I am sitting in a pub in London having a pint after an intense week of interactions with organizations. My mind is laser focused on the burning issue of the day: operational resiliency.
The FCA, PRA, and Bank of England have recently released a discussion paper focused on the need to build greater operational resilience in organizations. This challenge is much broader than just the United Kingdom and financial services; it is an issue that crosses the globe and industries. How do we build resiliency in our business to risk and disruption?
Today’s organization is complex and chaotic—in a constant state of metamorphosis. Keeping complexity and change in sync is a significant challenge for operational risk management functions. Consider that the modern organization is:
- Distributed. Traditional brick-and-mortar business is a thing of the past: Physical buildings and conventional employees no longer define organizations. The organization is an interconnected mesh of relationships and interactions that span business boundaries with distributed operations complicated by a web of global relationships.
- Dynamic. Organizations are in a constant state of change. Distributed business operations are growing and changing at the same time the organization attempts to remain competitive with shifting business strategy, technology, and processes while keeping current with changes in risk and regulatory environments around the world. The multiplicity of risk environments an organization monitors spans regulatory, geopolitical, and operational risks across the globe.
- Disrupted. The intersection of distributed and dynamic business brings disruption. Change (dynamic business) combined with complexity (distributed operations and relationships) means the organization is easily disrupted. Organizations are attempting to manage high volumes of structured and unstructured risk information across multiple systems, processes, and relationships to see the big picture of performance, risk, and compliance. The velocity, variety, and volume of risk is overwhelming—disrupting the organization and slowing it down at a time when it needs to be agile and fast.
In defining operational resiliency, I can think of nothing stronger than leveraging the OCEG definition for governance, risk management, and compliance (GRC): the capability to reliably achieve objectives, while addressing uncertainty, and to act with integrity. To be operationally resilient requires that we understand the operational objectives of the organization and, in that context, manage the risk and uncertainty in hitting those objectives while operating within the boundaries of values and requirements set on the organization.
Achieving operational resiliency requires a connected view of risk to see the big picture of how risk interconnects and impacts the organization and its processes. A key aspect of this is the close relationship between operational risk management (ORM) and business continuity management (BCM). It baffles me how these two functions operate independently in most organizations when they have so much synergy.
Connecting ORM and BCM is just part of achieving operational resiliency. To be resilient requires that the organization also manage the intersection of compliance, information security, business operations/processes, performance, third-party management, and other risk functions. Operational risk management is an umbrella covering a lot of risk departments that have historically operated in silos. These silos need to collaborate and connect in a broader operational risk strategy focused on the operational resiliency of the organization.
Managing operational risk activities in disconnected silos leads the organization to inevitable failure. The decentralized and disconnected systems of the past leave the organization caught off guard by risk. The complexity of business and the intricacy and interconnectedness of risk require an integrated approach. Silos of risk fail to actively manage risk and leave the organization blind to the intricate relationships of connected risk across the organization. An ad hoc approach to operational risk management results in poor visibility across the organization and its control environment because there is no framework or architecture for managing risk as an integrated part of the business.
Distributed, dynamic, and disrupted business demands a strategic approach to operational risk strategy and process enabled with an integrated information and technology architecture. The organization needs complete situational awareness of risk across operations, processes, relationships, systems, and information to see the big picture of risk and its impact on organization performance and strategy.
This article is connected to an associated GRC Illustration and roundtable that GRC 20/20 collaborated with OCEG and Refinitiv to produce. I encourage you to download the detailed GRC Illustration on Connected Management of Operational Risk Prevents Disruption and the related roundtable discussion on this topic.
Well said Michael!
You’ve inspired me to blabber on along similar lines (https://blog.noticebored.com/2018/12/nblog-dec-7-whos-owns-silos.html)
My rant was also a response to an old friend and colleague who is pushing the opposite approach, namely studiously ignoring everything that isn’t absolutely essential to infosec, reducing it to its very core … although to be fair, that’s in the context of achieving ISO/IEC 27001 certification, where focusing on the specific goal is arguably appropriate. [I’m not entirely convinced but I appreciate his perspective!].
I receive your newsletter, and I also participate in many forums about autonomy (human beings, not machines), self protection, health, trends alloy, learning process, effective management; even for a small town or a factory.
Your observations are quite right!