Operational Resilience: Respond and recover from critical incidents

14th June 2023

Having measures to prevent and mitigate critical incidents is an important step in your approach to Operational Resilience. But your overall strategy must address plans for dealing with a severe incident when it strikes. Large organisations and recognised brands from across the financial and commercial worlds have been exposed due to weaknesses in their overall resilience capabilities.

Robust response strategies can mitigate the impact of an incident on your ability to provide important business services, reassure employees, clients, and customers that you can manage a critical incident, and that you can recover quickly and effectively with minimum disruption.

Are your critical incident response and recovery plans ready?
To answer the question ‘is your organisation critical incident ready?’ it’s important to consider several key factors:

– Do you understand the resources required to deliver your important business services? The criticality of the people, processes, facilities, technology and third parties should all be mapped against those services. Identifying the resources needed means:

    1. You have everything available and organised sufficiently to be able to respond to a disruption to the organisation.
    2. You can track dependencies between key resources and identify and mitigate potential risks associated with them.
    3. You can pinpoint resource gaps so that the organisation can prioritise activities to mitigate them.

– What is your organisation’s level of Operational Resilience maturity when it comes to modelling severe and plausible scenarios? How are you managing identified risks to maximise your ability to deliver your important business services? Have you developed strategies to address those risks before they become actual incidents?

– Is your organisational governance up to the task? Are business-wide processes designed and implemented with Operational Resilience in mind? It is important to ensure those processes take account of critical dependencies and have clearly identified owners and documented procedures, stored in a central location accessible to everyone who needs them.

Processes should be regularly reviewed and updated to remain relevant to your business needs. Applying good governance to incident response and recovery plans will help ensure that you are continuously improving your Operational Resilience and minimising the impact of any disruptions to your operations.

– Are workarounds in place for disruptions to important business services? Have they been tested to prove they are realistic, practical and effective?

All this information will enable your business to direct investment to the right places and to be aware of where you are susceptible. This may mean a higher focus on these areas when considering workaround processes.

Other questions to ask to help you ensure your critical incident readiness include:
  1. Are your playbooks accessible?

Playbooks have a high-profile role in Operational Resilience by providing a documented, tested, and repeatable process for responding to incidents and disruptions. They offer a set of predefined procedures setting out the steps an organisation should take to minimise the impact of an incident, ensure continuity of operations, and recover from the event.

Playbooks can help improve Operational Resilience by:

– Standardising responses
Playbooks help to ensure that all members of the team follow a consistent process when responding to incidents. In doing so, playbooks can reduce the risk of errors, improve the speed and efficiency of your response, and minimise the overall impact of the incident.

– Identifying critical functions
Because organising playbooks helps organisations identify their most critical functions, processes, and systems, they can then prioritise response efforts and allocate resources accordingly, ensuring that the most critical functions are restored first.

– Improving knowledge
Through testing playbooks, organisations can train their staff on the response process to ensure they are able to rapidly respond in the event of an incident.

– Aiding continuous improvement
Playbooks need regular review to address changes in the organisation’s environment, such as new technologies, processes, or threats. This ensures playbooks remain relevant and effective in the face of evolving risks and challenges.

Overall, playbooks are a critical component of an organisation’s operational resilience strategy. They provide a structured and standardised approach to incident response, enabling organisations to minimise the impact of disruptions, ensure continuity of operations, and recover quickly and effectively from incidents.

  2. Are your communications prepared?

Recently, the major high street retailer, WH Smith, was the victim of a cyber attack targeting confidential current and former employee data. Their response plan included a robust external communication strategy designed to reassure the public that customer data remained secure and stressing that trading was unaffected. Undoubtedly there was a strong internal communication response as well.

In fact, in their statement WH Smith noted:

“Upon becoming aware of the incident, we immediately launched an investigation, engaged specialist support services and implemented our incident response plans, which included notifying the relevant authorities… We are notifying all affected colleagues and have put measures in place to support them.”

WH Smith’s communication planning included both internal and external communications as well as notifying regulatory and law enforcement authorities. Different types of critical incidents will require different types of communication plans. However, all types of critical incidents will require employee communications, from initial response action plans through to the recovery stage, to ensure morale and engagement are not lost.

Communication plans and templates are essential tools for operational resilience because they help ensure that critical information is communicated effectively and efficiently during a crisis or disruption. Having a well-designed communication plan in place will help ensure the right people receive the right information at the right time.

Communication plans and templates are important for Operational Resilience because they contribute to and improve:

– Consistency
Communication templates provide a consistent approach to communication, which helps ensure that all stakeholders receive the same message, with the same level of urgency, regardless of who is delivering the message. This consistency can be particularly important during a crisis or disruption, when miscommunications can have serious consequences.

– Agility
In a crisis, time is of the essence, and delays in communication can be costly. Communication plans and templates can help ensure that messages are delivered quickly and efficiently, without the need for time-consuming deliberations or decisions.

– Flexibility
Communication plans and templates allow for updates and modifications as the situation evolves. This can help ensure that stakeholders have the most up-to-date information, without the need for a complete overhaul of the communication strategy.

In summary, communication plans and templates are important tools for Operational Resilience because they help ensure that critical information is communicated consistently, quickly, clearly, and flexibly, even in the face of a disruptive event.

  3. Do you feed lessons learned into recovery playbooks?

Lessons learned can be derived from several aspects of an organisation’s Operational Resilience planning. One is scenario testing, where severe but plausible potential disruptions to a firm’s operations allow playbooks to be tested. Previous critical incidents, and how you responded to and recovered from them, are also a great source of information for improving your Operational Resilience and should be re-examined for valuable lessons that can aid recovery in the future.

Scenario testing and exercising should be an important part of your Operational Resilience and critical incident preparedness. But unless you are taking the conclusions of testing and lessons learnt from those exercises, assessing their importance, and feeding them into improved actions and plans for mitigation and recovery, then you are wasting their potential.

While the event is fresh in the memory, these actions need to align with existing governance structures. Who are the accountable senior stakeholders? Do actions have delivery dates and clear owners assigned? How are the actions that arise from scenario testing being tracked and monitored to ensure they aren’t forgotten?

Ensure that lessons are added to continuous improvement or risk action logs, that new iterations of response and recovery plans are tracked by the appropriate risk committees, and that every impacted stakeholder is apprised of new strategies and plans.

Interested in more?

This blog was written by Consulting Director David Ilett, Senior Consultant Jason Pillay, and Senior Consultant Mark Odlin.

If you’d like to read more on this topic, you can download our white paper, where we also look at:

  • Understanding the risks
  • Mitigating and preventing critical incidents
  • 8 essential questions to ask yourself to prepare for a critical incident
