Operational resilience is the ability to deliver operations, including critical operations and core business functions, through a disruption from any hazard. It is the outcome of effective operational risk management combined with sufficient financial and operational resources to prepare for, adapt to, withstand, and recover from disruptions.
Any organisation that operates in a safe and sound manner is able to identify threats, respond and adapt to incidents, and recover and learn from such threats and incidents, so that it can prioritise and deliver critical operations and core business lines, along with other operations, services and functions identified by the organisation, through a disruption.
Effective governance grounds operational resilience. Robust operational risk and business continuity management anchor good operational resilience practices, which are informed by rigorous scenario analyses and consideration of third-party risks. Secure and resilient information systems underpin the approach to operational resilience, which is supported by thorough audit, monitoring, review and reporting.
1. Governance
Effective governance helps ensure that organisations not only operate in a safe and sound manner and comply with applicable laws and regulations, but also maintain operational resilience. In keeping with existing regulations and guidance, the practices outlined below promote effective governance.
- The organisation’s board of directors approves and periodically reviews its risk appetite for weathering disruption from operational risks, at the enterprise level and for the organisation’s critical operations and core business lines. In setting the organisation’s risk appetite, the board of directors articulates the organisation’s tolerance for disruption, considering its risk profile and the capabilities of its supporting operational environment (“tolerance for disruption”).
- The organisation’s board of directors works with the management team to ensure that operational resilience practices are led and staffed by individuals with relevant expertise, approves appropriate budgets and resources, and promotes a culture of effective risk management.
- The board of directors oversees the organisation’s management of operational risk in its operations, its independent operational risk management function, and its independent internal (or external) audit function. The management team is accountable for ensuring that each of these areas adheres to the organisation’s tolerance for disruption.
- The management team is accountable for maintaining a detailed, accurate, and regularly updated overview of the organisation’s organisational and legal structure that identifies the critical operations and core business lines of the organisation and its material entities.
- The management team is accountable for developing, implementing, and managing effective and resilient information systems and controls, as appropriate, to maintain critical operations and core business lines consistent with the organisation’s tolerance for disruption.
- The internal (or external) audit function is responsible for independently assessing the design and ongoing effectiveness of the organisation’s operational resilience efforts.
2. Operational Risk Management
By identifying, managing, and mitigating operational risk exposures related to internal processes, people, systems, external threats, and third parties, an organisation is able to strengthen its operational resilience. Effective operational risk management involves close engagement by the organisation’s senior management, business line operations, independent operational risk management function, and independent internal (or external) audit function. In keeping with existing regulations and guidance, the practices outlined below promote effective operational risk management.
- The organisation’s management team oversees the implementation of operational risk management processes, systems, and controls to identify and contain the scope of a disruption, mitigate its effects, and resolve the disruption consistent with the organisation’s tolerance for disruption.
- The organisation’s business line operations management identifies and mitigates operational risk exposures in alignment with the organisation’s tolerance for disruption.
- The organisation’s operational risk management function assesses the critical operations of the organisation and its material entities. It determines the extent of exposure to various operational risks the organisation faces or forecasts and the organisation’s ability to recover from a disruption.
- The organisation’s operational risk management function regularly reviews, tests, and updates internal controls relevant to the organisation’s critical operations and core business lines including those performed by third parties.
- The organisation’s operational risk management function implements and maintains risk identification and assessment approaches that adequately capture business processes and their associated operational risks, including technology and third-party risks.
- The organisation’s independent internal (or external) audit function provides a review and challenge of the organisation’s operational risk management function and assesses whether it is appropriately operating within the organisation’s tolerance for disruption.
- The organisation’s operational risk management function works closely with its business continuity management and recovery or resolution planning functions with respect to operational resilience efforts.
3. Business Continuity Management
Business continuity plans consider market- and enterprise-wide stresses and idiosyncratic risks that can imperil the continuity of an organisation’s critical operations or otherwise have a broader impact on the organisation.
An organisation that is subject to recovery or resolution planning requirements can leverage the information in these plans for business continuity management purposes. In keeping with existing regulations and guidance, the practices outlined below promote sound business continuity management.
- The organisation’s business continuity management incorporates business impact analysis, testing, training, and awareness programs, as well as communication and crisis management policies.
- The organisation periodically reviews its business continuity plan to ensure contingency strategies remain consistent with current operations, risks and threats, its tolerance for disruption, and recovery priorities.
- The organisation tests business continuity plans, reviews the execution of tests, and improves plans by incorporating lessons learned. Business continuity tests and exercises incorporate dependencies of critical operations and core business lines on third parties. When possible, the organisation participates in disaster recovery and business continuity testing with third parties associated with critical operations and core business lines.
- Functional testing procedures are conducted to assess the ability of an organisation’s IT systems to deliver minimum service capacity to critical operations and core business lines, and to confirm that these are consistent with the organisation’s business continuity objectives. The organisation’s business continuity management considers and incorporates scenarios in which service capacity and business continuity objectives cannot be met.
- The organisation identifies and manages the availability of personnel who are essential to the execution of the organisation’s critical operations and core business lines. The organisation has one or more alternate sites with sufficient resources (including personnel), technology capabilities, and functionality to execute the organisation’s critical operations and core business lines in the event of a disruption. The alternate sites are located at a sufficient geographical distance from the primary site and have a distinct risk profile.
- The organisation’s business continuity management includes remote-access contingencies that allow personnel to continue delivering the organisation’s critical operations and core business lines through a disruption. The management of these contingencies prioritises critical operations and core business lines and provides personnel with adequate connectivity, communication and collaboration tools, essential technology resources, and access to network systems. These contingencies incorporate transitioning personnel back to normal operations following the resolution of a disruption.
- The organisation trains essential personnel who have responsibility for executing critical operations and core business lines to perform back-up roles should a disruption occur. The organisation implements an operational resilience training and awareness program to evaluate the effectiveness of personnel-related business continuity arrangements and the program is improved as shortcomings are identified.
- The organisation’s recovery or resolution planning, if applicable, is integrated into its governance and operating processes and is part of business-as-usual activities, including organisation-wide risk management processes. In the context of operational resilience, recovery or resolution planning is understood as complementary to, and linked with, existing risk management and business continuity management processes.
- The organisation leverages information contained in its recovery or resolution plans, where applicable, to identify options to respond to a wide range of severe but plausible internal and external stress scenarios. The organisation similarly leverages the identification of interconnections and interdependencies among critical operations and core business lines, affiliates, subsidiaries, and third parties.
4. Third-Party Risk Management
In recent years, organisations have made increasing use of third parties to deliver a variety of services, including those that are integral to critical operations and core business lines. Recognition of third-party risk is vital to operational resilience, especially if outsourcing arrangements involve entities that perform critical operations or core business activities. In keeping with existing regulations and guidance, the practices outlined below promote sound management of third-party risk.
- The organisation identifies and analyses the third-party risk of its critical operations. It prioritises the third-party dependencies that are most significant to the organisation and understands, manages, and mitigates the associated risks.
- The organisation establishes relationships with third parties through formal agreements. The organisation manages and monitors the performance of third parties against its service requirements and its tolerance for disruption.
- The organisation periodically reviews reports of systems and controls and summaries of test results or other equivalent assessments of third parties. It establishes processes and benchmarks for monitoring a third party’s ability to continue to deliver services during disruptions.
- The organisation verifies that third parties have sound risk management practices and controls in place that serve to identify and mitigate hazards to operations and are consistent with the organisation’s tolerance for disruption.
- The organisation addresses key third-party concerns to the extent that these concerns affect the organisation’s operational resilience (e.g., through due diligence, contract negotiations, ongoing monitoring, and termination of contracts).
- The organisation identifies risks from third parties that provide it with public and critical infrastructure services, such as power, water, heating, telecommunications, buildings and personnel, as well as environmental hazards and illness (for example, Covid). The organisation has processes to manage disruptions of these services and updates these processes as appropriate to stay within its tolerance for disruption.
- The organisation identifies other third parties that may be available to assist in the event its current third parties are unable to continue delivering services. The organisation assesses the substitutability of third parties that provide services supporting the organisation’s critical operations and core business lines including the possibility of bringing a service back in-house.
5. Scenario Analysis
Scenario analysis helps an organisation to develop, validate, and calibrate its tolerance for disruption. Organisations may integrate the analysis with disaster recovery and business continuity management for use in assessing operational resilience. In keeping with existing regulations and guidance, the practices outlined below promote effective scenario analysis.
- Operational risks identified by the organisation’s operational risk management function, independent internal (or external) audit function, business continuity management, and recovery or resolution planning activities should be incorporated, as applicable, into severe but plausible scenarios affecting the organisation’s critical operations and core business lines. The organisation designs the scenarios so that they may be used to test the organisation’s tolerance for disruption.
- The organisation maintains a robust governance framework and independent review function to oversee the integrity and consistency of the scenario development process.
- In designing scenarios, the organisation leverages both the mapped interconnections and interdependencies of its critical operations and core business lines, including its third-party risks, set forth in its recovery or resolution plans, as well as relevant business impact analyses.
- The organisation uses scenario analysis to back-test against past instances of severe disruption, whatever their cause. The results of back-testing are used to refine scenarios and increase their effectiveness for the future.
- The organisation identifies potential risk transmission channels, concentrations, and vulnerabilities by analysing the interconnections and interdependencies within and across its critical operations and core business lines considering third-party risks. The information that is obtained from these analyses informs the organisation’s tolerance for disruption.
6. Secure and Resilient Information System Management
Secure and resilient information systems underpin the operational resilience of an organisation’s critical operations and core business lines. The appropriate implementation, use, and protection of information systems can help an organisation identify and detect risks to operational resilience. They also enhance its ability to withstand disruptions or failures and facilitate the flow of information to enable effective decision-making during a disruption. In keeping with existing regulations and guidance, the practices outlined below promote secure and resilient information systems.
- Information systems, including elements that depend on third parties, supporting the organisation’s critical operations and core business lines are subject to robust risk identification, protection, detection, and response and recovery programs that are regularly tested. Information systems incorporate appropriate situational awareness and provide management with relevant information on a timely basis.
- The organisation routinely applies and evaluates the effectiveness of processes and controls to protect the confidentiality, integrity, availability, and overall security of the organisation’s data and information systems.
- The organisation establishes controls to safeguard the integrity and availability of critical data against the impact of destructive malware, including ransomware, or other similar threats. Recovery from such incidents may include use of protocols for secure, immutable, off-line storage of critical data.
- The organisation reviews information systems and controls on a regular basis against common industry standards and best practices. The organisation also regularly reviews and updates its systems and controls for security against evolving threats including cyber threats and emerging or new technologies.
The organisation may benefit from the use of a standardised tool, aligned with common industry standards and best practices, to assess its cybersecurity preparedness (e.g., a NIST tool).
7. Surveillance and Reporting
Operational resilience entails ongoing surveillance and reporting of operational risks and dissemination of that information to the board of directors and relevant stakeholders across the organisation. In keeping with existing regulations and guidance, the practices outlined below promote sound surveillance and reporting.
- The organisation identifies and monitors ongoing exposure to operational risk relative to its risk appetite and tolerance for disruption. The organisation establishes and maintains appropriate communication and coordination procedures to inform all relevant areas of the organisation’s ongoing exposures.
- The organisation detects in a timely manner anomalous activity that could lead to a disruption affecting the organisation’s critical operations and core business lines, and it assesses the potential impact of the activity together with the effectiveness of protective measures.
- The organisation conducts continuous surveillance and reporting to the management team and the board of directors that provides sufficient data and information for timely and appropriate decisions regarding measures to respond to a disruption.