New from the Business Continuity Institute (BCI) is its Operational Resilience Report, sponsored by the software firm Riskonnect.
In a foreword, Rachael Elliott of the Institute notes that while “definition confusion” is still very much present when it comes to business continuity, operational resilience, organizational resilience, and operational risk, the key principles of operational resilience are now extending beyond the financial services sector (to data centres, for example) due to the perceived value in protecting customers, reputation, and, ultimately, balance sheets. Regulation – such as the EU Digital Operational Resilience Act (DORA) covering the European Union, and in Australia the APRA CPS 230 standard – is the primary driver for building operational resilience, she adds.
As for definitions, the report suggests that operational resilience is more proactive, while business continuity is more reactive and is a part of resilience. It quotes the international standard ISO 22316:2017, which describes organizational resilience as “the ability of an organization to absorb and adapt in a changing environment”.
Of those who completed the survey, two-thirds comply with between one and five regulatory schemes, while nearly a fifth (18.4pc) say they are having to meet the requirements of more than five. After regulatory compliance, good practice is the reason those surveyed gave second most often for developing an operational resilience programme. Although operational resilience is still yet to be clearly defined across all sectors and countries, the idea has long been around, the report points out, in sectors such as aviation. Managerial support and discussions around operational resilience, especially within the technology function, are due to the digital risk behind regulations such as DORA.
What role should be accountable for operational resilience? It should be a member of the C-suite, according to the report, and so it often is, whether the chief exec or a chief operations officer; or there’s a specific head of resilience role, ‘which typically takes ownership of the daily management’. The report acknowledges that some in management are ‘still reluctant to invest in a programme which, in their eyes, offers little financial return. This issue is particularly relevant as organizations struggle to recruit and retain qualified personnel to build and maintain operational resilience programmes …’ Among other problems are ‘legacy infrastructure’ and not knowing the risks in the supply chain.
The report airs the concern that resilience regulation could become a ‘tick box exercise’, and that businesses go for minimal compliance. Those surveyed spoke of interest in ‘plausible scenarios’; ‘perhaps because implementation deadlines are approaching, and regulators are increasingly requiring demonstration that organizations are able to meet their impact tolerances in the face of significant disruption’. Other processes or tools important to doing operational resilience are identifying critical suppliers and finding ‘impact tolerances’.
The report, like others by the BCI, is free to download if you sign up; you don’t have to be an Institute member. Visit https://www.thebci.org/resource/bci-operational-resilience-report-2024.html.




