Operational Resilience in The Age of Cyber Risk

RUBIQ
4 min read, Feb 18, 2020

Regulators have recently put an increased emphasis on operational resilience within organizations — which can be defined as the ability of an organization to withstand and adapt to any sort of emerging risks and shocks. In July, the UK’s Financial Conduct Authority (FCA) and the Bank of England published guidelines on building operational resiliency. These guidelines include a plethora of critical advice for businesses looking to be operationally resilient, including encouraging a focus on identifying critical business services and a look at the ever-growing threat from cyber risks.

The risk management model being encouraged is to identify critical business services and report any emerging risks and disruptions that could threaten the resilience of the organization, together with their impact on those critical business services — not an easy thing to do with Excel spreadsheets and static, siloed systems!

Gaining a complete understanding of organizational and operational resilience requires a holistic comprehension of broader organizational objectives and strategy, in order to be able to manage risk and disruption in the pursuit of overall business objectives. Far too often, departments such as information security and IT focus their reporting on the technicalities of an emerging risk or disruption without outlining the potential impact on critical business services. As a result, they entirely miss the business context: they report the issue at the point where it was found rather than its connected impact throughout the business.

Regulators such as the FCA have laid out a streamlined process that all organizations can use to build a stronger operational resiliency framework which includes:

  • Identify critical business services
  • Map the processes, technologies, information, and people that support critical business services
  • Test the ability of the organization to remain within its impact tolerances, and the overall resilience of the underlying organizational foundation, such as the IT architecture
  • Communicate and plan with relevant stakeholders, such as IT teams, to prepare for any potential future incidents

Organizations have much to gain by heeding the advice of these regulators, regardless of the industry or sector in which they operate.

This business service approach allows the organization to manage the interconnection of risk functions such as information management and security, IT, third-party management, compliance, operations, performance, etc. Since operational risk management (ORM) encompasses a multitude of risk functions and departments throughout the organization, it is crucial that these functions collaborate and are integrated, so that ORM is connected to the bigger picture of operational strategy and resiliency can be achieved.

With the ever-growing threat from a potential cyberattack looming over the head of risk managers everywhere, resilience to an emerging cyber incident should take center stage in the operational resiliency framework. It is becoming increasingly critical for organizations to link emerging cyber risks to critical business services and report on potential disruptions.

An integrated information and technology architecture is critical for organizations to build a more thoughtful and strategic approach to this operational risk strategy. Organizations need complete situational awareness and visibility into risk scattered across systems, operations, processes, relationships, and data in order to fully achieve operational resiliency and to understand the full impact of risk throughout the organization holistically, including its impact on strategy, objectives, and performance.

The RUBIQ GRC online Cloud Platform is a Smart Assisted, ready-to-use tool, built by experts who know how to make the journey toward Operational Resilience easy for you and your organization!

Click here if you would like to participate in a free comprehensive EGRC & IT Governance Maturity Assessment. The assessment has been compiled by leading Enterprise GRC and Information Security, Cyber Risk and Information Privacy Governance advisory experts. It’s quick, it’s simple, and you will receive an expert and detailed report as an outcome of having done the assessment for your organization: a series of reports that can be confidently used to bring the leadership of your organization rapidly up to speed on the real exposures faced by your business!

The steps are simple:


Reimagining how organizations approach Governance Risk & Compliance