26th June 2023
Nobody wants the worst to happen. But, as the cases of TSB, Equifax, Royal Mail and others have shown us, critical incidents can and will occur. Businesses big and small are not immune from threats to their Operational Resilience. What we can be is prepared.
Being ready for a critical incident is essential for any business that wants to maintain Operational Resilience and minimise the impact of disruptions to its operations. We need to consider whether we have the necessary strategies and resources in place to survive a critical incident. This includes documenting and testing workarounds and developing effective Playbooks to use in the event of an incident.
By taking these steps, we can enhance our ability to respond to and recover from critical incidents, ensuring the continuity of our business operations and protecting our customers, employees, and stakeholders.
To help you determine whether your organisation is ready to face unexpected disruptions, we’ve compiled a list of eight essential questions that you should consider when evaluating your preparedness for critical incidents. These questions cover various aspects of Operational Resilience including resource mapping, scenario testing, Playbooks, and organisational culture.
By answering these questions, you can identify potential gaps in your business's preparedness and take proactive steps to improve your resilience:
Regular reviews of all elements of Operational Resilience are crucial to ensure that you are prepared for a critical incident. A review of your Operational Resilience should be completed bi-annually, or annually (at the very least) to ensure that all information and workarounds are accurate and tested.
By maintaining a regular review cadence, businesses can identify and address any gaps or weaknesses in their resilience strategies, improving their ability to respond to and recover from critical incidents.
Identifying and understanding the importance of those client-facing business services which, if disrupted, will result in material harm will help businesses prioritise resources and focus on maintaining the continuity of critical operations in the event of a disruption. It is recommended that you document and store information regarding your Important Business Services, alongside a justification and the process for how they were identified.
Businesses must understand the impact on their clients/customers of losing a system or service, and setting impact tolerance thresholds based on this information is an essential part of Operational Resilience planning.
Your impact tolerance thresholds should be documented, along with justification for why they were chosen, and a method for monitoring them should be established. Setting tolerance thresholds and monitoring them regularly can ensure you identify potential issues before they escalate and implement appropriate measures to minimise their impact.
Mapping out all business resources is an essential step in developing a comprehensive Operational Resilience plan. Map your Important Business Services against various factors, including people, processes, volumes, technology, location, metrics, facilities, and critical third parties.
By mapping out their resources in this way, businesses can identify potential vulnerabilities and develop appropriate strategies to ensure continuity in the event of a disruption.
Businesses must have a structured and organised way to complete scenario testing against plausible scenarios, ensuring that their workaround processes achieve their aim within the required timeframe. It is important to be confident that lessons learned from scenario testing will be tracked and implemented, enabling you to continuously improve your resilience strategies.
By completing thorough scenario testing, businesses can identify potential weaknesses in their Operational Resilience plan and implement appropriate measures to ensure they can respond to and recover from critical incidents effectively.
Playbooks should be developed, stored centrally, and signed off by appropriate business leaders. Internal and external communications should also be designed and signed off, ensuring that they are structured in a way that all levels across the business can understand.
By having these Playbooks and communication strategies in place, businesses can minimise the impact of disruptions to their operations and ensure continuity, while also protecting their customers, employees, and stakeholders.
A robust governance structure is critical for effective Operational Resilience. This includes top-to-bottom accountability with governance committees at the right level, looking at the relevant risks and mitigations to make key business decisions and absorbing the lessons learnt from scenario testing and previous incident responses.
It is also essential to have a system for tracking and reporting lessons learned, ensuring continuous improvement. A fit-for-purpose governance structure ensures that all stakeholders are aware of their roles and responsibilities, and that all risks are adequately addressed.
It is essential that everyone in the business understands their role in managing risk and that risk management is embedded across the entire employee lifecycle. Promoting a resilient culture at all levels and featuring Operational Resilience across the culture empowers your employees, helping them to identify and manage risks effectively and leading to better decision-making and increased overall resilience.
If your answer to any of the above questions is no, it’s time to act! Failing to address gaps in your Operational Resilience capabilities could put your business at risk, leading to significant disruptions to your operations, substantial financial losses, and damage to your reputation.
To ensure that your business is fully prepared for critical incidents, you may want to consider working with a trusted consulting firm, such as Davies Consulting, who can provide expert guidance and support in developing and implementing an effective Operational Resilience strategy.
Davies Consulting has pioneered a robust methodology which has helped businesses improve their Operational Resilience and provided them with the tools required to manage their Operational Resilience going forward.
Over 7 weeks we work closely with key stakeholders to assess your enterprise-wide Operational Resilience. In doing so we map your maturity, identify vulnerabilities, provide baseline tolerances, and support you with actionable recommendations that reduce and mitigate risk.
If you would like to learn more about how Davies’ holistic approach can help you enhance your Operational Resilience and protect your business, contact us now.
This blog was written by Consulting Director David Ilett, Senior Consultant Jason Pillay, and Senior Consultant Mark Odlin.
If you’d like to read more on this topic, you can download our white paper, where we also look at: