How to Build Operational Resilience

The importance of operational resilience has been dramatically underlined by COVID-19. Regulation is demanding. This blog demystifies resilience by highlighting how to use what you already have, clarify your goals and plan the journey.

First diagnosis

When it comes to resilience, you may well be in a better position than you think. You probably already have several of the building blocks needed to achieve operational resilience. These include business continuity management, crisis management, cyber security, IT resilience and third-party risk management (Figure 1). In mature target environments, all blocks are in place, operating consistently as part of a rigorous Operational Risk Management (ORM) framework.

For now, the blocks might show varying degrees of maturity and operate inconsistently and in silos. A good way to start is a maturity assessment of each component and of your global ORM framework, which shows your current strengths and weaknesses and highlights priorities for improvement.

Figure 1. Resilience Building Blocks

Resilience Heatmap

To help firms visualise their journey and focus on the priorities, we developed a set of assessment criteria using a 5-point scale, from foundation to best practice, applied on 4 dimensions for each resilience block: governance, maturity, resourcing and culture. Each dimension is itself broken down into specific assessment criteria.

Results from this maturity assessment are collated in a resilience heatmap, a convenient visualisation of an organisation's strong and weak points, with satisfactory areas marked in green and areas for improvement shown in darker shades of yellow, amber or red. Figure 2 is an example of a resilience heatmap. Criteria labels are left out intentionally for intellectual property reasons, so please contact us to learn more.

Not every firm needs to score high on every dimension, block and criterion. Realistic objectives should take into account regulatory requirements and expectations for firms of similar size, nature and complexity. A proportionate approach is perfectly acceptable.

Figure 2. Resilience Heatmap

The path to resilience

Heatmap results may show that established disciplines such as cyber security score relatively well, while areas that depend on identifying ‘Important Business Services’ (IBS) may not yet exist.

Before beginning, use the results of this health check and gap analysis to create a clear target operating model and a roadmap to achieve it. Make sure that appropriate governance is in place for the project, using the existing change management framework if you have one.

Be clear about your desired outcomes, identify key sponsors and stakeholders, and embrace operational resilience as an outcome of sound Operational Risk Management. This has numerous advantages, including, crucially, the potential to use what you already have and thereby avoid duplication, confusion and the needless costs of running separate activities.

An integrated approach to operational resilience under ORM helps break down existing silos, which can be a significant barrier to effective risk management. Outcomes will go beyond resilience alone, reinforcing the operational risk management practice and compliance of the whole organisation.

We hope you find this blog helpful. For a full overview of our approach to framework improvements, please contact us.