a key element of an ERM framework. | Cyber attacks represent a prominent disruptive scenario that could severely damage the health of relevant data and systems resources. Resilience assessment should use the cyber risk information within the ERM process. |
Source: The Complete Guide to Achieving Operational Resilience eBook
Learning outcomes
In practice, this means that your operational resilience capability should be built as an integral part of your ERM capability, not as a standalone, point solution. It follows the same principles as risk management, and it calls upon and integrates with a wide range of existing risk management information and functionality – BCP/DRP, TPRM and cyber just to name a few.
The key benefit of this approach is that you do not need to start from scratch. You can leverage your existing ERM capability and processes in order to create an efficient and effective operational resilience capability and process. Let them live together in harmony, not in different houses with duplicate processes and resources. Cohabiting is better than living alone for these two friends!
Financial services regulators are leading the way in driving operational resilience, but shouldn't it be a core focus of every organisation's ERM capability? Join us on Thursday 28 July 2022 for our Operational Resilience: The ultimate goal in risk management webinar to find out what it means to be resilient and how you can integrate resilience into your ERM framework.
[1] ISO 31000:2018 Risk Management Principles and Guidelines
[2] Technopedia