What is Business and Operational Resiliency?

Written by The GRC Pundit

Published on2021-02-25Updated on2021-02-25Discussion4 Comments on What is Business and Operational Resiliency?

Firms globally and across industries are focusing on resiliency. The organization has to maintain operations in the midst of uncertainty and change, and this is becoming a key regulatory requirement in some industries (e.g., financial services). This requires a holistic view into the objectives and performance of the organization in the context of uncertainty and risk. Organizations are striving for business and operational resiliency that requires integration and symbiotic interaction of risk management and business continuity. The organization in 2021 has to be a resilient organization with full situational awareness of the interconnected risk environment that impacts them. 

I am seeing a lot of interest in risk management and resiliency in my research. In this context, I come across the terms business resiliency and operational resiliency. There is a difference between business resiliency and operational resiliency. I see solution providers using these terms as either synonym, or I see some make the mistake thinking that operational resiliency is for financial services and business resiliency is for other industries. This mistake is because of the operational resiliency regulations in the financial services industry. The reality is that all industries have operations and processes and therefore have operational resiliency concerns. All organizations have business resiliency needs as well. There is not one organization that does not have business and operational resiliency needs.

What is the difference?

Business resiliency is broad, it includes the resiliency in the organization’s strategy, liquidity/cash, diversity/hedging, and operations. So operational resiliency is part of business resiliency just as its counterpart operational risk management (ORM) is part of, but not the same as, enterprise risk management (ERM). 

Here is how I differentiate the two and show that business resilience is broader than operational resiliency but also includes operational resilience.

• Business resilience is focused on the overall resilience of the organization, which includes strategy, liquidity/cash, diversity/hedging, culture/integrity, and operational resilience.
• Operational resilience is a component of business resilience focused on internal processes, services, people, systems, and relationships.

Let’s Dive Deeper into Operational Resilience

Operational resiliency is not business continuity 2.0. It is much more than that. Operational resiliency is an integrated effort that requires collaboration, processes, and information/technology shared between operational risk management, business continuity management, and even third-party GRC/risk management (for example, the FCA/BoE/PRA guidance on operational resiliency references third-party/vendor risk throughout the document).

As for definitions, let’s look at how the financial regulators define operational resilience and I will give you my opinion which is the best definition:

• UK FCA: We define operational resilience as the ability of firms and FMIs and the financial sector as a whole to prevent, adapt, respond to, recover and learn from operational disruptions.
• EU DORA: ‘digital operational resilience’ means the ability of a financial entity to build, assure and review its operational integrity from a technological perspective by ensuring, either directly or indirectly, through the use of services of ICT third-party providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity makes use of, and which support the continued provision of financial services and their quality.
• US OCC: Operational resilience is the ability to deliver operations, including critical operations and core business lines, through a disruption from any hazard. It is the outcome of effective operational risk management combined with sufficient financial and operational resources to prepare, adapt, withstand, and recover from disruptions.
• Basel Committee on Banking Supervision: The Committee defines operational resilience as the ability of a bank to deliver critical operations through disruption. This ability enables a bank to identify and protect itself from threats and potential failures, respond and adapt to, as well as recover and learn from disruptive events in order to minimise their impact on the delivery of critical operations through disruption. In considering its operational resilience, a bank should take into account its overall risk appetite, risk capacity and risk profile.

Granted these definitions are focused on financial services, so let’s evaluate them objectively in a context that crosses industries (strip out the financial services specific language). 

My least favorite definition is the EU’s DORA (digital operational resilience act). This is because it focused specifically and exclusively on digital operational resiliency. Operational resiliency is so much more than the depths and bowels of the IT department, technology, and information. Operational resiliency is also about people, processes, services, and third-party relationships. I also find the definition to be very reactive and not proactive.

Next in my order of least to best definition is the Basel definition. It is stuck in the idea of disruption and recovery, but has a broader view than DORA and does include elements of risk management. It is also another definition that is more reactive than proactive.

The US Office of the Comptroller of the Currency (OCC) definition is better. I like the fact that it specifically leads with operational risk management and takes it out of a pure business continuity context. This is good, but not good enough. I find the definition still a little weak as it is still focused on prepare and recover from disruption, a reactive approach.

The UK Financial Conduct Authority provides the best definition, and I love this definition. It is the shortest definition, but the only one that takes a strong risk management approach to operational resiliency. It is the only definition that mentions PREVENT as organizations can monitor and address situations before they impact the organization (at least in some situations). The idea of PREVENT gives a strong governance focus to this that ties into objectives and strategy to navigate the organization to manage uncertainty, a concept of agility to avoid disruption. The other element I love about this definition is that it references LEARN as well, so the organization learns from events and disruption so it does not repeat the same mistakes.

The United Kingdom wins again. I personally am a fan of regulations that come out of the United Kingdom (and nearly half my interactions are in the UK). The UK brought us principle/outcome-based regulations back in the FSA days (before the FCA), which then became EU better regulatory policy. The UK is leading in accountability regime regulation with the UK SMCR and now we have Australia BEAR, Ireland SEAR, Hong Kong MIC, and Singapore IA that have followed suit. The UK FCA is leading the world in digitizing the rulebook and regulations. More work is going into the UK Modern Slavery Act with greater requirements and enforcement penalties expected. Now I have digressed into other areas . . .

What are your thoughts on business and operational resiliency? How are they different? How are they related? How would you define them?