2021 brings in new operational resilience rules from both the UK's financial regulators and the EU.
Ensuring an organisation is resilient benefits both the organisation and its customers, but building an operational resilience framework can seem daunting.
By understanding the four key principles that underpin operational resilience, building a framework for resilience becomes easier to manage.
The main steps reviewed in this article are:
- The four key principles
- Identifying important business services
- Mapping the resources required to deliver those services
- Setting impact tolerances
- Reviewing how to close the gap between the current position and the desired future position
Four Principles of Operational Resilience
Every operational resilience framework will be particular to its organisation, but each should be founded on four key principles:
- Knowledge of risks
- Embedded company-wide
- Communication (internal and external)
- Continuous learning and improvement
To have a successful operational resilience framework, an organisation needs to have knowledge of risks to its operations. An organisation cannot be resilient if it doesn’t have an awareness of the threats that could cause disruption to its operations and its delivery to customers.
Operational resilience needs to be embedded company-wide. Whilst business continuity policies are often managed by a small team, resilience needs to be threaded through each department.
Communication is critical to operational resilience. Firstly, the policy itself needs to be communicated and understood at all levels of the organisation. Secondly, communication needs to be maintained during any disruptive event so that operations continue. And finally, the UK regulators expect financial services firms to have a plan for communicating with consumers during a disruption.
The final principle is continuous learning. This is partly because impact tolerances should be reviewed each year, and partly because the business landscape constantly shifts, moving the threats and challenges with it. Operational resilience therefore needs to be continually improved: the current position and the desired position should be defined, and steps identified for closing the gap between the two.
Identifying Important Business Services
Important Business Services is a phrase used by the Financial Conduct Authority (FCA) in the UK to mean the services in the financial sector that, if disrupted, would cause harm to consumers or market integrity, threaten the viability of firms or cause instability in the financial system.
Outside of financial services, it could mean the actions that an organisation undertakes which are critical to fulfilling customer needs.
An organisation will undertake many tasks that don’t directly add value to the customer. The operational resilience plan should consider only those services which are critical to customers.
As an example, if a drinks manufacturer were starting its operational resilience framework, one important business service it would identify is applying labels to bottles.
Other tasks will be required by the organisation but wouldn’t be considered important business services in this context. For example, the organisation is required to file annual accounts on time, but a delay to this wouldn’t threaten consumers or market integrity. Other tasks could be maintenance regimes, supplier audits and IT upgrades.
How to Map
Once important business services have been identified, an organisation needs to ‘map’ the technology, people, processes, facilities, supplies, and information required to fulfil those services. This can include requirements internally within the organisation and externally with the supply chain or business partners.
In the financial services sector important business services could be the ability to withdraw cash, make online payments or alter investments. Some of these services inevitably rely on third parties, such as those which manage ATMs, as well as internal departments and technology.
To start the map, it may be easier to define the process steps for delivering the service and then identify which resources are needed to enable each step. This is similar to building a ‘critical path’ for a project.
The map is a critical part of the operational resilience framework because the people and internal departments it identifies need to be made aware of their role in delivering important business services. They will carry individual responsibility for continuing operations and will be named in the framework. Additionally, the risks to each resource on the map need to be identified and, where possible, mitigated.
In our example of applying labels onto drinks bottles, here are the assets required to fulfil the task:
Technology: Labelling machine, control system, label design program
People: Machine operator, quality assurance
Facilities: Electricity, sheltered factory space
Supplies: Labels, adhesive
Information: Customer demand, transport information
How to Set Impact Tolerances
Once the important business services have been identified and mapped, an organisation can set the impact tolerances for disruption. An impact tolerance is the maximum level of disruption to an important business service that the organisation can tolerate, expressed as the maximum duration of that disruption.
The first stage of this is to analyse the standard operational outputs. This enables the organisation to determine the starting point before any disruption takes place. From there, the organisation can determine how long any disruptive event can endure before the important business service reaches a critical point for delivery to customers.
The tolerances are unique to the organisation. Regulators won’t have a specified time that they are expecting organisations to stay within. Rather, they will want to understand how each tolerance has been set and its impact on consumers.
Our drinks manufacturer usually applies 100 labels per minute, so in every hour 6,000 bottles are labelled and ready for transport to customers.
Transport comes every 4 hours to collect 24,000 bottles, and the factory keeps a buffer of a further 24,000 finished bottles in stock at all times, ready for collection.
Using this information, the organisation knows that the buffer can absorb at most one collection interval of lost production: any complete outage of the labelling machine lasting more than 4 hours will leave a collection short and affect onward delivery to customers. That figure is the worst case, an outage beginning straight after a collection; a slowdown rather than a full stop drains the buffer more slowly, so the tolerance should be stated against a defined level of degradation.
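As an added worked example that is not part of the original article, the following Python models the labelling line as a finished-goods buffer drained by periodic collections and searches for the longest outage the buffer can absorb, sweeping every possible start time and covering a partial slowdown as well as a complete stop. The production, collection and buffer figures are the article's; the half-speed case and the names `Service`, `first_missed_pickup` and `max_tolerable_outage` are assumptions of this example.

```python
"""Impact-tolerance check for a buffered production service.

Added example (not from the article): the labelling line is modelled as a
production rate feeding a finished-goods buffer that is drained by periodic
collections, and the longest outage the buffer can absorb is found by search.
The figures are the article's; the degraded-rate case is an assumption used
to show what a partial outage does to the tolerance.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    rate_per_hour: float   # normal throughput, bottles per hour
    batch: int             # bottles taken at each collection
    interval_hours: float  # hours between collections
    safety_stock: int      # finished bottles held back on top of normal flow


# Article figures: 100 labels/min = 6,000/h, 24,000 collected every 4 h, and a
# standing buffer of one collection's worth (the reading under which "more
# than 4 hours affects delivery" holds).
LABELLING = Service(rate_per_hour=6000, batch=24_000, interval_hours=4, safety_stock=24_000)


def _overlap(a0, a1, b0, b1):
    """Length of the intersection of the intervals [a0, a1] and [b0, b1]."""
    return max(0.0, min(a1, b1) - max(a0, b0))


def first_missed_pickup(svc, outage_start, outage_hours, degraded_fraction=0.0, pickups=8):
    """1-based index of the first collection that finds too little stock, or None.

    Time zero is the moment a collection has just happened and stock sits at the
    safety level. During the outage the line runs at degraded_fraction of its
    normal rate (0.0 means a complete stop).
    """
    assert svc.rate_per_hour * svc.interval_hours >= svc.batch, "line cannot keep up even when healthy"
    stock = float(svc.safety_stock)
    lost_rate = svc.rate_per_hour * (1.0 - degraded_fraction)
    outage_end = outage_start + outage_hours
    for k in range(1, pickups + 1):
        t0, t1 = (k - 1) * svc.interval_hours, k * svc.interval_hours
        # Normal production over the interval, less what the outage cost inside it.
        produced = svc.rate_per_hour * (t1 - t0) - lost_rate * _overlap(t0, t1, outage_start, outage_end)
        stock += produced
        if stock < svc.batch:
            return k
        stock -= svc.batch
    return None


def max_tolerable_outage(svc, degraded_fraction=0.0, step_hours=0.25, max_hours=48.0):
    """Longest outage (hours) that never causes a missed collection, whatever its start time.

    Start times are swept across a single collection interval: in steady state the
    stock is back at the safety level after every collection, so later starts repeat.
    """
    starts = [i * step_hours for i in range(int(svc.interval_hours / step_hours))]
    pickups = int(max_hours / svc.interval_hours) + 3  # horizon long enough to see the outage's tail
    best = 0.0
    duration = step_hours
    while duration <= max_hours:
        if any(first_missed_pickup(svc, s, duration, degraded_fraction, pickups) is not None for s in starts):
            return best
        best = duration
        duration += step_hours
    return best


if __name__ == "__main__":
    print("complete stop tolerated for", max_tolerable_outage(LABELLING), "hours")
    print("half-speed running tolerated for", max_tolerable_outage(LABELLING, degraded_fraction=0.5), "hours")
    print("a 4.25 h stop straight after a collection first misses pickup", first_missed_pickup(LABELLING, 0.0, 4.25))
```

The search reproduces the article's 4-hour figure for a complete stop and shows that at half speed the same buffer lasts 8 hours, which is why the tolerance is only meaningful alongside the level of degradation it assumes. Changing `safety_stock` is the quickest way to see what an extra buffer buys, and the sweep over start times catches the case where an outage straddles a collection rather than beginning just after one.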
Closing the Gap
Businesses, their important business services and their potential disruptors constantly change. Because of this, flexibility and continuous improvement run through the core of operational resilience, for two reasons:
- An out of date policy won’t keep the organisation running through adversity
- The organisation should look to continually improve its tolerances to disruptive events
The review of an operational resilience framework can be structured by considering the organisation’s current position compared to a desired future position. The learning should be embedded within all departments of the organisation.
Once the risks and potential disruptors have been identified, the desired future position could include ways in which threats are mitigated. For example, if dependence on a number of single-sourced raw materials had been identified as a threat, the organisation could set a goal to improve this by sourcing more suppliers.
The term operational resilience will be heard increasingly often in the coming years, but it is more than a buzzword. In an increasingly global, connected economy, organisations need to ensure they can continue to operate and fulfil customer needs through adversity.
Covid-19 has been perhaps the largest global challenge to date, and one of its side effects for business has been an increase in fraud and cyber attacks. Regulators want to be confident that organisations can withstand threats to their operations.
Building a framework around the four key principles, and embedding it within the organisation, will please the regulators and, more importantly, protect the organisation’s customers from disruption.