Strategies for Building Resilience

Jul 1, 2021 | Business Continuity, Business Resiliency

Resilience is a watchword for every risk management team and every governing board. Resilience represents the ability of entities to avoid, prevent, adapt, respond to, recover from, and learn from operational disruptions.[i] While ensuring business continuity is a key aspect of business resilience, resilience and continuity are related but are not the same.[ii] Understanding your own organization’s resilience requires close and ongoing examination of your organization’s internal AND external business operational procedures and continuity plans and processes.


Anticipating, responding to, adapting, and recovering from disruptions is an everyday part of the ongoing quest for improved organizational resilience. The rise in ransomware, the pandemic, and increasing Environmental, Social, and Corporate Governance (ESG) concerns have expanded the necessary awareness of disruptive events and placed increased emphasis on the costs and other impacts of disruptions. Building strategies to improve resilience is a means of hedging the bet against such events, especially those that can cause significant disruption.


Resilience requires a complete understanding of the interdependencies with other organizations, whether they be third parties or competitors. Robust risk management anticipates where problems are most likely to occur and develops approaches to minimize disruptions. Organizations need to design and exercise a repeatable process to guide the review of their own and their vendors’ business operational procedures, controls, and continuity recovery plans. Mapping business processes end-to-end is critical.


A robust review should include:

  • Perform a Business Impact Analysis (BIA). This analysis provides insight into critical processes, people, technology, and other supply chain components and evaluates the possible impacts of potential events. It should be conducted as appropriate for your organization’s risk exposure. Mature risk management programs conduct this type of analysis regularly to understand their exposure within the changing risk landscape and update their resilience playbooks in light of changing conditions.
  • Maintain up-to-date mapping of your supply chain. Procurement is an important partner in any process that seeks to build and maintain an accurate, current picture of all business processes. Accurate mappings support a rapid response to events when they do occur.
  • Match your strategy to your operational goals. Business units must be involved in this analysis. Recovery time objectives should be realistic and documented and paths to identify redundant services or processes required to improve business continuity should be adopted where feasible.
  • Incorporate learnings from past events into your planning processes. Enhanced reporting can improve your understanding and bolster your response to an event when one occurs. Document those learnings by incorporating them into your policies, response plans, and processes. Be sure to communicate and test changes with appropriate departments throughout your organization AND with your vendors.
  • Use continuous monitoring to ensure current risk intelligence is available to support resilience and to provide insight into issues as they arise. Monitoring will also enhance tracking of control-related remediation efforts with vendors. Remember to consider the location where a vendor or service provider is operating, to ensure you have a complete risk view.
  • Move toward secure, sanitized, tamper-proof immutable storage in keeping with best practices to help ensure faster recovery from a range of cyber-attacks, including ransomware. Immutable storage enables adopters to protect specific data by storing it in a form that can never be altered or removed. If your hosted provider has immutable data storage capability, it might make sense to explore the utility of this approach for your specific business.
  • Conduct incident response testing and training. Require participation of all outside parties who provide support for critical business processes. Even if your organization is not in a regulated industry, test and document your results.
  • Don’t rely on insurance to shield your organization from sub-par business continuity processes. Insurance will not enable faster recovery time or mitigate customer fall-out from poorly executed business recoveries. Insurance may, however, provide useful coverage for forensic work after an incident and defer some recovery costs.
  • Use automated workflows that are backed by pre-specified triggers that bring issues to the attention of practitioners so that a qualified expert can intervene when needed to prevent or respond to an incident.
  • Make Service Level Agreements (SLAs) work for you. Institute SLAs that set expectations for resilience with all vendors, then monitor performance against these expectations over time and adjust as appropriate.
  • Implement a robust Risk & Control Self Assessment (RCSA) program with appropriate review cadence and corrective action plan protocols to provide early-stage awareness.


Adopt a holistic approach to resilience. Even without a global pandemic impacting supply chains, vendor business resilience and availability should be top-of-mind for all organizations. Determine where the weakest links in your supply chain may put your organization at the greatest risk, and engage and work with those parties to strengthen their resilience. When an event occurs affecting your industry peers, examine what happened, observe what the response was, and determine its effectiveness. Explore what your organization can do differently to enhance its continuity and become more resilient going forward.


Resilience planning and programs are living processes that must incorporate today’s challenges and anticipate the uncertainty and changes that emerge as risk environments evolve. Strong resilience demands that practitioners and boards understand and anticipate organizational needs, which requires firms to have a comprehensive understanding of both the state of internal operations and across vendor ecosystems. As ESG, insurance, and other stakeholder challenges continue to evolve, organizations will be held to a higher standard for building robust and dynamic strategies that support operational resilience.

With the right support from executive management and boards, improved resilience is in reach!


[i] Shared Assessments Glossary. 2020-2021. Adapted from: Bank of England – Consultation Paper | CP29/19 Operational resilience: Impact tolerances for important business services. December 2019. https://www.bankofengland.co.uk/-/media/boe/files/prudential-regulation/consultation-paper/2019/cp2919.pdf

[ii] The ISO 22300:2018 standard defines business continuity as: “The capability of an organization to continue the delivery of products or services at acceptable predefined levels following a disruption”. ISO. 2021. https://www.iso.org/standard/68436.html. The ISO 22316:2017 standard defines organizational resilience as: “The ability of an organization to absorb and adapt in a changing environment to enable it to deliver its objectives and to survive and prosper.” Good risk management is an essential part of resilience. Learning feeds both sides of the equation: how the business prepares for something and how it responds.


John Bree

John is Chief Evangelist & Chief Risk Officer with Supply Wisdom, the leading patented continuous risk intelligence and monitoring solution for third parties and locations. He is recognized as a global financial industry executive and risk subject matter expert, in vendor/third-party risk management, AML/CTF, KYC, and anti-fraud programs. Prior to joining Supply Wisdom, John held senior positions globally for Citi and Deutsche Bank covering corporate, investment, commercial, and consumer banking. He has managed global staff and corresponding budgets in multiple locations and delivered cost-efficient and operationally effective programs ensuring compliance with local and global regulatory requirements. Through interaction with Business Units, Internal Audit, and regulatory agencies, John resolved MRIAs, MRAs and Findings, on time and without penalty. John is a member of the Shared Assessments US and UK Steering Committees and Co-Chair of the Financial Industry Vertical Strategy Group.


Bob Jones

Bob Jones is deeply committed to contributing to the well-being of the financial services community. A well-known and sought-after expert in risk management strategy, he has 50 years of experience leading fraud risk management and risk management strategy. When not writing blogs for SharedAssessments, Bob enjoys playing with his 4 grandchildren and 2 granddogs.


Kaelyn Lewis

Kaelyn Lewis is the Senior Risk Consultant, Rochdale Paragon. She provides third-party and operational risk consulting services at RPG as well as SME support for services and software development. She manages third-party programs for three large credit unions and their credit union service organization affiliates (CUSOs).


Gary Roboff, Senior Advisor

With four decades of experience in financial services planning and management, Gary Roboff is a Subject Matter Expert in financial risk and payments. Gary leads the Shared Assessments Regulatory Compliance and SFG Risk Committees and leads the development of the Shared Assessments TPRM Framework.
