Operational Resilience (OR) is about preparing a business or organisation for things which are unlikely to happen, but which can have a devastating effect if they do.
All too often businesses have dismissed this sort of planning as unnecessary. After all, what’s the point in planning for something that’s never going to happen? But as the last few years have shown us, these previously “impossible” events – from a container ship getting stuck in the Suez Canal to the global financial crisis, from a pandemic to the sudden withdrawal of companies from Russia – can and do happen, even in quick succession.
At Wavestone one of our OR focuses is on cyberattacks, which are a growing threat. There have been several attacks over the last few years which have stopped companies functioning for weeks and even months. Our job is to help companies plan how to survive an attack and grow again afterwards.
During 2022, I noticed that people have really woken up to the need for OR planning, thanks in no small part to the fact that authorities in the UK, the EU and Asia have begun to create regulations which require companies – banks and insurers especially – to show their preparedness. The UK has led the way and now the EU is following suit with its Digital Operational Resilience Act (DORA). In Asia, countries are developing their own individual responses, and the same thing is beginning to happen at a state level in the US.
This is a good thing: it forces companies to act, and it means OR is on the agenda at board meetings across the world. Nobody can ignore operational resilience any more, because it’s illegal to do so.
There are some really well-considered, sensible requirements in the regulations which are completely in tune with the way companies need to consider their resilience. We advise people to concentrate on each of their functions and think about the bare minimum their business needs to operate. And this varies a lot between companies and sectors. For example, a bank can’t function at all if its IT function fails. But in the same situation, a sportswear manufacturer can keep itself alive by selling the shoes it has in its inventory – even if it can only accept cash and has to write every receipt by hand!
It’s important for businesses to remember that complying with regulations doesn’t mean they’re truly resilient. Even if it puts you on the right path, simple compliance shouldn’t be seen as the final destination. And if all you’re focused on is meeting your obligations, it’s difficult to see the bigger picture. That’s our challenge for the next few years.
As we begin 2023, I see different levels of preparedness in terms of operational resilience across the globe. It’s most advanced in the UK and, as mentioned above with the creation of regulations, just starting in the rest of Europe, while in many regions it’s rarely addressed. There are companies which have encountered and dealt with actual catastrophes, and there are companies which have taken the decision to address resilience independently because they know it makes them stronger.
What I would like to see this year is for more companies to take this approach. I think the key is to make regulations robust and standardized in the way GDPR has been standardized, but for them to remain sensible and pragmatic.
Companies will have to decide where OR sits in their organization. This will vary according to the company and its attitude. Will they have a Chief Resilience Officer, or will resilience be a part of Risk, Information Security or some other function? Most companies already have Business Continuity Planning, which tells them how they will respond to a crisis and get back to where they were before. While OR is about much more fundamental threats than that, it could be an evolution of this role.
But perhaps the most important thing companies need to do right now is to consider exactly what they would do if the worst happened.
It’s one thing to have a plan. But if you’re going to move your business to Frankfurt when there is an earthquake in Paris, it’s important the people in Germany know what they’re expected to do. Every plan should be tested and practised by the people who could be responsible for keeping your company alive. This is the difficult part, and most businesses haven’t yet done it. The year 2023 is the perfect time to make that change happen.