Skip to content

Operational resilience: Webinar Q&A

Protecht held a webinar on operational resilience in July 2022. The attendees asked a range of questions, some which we were able to answer during the webinar and others not. This blog contains the questions asked in the webinar and our responses.

Register here to watch the recorded webinar

Key questions

Do you think ESG/climate risk should be considered as part of operational resilience?

How does it work to link cyber security risk and capability maturity to operational resilience which is a part of enterprise risk?

Can you please clarify what you mean by Line 1 & Line 2? Is that management levels in the organization?

How often should you review resilience in the business: is annual enough or should it be more frequent?

Who are the leaders of operational resilience?

How does scenario testing of resources help us to develop our capacity for recovery and adaptation?

Should Line 2 drive and manage the operational resilience framework?

When creating a scenario, do we have criteria or can it be challenged as to how real it can be?

Is it more effective to position resilience as a performance driver rather than a risk mitigation?

How do you ensure to keep operational resilience an ongoing exercise and not a tick box exercise, ensuring the correct focus, visibility, etc?

How would you convince an organization that didn't do resilience planning pre-COVID but coped well during COVID that planning for operational resilience is important?

What is the difference between business continuity management and operational resilience? In a BIA one identifies all activities and processes and then state their RTO's and RPO's for these. Seems very similar in nature?

Can you link existing incidents in the new module?

How has the solution sought to map/visualize cross functional risk and process in the critical services mapping? What happens where key services/BCPs are owned and managed by one BU but are the basis for meeting the objectives of another?

Do you think ESG/climate risk should be considered as part of operational resilience?

Of itself, ESG/climate risk is not an integral part of operational resilience any more than all other risks would be. Instead, ESG/climate risk should be considered as an input into operational resilience to the extent that ESG/climate-related risks would be of the magnitude that they could cause major disruption to the organization’s critical processes.

These risks may influence the nature and magnitude if the disruptive scenarios that could occur and as a result influence the scenarios use for testing resilience.

How does it work to link cyber security risk and capability maturity to operational resilience which is a part of enterprise risk?

Similar to the question above, cyber security risk integrates with operational resilience in terms of the disruptive events that could arise from cyber, most with the potential to cause major disruption. This will influence the severe but plausible scenarios we use to test resilience. Because this risk is a major source of disruption, being cyber resilient is a major part of operational resilience.

Can you please clarify what you mean by Line 1 & Line 2? Is that management levels in the organization?

The “lines” come from the 3 lines of defense model that has been adopted by the financial services industry and the three lines model adopted by the Institute of Internal Auditors.

Line 1 is the business itself who are usually non risk specialists yet are responsible for the internal control framework operating within the business and are owners of any risk in their business and have primary responsibility for its management. Line 2 are risk professionals, and their role is to review, challenge and assist line 1 in the management of its risk. This may well include assistance and expertise in developing risk frameworks. They are not there to manage the risk on behalf of Line 1. Lastly is Line 3 which is internal audit responsible for providing independent assurance that Lines 1 and 2 are working effectively.

View the IIA’s definition here.

How often should you review resilience in the business: is annual enough or should it be more frequent?

In the financial services sector, the UK regulator requires an annual “self-assessment” to be performed on resilience to demonstrate the required level of resilience. Logically speaking, an organization should be resilient at all times so that it is ready for disruption whenever it may strike.

This then leads to a management decision on how often resilience should be reviewed in order to get that level of comfort and this will depend on many things such as how dynamic the business is, how much change is occurring and the nature of the disruptive stress events to which the organization is exposed.

Who are the leaders of operational resilience?

In terms of service providers, Protecht is focused on being a leader in operational resilience, not just locally but globally. Our EMEA team is a great assister here due to the maturity of the UK regulator and as such we are leveraging this knowledge worldwide. Our focus is thought leadership, to develop an operational resilience framework and methodology as well as a technology solution with the Operational Resilience module within our Protect.ERM system.

Watch this space as resilience becomes a more prominent part of ERM.

How does scenario testing of resources help us to develop our capacity for recovery and adaptation?

Critical processes or Important Business Services are driven by the resources needed to make them operate. When those resources fail or are unavailable, the process degrades and/or fails. This leads to a drop or failure in the service objective, the end impact of a lack of resilience. Running scenarios that involve impacts on these critical resources and the resulting testing of our ability for timely recovery of the resources and/or the adaption of the required resources (e.g. substitution) may identify weaknesses/improvements.

Should Line 2 drive and manage the operational resilience framework?

It is early days to know where operational resilience frameworks should sit. A recent survey that Protecht carried out asked the following question: “Where does the responsibility for operational resilience sit in your organization?”.

The options with responses were as follows:

opres-survey-7-responsible

The results show that there is no one specific home. Naturally, operational resilience aligns closely with BCP and DRP so could sit well with this existing function. That said, it makes sense for all of these risk related frameworks, ERM, BCP/DRP, operational resilience etc. to be brought together under an overarching ERM banner which is where the majority are placing the function. From this perspective, Line 2, as the ERM experts should ideally have major input in the frameworks and be able to challenge them. However, risk and its management should be owned by the Line 1 business and ultimately it makes sense that risk frameworks are owned by Line 1.

When creating a scenario, do we have criteria or can it be challenged as to how real it can be?

The creation of scenarios and the assumptions implicit in these scenarios is a key component of the resilience process. What scenarios should we be able to be resilient against and which scenarios are so extreme and implausible that resilience to them would not be expected?

Financial service regulators often describe the scenarios that we need to consider as being “severe enough to be material yet plausible enough to be taken seriously”. This obviously involves subjective judgement and is often backed up by confidence levels. That is, these scenarios may be deemed to include (say) 99% of possible scenarios. This means that we have 99% level of confidence as to being resilient to the range of disruptions that can be thrown at us.

Is it more effective to position resilience as a performance driver rather than a risk mitigation?

We would like to think that we can consider resilience as one and the same. That is, it is a performance driver when we measure performance as sustainable risk-based performance. Being more direct, being resilient means:

  • We will be disrupted less when disruptive events occur. This improves performance through these times as we can continue functioning
  • The cost of managing and recovering from a disruptive event is less, improving financial performance
  • We are more capable of capitalizing on disruption if we are in a better state then our competitors
  • Being resilient makes us more attractive to customers and could lead to winning work and clients
  • Being resilient may make us more confident to pursue activities which have a higher level of risk and related reward, as we know we can cope with the risk

We should be considering operational resilience as a key aspect of risk management, and as risk is the “effect of uncertainty on objectives”, risk management is managing the effect of uncertainty on objectives, which is objectives/ outcome management.

All risk management is therefore performance management!     

How do you ensure to keep operational resilience an ongoing exercise and not a tick box exercise, ensuring the correct focus, visibility, etc?

Great question, which probably also applies to risk management more generally! Some of the key things to consider in order to ensure operational resilience becomes an embedded repeated part of management processes are:

  • Promote the value and performance aspects of resilience. Some of these are set out immediately above
  • Ensure that there is a regular cadence around operational resilience. The UK financial services regulators are requiring an annual operational resilience self-assessment to be carried out and reported to the regulator
  • Make the resilience process an integrated and embedded process within enterprise risk management rather than an added extra
  • Attached KPIs to responsible staff around the resilience process

How would you convince an organization that didn't do resilience planning pre-COVID but coped well during COVID that planning for operational resilience is important?

This question brings to mind a quote from Edward Smith, Captain of the Titanic, speaking a few years before his final voyage:

When anyone asks me how I can best describe my experiences of nearly forty years at sea, I merely say uneventful. I have never been in an accident of any sort worth speaking about... I never saw a wreck and have never been wrecked, nor was I ever in any predicament that threatened to end in disaster of any sort.

The key is to:

  • Analyze why the organization coped well during the pandemic. Was it by luck or design? If design, then that is resilience. If luck, then luck runs out so the next shock may be the iceberg!
  • Consider the range of disruptive events that could occur and assess whether the organization would cope as well with the range of events. A tech-based business may have been very good at coping with the pandemic due to the ease of moving to a working from home environment where a major cyber-attack or solar flare may not have such strong results!

What is the difference between business continuity management and operational resilience? In a BIA one identifies all activities and processes and then state their RTO's and RPO's for these. Seems very similar in nature?

This is a very common and very good question. The answer depends a little on how mature, comprehensive and strong is the BCP capability? If strong, then the BCP process will be well aligned with operational resilience and will form a great base from which to tweak and build the slightly wider and perhaps slightly difference focus of operational resilience.

To paraphrase the Australian financial services regulator, APRA, in the recent draft CPS 230 standard:

  • Many BCP plans were developed at a time when there was a focus on physical disruptions to businesses, including such things as the need to have back-up recovery sites to allow a business to continue to operate in some limited form.
  • With the increasing move to digitisation, the focus of business continuity planning has shifted to maintaining critical operations and services for customers, including maintaining online capabilities

The latter shift is the focus of operational resilience.

Can you link existing incidents in the new module?

In terms of linking incidents to the new Protecht Operational Resilience module, while a link to existing incident registers is not included in the preconfigured registers, it would be possible to add a linkage to that information within the Important Business/Critical Service register through our standard register configuration process.

How has the solution sought to map/visualize cross functional risk and process in the critical services mapping? What happens where key services/BCPs are owned and managed by one BU but are the basis for meeting the objectives of another?

Protecht have designed the linkage to core risks at the scenario level. The scenario occurring would trigger a risk event. Given that one scenario may impact many resources and those resources may be used in many processes / critical services, this highlights the one-to-many risk impact.

Next steps for your organization

Protecht recently launched the Protecht.ERM Operational Resilience module, which
helps you identify and manage potential disruption so you can provide the critical
services your customers and community rely on.

Find out more about operational resilience and how Protecht.ERM can help:

About the author

David Tattam is the Chief Research and Content Officer and co-founder of the Protecht Group. David’s vision is the redefine the way the world thinks about risk and to develop risk management to its rightful place as being a key driver of value creation in each of Protecht’s clients. David is the driving force in driving Protecht’s risk thinking to the frontiers of what is possible in risk management and to support the uplift of people risk capability through training and content.