Protecht held a webinar on operational resilience in July 2022. The attendees asked a range of questions, some of which we were able to answer during the webinar and others not. This blog contains the questions asked in the webinar and our responses.
Register here to watch the recorded webinar
Key questions
- Do you think ESG/climate risk should be considered as part of operational resilience?
- Who are the leaders of operational resilience in Australia?
- How does scenario testing of resources help us to develop our capacity for recovery and adaptation?
- Should Line 2 drive and manage the operational resilience framework?
- When creating a scenario, do we have criteria or can it be challenged as to how real it can be?
- Is it more effective to position resilience as a performance driver rather than a risk mitigation?
- Can you link existing incidents in the new module?
Do you think ESG/climate risk should be considered as part of operational resilience?
Of itself, ESG/climate risk is not an integral part of operational resilience any more than all other risks would be. Instead, ESG/climate risk should be considered as an input into operational resilience to the extent that ESG/climate-related risks would be of the magnitude that they could cause major disruption to the organisation’s critical processes.
These risks may influence the nature and magnitude of the disruptive scenarios that could occur and, as a result, influence the scenarios used for testing resilience.
How does it work to link cyber security risk and capability maturity to operational resilience which is a part of enterprise risk?
Similar to the question above, cyber security risk integrates with operational resilience in terms of the disruptive events that could arise from cyber, most with the potential to cause major disruption. This will influence the severe but plausible scenarios we use to test resilience. Because this risk is a major source of disruption, being cyber resilient is a major part of operational resilience.
Can you please clarify what you mean by Line 1 & Line 2? Is that management levels in the organisation?
The “lines” come from the three lines of defence model that has been adopted by the financial services industry and the Three Lines Model adopted by the Institute of Internal Auditors.
Line 1 is the business itself. Its people are usually not risk specialists, yet they are responsible for the internal control framework operating within the business, are the owners of any risk in their business and have primary responsibility for its management. Line 2 are risk professionals, and their role is to review, challenge and assist Line 1 in the management of its risk. This may well include assistance and expertise in developing risk frameworks, but they are not there to manage the risk on behalf of Line 1. Lastly, Line 3 is internal audit, responsible for providing independent assurance that Lines 1 and 2 are working effectively.
View the IIA’s definition here.
How often should you review resilience in the business: is annual enough or should it be more frequent?
In the financial services sector, the UK regulator requires an annual “self-assessment” to be performed on resilience to demonstrate the required level of resilience. Logically speaking, an organisation should be resilient at all times so that it is ready for disruption whenever it may strike.
This then leads to a management decision on how often resilience should be reviewed in order to get that level of comfort and this will depend on many things such as how dynamic the business is, how much change is occurring and the nature of the disruptive stress events to which the organisation is exposed.
Who are the leaders of operational resilience in Australia?
This is a good question. In terms of end users in financial services, the current concept of operational resilience is only beginning with the issue of the draft CPS 230 prudential standard from APRA in late July 2022. We expect some leaders to develop from within financial services due to this.
In non-financial services, we would expect owners of critical infrastructure such as essential services to be leaders in resilience and business continuity due to the criticality of their services.
In terms of service providers, Protecht is focussed on being a leader in operational resilience, not just locally but globally. Our EMEA team is a great help here due to the maturity of the UK regulator, and as such we are leveraging this knowledge locally. Our focus is thought leadership: to develop an operational resilience framework and methodology as well as a technology solution with the Operational Resilience module within our Protecht.ERM system.
Watch this space as resilience becomes a more prominent part of ERM.
How does scenario testing of resources help us to develop our capacity for recovery and adaptation?
Critical processes or Important Business Services are driven by the resources needed to make them operate. When those resources fail or are unavailable, the process degrades and/or fails. This leads to a drop or failure in the service objective, the end impact of a lack of resilience. Running scenarios that involve impacts on these critical resources, and then testing our ability for timely recovery of the resources and/or the adaptation of the required resources (e.g. substitution), may identify weaknesses and improvements.
Should Line 2 drive and manage the operational resilience framework?
It is early days to know where operational resilience frameworks should sit. A recent survey that Protecht carried out asked the following question: “Where does the responsibility for operational resilience sit in your organisation?”.
The options with responses were as follows:
The results show that there is no one specific home. Naturally, operational resilience aligns closely with BCP and DRP so could sit well with this existing function. That said, it makes sense for all of these risk related frameworks, ERM, BCP/DRP, operational resilience etc. to be brought together under an overarching ERM banner which is where the majority are placing the function. From this perspective, Line 2, as the ERM experts should ideally have major input in the frameworks and be able to challenge them. However, risk and its management should be owned by the Line 1 business and ultimately it makes sense that risk frameworks are owned by Line 1.
When creating a scenario, do we have criteria or can it be challenged as to how real it can be?
The creation of scenarios and the assumptions implicit in these scenarios is a key component of the resilience process. What scenarios should we be able to be resilient against and which scenarios are so extreme and implausible that resilience to them would not be expected?
Financial service regulators often describe the scenarios that we need to consider as being “severe enough to be material yet plausible enough to be taken seriously”. This obviously involves subjective judgement and is often backed up by confidence levels. That is, these scenarios may be deemed to include (say) 99% of possible scenarios. This means that we have 99% level of confidence as to being resilient to the range of disruptions that can be thrown at us.
Will you please share the link to APRA's recent industry consultation? When is an industry standard expected from them?
The draft APRA CPS 230 Operational Risk Management prudential standard was issued for consultation on 28 July 2022. It is open for comment until October 2022 and is expected to come into force in January 2024. It covers operational resilience as part of expected enhancement of operational risk management, disaster recovery planning and third-party risk management.
The link to the APRA site is here.
Is it more effective to position resilience as a performance driver rather than a risk mitigation?
We would like to think that we can consider resilience as one and the same. That is, it is a performance driver when we measure performance as sustainable risk-based performance. Being more direct, being resilient means:
- We will be disrupted less when disruptive events occur. This improves performance through these times as we can continue functioning
- The cost of managing and recovering from a disruptive event is less, improving financial performance
- We are more capable of capitalising on disruption if we are in a better state than our competitors
- Being resilient makes us more attractive to customers and could lead to winning work and clients
- Being resilient may make us more confident to pursue activities which have a higher level of risk and related reward, as we know we can cope with the risk
We should be considering operational resilience as a key aspect of risk management, and as risk is the “effect of uncertainty on objectives”, risk management is managing the effect of uncertainty on objectives, which is objectives/outcome management.
All risk management is therefore performance management!
How do you ensure that operational resilience stays an ongoing exercise and not a tick-box exercise, ensuring the correct focus, visibility, etc.?
Great question, which probably also applies to risk management more generally! Some of the key things to consider in order to ensure operational resilience becomes an embedded repeated part of management processes are:
- Promote the value and performance aspects of resilience. Some of these are set out immediately above
- Ensure that there is a regular cadence around operational resilience. The UK financial services regulators are requiring an annual operational resilience self-assessment to be carried out and reported to the regulator
- Make the resilience process an integrated and embedded process within enterprise risk management rather than an added extra
- Attach KPIs to responsible staff around the resilience process
How would you convince an organisation that didn't do resilience planning pre-COVID but coped well during COVID that planning for operational resilience is important?
This question brings to mind a quote from Edward Smith, Captain of the Titanic, speaking a few years before his final voyage:
When anyone asks me how I can best describe my experiences of nearly forty years at sea, I merely say uneventful. I have never been in an accident of any sort worth speaking about... I never saw a wreck and have never been wrecked, nor was I ever in any predicament that threatened to end in disaster of any sort.
The key is to:
- Analyse why the organisation coped well during the pandemic. Was it by luck or design? If design, then that is resilience. If luck, then luck runs out so the next shock may be the iceberg!
- Consider the range of disruptive events that could occur and assess whether the organisation would cope as well with the range of events. A tech-based business may have been very good at coping with the pandemic due to the ease of moving to a working from home environment where a major cyber-attack or solar flare may not have such strong results!
What is the difference between business continuity management and operational resilience? In a BIA one identifies all activities and processes and then states their RTOs and RPOs. Seems very similar in nature?
This is a very common and very good question. The answer depends a little on how mature, comprehensive and strong the BCP capability is. If strong, then the BCP process will be well aligned with operational resilience and will form a great base from which to tweak and build the slightly wider and perhaps slightly different focus of operational resilience.
To paraphrase the Australian financial services regulator, APRA, in the recent draft CPS 230 standard:
- Many BCP plans were developed at a time when there was a focus on physical disruptions to businesses, including such things as the need to have back-up recovery sites to allow a business to continue to operate in some limited form
- With the increasing move to digitisation, the focus of business continuity planning has shifted to maintaining critical operations and services for customers, including maintaining online capabilities
The latter shift is the focus of operational resilience.
Can you link existing incidents in the new module?
In terms of linking incidents to the new Protecht Operational Resilience module, while a link to existing incident registers is not included in the preconfigured registers, it would be possible to add a linkage to that information within the Important Business/Critical Service register through our standard register configuration process.
How has the solution sought to map/visualise cross functional risk and process in the critical services mapping? What happens where key services/BCPs are owned and managed by one BU but are the basis for meeting the objectives of another?
Protecht have designed the linkage to core risks at the scenario level. The scenario occurring would trigger a risk event. Given that one scenario may impact many resources and those resources may be used in many processes/critical services, this highlights the one-to-many risk impact.
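To make the scenario-to-resource-to-service chain described above (and in the scenario testing answer earlier) concrete, here is an added illustrative model; it is not Protecht.ERM code, and all service names, resources, recovery times and impact tolerances are constructed. A scenario is a set of lost resources; each affected service is down for as long as its worst-hit resource, allowing for substitution, and the service objective fails if that outage exceeds its impact tolerance.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class Resource:
    name: str
    recovery_hours: float           # time to restore this resource after it is lost
    substitute: str | None = None   # resource that can stand in while recovering (adaptation)

@dataclass
class Service:
    name: str
    tolerance_hours: float          # impact tolerance: maximum disruption to the service objective
    resources: list[str]            # resources the Important Business Service depends on

# Constructed sample data (hypothetical; not from the webinar or any real organisation)
RESOURCES = {r.name: r for r in [
    Resource("core_banking_db", 24.0),
    Resource("payments_gateway", 8.0, substitute="manual_payments_desk"),
    Resource("manual_payments_desk", 2.0),
    Resource("office_hq", 72.0, substitute="remote_work"),
    Resource("remote_work", 1.0),
]}
SERVICES = [
    Service("retail_payments", 12.0, ["core_banking_db", "payments_gateway"]),
    Service("customer_onboarding", 48.0, ["core_banking_db", "office_hq"]),
    Service("call_centre", 4.0, ["office_hq"]),
]

def resource_outage(name: str, lost: set[str]) -> float:
    """Hours a resource is unavailable under a scenario that takes out the resources in `lost`."""
    if name not in lost:
        return 0.0
    res = RESOURCES[name]
    if res.substitute and res.substitute not in lost:
        # Substitution: the outage lasts only until the substitute is up, if that is quicker
        return min(res.recovery_hours, RESOURCES[res.substitute].recovery_hours)
    return res.recovery_hours

def assess_scenario(lost: set[str]) -> dict[str, tuple[float, bool]]:
    """Map one scenario to every affected service (the one-to-many impact).
    Returns {service: (outage_hours, within_tolerance)} for services that are disrupted at all."""
    result = {}
    for svc in SERVICES:
        outage = max(resource_outage(r, lost) for r in svc.resources)
        if outage > 0:
            result[svc.name] = (outage, outage <= svc.tolerance_hours)
    return result

def breaches(lost: set[str]) -> list[str]:
    """Services whose objective would fail under the scenario, i.e. where resilience is lacking."""
    return sorted(n for n, (_, ok) in assess_scenario(lost).items() if not ok)
```

Running a loss-of-premises scenario (`{"office_hq"}`) shows the remote-work substitute keeps every service within tolerance, whereas a loss of the core database breaches retail payments even though it is only one of the two services that depend on it.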
Next steps for your organisation
Protecht recently launched the Protecht.ERM Operational Resilience module, which helps you identify and manage potential disruption so you can provide the critical services your customers and community rely on.
Find out more about operational resilience and how Protecht.ERM can help: