Operational Resilience: Understanding the risks

11th May 2023

Operational Resilience is defined as an organisation’s ability to withstand and recover from disruptive events while maintaining continuous business operations. Operational Resilience can be built on existing practices of disaster recovery (DR) and business continuity planning (BCP). However, achieving Operational Resilience requires the whole organisation to play a part by:

        1. Focusing on all critical business functions
        2. Identifying key dependencies and interconnectedness between systems, people, processes, and third-party suppliers
        3. Testing scenarios that simulate real-world disruptions
        4. Encouraging a culture of continuous improvement and learning
        5. Establishing clear incident response roles and responsibilities
        6. Building redundancy and diversity into critical systems to minimise single points of failure

Furthermore, businesses must continually monitor their Operational Resilience plans and procedures, keeping them up-to-date and effective in the face of changing circumstances and emerging threats. It also requires senior executives to buy into and embrace the importance of Operational Resilience, prioritising it to guarantee customer trust, prevent brand damage, protect from financial losses, and comply with regulations.

What are the potential threats to your business?

In recent years the context surrounding Operational Resilience has shifted. Many businesses now have maturing hybrid working capabilities, and this change has brought its own new operational risks. Increased use of Cloud technology has increased businesses’ reliance on off-site data storage and systems, and consumer reliance on digital services has increased as well. The biggest threat to Operational Resilience is now a cyber attack.

Consumers and regulators are also more sensitive to service disruptions caused by lack of Operational Resilience. There is a greater expectation that service providers take all necessary steps to secure their systems and protect against cyber threats.

As a result, businesses have become focused on protecting against cyber security threats, but this has meant a reduced ability to protect against and respond to physical disruptions.

To best protect your business, it’s important to understand the biggest threats to business continuity, such as:

Cyber security attacks

Cyber attacks can cause disruption to critical IT systems and compromise the confidentiality of their data. The biggest cyber security threats include hacking, phishing, and malware, which can compromise data and systems, causing business disruption and financial loss:

[Figure. Source: Cyber Security Breaches Survey 2022]

        1. Phishing involves sending emails or other messages claiming to be from a reputable source, to get the recipient to reveal sensitive information that is then used to compromise the individual or organisation
        2. Malware is software designed to infiltrate and gain access to computer systems. Malware can be deployed as viruses, Trojan horse attacks and ransomware
        3. Denial of Service (DoS) attacks are designed to overload a system with traffic making it unavailable to carry out its normal operations
        4. Insider threats are carried out by individuals from within an organisation. These can be accidental or deliberate actions to sabotage, steal or leak sensitive data

System failures

Network outages, hardware failures and software bugs can all cause downtime to IT systems and disrupt services.

Third party service provider outages

There is always increased risk when you are not in direct control of a service. Third-party providers deliver a myriad of services and outages will affect the ability of an organisation to deliver key business functions.

Natural disasters

Damage to physical infrastructure affects both organisations and their third-party providers, causing disruption to operations. The same damage can impact the ability of employees to carry out their work.

Human error

This is particularly damaging when processes do not exist or are not well defined.

Supply chain disruption

Delays or shortages of materials can impact the ability to provide products and services.

Threats will continue to evolve, as technology and business operating models develop. Therefore, to act as quickly and effectively as possible, you need to assess the threat landscape regularly and adapt plans to best practice, incorporate employee training and create incident response plans accordingly.

It is essential for robust disaster recovery and business continuity that your third-party providers, suppliers, and partners also have Operational Resilience procedures and plans in place.

While technology can provide some level of security, companies must test their overall resilience through:

– DR and BCP

– Critical incident scenario modelling

– Verification that third-party providers have established contingency plans in case of disruptions

What is the regulators’ approach to making businesses operationally resilient?

The regulatory landscape is ever changing as regulators grapple with developing circumstances and consumer needs. In the UK, regulators are focused on establishing a regulatory framework to help businesses measure and adapt their Operational Resilience capabilities. While different industries and sectors are governed by their own regulations and best practices, critical third parties are likely to fall under these regulations.

Operational Resilience Framework

In March 2022, following a period of review, the Bank of England, FCA and Prudential Regulation Authority (PRA) announced a new Operational Resilience Framework for firms stating:
“Ensuring the UK financial sector is operationally resilient is important for consumers, firms, and financial markets. Operational disruptions can cause wide-reaching harm to consumers and pose a risk to market integrity, threaten the viability of firms and cause instability in the financial system.”
This framework sets out guidelines to help businesses identify important services, set impact tolerances, map and test interdependencies, and develop response and recovery plans. A deadline of March 2025 has been set for businesses to have assessed and developed their scenario testing capabilities to mitigate severe impacts on key client-facing services.

These regulations will continue to evolve, with further guidance proposed on outsourcing and third-party risk management as regulators recognise the increasing reliance on third-party providers for uninterrupted delivery of important business services.

Regulations outside the UK

Other regulatory bodies outside the UK are also looking to develop and expand their regulations around Operational Resilience. In the EU, the Digital Operational Resilience Act (DORA) refers to ICT risk and sets rules on ICT risk management, incident reporting, operational resilience testing and ICT third-party risk monitoring. The US prefers a more guideline-centred approach, using existing risk management rules to set individual organisational standards around resilience.

Businesses must also comply with data protection laws such as GDPR in the EU, which requires businesses to take appropriate technical and organisational measures to protect personal data. Firms may also be contractually obligated to protect their customers’ data and to maintain a certain level of Operational Resilience. If a business fails to meet these obligations they face sanctions, fines or licence revocation that can severely limit their operations.

Alongside substantial fines, failing to comply with industry compliance best practice and national or international regulatory standards can lead to time-consuming audits or investigations and open your business up to liability action from consumers and business partners.

What are the consequences of a critical incident?

In the face of increased public and regulatory expectations, businesses must do more to secure their Operational Resilience and protect against threats. Even if your business or industry is not heavily regulated, poor Operational Resilience has the potential to harm your business, financially, reputationally, and more.

Businesses that ignore these risks or do not adequately implement an Operational Resilience plan risk their long-term survival:

Financial risks

The financial risks of business disruption are perhaps the most easily quantifiable for organisations and can include everything from:

        1. Potential regulatory fines and non-compliance sanctions
        2. Revenue damage caused by the interruption of services, system downtime, and delays
        3. Loss of revenue as customers take business elsewhere
        4. Increased operational costs such as new security measures, data recovery efforts, and repairs to assets
        5. Longer SLAs and operational cost to maintain workaround processes whilst the business recovers
        6. Increased insurance premiums

Reputational risks

Reputational risks associated with lower consumer confidence stemming from a lack of Operational Resilience are perhaps less easily measured. Reputational risks include:

        1. Brand damage leading to lack of consumer trust and loss of market reach
        2. Negative media coverage impacting customer numbers, revenue, and morale
        3. Reputational contagion affecting associated businesses and individuals, such as partners, contractors, suppliers, and customers

Human capital risks

The most underestimated risk factor is the damage operational inefficiencies and lack of resilience can have on your employees. Higher workloads and a loss of confidence can cause:

        1. Increased levels of stress and burnout leading to employee fatigue
        2. Reduced efficiency and productivity
        3. Increased turnover of crucial staff
        4. Widening skills gaps within your organisation
        5. A difficulty in attracting new high-quality talent to your organisation

The costs of complacency and the lasting impact of ignoring risk

In April 2018, TSB experienced a series of severe disruptive incidents when the bank attempted to migrate its customers from a legacy IT system to a new platform. The migration was designed to reduce costs and improve customer service, but it went wrong, causing significant disruption for TSB customers.

In November 2022, the FCA fined TSB £48 million, one of the largest ever imposed, for its role in the IT failures. The FCA found that TSB had failed to take appropriate measures to manage the migration and had not properly tested the new platform before launching it.

Crucially, the IT failures were caused by an overall lack of Operational Resilience and a failure to manage third-party IT providers correctly. While the size of the fine is what hit the headlines, TSB is far from alone.

Big names like British Airways, Equifax and Marriott Hotels have all experienced severe data breaches that have led to financial losses, fines, and reputational damage. Most recently the Royal Mail suffered a ransomware incident that threatened to expose customer data and led to a complete inability to ship international parcels.

Ignoring the risks and failing to maintain Operational Resilience can have significant negative impacts on business continuity. Complacency could have huge long-term financial impacts beyond mere business disruption. Regulatory sanctions for non-compliance can be costly and erode consumer trust. Cyber attacks can leave your IT infrastructure in need of significant security upgrades, and pressure on employee capacity can mean increased staffing costs.

Being prepared with continuous planning for severe disruptive events is becoming part of the fabric of an organisation’s risk management. The ‘do nothing’ approach is no longer an option with the myriad of impacts that will result from a critical business disruption or outage.

Interested in more?

This blog was written by Consulting Director David Ilett, Senior Consultant Jason Pillay, and Senior Consultant Mark Odlin.

If you’d like to read more on this topic, you can download our white paper, where we also look at:

  1. Preventing and mitigating critical incidents
  2. Responding and recovering from critical incidents
  3. 8 essential questions to ask yourself to prepare for a critical incident
