Operational resiliency is a term that has been showing up within the last 12 months. Is it a new operating model, or is it a progressive model for the new operating environment in light of a pandemic? This article describes what operational resiliency is and how you can put in place an operational foundation to migrate to it.
2020 has been an exciting and trying year. The business continuity and disaster recovery staff were excited to actually implement their plans. Many organizations were ill prepared to convert their workforce from onsite to remote. Late in 2019 and going into 2020, the term operational resilience started being used, but what really is operational resilience? Formally, operational resilience is a set of techniques that allow people, processes and information systems to adapt to changing patterns or events. It is the ability to alter operations in the face of changing business conditions. Operationally resilient enterprises have the organizational competencies to ramp up or slow down operations in a way that provides a competitive edge and enables quick and local process modification. Wait, that’s business continuity and disaster recovery, isn’t it? Well, let’s look at the terms and see what we can come up with relative to how an organization can migrate to operational resiliency. Operational resiliency is becoming a key agenda item for senior management and Boards of Directors. Organizations have grown more complex to support the business need: Internet of Things (IoT), 7x24 customer support or manufacturing, and global data sharing. Malicious actors have developed methods that require organizations to monitor and operate at a high level of security and sophistication to ensure there are no severely impacting compromises.
We know that operational means things are ready for use anytime and anywhere. Security or risk personnel think of the governance, risk management, and compliance (GRC) framework the organization has implemented. Other staff think: we do have a process to move to a recovery scenario when an event is declared and something has gone wrong. Organizations should plan for the types of events that occur in the local and regional areas where they have offices or remote staff, even if their footprint is global. Many organizations forgot about a pandemic, in which everyone internally suddenly had to work remotely. Organizations had to struggle to ensure their communication lines, firewalls, virtual private networks (VPNs), and multi-factor authentication solution would work for everyone in the organization. Organizations needed to be operational from day one onward. If you look at a GRC framework, this is the capability to reliably achieve objectives while addressing uncertainty and acting with integrity. The notion of being operationally resilient requires that we understand the operational objectives of the organization and, in that context, manage the risk and uncertainty by hitting those objectives while operating within the boundaries of values and requirements set by the organization.
We know resiliency is the capacity to recover quickly from difficulties and keep the business operational. Yes, this is similar to business continuity: who are the primary support units and staff, and what are the priority systems that need to be operational to support customers, internal staff, and third parties? Many organizations have the systems to support customers, internal staff, and third parties. The issue was the resiliency of the staff who need to be online and available to support customers, internal staff, and third parties. Enter the concept of operational resiliency and what organizations should really have implemented.
What does operational resiliency need to include from an organizational viewpoint:
Organizations may say they have all that implemented, but do they really? Can they switch in less than one day from an onsite business to a remote business, supporting all functions for internal staff, customers, and third parties? Organizations cannot separate the business continuity and disaster recovery functions if they want to have operational resiliency. They need to make a smooth transition to be able to say to their staff, customers, and third parties, ‘We are here to continue our superior support for your teams.’ Organizations that have call centers with operators who are onsite will have the hardest time with the conversion, because many call centers are like clean rooms. A clean area is a “specified area in which the concentration of airborne particles is regulated and classified, and which has been designed and is being operated appropriately for regulating the introduction, formation and deposition of particles in the area.” (ISO 14644-1) Cleanroom technology for a call center includes all technical and operational measures that avoid the potential risk of information loss, which can include: no recording devices, no paper for notes, no ability to browse the Internet, no smart phones, etc. How do you quickly convert this to home-based technology overnight when it has never been done before in the organization? Organizations that work with intellectual property development, software development, or formulas of any type all need to think about how to protect that information when reacting to an event.
Why do we really need operational resilience based on business need and not necessarily technology need?
Essentially, based on the needs above, organizations need to move to operational resiliency, where they can bend, no matter what happens, but not break and stop business operations. Operationally resilient organizations will focus on a broader scope than business continuity and disaster recovery alone, integrating resilience into the risk-mitigation strategies for anything that may occur. The organization will focus on anticipation of an event, prevention (governance) and constant change, rather than on individual recovery activities. Cloud and virtual architectures and systems will be even more important, but again that brings in the supply chain, with reliance on third parties for support. Some characteristics of operational resilience are as follows:
Organizations need to ensure that senior management and the Board of Directors are thinking about operational resiliency with questions like:
So how does an organization get started with migrating to an operationally resilient framework? First and foremost, you need to start small: provide transparency for one business service to prove it can be done and make an impact on the business processes. The steps would include things similar to the following:
As an organization goes through implementing operational resiliency, it will be able to reduce its operational risk exposure, improve monitoring, respond to events with less business impact, and be more effective and efficient in the delivery of business services.
Is operational resiliency something new, or just a new term? Operational resiliency is a new term that encompasses our same processes and adds further improvement in business services, so that the organization can recover almost instantly from anything that may happen in the business or the organization’s environment. So, review your current service operational framework and see how much improvement is needed to achieve operational improvement and switch the operating environment without a great impact on business services and organizational operations.
Achieving operational resilience continues to be challenging given the increasing complexity of processes, technology infrastructure, organizational silos, and staff locations. However, the business benefits go beyond pure risk and compliance, often forming an inherent part of the value of an organization’s business services. Operational resilience requires organizations to understand how all domains (technology, data, third parties, facilities, operations, and people) impact critical service delivery and to build a consistent set of resilient capabilities and controls across these domains. Evaluating and measuring the resilience of the organization in light of the specific risks it faces requires cross-functional dependencies and specialized expertise, along with extensive coordination, collaboration, and preparation to ensure that the organization appropriately considers resilience in all activities and is ready when the worst happens. As a resilient organization, you focus on anticipation, prevention and adaptation, rather than on recovery actions once the event has happened and you are left wondering why it happened.