Despite the catchy title, we should be honest and say that there isn’t really any ‘versus’ between Operational Resilience, Business Continuity and Disaster Recovery (not to mention Crisis Communication, Incident Management, and Emergency Management). It’s about integration, working together and leveraging information, processes and resources to achieve operational outcomes.
But where are the differences? Where should lines of distinction be drawn, if at all? And who is responsible for what? That last question is probably the sticking point that undermines programmes (whatever they are called): confusion over responsibility can contribute to:
- Duplication of effort
- Different methodologies or data that isn’t compatible, reducing efficiency
- Lack of cohesion, where parts don’t come together to form a whole
- Conflict between departments or subject matter experts on ownership or accountability
- Failure to achieve effective continuity or recovery when there is a disruption
Operational resilience is the newest kid on the block, but it isn’t separate from the other two; it is the union of business continuity, disaster recovery and operational risk.
Let’s look at the core of each, and then we will investigate how they overlap and come together to achieve Operational Resilience.
What is operational risk?
Operational risk is the effect of uncertainty on operational objectives. An operational risk framework includes:
- Communication and consultation with stakeholders on its risk management processes
- Defining the types of risk an organisation is willing to take in pursuit of its objectives, tailored to the context of the organisation and its objectives
- Identification of risks that could affect the pursuit of defined objectives
- Analysis of identified risks to understand their causes, likelihood of occurrence, and potential impact on objectives
- Evaluation of risks against risk appetite or criteria to determine if action is required
- A framework for risk responses (or treatments), which includes the implementation of controls that reduce likelihood and / or impact of risks
- Monitoring and review of risk management processes to provide assurance and improve processes
- Recording and reporting to provide information to stakeholders and support decision making.
What is business continuity management?
Business continuity focuses on the critical business functions or services that, if disrupted, would cause significant impact to the organisation or its stakeholders. A business continuity framework includes:
- A Business Impact Analysis to identify the impact of disruption on critical functions, and identifying the resources required to support them, such as systems, third parties, people, locations and data
- Determining the Maximum Allowable Outage for identified critical functions (the point beyond which the organisation starts experiencing unacceptable impact)
- Structures and escalation processes to enable effective communication and activation of business continuity plans when disruption occurs
- Developing business continuity plans to recover and resume critical functions or operations if resources are disrupted
- Exercising and testing of business continuity plans to assess their effectiveness, embed roles and responsibilities, and develop capability
- The activation and use of plans during a disruptive event
The focus of business continuity is on preparing to respond to plausible events that could threaten the existence of the organisation if they were to occur, even if they are highly unlikely. Many business continuity plans were developed at a time when there was a focus on physical disruption.
What is disaster recovery?
Disaster recovery is a sub-set of business continuity that focuses specifically on the recovery and restoration of IT assets. This can include infrastructure, systems, or data that those systems rely on. It includes:
- Establishing Recovery Time Objectives for individual assets or systems – the target time within which those assets and systems are to be restored so that they can support critical functions
- Determining Recovery Point Objectives for data – how much data loss, expressed as the maximum age of the last recoverable copy, is acceptable for a given system or asset
- Developing Disaster Recovery procedures for individual assets
- Developing ongoing controls and processes to enable the Disaster Recovery procedures, such as back-up processes or redundancies
- Exercising and testing of disaster recovery plans to assess their effectiveness, embed roles and responsibilities, and develop capability
- Co-ordination with BC teams during disruption
Activation of alternate physical sites may also be included in Disaster Recovery responsibilities. The focus is on restoring IT assets, enabling the business to continue its operations.
So what is operational resilience, then?
Operational resilience is about the complete management of disruption. It includes:
- Preventing disruption to the enterprise from occurring in the first place
- Being robust and minimising impact if disruption occurs
- Recovering from impact as quickly as possible
- Adapting to changes in the operational environment
- Learning from disruption to become more resilient to future disruption
Operational resilience also moves the focus from the internal impact on the organisation to the impact on external stakeholders, such as customers or the public, if critical functions are disrupted. What is acceptable to the organisation may not be acceptable to those stakeholders.
It becomes clearer how each of the disciplines contributes to operational resilience, and how removing any one of them reduces that resilience.
Operational risk processes aid in the identification of risks and scenarios that would cause disruption. Of the three disciplines, operational risk has the biggest focus on prevention, not just response and recovery. This includes changing processes or dependencies altogether to eliminate risks or their causes, as well as implementing preventive controls.
Key Risk Indicators and early detective controls can also provide warning signals of changing risk exposure or imminent disruption that need to be addressed, which may either prevent disruption or provide time to absorb some of the impact if it does occur.
Business continuity plans and disaster recovery acknowledge that prevention is not always possible, and they can minimise the impact if disruption occurs while enabling effective recovery. They include sufficient rigour and testing to ensure there is internal capability to respond to disruption if it occurs.
Bringing them together
To achieve the outcome of operational resilience requires alignment and effective communication between these disciplines and sharing the same data. This can include having access to a single source of truth for:
- The definition and assessments of critical functions and the processes that support them
- Lists of resources required to support the critical functions and their interdependencies
- Agreed Maximum Allowable Outages for critical functions that can easily be compared with the Recovery Time Objectives in supporting Disaster Recovery plans, so that no supporting system’s Recovery Time Objective (including the systems it depends on) exceeds the Maximum Allowable Outage of the function it supports
- Scenario libraries that can be applied to business continuity functions as well as broader operational risk management
- Results of testing and exercising of BC / DR plans that are incorporated into risk profiles
- Key Risk Indicators that can inform response teams of potential disruption
- Assurance assessments and monitoring over preventive controls to ensure they remain effective
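As an added example (not from the original post and not Protecht.ERM code), the following Python check compares the Maximum Allowable Outage and tolerable data loss of each critical function from a BIA against the Recovery Time and Recovery Point Objectives of the systems it depends on, using the shared data the list above describes. The inventory and function records are constructed for illustration. It assumes serial recovery along dependency chains (an asset is restored only after its slowest upstream dependency), which is why a system whose own RTO looks acceptable can still breach the MAO once its dependencies are counted.

```python
from dataclasses import dataclass, field


@dataclass
class System:
    """An IT asset as recorded in the DR plan (values constructed for this example)."""
    name: str
    rto_hours: float                      # Recovery Time Objective for this asset on its own
    rpo_hours: float                      # Recovery Point Objective: max age of the last recoverable copy
    depends_on: list[str] = field(default_factory=list)  # upstream assets restored before this one


@dataclass
class CriticalFunction:
    """A critical function as recorded in the BIA (values constructed for this example)."""
    name: str
    mao_hours: float                      # Maximum Allowable Outage agreed in the BIA
    tolerable_data_loss_hours: float      # data loss the function's stakeholders will accept
    systems: list[str]                    # resources the BIA lists as required


def effective_rto(name: str, inventory: dict[str, System], _path: tuple = ()) -> float:
    """Worst-case restoration time for `name`, including its dependency chain.

    Assumption (not from the original post): recovery is serial, so the effective
    RTO is the asset's own RTO plus the longest effective RTO among its dependencies.
    A dependency cycle is a data error in the inventory and is reported as such.
    """
    if name in _path:
        raise ValueError("dependency cycle: " + " -> ".join(_path + (name,)))
    system = inventory[name]
    upstream = max(
        (effective_rto(dep, inventory, _path + (name,)) for dep in system.depends_on),
        default=0.0,
    )
    return system.rto_hours + upstream


def check_alignment(functions: list[CriticalFunction], inventory: dict[str, System]) -> list[tuple]:
    """Compare each function's MAO and data-loss tolerance with the DR objectives of the
    systems it needs. Returns (function, system, issue, detail) tuples; empty means aligned."""
    findings = []
    for fn in functions:
        for sys_name in fn.systems:
            if sys_name not in inventory:
                findings.append((fn.name, sys_name, "unmapped",
                                 "required by the BIA but absent from the DR inventory"))
                continue
            rto = effective_rto(sys_name, inventory)
            if rto > fn.mao_hours:
                findings.append((fn.name, sys_name, "rto_gap",
                                 f"effective RTO {rto:g}h exceeds MAO {fn.mao_hours:g}h"))
            rpo = inventory[sys_name].rpo_hours
            if rpo > fn.tolerable_data_loss_hours:
                findings.append((fn.name, sys_name, "rpo_gap",
                                 f"RPO {rpo:g}h exceeds tolerable loss {fn.tolerable_data_loss_hours:g}h"))
    return findings


# Constructed sample data: a small DR inventory and two BIA entries (not real systems).
INVENTORY = {
    "db-cluster": System("db-cluster", rto_hours=6, rpo_hours=0.25),
    "identity": System("identity", rto_hours=2, rpo_hours=24),
    "core-banking": System("core-banking", rto_hours=4, rpo_hours=1, depends_on=["db-cluster", "identity"]),
    "payments-gateway": System("payments-gateway", rto_hours=8, rpo_hours=1, depends_on=["core-banking"]),
}
FUNCTIONS = [
    CriticalFunction("Customer payments", mao_hours=8, tolerable_data_loss_hours=1,
                     systems=["payments-gateway", "identity"]),
    CriticalFunction("Account enquiries", mao_hours=24, tolerable_data_loss_hours=24,
                     systems=["core-banking", "crm"]),
]

if __name__ == "__main__":
    for function, system, issue, detail in check_alignment(FUNCTIONS, INVENTORY):
        print(f"{function}: {system} [{issue}] {detail}")
```

In the sample data the payments gateway's own RTO of 8 hours matches the 8-hour MAO, but its chain through core banking and the database cluster gives an effective RTO of 18 hours, so the check flags it; it also flags the identity system's 24-hour RPO against a one-hour data-loss tolerance, and a resource named in the BIA that the DR inventory does not know about. Each of those is the kind of mismatch that only becomes visible when the BIA and the DR plans are held in a single source of truth.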
In the second part of this blog series, we will be considering how teams from these different disciplines can work together towards a common goal.
Next steps for your organisation
Protecht recently launched the Protecht.ERM Operational Resilience module, which helps you identify and manage potential disruption so you can provide the critical services your customers and community rely on.
Find out more about operational resilience and how Protecht.ERM can help: