Despite the catchy title of our blog post, we should be honest and say that there isn’t really any "versus" between Operational Resilience (OpRes), Business Continuity (BC) and Disaster Recovery (DR) – not to mention Crisis Communication, Incident Management, and Emergency Management. They are about integration, working together and leveraging information, processes and resources to achieve operational outcomes.
But where are the differences? Where should lines of distinction be drawn, if at all? And who is responsible for what? That last point is probably the sticking point that might undermine your program.
Confusion over responsibility can contribute to:
- Duplication of effort
- Different methodologies or data that aren’t compatible, reducing efficiency
- Lack of cohesion, where parts don’t come together to form a whole
- Conflict between departments or subject matter experts on ownership or accountability
- Failure to achieve effective continuity or recovery when there is a disruption
Operational resilience is the newest kid on the block, but it isn’t separate from business continuity or disaster recovery; it’s their union with operational risk.
Let’s look at the core of each, and then we will investigate how they overlap and come together to achieve operational resilience.
What is operational risk?
Operational risk is the effect of uncertainty on operational objectives.
An operational risk framework includes:
- Communication and consultation with stakeholders on its risk management processes.
- Defining the types of risk an organization is willing to take in pursuit of its objectives, tailored to the context of the organization and its objectives.
- Identification of risks that could affect the pursuit of defined objectives.
- Analysis of identified risks to understand their causes, likelihood of occurrence, and potential impact on objectives.
- Evaluation of risks against risk appetite or other criteria to determine if action is required.
- A framework for risk responses or treatments, which includes the implementation of controls that reduce the likelihood and/or impact of risks.
- Monitoring and review of risk management processes to provide assurance and improve processes.
- Recording and reporting to provide information to stakeholders and support decision-making.
What is business continuity management?
Business continuity focuses on the critical business functions or services that, if disrupted, would cause a significant impact to the organization or its stakeholders.
A business continuity framework includes:
- A Business Impact Analysis (BIA) to identify the impact of disruption on critical functions, and to identify the resources required to support them, such as systems, third parties, people, locations and data.
- Determining the Maximum Allowable Outage for identified critical functions, above which the organization starts experiencing unacceptable impact.
- Structures and escalation processes to enable effective communication and activation of business continuity plans when disruption occurs.
- Developing business continuity plans to recover and resume critical functions or operations if resources are disrupted.
- Exercising and testing business continuity plans to assess their effectiveness, embed roles and responsibilities, and develop capability.
- The activation and use of plans during a disruptive event.
The focus of business continuity is on preparing to respond to plausible events that could threaten the existence of the organization if they were to occur, even if they are highly unlikely.
Many business continuity plans were developed at a time when there was a focus on physical disruption.
What is disaster recovery?
Disaster recovery is a subset of business continuity that focuses specifically on the recovery and restoration of IT assets. This can include infrastructure, systems, or data that those systems rely on.
Disaster recovery includes:
- Establishing Recovery Time Objectives (RTO) for individual assets or systems – the time within which the organization aims to recover those assets and systems so that they can support critical functions.
- Determining Recovery Point Objectives (RPO) for data – how much data loss is acceptable for a given system or asset?
- Developing disaster recovery procedures for individual assets.
- Developing ongoing controls and processes to enable disaster recovery procedures, such as backup processes or redundancies.
- Exercising and testing disaster recovery plans to assess their effectiveness, embed roles and responsibilities, and develop capability.
- Coordination with BC teams during disruption.
Activation of alternate physical sites may also be included in disaster recovery responsibilities. The focus is on restoring IT assets and enabling the business to continue its operations.
So what is operational resilience, then?
Operational resilience is about the complete management of disruption.
OpRes includes:
- Preventing disruption to the enterprise from occurring in the first place.
- Being robust and minimizing impact if a disruption does occur.
- Recovering from impact as quickly as possible.
- Adapting to changes in the operational environment.
- Learning from disruption to become more resilient to future disruption.
Operational resilience also moves the focus from the internal impact on the organization to the impact on external stakeholders such as customers or the public if critical functions are disrupted. What may be acceptable to the organization may not be acceptable to those external stakeholders.
It becomes clearer how each of the disciplines contributes to operational resilience, and how removing any one of them reduces that resilience.
Operational risk processes aid in the identification of risks and scenarios that would cause disruption. Of the three disciplines, operational risk has the biggest focus on prevention, not just response and recovery. This includes changing processes or dependencies altogether to eliminate risks or their causes, as well as implementing preventive controls.
Key Risk Indicators (KRIs) and early detective controls can also provide warning signals of changing risk exposure or imminent disruption that need to be addressed, which may either prevent disruption or provide time to absorb some of the impact if it does occur.
Business continuity plans and disaster recovery acknowledge that prevention is not always possible, and they can minimize the impact if disruption occurs while enabling effective recovery. They include sufficient rigor and testing to ensure there is internal capability to respond to disruption if it occurs.
Bringing OpRes, BC and DR together
Achieving the outcome of operational resilience requires alignment and effective communication between these disciplines, and sharing the same data.
This can include having access to a single source of truth for:
- The definition and assessments of critical functions and the processes that support them.
- Lists of resources required to support the critical functions and their interdependencies.
- Agreed Maximum Allowable Outages (MAO) for critical functions that can easily be compared with Recovery Time Objectives (RTO) in supporting disaster recovery plans.
- Scenario libraries that can be applied to business continuity functions as well as broader operational risk management.
- Results of testing and exercising of BC and DR plans that are incorporated into risk profiles.
- Key Risk Indicators (KRIs) that can inform response teams of potential disruption.
- Assurance assessments and monitoring of preventive controls to ensure they remain effective.
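One concrete way to use that shared data is to compare the BC team's Maximum Allowable Outages with the DR team's Recovery Time Objectives automatically, following the resource interdependencies recorded in the BIA. The script below is an added example, not code from the original post or from Protecht; it assumes that an asset can only be restored after the assets it depends on are back (so effective recovery time is the asset's own RTO plus its slowest dependency chain), that a critical function is restored once all of its directly supporting assets are, and that the asset and function records are constructed sample data.

```python
"""Compare DR Recovery Time Objectives against BC Maximum Allowable Outages.

Added example (not from the original post). Assumptions, labelled:
- restoring an asset starts only after the assets it depends on are restored
  (sequential restore), so effective RTO = own RTO + slowest dependency chain;
- a critical function is restored when all of its supporting assets are;
- the asset and function records below are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    rto_hours: float                                  # DR Recovery Time Objective
    depends_on: list = field(default_factory=list)    # interdependencies on other assets


@dataclass
class CriticalFunction:
    name: str
    mao_hours: float                                  # BC Maximum Allowable Outage (from the BIA)
    supported_by: list = field(default_factory=list)  # assets the function requires


def effective_rto(name, assets, _stack=()):
    """Worst-case restoration time for an asset, following its dependency chain.

    Raises KeyError for an asset with no DR record and ValueError for a cycle.
    """
    if name in _stack:
        raise ValueError("circular dependency: " + " -> ".join(_stack + (name,)))
    asset = assets[name]  # KeyError here means no DR plan/RTO exists for this asset
    deps = [effective_rto(d, assets, _stack + (name,)) for d in asset.depends_on]
    return asset.rto_hours + (max(deps) if deps else 0.0)


def check_alignment(functions, assets):
    """Return one finding per critical function: OK, RTO_EXCEEDS_MAO, or NO_DR_PLAN."""
    findings = []
    for fn in functions:
        try:
            worst = max((effective_rto(a, assets) for a in fn.supported_by), default=0.0)
        except KeyError as err:
            # A supporting asset (direct or transitive) has no DR record: a gap between BC and DR.
            findings.append({"function": fn.name, "status": "NO_DR_PLAN",
                             "missing_asset": err.args[0]})
            continue
        status = "OK" if worst <= fn.mao_hours else "RTO_EXCEEDS_MAO"
        findings.append({"function": fn.name, "mao_hours": fn.mao_hours,
                         "effective_rto_hours": worst, "status": status})
    return findings


# Constructed sample data (hypothetical asset and function names).
SAMPLE_ASSETS = {
    "core-db": Asset("core-db", rto_hours=4.0),
    "payments-app": Asset("payments-app", rto_hours=2.0, depends_on=["core-db"]),
    "customer-portal": Asset("customer-portal", rto_hours=3.0, depends_on=["payments-app"]),
    "email-gateway": Asset("email-gateway", rto_hours=1.0),
}

SAMPLE_FUNCTIONS = [
    CriticalFunction("Process customer payments", mao_hours=8.0, supported_by=["payments-app"]),
    CriticalFunction("Customer self-service", mao_hours=6.0,
                     supported_by=["customer-portal", "email-gateway"]),
    CriticalFunction("Regulatory reporting", mao_hours=24.0, supported_by=["reporting-warehouse"]),
]


def run_sample():
    """Run the alignment check over the constructed sample data."""
    return check_alignment(SAMPLE_FUNCTIONS, SAMPLE_ASSETS)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

The interesting output is the second function: each individual RTO (3, 2 and 4 hours) is below its six-hour MAO, but the dependency chain portal → payments-app → core-db adds up to nine hours, which only shows up when BC and DR data are compared together. The third function surfaces the other common gap, a resource listed in the BIA that has no DR plan at all.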
In the second part of this blog series, we will be considering how teams from these different disciplines can work together towards a common goal.
Next steps for your organization
Protecht ERM's Operational Resilience module helps you identify and manage potential disruption so you can provide critical services that your customers and community rely on.
Find out more about operational resilience and how Protecht ERM can help your organization:
- Watch our operational resilience webinar
- Download our operational resilience eBook
- Find out more about our Operational Resilience module