We’ve defined important business services, designed impact tolerances and mapped the processes and resources that support them. We’ve run through scenario testing, and how to address managing vulnerabilities and actions. Congratulations, you’ve got your operational resilience program up and running!
But how do you report on your operational resilience program, whether you are involved in the day-to-day running or have an oversight role? What do stakeholders need to know, and what information provides value?
In this blog we cover:
- Who wants reporting
- Types of reports to consider
- How to collect and prepare the information
Who wants reporting?
There are a range of roles who will either request reporting, or should be provided with reporting on the performance of your operational resilience program.
Here are some roles you might want to consider, and some of the key questions that reporting should help them answer.
Identified owners of important business services
Is my important business service vulnerable? If so, where? Is action being taken?
Identified owners of processes or resources that support important business services
Which services do my resources or processes support? Based on their importance and current vulnerability or health, should I be changing the control environment? Do I need to inform important business service owners of any planned changes related to resources or processes?
The Chief Operating Officer or equivalent
Have we performed our scenario testing program in accordance with our planned schedule? Have we met impact tolerance for all scenarios tested? Are there any overdue actions I need to investigate?
Committees, boards and governing bodies
For each identified important business service, have we documented our impact tolerance and the justification for that impact tolerance?
Is our testing plan sufficient and up to date? Have lessons learned been documented?
For any identified vulnerabilities in our operational resilience, is there clear action and accountability for resolution?
Reporting and vendor relationships
You might also want to consider tailored reports to vendors who supply resources or services that support your important business services. While it is more likely you want to request assurance from them, they may benefit from specific reports, such as individual results of scenarios where their resources are implicated.
If you provide services to other businesses, your important business service may be considered a resource in your customers' own important business services. If this is the case, you may want to provide them with your mapping, or the results of your scenario testing (filtered or redacted where applicable for commercial sensitivity).
Types of reports to consider
Reports and dashboards should be tailored to the needs of the specific audience. We will explore some suggested reports here, who may benefit, and some tips when preparing the reports.
Summary report of Important Business Services
This report would include a list of all your important business services, and a summary of the most important information for each, such as who owns it, the impact tolerance, how many processes and resources are connected to it, whether any vulnerabilities have been identified, and whether any reviews related to that important business service are due.
This report can be useful for senior management to have a snapshot of operational resilience, and may prompt more direct questions to owners of important business services or those responsible for overseeing the operational resilience program.
Reporting on interdependencies
Reporting on interdependencies is aimed at more operational users. When designed well, it highlights which resources are the most important to delivering your important business services, and which resources may be the most vulnerable or at risk of disruption.
This type of report provides insight into where to focus diversification of resources or improve the health of those resources. It can also highlight which resources may warrant additional controls or additional resources allocated to them.
Consider a report that shows the status of the scenario testing program. This can include the performance of the program itself: whether defined scenarios are being performed on schedule or are overdue. It should also include the results of those scenarios: whether the impact tolerances are expected to be met.
This report is useful for senior management or boards to provide assurance that the scenario testing program is being completed as expected – or to direct more specific questions and requests for information if impact tolerance has not been met and no action has been noted to rectify.
Reporting for specific audience needs
While we’ve covered some of the key reports that we see our customers using or considering as part of their operational resilience programs, the most important thing is to collaborate with your key stakeholders. What do they want to see? What will provide them with additional assurance or help them make decisions?
How to collect and prepare the information
As noted earlier, different audiences will gain value from different levels of information and will require it to be presented in a particular way to support their needs and decision-making processes.
We recommend having a single source of truth for all information in your operational resilience program. Using the same data – but aggregated, filtered or presented in different ways to meet differing needs – increases efficiency while ensuring everyone is talking the same language and relying on the most up-to-date information.
Dashboards are an excellent way to view and analyse data in real time, and allow for filtering and reporting tailored to the specific user in a way that is simply not possible with static reports. The one downside of dashboards is that they require the user to actively seek them out – avoid creating dashboards that don’t get used! This makes them more suitable for employees who are more engaged with ongoing operational resilience processes. However, they can also be great for presenting in Executive and Board meetings, allowing for drilling down into detail where required and ensuring you are using up-to-date data.
While dashboards and reports may be available ‘on demand’, you should identify reports that should be actively distributed, rather than passively accessed. Where possible, this delivery should be automated. Be intentional regarding the timing of scheduled reports. Deliver them at a time that allows the recipient enough time to digest the information, while also allowing them to incorporate the information into other operational or decision-making processes.
About this series
We’ve covered some potential reporting today, and who the audiences are. We will tie up this series in the next blog, where we will cover the self-assessment process. While there are specific requirements for a self-assessment for those covered under the FCA Rules in the UK, it can be applied to all organisations to provide an overall assessment of their operational resilience program.
- What is operational resilience?
- What are your important business services?
- Designing your impact tolerances
- Mapping your important business services
- Design and running of a scenario
- Identifying vulnerabilities and actions
- What reporting do management want to see? [this blog]
- Designing a good self-assessment process
Next steps for your organisation
Protecht recently launched the Protecht.ERM Operational Resilience module, which helps you identify and manage potential disruption so you can provide the critical services your customers and community rely on.
Find out more about operational resilience and how Protecht.ERM can help:
- Watch our operational resilience webinar
- Download our operational resilience eBook
- Find out more about our Operational Resilience module
Note on regulation and terminology
While this series primarily discusses regulated entities, the guidance can apply to any organisation seeking to improve its operational resilience by looking through an external stakeholder lens, whether it operates in financial services, critical infrastructure, healthcare or indeed any other industry.
We use the term ‘important business services’, which aligns with the UK’s Financial Conduct Authority/Prudential Regulation Authority terminology but can and should be adapted to different regions and sectors. For Australian financial service providers, we recommend replacing ‘important business services’ with ‘critical operations’, and ‘impact tolerance’ with ‘tolerance levels’ to align with APRA draft standard CPS 230 on Operational Risk.
We use the term ‘customer’ in this blog, which can include direct consumers, business to business relationships, patients in health care settings, or recipients of government services. The defining factor is that they are external recipients of the services you provide.