
Operational Resilience: The Outcome of an Effective ORM Program


Introduction

In July this year, a faulty CrowdStrike Falcon sensor update crashed roughly 8.5 million Windows hosts around the world. Flights were grounded, banks were knocked offline, stock exchanges were disrupted, and healthcare systems were paralyzed for hours, in some cases days, all because of a single defective software update.

This wasn’t the first time an operational failure caused such widespread disruption.

In 2018, an IT outage at the British bank TSB left nearly two million customers locked out of their accounts. A year earlier, the NotPetya cyberattack devastated the systems of some of the world’s biggest corporations, while WannaCry ransomware cost the UK’s National Health Service (NHS) an estimated £92 million after 19,000 appointments were cancelled.

Then, of course, came the pandemic which upended life as we knew it. Organizations were forced to suddenly adapt to remote work, scale up digital services in days, and navigate supply chain disruptions – all while facing an unprecedented threat to human health.

Thankfully, the worst of the pandemic is behind us. But it won’t be the last major crisis we face. Risks are growing in volume, velocity, and interconnectedness. Simultaneously, cyber threats and vulnerabilities across legacy systems, new technologies, and third parties are constantly evolving.

So, when another disruption does occur – because it will – what can organizations do to withstand, adapt to, and recover from it faster?

Up the Focus on Operational Resilience

Operational resilience isn’t a new concept – it’s been on the regulatory radar for years. In 2018, the Bank of England, the UK’s Prudential Regulation Authority (PRA), and the Financial Conduct Authority (FCA) published a joint discussion paper on how to improve the operational resilience of firms and financial market infrastructures.

That was followed in 2021 by the Basel Committee on Banking Supervision’s (BCBS’s) ‘Principles for Operational Resilience’. The Principles assert that while it may not be possible to avoid certain operational risks like a pandemic, it’s certainly possible to improve one’s resilience to such events.

Resilience is the capacity to anticipate, respond to, and bounce back from a disruption with minimal damage. It involves more than backing up data or establishing emergency protocols; it also means preventing and detecting potential issues before they escalate.

Resilient organizations are better prepared for eventualities in both the short and long term. They have robust business continuity, incident management, and recovery plans in place. More importantly, they’re proactive about assessing, monitoring, and mitigating operational risks, which lowers the likelihood of a disruption occurring in the first place.

With operational resilience becoming increasingly critical to the health of organizations and industries at large, a host of new regulations around the subject have emerged:

  • The US Federal Reserve Board’s operational resilience guidance
  • The Australian Prudential Regulation Authority’s Prudential Standard CPS 230 Operational Risk Management
  • The EU’s Digital Operational Resilience Act
  • Canada’s Office of the Superintendent of Financial Institutions’ Guideline E-21 on operational risk and resilience
  • The Central Bank of Ireland’s Cross-Industry Guidance on Operational Resilience
  • The Monetary Authority of Singapore’s operational resilience guidelines
  • The Hong Kong Monetary Authority’s Supervisory Policy Manual on Operational Resilience

While each of these regulations has its own set of requirements, the one aspect many of them share is a focus on operational risk management (ORM) as a key driver of operational resilience.

The Better Your ORM, the Better Your Resilience

At the 2019 Annual Operational Risk Europe Conference in London, Nick Strange, then Director of Supervisory Risk Specialists at the Bank of England, said, “…operational resilience is the outcome we are seeking, and to do that we must manage operational risk effectively.”

BCBS echoed this sentiment in their Principles saying, “Operational resilience is an outcome that benefits from the effective management of operational risk.”

If that’s the case, how can organizations manage operational risks better?

  • Get the basics right: Ensure that ORM frameworks and processes are in place to:
    • Define the organization’s operational risk appetite and its tolerance for disruption of each important service
    • Identify critical business operations, services, and assets, along with the risks that could impact them
    • Conduct risk-control self-assessments (RCSAs) to evaluate and prioritize those risks; then implement appropriate controls and contingency plans
    • Continuously monitor the operational environment to detect emerging risks and changes
    • Regularly review and update ORM practices based on lessons learned from past incidents
  • Quantify risks to better gauge their impact: Risk quantification, the practice of measuring operational risks in monetary terms (for example, as an expected annual loss derived from how often an event is likely to occur and how much each occurrence costs), is becoming increasingly important. Done well, it turns traditionally subjective ratings into objective, data-driven estimates, so organizations can make informed decisions about risk mitigation, resource allocation, and strategic planning.
  • Understand risk interconnectedness: Operational risks rarely exist in isolation. An IT outage, for example, might not just halt business operations but also lead to financial losses, dissatisfied customers, regulatory scrutiny, and negative publicity. Understanding these interconnections helps organizations prepare comprehensive risk response strategies rather than treating each consequence separately.
  • Proactively plan risk scenarios and incident responses: By simulating plausible risk scenarios, and developing tailored incident response plans for each, organizations can be ready to handle unexpected events. Scenario planning pre-defines roles, responsibilities, and corrective actions, so when a disruption does occur the organization can respond immediately, reducing downtime and financial losses.
  • Align ORM with business continuity management: A resilience-focused ORM strategy goes beyond core risk management to encompass third-party (vendor) risk, regulatory risk, IT security and cyber risk, business continuity management (BCM), and disaster recovery (DR). BCM and DR are particularly important in ensuring that organizations continue to function and deliver essential services during and after a disruption. A robust BCM plan includes a business impact analysis, crisis communication plans, and regular testing exercises.
  • Build a culture of risk awareness: ORM is truly effective when everyone on the front line is trained to recognize potential operational risks and understands their role in managing them. Many organizations provide platforms where employees can easily flag and report potential risks, anomalies, or issues, so that critical information flows swiftly to the right channels for timely action. Rewards and incentives also go a long way towards encouraging risk-aware behaviors.
  • Toss out the spreadsheets and break down the silos with technology: As the range of operational risks continues to grow, it no longer makes sense to manage them through laborious spreadsheets. Point solutions can also hinder ORM by fragmenting the organization’s view of risk. A centralized ORM platform, on the other hand, can consolidate risk data from across the enterprise into a single source of truth, helping organizations make better-informed decisions. Automated risk assessments save time and resources while enabling teams to respond to risks faster, and AI and analytics can surface risk trends and patterns that might otherwise go unnoticed.
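As an added illustration of the risk quantification point above (this is example code written for this edit, not part of the original post or of any MetricStream product), the Python below models one operational risk scenario, a core platform outage, as a compound loss distribution: a Poisson number of incidents per year, each with a lognormal cost. The scenario parameters, the $500,000 annual loss tolerance and the 50% frequency reduction attributed to a hypothetical control are all constructed assumptions, not real loss data. The functions return the expected annual loss (cross-checked against the closed form), the 95th-percentile annual loss, the probability of breaching the stated tolerance, and the expected annual loss avoided by the control, which is the figure you would set against the control’s cost when deciding whether to fund it.

```python
import math
import random
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class LossScenario:
    """One operational risk scenario expressed in monetary terms.

    Frequency is a Poisson rate (incidents per year); severity is lognormal,
    parameterised by its median cost and the log-space sigma. Every value used
    below is a constructed assumption for illustration, not observed loss data.
    """
    name: str
    events_per_year: float
    median_loss: float
    loss_sigma: float


def _poisson(rng: random.Random, rate: float) -> int:
    """Knuth's method for Poisson draws; adequate for the small rates used here."""
    threshold = math.exp(-rate)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_annual_losses(scenario: LossScenario, trials: int = 20_000, seed: int = 7) -> list[float]:
    """Monte Carlo: total loss in each simulated year (compound Poisson-lognormal)."""
    rng = random.Random(seed)  # fixed seed so the numbers are reproducible
    mu = math.log(scenario.median_loss)
    annual = []
    for _ in range(trials):
        n_incidents = _poisson(rng, scenario.events_per_year)
        annual.append(sum(rng.lognormvariate(mu, scenario.loss_sigma) for _ in range(n_incidents)))
    return annual


def analytic_expected_loss(scenario: LossScenario) -> float:
    """Closed form for cross-checking the simulation: rate x mean severity,
    where the mean of a lognormal is median * exp(sigma^2 / 2)."""
    return scenario.events_per_year * scenario.median_loss * math.exp(scenario.loss_sigma ** 2 / 2)


def summarize(annual_losses: list[float], tolerance: float) -> dict:
    """Expected annual loss, a tail percentile, and the chance of breaching the loss tolerance."""
    s = sorted(annual_losses)
    n = len(s)
    return {
        "expected_annual_loss": sum(s) / n,
        "p95_annual_loss": s[min(n - 1, math.ceil(0.95 * n) - 1)],
        "p_exceed_tolerance": sum(1 for x in s if x > tolerance) / n,
    }


def control_benefit(scenario: LossScenario, frequency_reduction: float,
                    trials: int = 20_000, seed: int = 7) -> float:
    """Expected annual loss avoided by a control that cuts incident frequency
    by the given fraction (e.g. 0.5 halves the Poisson rate)."""
    reduced = replace(scenario, events_per_year=scenario.events_per_year * (1.0 - frequency_reduction))
    before = simulate_annual_losses(scenario, trials, seed)
    after = simulate_annual_losses(reduced, trials, seed)
    return sum(before) / len(before) - sum(after) / len(after)


# Constructed scenario: a core platform outage, roughly two incidents a year,
# median cost $100k per incident, with a heavy right tail (sigma = 1.0).
OUTAGE = LossScenario("core platform outage", events_per_year=2.0, median_loss=100_000.0, loss_sigma=1.0)
ANNUAL_LOSS_TOLERANCE = 500_000.0  # constructed risk-appetite figure


if __name__ == "__main__":
    stats = summarize(simulate_annual_losses(OUTAGE), ANNUAL_LOSS_TOLERANCE)
    print(f"{OUTAGE.name}: analytic expected annual loss ${analytic_expected_loss(OUTAGE):,.0f}")
    for key, value in stats.items():
        print(f"  {key}: {value:,.2f}")
    print(f"  expected loss avoided by halving frequency: ${control_benefit(OUTAGE, 0.5):,.0f}")
```

The point of running the scenario rather than rating it “high” or “medium” is the last two numbers: the breach probability can be compared directly with the tolerance for disruption set in the risk appetite, and the avoided loss gives a monetary ceiling on what the control is worth.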

Reduce Operational Risks and Heighten Resilience with MetricStream

MetricStream Operational Risk Management provides a comprehensive set of capabilities to identify, assess, mitigate, monitor, and report operational risks. Packed with powerful risk quantification tools and analytics, our ORM software delivers a single, real-time view of risks and controls to help you make risk-informed decisions. With MetricStream, you can establish a strong ORM framework, manage RCSAs with ease, and stay ahead of potential losses with predictive risk indicators.

Our MetricStream Operational Resilience Management software provides a single view of risk insights across operational risk, business continuity, third-party, and cybersecurity risk areas. With automated workflows and real-time reporting capabilities, the operational resilience software embeds risk management into business continuity and crisis recovery processes. So, you can efficiently anticipate, tolerate, and bounce back faster from an adverse event.

Ready to find out more? Request a personalized demo now.


Sumith Sagar, Associate Director, Product Marketing

Sumith Sagar is a proven product marketing professional, specializing in software product positioning, product-led growth marketing, presales and sales enablement. With over 12 years of risk management solutioning experience ranging from Governance, Risk and Compliance (GRC), Commodity Trading & Risk Management (CTRM) and cybersecurity, she has been instrumental in driving BusinessGRC product marketing at MetricStream.