Resilience

Resilience is the ability of an organization to deliver critical operations and achieve intended outcomes through uncertainty, disruption and change.

How we can help you

Resilience is vital for an organization’s survival and success in today’s unpredictable world. It ensures that a company can withstand and quickly recover from disruptions—whether from cyber attacks, natural disasters, or market shifts. A resilient organization not only protects its assets and reputation but also maintains customer trust and employee morale. By embedding resilience into its culture, an organization can adapt to changes, minimize downtime, and maintain continuity. This proactive approach leads to sustained performance and competitive advantage, making resilience not just a safeguard but a strategic asset for long-term growth and stability.

 

Agility to withstand disruption

Break the silos. Work together.

Operational resilience requires a concerted approach with all risk functions.

Isn’t Operational Resilience just “BCM done well”?

Ask 20 managers for their definition and scope of Business Continuity Management, and you will get 25 different answers. Over the decades, different organizations have interpreted and implemented BCM in different ways. For some, the scope was limited to “Evacuate the building and move staff to a recovery site”. For others, it was purely about disaster recovery of IT systems and data backups. And then there were those who took a more literal definition and focused on the continuity of business in a more comprehensive way, including the unavailability of vendors, pandemics, and other operational threats. The situation was not much different in Operational Risk Management: in some organizations BCM reported to ORM, for example, whereas in others such teams worked largely independently.

This inconsistent and often fragmented approach to continuity risk management left much to be desired. There was the risk that various plans overlapped, were inconsistent, had gaps, or even contradicted each other. It was therefore time to introduce a new concept to cover all continuity risk controls in a consistent way. That new concept is called “Resilience”.

Operational Resilience is further defined in standards by authorities around the globe, such as ISO, Basle Committee for Banking Supervision, IOSCO, PRA, HKMA, etc.

Operational Resilience requires a concerted approach with all risk functions:

Information Security

Protect data from unauthorized access, alteration, and destruction, ensuring CIA: Confidentiality, Integrity, and Availability of information systems. Threats include cyber attacks, system failure, rogue IT staff, etc.

Operational Risk Management

ORM, part of Enterprise Risk Management, involves identifying, assessing, mitigating and monitoring risks in processes, people, systems, and external events.
ORM as a standard method of evaluating internal controls and risks originated in the financial sector, and was given a significant boost following the Enron and WorldCom financial fraud and rogue trader events.

Business Continuity Management

BCM is the process of identifying, planning, and implementing measures and alternative solutions to protect the organization from the potential impacts of disruptive incidents.
BCM starts with a Business Impact Analysis to identify the most time-critical processes. A focus point of BCM is to have alternative solutions and a BC plan ready whenever a disruption occurs, especially unavailability of People, Buildings, IT or Vendors.

Vendor Risk Management

Vendor Risk Management involves assessing, monitoring, and mitigating risks posed by third-party vendors to ensure compliance, security, and continuity. Manage and control the risk of vendor service disruption. A contractual SLA may not suffice, and you can never outsource responsibility.
Vendors in scope include outsourcing partners, market data providers, offshore centers, logistics services, IT software or hardware suppliers, laundry, cleaning, archive services, white label partners, call centers, etc.

Building a Resilience framework

Practical, pragmatic and based on best practice

Key steps in building Operational Resilience

Our approach to resilience is inspired by, and closely aligned with, the most recent standards published by the (inter)national authorities for the financial world and other critical industries, as well as ISO and global specialist peer organizations like the BCI, ISACA and ASIS.

01

Governance

It may sound obvious, but the Board of Directors and senior management are accountable for business services.

But how can they shape this overall control? What reports, KPIs and other information and training do they need to effectively take ownership and exercise governance?

02

Prioritize

In this stage, we help you identify your important business functions and essential or critical operations. The focus is first and foremost external: what do your customers need and expect from you?

03

Tolerance

Impact Tolerance is different from Risk Tolerance. Where Risk is based on Likelihood x Impact, this tolerance only looks at Impact. The risk of each individual threat may be small, but taken all together it may be quite unacceptable.

So rather than trying to predict a specific incident, focus on limiting the impact by building agility, and plan for alternative ways of meeting customer needs.

04

Scenarios

Severe but Plausible scenarios are not about predicting the future. Nobody predicted the attack on the NY Trade Centre, the Fukushima series of events, or COVID. Yet they happen. And you can certainly prepare for the consequences of such events.

We will guide you through the process of creating scenarios that are impactful and will help focus and guide pragmatic planning and preparation.

05

Prepare

Now that we know our priorities and what is unacceptable impact, we can prepare for severe but plausible scenarios.

What would we do if all our IT systems were unavailable for a prolonged period of time? And what can we do to prepare ourselves to make the impact tolerable? For example, perhaps a manual workaround. Or let people work from home. It may not be pretty, but it is better than nothing.

ContinuityGroup experts pride themselves on having helped a large number of organizations of all sizes and industries to improve their agility and Operational Resilience. Not just ticking boxes, but full of pragmatism and creativity. We look forward to being of assistance to you as well!
