Evolving from Business Continuity to Full Operational Resilience
From recovery to resumption to resilience, a journey from "simply a set of actions" to a new comprehensive mindset
Friday, April 9, 2021
By David LaFalce
If business continuity is the immediate plan to ensure that a business is able to continue providing services and survive, then operational resilience is the larger strategy that business continuity supports. Just about every organization has a business continuity plan, and if they didn't before 2020, they certainly have one now.
While business continuity plans serve as an important backstop in the event of an unplanned incident or emergency, it is actually just the beginning of a set of best practices that ultimately lead to operational resilience.
Imagine business continuity as a central point, radiating out in concentric circles toward achieving full operational resilience. Each step detailed below is one of those rings in an organization's journey to achieving operational resilience.
1. Achieving integration
Resilience is the newest “R word” out there. First there was recovery (which is essential for business continuity); then there was resumption; and now, resilience. Each iteration has matured to encompass and integrate more strategic considerations, moving from being simply a set of actions to representing a new mindset.
As part of the evolution to resilience, a key metric of success is integration - bringing together what were previously siloed functions into one, comprehensive view.
After all, businesses today have to safeguard against a wide range of technical, social, financial and natural disruptions which can impact everything from the availability of technology, to employees, supplies, and even time. Having a holistic and integrated view, which looks at all of these areas collectively, is paramount to ultimately delivering operational resilience. Firms must consider key processes, how they interact with each other, and a holistic approach to moving these processes forward together.
2. Having the right “maps”
While there is no magic set of metrics, there are three important “maps” that must be in place to get a firm closer to achieving operational resilience: operational processes; critical assets, including their location and how they support operational processes; and an understanding of supply chain implications. Within these maps, you've identified your critical infrastructure, your people, your vendors and how they support each other.
A map of operational processes enables you to see all the cogs that make up process flows, and where asset dependencies and relationships lie. This can help identify which processes are critical, what inputs affect those processes, and how those processes affect each other.
When it comes to people, recent events have prioritized the ability to operate anywhere, rather than in a distributed somewhere. For example, having regional operational centers away from headquarters was once considered best practice. There was - and still is - a philosophy that no single event should be able to impact the organization, so the “out-of-region” approach became a core tenet.
During the COVID-19 pandemic, however, organizations realized there was no way to redirect activity to other regions, because all locations were equally affected. The lesson here is that it is now more useful to arm people with the right tools and resources, making them their own operating centers.
And finally, supply chain management - in other words, identifying your outside dependencies, determining how far down the supply chain you want to manage and set your risk tolerance. Typically, firms are only able to manage as far as two degrees of separation. Managing a catalog of third parties much past that can become unwieldy.
3. Managing internal and external environments
While business continuity focuses exclusively on the firm itself, its evolution to resilience means that it is equally concerned with internal factors as with external influences. A resilient firm is, in fact, especially cognizant of its role in its industry ecosystem, and understands the spillover effects that one institution can have on another.
The broader industry ecosystem has its own interconnections and dependencies, and it must be looked at holistically. It's important to consider not only employees and customers, but also vendors, regulators, industry associations, and other partners. Furthermore, in the same way that some processes are more critical to resiliency than others, some external relationships, such as those with regulators, are especially important, as they can have a significant impact on the firm.
In order to organize internal and external factors within a resilience framework, organizations can utilize maturity models that incorporate a number of weighted measurements covering factors including planning, people, governance, technology and reporting. They can also look at resilience on different levels, from product, to legal, to enterprise. This becomes a visual representation of resilience for the firm, cutting across levels and factors.
Operational resilience transcends discrete disciplines. It exists as a holistic and strategic framework that is embedded across an entire organization. This supports a better integration of functions, the use of proper operational maps, and the effective management of both internal and external factors. Examining business processes through such a comprehensive lens is essential for firms looking to shift from continuity to ongoing resilience, which will allow them to better adapt - and continuously evolve - in the face of external change.
David LaFalce is managing director - global head of business continuity and resilience, Depository Trust & Clearing Corp. (DTCC)