How prepared are organisations for resilience?
Let’s cover the top-line data first. The survey of risk professionals found that nearly all surveyed (96%) believe operational resilience should be an important priority for their organisations, but only a bit under half (46%) currently rate their organisation’s operational resilience capacity as “high/very high”. This isn’t surprising for a hot topic that is already being pushed hard by regulators in the UK with those in the EU, Australia and the US set to follow.
In your personal view, should operational resilience be important for your organisation?
Thinking about your organisation’s overall approach, resources and processes, how do you rate its capability in operational resilience?
As you’d expect and hope from a topic with such a sizeable gap between importance and current execution, risk professionals are seeking to close the gap. More than half (56%) of survey respondents rate operational resilience as a “high/very high” priority for the next 12 months, and only 10% rate it as low or very low.
How do you rate the priority of operational resilience for your organisation over the next 12 months?
The levels of preparedness vary substantially across between organisations, with 8% of organisations having completed their operational resilience initiatives, and another 34% with programs underway at either a detailed business case or an implementation phase. However, 57% of organisations either haven’t done anything yet, or are still working on concept design. Among the organisations surveyed, just under half (48%) think that their existing risk management setup is capable of implementing operational resilience, while the rest believe that either some additional effort (38%) or extensive development to accommodate the new concept (15%) will be necessary.
If you have an initiative or project on operational resilience, what stage is it?
What impact does operational resilience have on your existing risk
management capabilities?
Drivers and responsibilities vary widely between organisations
Although the vast majority of respondents believe that operational resilience is vital to their business, the reasons why they believe this vary significantly between organisations. There is very little consensus on why operational resilience is important. Just over a third of respondents (35%) believe the main driver is to meet regulatory requirements, while 26% believe it’s an essential part of risk management best practice, and another 26% were inspired by their organisation’s response to COVID. The fact that motivations vary so significantly is an interesting indicator of how much different risk professionals’ understanding of the concept can be.
What are the main drivers of operational resilience for your organisation?
This divergent understanding of what operational resilience means and why is made even clearer when we look at the detail of how organisations are implementing their operational resilience programmes. Between them, the companies we surveyed are following almost every possible model of how to allocate primary responsibility for operational resilience.
The most popular choice (33%) is to make it a function of the Business Continuity Management (BCM) team, followed by a responsibility falling directly onto the executive management team (27%), but the Line 2 risk management team (17%), the IT/technology department (9%), and Line 1 business unit risk teams (7%) are all also represented. Only 4% of organisations have or plan to have a dedicated operational resilience team independent from their existing operations.
Who is/will be responsible for the development and implementation of operational resilience in your organisation?
There are similar levels of divergence when we look at the practicalities of how operational resilience is or will be implemented. By business unit/division (29%), by each critical process (20%), by each product or service (14%), and by high-level process (13%) are all popular models. Also tellingly, 25% of respondents didn’t know at the time of responding how their business would structure this implementation.
How is/will be operational resilience implemented in your organisation?
Awareness and understanding are the biggest challenge
It is not surprising, given the widely differing views of why and how to implement operational resilience that our survey has revealed, that risk professionals are also struggling to reconcile the topic within their organisations.
More than half of survey respondents (52%) said that the biggest challenge they faced in their implementation of operational resilience was the inconsistent understanding of operational resilience among different stakeholders within the business. Other challenges lagged far behind, with 17% primarily concerned about low resourcing and 13% finding that regulatory demands were unclear.
What challenges do you face in your implementation of operational resilience?
This lack of consistent understanding is also visible when considering the levels of detail at which operational resilience will be applied and the ultimate use of the outputs of operational resilience programs. Half of organisations intend to apply operational resilience to critical processes, while 17% intend to apply it to all processes within their business, 13% think operational resilience can be applied at a high level only without a focus on specific processes, and 21% haven’t yet worked out how this will apply for their organisation.
At what level of detail will operational resilience be applied in your organisation?
When it comes to primary outputs, the picture is similarly inconsistent. Just over a third (34%) think that the main output will be to satisfy regulatory requirements, with another third (33%) primarily focusing on providing the board or executive management with assurance. 10% think the main benefit will be to recovery plans, while 8% think that the outputs will primarily drive board and executive management decision-making.
How do you see your organisation using operational resilience outputs?
What are the key take-outs?
A combination of regulatory action, the impacts of COVID on business, and an understanding that it is an important part of wider enterprise risk management, have all been factors that have driven the update of operational resilience as a concept among risk professionals. However, at the moment many organisations appear to be struggling to understand the details of the concept, how to build a consistent internal understanding of what it means, and even what the benefits and outputs of building an operational resilience program will be.
This isn’t surprising: whenever there is a new concept gaining traction, the knowledge that it’s there and important often races ahead of the understanding of how to best approach it in a holistic way that aligns with your organisation’s core needs. But it highlights the importance of ensuring that your risk and BCM teams have a strong and consistent understanding of operational resilience, and that they are able to communicate this effectively to other stakeholders, both internal and external.
Download this report as a printable PDF
Next steps for your organisation
Protecht recently launched the Protecht.ERM Operational Resilience module, which
helps you identify and manage potential disruption so you can provide the critical
services your customers and community rely on.
Find out more about operational resilience and how Protecht.ERM can help:
- Watch our operational resilience webinar
- Download our operational resilience eBook
- Find out more about our Operational Resilience module
* Global survey of 142 risk management, compliance, business continuity and other key risk professionals carried out in 2021 by Protecht.