Resilience is a watchword for every risk management team and every governing board. Resilience represents the ability of entities to avoid, prevent, adapt, respond to, recover from, and learn from operational disruptions.[i] While ensuring business continuity is a key aspect of business resilience, resilience, and continuity are related but are not the same.[ii] Understanding your own organization’s resilience requires close and ongoing examination of your organization’s internal AND external business operational procedures and continuity plans and processes.
Anticipating, responding to, adapting, and recovering from disruptions is an everyday part of the ongoing quest for improved organizational resilience. The rise in ransomware, the pandemic, and increasing Environmental, Social, and Corporate Governance (ESG) concerns have expanded the necessary awareness of disruptive events and placed increased emphasis on the costs and other impacts of disruptions. Building strategies to improve resilience is a means of hedging the bet against such events, especially those that can cause significant disruption.
Resilience requires a complete understanding of the interdependencies with other organizations, whether they be third parties or competitors. Robust risk management anticipates where problems are most likely to occur and develops approaches to minimize disruptions. Organizations need to design and exercise a repeatable process to guide the review of their own and their vendors’ business operational procedures, controls, and continuity recovery plans. Mapping business processes end-to-end is critical.
A robust review should include:
- Perform a Business Impact Analysis (BIA). This plan provides insight into critical processes, people, technology, and other supply chain components and evaluates the possible impacts of potential events. This analysis should be conducted as appropriate for your organization’s risk exposure. Mature risk management programs conduct this type of analysis regularly to understand their exposure within the changing risk landscape and update the resilience playbooks in light of changing conditions.
- Maintain up-to-date mapping of your supply chain. Procurement is an important partner in any process that seeks to build and maintain an accurate, current picture of all business processes. Accurate mappings support a rapid response to events when they do occur.
- Match your strategy to your operational goals. Business units must be involved in this analysis. Recovery time objectives should be realistic and documented and paths to identify redundant services or processes required to improve business continuity should be adopted where feasible.
- Incorporate learnings from past events into your planning processes. Enhanced reporting can improve your understanding and bolster your response to an event when one occurs. Document those learnings by incorporating them into your policies, response plans, and processes. Be sure to communicate and test changes with appropriate departments throughout your organization AND with your vendors.
- Use continuous monitoring to ensure current risk intelligence is available to support resilience and to provide insight into issues as they arise. Monitoring will also enhance tracking of control-related remediation efforts with vendors. Remember to consider the location where a vendor or service provider is operating, to ensure you have a complete Risk view.
- Move toward secure, sanitized, tamper-proof immutable storage in keeping with best practices to help ensure faster recovery from a range of cyber-attacks, including ransomware. Immutable storage enables adopters to protect specific data that will be stored in a form that can never be altered or removed. If your hosted provider has immutable data storage capability it might make sense to explore the utility of this approach to your specific business.
- Conduct incident response testing and training. Require participation of all outside parties who provide support of critical business processes. Even if your organization is not in a regulated industry, test and document your results.
- Don’t rely on insurance to shield your organization from sub-par business continuity processes Insurance will not enable faster recovery time or mitigate customer fall-out from poorly executed business recoveries. Insurance may, however, provide useful coverage for forensic work after an incident and defer some recovery costs.
- Use automated workflows that are backed by pre-specified triggers that bring issues to the attention of practitioners so that a qualified expert can intervene when needed to prevent or respond to an incident.
- Make Service Level Agreements (SLAs) work for you. You should institute SLAs that set expectations for resilience with all vendors before monitoring for performance against these expectations over time and adjust as appropriate.
- Implement a robust Risk & Control Self Assessment (RCSA) program with appropriate review cadence and corrective action plan protocols to provide early-stage awareness.
Adopt a holistic approach to resilience. Even without a global pandemic impacting supply chains, vendor business resilience and availability should be top-of-mind for all organizations. Determine where the weakest links in your supply chain may put your organization at the greatest risk and establish and work with those parties to strengthen their resilience. When an event occurs affecting your industry peers, examine what happened, observe what the response was, and determine its effectiveness. Explore what your organization can do differently to enhance your organization’s continuity and become more resilient going forward.
Resilience planning and programs are living processes that must incorporate today’s challenges and anticipate the uncertainty and changes that emerge as risk environments evolve. Strong resilience demands that practitioners and boards understand and anticipate organizational needs, which requires firms to have a comprehensive understanding of both the state of internal operations and across vendor ecosystems. As ESG, insurance, and other stakeholder challenges continue to evolve, organizations will be held to a higher standard for building robust and dynamic strategies that support operational resilience.
With the right support from executive management and boards, improved resilience is in reach!
[i] Shared Assessments Glossary. 2020-2021. Adapted from: Bank of England – Consultation Paper | CP29/19 Operational resilience: Impact tolerances for important business services. December 2019. https://www.bankofengland.co.uk/-/media/boe/files/prudential-regulation/consultation-paper/2019/cp2919.pdf
[ii] The ISO 22300:2018 standard defines business continuity as: “The capability of an organization to continue the delivery of products or services at acceptable predefined levels following a disruption”. ISO. 2021. https://www.iso.org/standard/68436.html. The ISO 22316:2017 standard defines organizational resilience as: “The ability of an organization to absorb and adapt in a changing environment to enable it to deliver its objectives and to survive and prosper.” Good risk management is an essential part of resilience. Learning feeds both sides of the equation. How the business prepares for something vs how it responds.