Investing in Operational Resilience – the most lucrative investment you will ever make!

The World Economic Forum has estimated that “Fighting COVID-19 could cost 500 times as much as pandemic prevention measures”^[1]. This means that an investment in prevention measures would yield a staggering 50,000 % return. There are not many rational humans that would turn that business case down!

The case for “Prevention is better than cure” has never been stronger!

Operational Resilience seems to be the hot “new” topic in risk management. Yet, is it new? Erasmus^[2] thought that this principle of “Prevention is better than cure” was key back in the 1500’s! It’s not so new!

Operational Resilience is “the ability of an organisation to absorb and adapt in a changing environment”^[3] or as the global banking regulator, the Basel Committee, states “the ability of a bank to deliver critical operations through disruption”.

Operational Resilience is more than Disaster Recovery and Business Continuity although it encompasses these critical functions. Operational Resilience is both a process and a characteristic of an organisation.

It is a process that amalgamates all aspects of the organisation aimed at managing the risks of extreme shock events.

The focus of Operational Resilience should be:

1. Prevention: Prevent your organisation from being affected or impacted by the shock
2. Robustness: If you are impacted, be robust by minimising how the shock affects you
3. Recovery: If you are severely impacted by the shock, recover quickly
4. Adaption: If a new normal arises from the shock, be able to adapt.
5. Learning: Learn from the experience to become more resilient

So, what is required to build a strong Operational Resilience capability:

1. Stakeholders and Objectives: Fully understand your stakeholders and what value and risk you bring to them. This defines your outcome / service-objectives.
2. Impact Tolerances: Set Impact Tolerances over the negative impacts you may bring to the key stakeholders. For example, this may include such things as financial hardship or quality of life.
3. Important Business Services: Identify your Important Business Services that are required to deliver the required services to your stakeholders and which, if they fail, will result in negative impacts on the stakeholders.
4. Sub Processes: Identify the various sub processes that make up the Important Business Service.
5. Critical Resources: Identify and map the critical resources (e.g., People, Physical Assets, Technology Assets etc.) to each process, and by default, each important business service.
6. Resource Health: Assess the health of each resource in terms of its ability to withstand stress (prevention) and also the ability to recover from stress (cure).
7. Scenarios: Identify a range of extreme, yet plausible, shock scenarios that impact the resources required to deliver your important business service. These may include such things as natural disasters, pandemics, social unrest, conflict or infrastructure issues. Understand how these scenarios would play out and whether we would meet the impact tolerances.
8. Learnings and Resilience Improvements: Where the scenarios are outside of tolerance, identify where you can make the processes more resilient focussing in prevention and robustness before cure!

What do you need to do next?

The building of resilience within your organisation requires a few key steps:

1. Change Management: Humans often think “It won’t happen to me!” The optimistic human bias may make us smile but will not make us resilient! We need to create a culture of “chronic unease” so that Board and Executive Management understand the value of investing in resilience. Put your business case up with a 50,000 % return!
2. Design an overarching resilience process to deliver the 9 steps above. This does require:
    

1. 1. Mapping your services, processes and resources.
   2. Incorporating and bringing together your various existing resilience related functions such as Business Continuity / Disaster Recovery, Contingency Planning, Insurance, Third Party Risk Management etc.
   3. Extending the focus of these existing functions to focus on prevention rather than just cure.
   4. Implementing a fit for purpose system that will deliver on this consolidated approach and that will be repeatable and management on an ongoing basis so that resilience becomes part of your DNA.
   5. Deliver information that escalates and commands response from decision makers so that ongoing resilience improvements can be made.

What are we doing at Protecht?

We are building that dedicated Operational Resilience Process that is part of our wider Protecht.ERM solution. As a result, it is able to draw on all of the existing Protecht.ERM functionality and better visualise that information through a visualisation tool.

Processes, their related resources and recovery time objectives can be visualised as per fig 1. Users are able to see more clearly dependencies and possible weaknesses in the service

Fig 1: Protecht.ERM

Want to know more?

Watch this webinar recording on operational Resilience:  this webinar explores what it means to be resilient and what is required to make operational resilience an integral part of your Enterprise Risk Management Framework.

[1] Jeremy Schwab August 2020 Boston University.

[2] Desiderius Erasmus – Dutch Philosopher. Attributed to this saying.

[3] ISO 2236 (2017): Security and resilience – organizational resilience - principles and attributes.