11th May 2023
Operational Resilience is defined as an organisation’s ability to withstand and recover from disruptive events while maintaining continuous business operations. Operational Resilience can be built on existing practices of disaster recovery (DR) and business continuity planning (BCP). However, achieving Operational Resilience requires the whole organisation to play a part by:
Furthermore, businesses must continually monitor their Operational Resilience plans and procedures, keeping them up-to-date and effective in the face of changing circumstances and emerging threats. It also requires senior executives to buy into and embrace the importance of Operational Resilience, prioritising it to guarantee customer trust, prevent brand damage, protect from financial losses, and comply with regulations.
In recent years the context surrounding Operational Resilience has shifted. Many businesses now have maturing hybrid working capabilities, and this change has brought its own new operational risks. Increased use of Cloud technology has increased businesses' reliance on off-site data storage and systems, and consumer reliance on digital services has increased as well. The biggest threat to Operational Resilience is now a cyber attack.
Consumers and regulators are also more sensitive to service disruptions caused by lack of Operational Resilience. There is a greater expectation that service providers take all necessary steps to secure their systems and protect against cyber threats.
As a result, businesses have become focussed on protecting against cyber security threats, but this has meant a reduced ability to protect against and respond to physical disruptions.
To best protect your business, it’s important to understand the biggest threats to business continuity, such as:
Cyber attacks can cause disruption to critical IT systems and compromise the confidentiality of their data. The biggest cyber security threats include hacking, phishing and malware, which can compromise data and systems, causing business disruption and financial loss:
Source: Cyber Security Breaches Survey 2022
Network outages, hardware failures and software bugs can all cause downtime to IT systems and disrupt services.
There is always increased risk when you are not in direct control of a service. Third-party providers deliver a myriad of services, and outages at those providers will affect the ability of an organisation to deliver key business functions.
Damage to physical infrastructure affects both organisations and their third-party providers, causing disruption to operations. The same damage can impact the ability of employees to carry out their work.
This is particularly damaging when processes do not exist or are not well defined.
Delays or shortages of materials can impact the ability to provide products and services.
Threats will continue to evolve as technology and business operating models develop. Therefore, to act as quickly and effectively as possible, you need to assess the threat landscape regularly, adapt plans to best practice, incorporate employee training and create incident response plans accordingly.
It is essential for robust disaster recovery and business continuity that your third-party providers, suppliers and partners also have Operational Resilience procedures and plans in place.
While technology can provide some level of security, companies must test their overall resilience through:
– DR and BCP
– Critical incident scenario modelling
– Verification that third-party providers have established contingency plans in case of disruptions
The regulatory landscape is ever changing as regulators grapple with developing circumstances and consumer needs. In the UK, regulators are focused on establishing a regulatory framework to help businesses measure and adapt their Operational Resilience capabilities. While different industries and sectors are governed by their own regulations and best practices, critical third parties are likely to fall under these regulations.
In March 2022, following a period of review, the Bank of England, FCA and Prudential Regulation Authority (PRA) announced a new Operational Resilience Framework for firms stating:
“Ensuring the UK financial sector is operationally resilient is important for consumers, firms, and financial markets. Operational disruptions can cause wide-reaching harm to consumers and pose a risk to market integrity, threaten the viability of firms and cause instability in the financial system.”
This framework sets out guidelines to help businesses identify important services, set impact tolerances, map and test interdependencies, and develop response and recovery plans. A deadline of March 2025 has been set for businesses to have assessed and developed their scenario testing capabilities to mitigate severe impacts on key client-facing services.
These regulations will continue to evolve, with further guidance proposed on outsourcing and third-party risk management as regulators recognise the increasing reliance on third-party providers for uninterrupted delivery of important business services.
Other regulatory bodies outside the UK are also looking to develop and expand their regulations around Operational Resilience. In the EU, the Digital Operational Resilience Act (DORA) addresses ICT risk and sets rules on ICT risk management, incident reporting, operational resilience testing and ICT third-party risk monitoring. The US prefers a more guideline-centred approach, using existing risk management rules to set individual organisational standards around resilience.
Businesses must also comply with data protection laws such as GDPR in the EU, which requires businesses to take appropriate technical and organisational measures to protect personal data. Firms may also be contractually obligated to protect their customers’ data and to maintain a certain level of Operational Resilience. If a business fails to meet these obligations, it faces sanctions, fines or licence revocation that can severely limit its operations.
Alongside substantial fines, failing to comply with industry compliance best practice and national or international regulatory standards can lead to time-consuming audits or investigations and open your business up to liability action from consumers and business partners.
In the face of increased public and regulatory expectations, businesses must do more to secure their Operational Resilience and protect against threats. Even if your business or industry is not heavily regulated, poor Operational Resilience has the potential to harm your business, financially, reputationally, and more.
Businesses that ignore these risks or do not adequately implement an Operational Resilience plan risk their long-term survival:
The financial risks of business disruption are perhaps the most easily quantifiable for organisations and can include everything from:
Reputational risks associated with lower consumer confidence stemming from a lack of Operational Resilience are perhaps less easily measured. Reputational risks include:
The most underestimated risk factor is the damage operational inefficiencies and lack of resilience can have on your employees. Higher workloads and a loss of confidence can cause:
In April 2018, TSB experienced a series of severe disruptive incidents when the bank attempted to migrate its customers from a legacy IT system to a new platform. The migration was designed to reduce costs and improve customer service, but it went wrong, causing significant disruption for TSB customers.
In November 2022, the FCA fined TSB £48 million, one of the largest fines it has ever imposed, for its role in the IT failures. The FCA found that TSB had failed to take appropriate measures to manage the migration and had not properly tested the new platform before launching it.
Crucially, the IT failures were caused by an overall lack of Operational Resilience and a failure to manage third-party IT providers correctly. While the size of the fine is what hit the headlines, TSB is far from alone.
Big names like British Airways, Equifax and Marriott Hotels have all experienced severe data breaches that have led to financial losses, fines, and reputational damage. Most recently the Royal Mail suffered a ransomware incident that threatened to expose customer data and led to a complete inability to ship international parcels.
Ignoring the risks and failing to maintain Operational Resilience can have significant negative impacts on business continuity. Complacency could have huge long-term financial impacts beyond mere business disruption. Regulatory sanctions for non-compliance can be costly and erode consumer trust. Cyber attacks can leave your IT infrastructure in need of significant security upgrades, and pressure on employee capacity can mean increased staffing costs.
Being prepared with continuous planning for severe disruptive events is becoming part of the fabric of an organisation’s risk management. The ‘do nothing’ approach is no longer an option with the myriad of impacts that will result from a critical business disruption or outage.
This blog was written by Consulting Director David Ilett, Senior Consultant Jason Pillay, and Senior Consultant Mark Odlin.
If you’d like to read more on this topic, you can download our white paper, where we also look at: