We’ve defined important business servicesdesigned impact tolerances and mapped the processes and resources that support them. We’ve run through scenario testing, and how to address managing vulnerabilities and actions. Congratulations, you’ve got your operational resilience program up and running!

But how do you report on your operational resilience program, whether you are involved in the day-to-day running or have an oversight role? What do stakeholders need to know, and what information provides value?

In this blog we cover:

  • Who wants reporting
  • Types of reports to consider
  • How to collect and prepare the information

Who wants reporting?

There are a range of roles who will either request reporting, or should be provided with reporting on the performance of your operational resilience program.

Here are some roles you might want to consider, and some of the key questions that reporting should help them answer.

Identified owners of important business services

Is my important business service vulnerable? If so, where? Is action being taken?

Identified owners of processes or resources that support important business services

Which services do my resources or processes support? Based on their importance and current vulnerability or health, should I be changing the control environment? Do I need to inform important business service owners of any planned changes related to resources or processes?

The Chief Operating Officer or equivalent

Have we performed our scenario testing program in accordance with our planned schedule? Have we met impact tolerance for all scenarios tested? Are there any overdue actions I need to investigate?

Committees, boards and governing bodies

For each identified important business service, have we documented our impact tolerance and the justification for that impact tolerance?

Is our testing plan sufficient and up to date? Have lessons learned been documented?

For any identified vulnerabilities in our operational resilience, is there clear action and accountability for resolution?

Reporting and vendor relationships

You might also want to consider tailored reports to vendors who supply resources or services that support your important business services. While it is more likely you want to request assurance from them, they may benefit from specific reports, such as individual results of scenarios where their resources are implicated.

If you provide services to other businesses, your important business service may be considered a resource in your customers own important business services. If this is the case, you may want to provide them with them your mapping, or results of your scenario testing (filtered or censored where applicable for commercial sensitivity).

Types of reports to consider

Reports and dashboards should be tailored to the needs of the specific audience. We will explore some suggested reports here, who may benefit, and some tips when preparing the reports.

Summary report of Important Business Services

This report would include a list all your important business services, and a summary of the most important information, such as who owns it, the impact tolerance, how many processes and resources are connected to it, whether any vulnerabilities have been identified, and whether any reviews related to that important business service are due.

This report can be useful for senior management to have a snapshot of operational resilience, and may prompt more direct questions to owners of important business services or those responsible for overseeing the operational resilience program.

1-ibs-summary-large

Reporting on interdependencies

Reporting on interdependencies is positioned at more operational users. When designed well, it highlights which resources are the most important to deliver your important business services, and which resources may be the most vulnerable or at risk of disruption.

This type of report provides insight on where to focus diversification of resources or improve the health of those resources. It can also highlight which resources may warrant additional controls or resources attached.

2-interdependency-summary-large

Scenario testing

Consider a report that shows the status of the scenario testing program. This can include the performance of the program itself; whether defined scenarios are being performed or are overdue. It should also include the results of those scenarios; whether the impact tolerances are expected to be met.

This report is useful for senior management or boards to provide assurance that the scenario testing program is being completed as expected – or to direct more specific questions and requests for information if impact tolerance has not been met and no action has been noted to rectify.

3-scenarios-tests-large

Reporting for specific audience needs

While we’ve covered some of the key reports that we see our customers using or considering as part of their operational resilience programs, the most important is to collaborate with your key stakeholders. What do they want to see? What will provide them additional assurance or help them make decisions?

How to collect and prepare the information

As noted earlier, different audiences will gain value from different levels of information and will require it to be presented in a particular way to support their needs and decision-making processes.

We recommend having a single source of truth for all information in your operational resilience program. Using the same data – but aggregated, filtered or presented in different ways to meet differing needs – increases efficiency while ensuring everyone is talking the same language and relying on the most up to date information.

Dashboards are an excellent way to view and analyse data in real time, and allow for filtering and reporting that can be tailored to the specific user that is simply not possible with static reports. The one downside of dashboards is that it requires the user to actively seek them out – avoid creating dashboards that don’t get used! This makes them more suitable for employees that are more engaged with ongoing operational resilience processes. However, they can also be great for presenting in Executive and Board meetings, allowing for drilling down into detail where required and ensuring you are using up to date data.

While dashboards and reports may be available ‘on demand’, you should identify reports that should be actively distributed, rather than passively accessed. Where possible, this delivery should be automated. Be intentional regarding the timing of scheduled reports. Deliver them at a time that allows the recipient enough time to digest the information, while also allowing them to incorporate the information into other operational or decision-making processes.

About this series

We’ve covered some potential reporting today, and who the audiences are. We will tie up this series in the next blog, where we will cover the self-assessment process. While there are specific requirements for a self-assessment for those covered under the FCA Rules in the UK, it can be applied to all organisations to provide an overall assessment of their operational resilience program.

Next steps for your organisation

Protecht recently launched the Protecht.ERM Operational Resilience module, which
helps you identify and manage potential disruption so you can provide the critical
services your customers and community rely on.

Find out more about operational resilience and how Protecht.ERM can help:

 

Note on regulation and terminology

While this series primarily discusses regulated entities, the guidance can apply to any organisation seeking to improve their operational resilience by looking through an external stakeholder lens, whether they operate in financial services, critical infrastructure, healthcare or indeed any other industry.

We use the term ‘important business services’, which aligns with the UK’s Financial Conduct Authority/Prudential Regulation Authority terminology but can and should be adapted to different regions and sectors. For Australian financial service providers, we recommend replacing ‘important business services’ with ‘critical operations’, and impact tolerance with ‘tolerance levels’ to align with APRA draft standard CPS 230 on Operational Risk.

We use the term ‘customer’ in this blog, which can include direct consumers, business to business relationships, patients in health care settings, or recipients of government services. The defining factor is that they are external recipients of the services you provide.

Related Articles

feature image
Operational Resilience

Operational Resilience Series #8: Designing a good self-assessment process

You’re well on your way in implementing an operational resilience program; you have identified your important business services, defined impact...
Read more
feature image
Operational Resilience

Operational Resilience Series #6: Identifying vulnerabilities and actions

In this series we’ve defined important business services, designed impact tolerances and mapped the processes and resources that support them. In our...
Read more
feature image
Operational Resilience

Operational Resilience Series #5: Design and running of a scenario

So far in this series we have identified important business services, designed impact tolerances and mapped the processes and resources that support...
Read more