Operational Resilience – The “new kid on the block” or risk management reinvented?
The Choluteca Bridge, Honduras
By: David Tattam - Director of Research and Training - The Protecht Group
Even prior to the COVID-19 crisis, the term “operational resilience” was creeping into the risk managers vernacular. Driven primarily out of the UK and the Bank of England’s focus on operational resilience during 2019, the concept of operational resilience was thrust upon the banking world. More recently on 6 August 2020 the Basel Committee for Banking Supervision published its consultative paper on principles for operational risk and operational resilience.
Then came COVID-19 which pushed “resilience” to the forefront of every organisation’s thinking, not just the banks, and it became “real” both at an organisation and personal level. How will we be affected? How will we cope? What will we look like after the pandemic?
We all now have a clearer practical view of what organisational and personal resilience means and now its time to take a pragmatic view of our resilience and learn from the pain of being stretched and pushed in ways we have not experienced before.
This article looks are:
1. The meaning of “Operational Resilience”
2. The key features that affect the level of an organisation’s operational resilience
The meaning of “Operational Resilience”
One of my favourite definitions is from Technopedia.
“Operational Resilience is both a process and a characteristic of an organization to adapt rapidly to changing environments and needs. It is an organizational trait that allows it to carry out its mission or business despite the presence of operational stress and disruption. In other words, it is the organization's ability to handle and control external factors that may hinder it from functioning”
The recent Basel Banking paper states that operational resilience “enables a bank to identify and protect itself from threats and potential failures, respond and adapt to, as well as recover and learn from disruptive events in order to minimise their impact on the delivery of critical operations through disruption.”
The key objectives of operational resilience are therefore to be able to withstand, respond to, recover from and adapt to large stressful events / disruptions. This requires:
- Withstand: Have adequate buffers across all of your key “capitals”.
- Respond: Have a comprehensive and well planned and practiced crisis plan.
- Recover: Have adequate focus on the disaster recovery and business continuity plans to recover after the crisis has run its course.
- Adapt: Have the ability to quickly adapt the organisation to a changed world, both to a short term temporary change and also a long term permanent change. The keyword in COVID-19 has been to “pivot”i.e. to adapt
The key features that affect the level of or an organisation’s operational resilience
The key features that impact the level of organisational resilience are:
a) Understanding the shocks that we need to be resilient to
The organisation needs to be aware of, and fully understand, the various shocks to which it is vulnerable. These will typically include
- Pandemics / Infectious diseases
- Acts of nature (weather, natural disaster)
- Human-made accidents
- Cyber Attacks – Data and systems
- Technology Failures including Information/communication breakdown
- Asset shortage (Food, Water)
- Climate Change
- Environmental – Bio-diversity Loss
- Conflicts and weapons
- Social Action
- Space threats - Solar Flares, Asteroids
This requires a rigorous stress testing capability to ensure severe but plausible scenarios are analysed based on assumptions that are based on the best knowledge available.
Check this FREE ASSESSMENT TOOL - Assessing Your COVID-19 Organisational Health
b) Understanding the strength of your operational capitals
“Capital” acts as the final internal buffer an organisation has between the net impact it experiences after taking into account all of its controls including insurance and risk management and failure. It is the back stop, the last resort. After the “capital” is used up, other than external (government, third party) assistance, it will fail.
So, what are the capitals? An organisation’s capitals will depend on the specific nature of the business and operations. They can be determined by considering which “assets”, financial, non-financial and intangible the business has on which it relies and with the serious degradation or loss of those assets, the organisation is in serious trouble. The typical capitals are:
- Equity: The amount of financial capital we are able to lean upon to use to cover losses before liabilities exceed assets and the organisation is insolvent.
- Cashflow: The amount of funds and cash available to cover losses and cash requirements.
- Physical Assets. This includes land, buildings, infrastructure, plant and equipment, stock, supplies etc.
- Supply Assets. This covers supply chain.
- Natural Assets. This covers natural assets including water, air, flora, fauna etc.
- Process Assets. This covers the processes used for supply, manufacturing and delivery.
- Human Capital: The human resources including our people, knowledge, culture, team cohesion etc.
- Social Capital: The extent of the social licence we have to operate and how robust that licence is in times of stress. This includes brand and reputation.
- Intellectual Capital: This covers such things as patents, copyrights, software, licences
- Relationship Capital. This covers third-party relationships covering all key external stakeholders.
- Customer Assets. The customer relationships and customer supply contracts and customer demand.
c) Understanding the interconnections and interdependencies in your processes and risks
It is critical that all operational interconnections and interdependencies are understood. An end to end process is as strong as the weakest link. There is no value in making certain operational components resilient when interconnected and interdependent operational components are not resilient.
There is no better illustration of this than the Choluteca Bridge in Honduras. The bridge was built to be resilient against the extreme weather likely to be experienced in the area. Hurricane Mitch arrived and the bridge survived. The problem was the roads either side of the bridge did not, and the rivers’ course was changed so it no longer spanned the river. A resilient piece of process but rendered useless as the end to end process was not equally as resilient!
d) Ensuring that our crisis management plans, contingency plans including BCP and DRP are adequate.
We must have in place an adequate range of plans to cover the severe but plausible scenarios discussed above. These plans must be regularly updated and practiced to ensure they will operate effectively when called upon to do so.
In many aspects, operational resilience is an overall outcome of good enterprise risk management. When risks are well understood and documented, and adequate controls applied to those risks, a level of operational resilience will result. It is therefore not a new concept but part of our existing ERM frameworks. Operational Resilience is not the “new kid on the block” but it does require a specific focus to ensure our ERM frameworks adequately pick up the elements discussed here.
Above all else, it should be considered part of your overall ERM process and your level of operational resilience will be a by-product of how well your ERM frameworks and supporting processes and systems stack up.
1. Download our free COVID-19 organisational health assessment tool to help you manage the various COVID-19 related issues across your organisation.
2. Webinar series recordings: COVID-19: Applying Enterprise Risk Management Thinking. In partnership with the RMIA and Protecht. https://info.protechtgroup.com/covid-19-applying-enterprise-risk-management-thinking-webinars-all-industries
3. Blog articles and other resources: Managing Enterprise Risk and Compliance in a COVID-19 World. https://www.protechtgroup.com/managing-risk-and-compliance-in-a-covid-19-world