With most firms now having dedicated functions in place to deal with operational resilience it is becoming more important than ever to establish end-to-end capabilities that feed into the larger BAU (Business as Usual) processes. These help to ensure all requirements are being captured and given due consideration. Governance models, training and culture, tooling strategies are all integral parts of an operational resilience function but are liable to fall short without a tailored MI (Management Information) capability.
Management information enables all metrics and reporting items to be captured in a single medium to drive decision making for the collective operational resilience function.
Understanding the benefits and success criteria of an MI model within an operational resilience function
MI (Management Information) and the governance it enables are critical to managing an organisation’s operational resilience. It provides decision makers with the visibility of where the key risks map to the respective IBS (Important Business Services), where they should focus their attention and what the biggest gaps in the contingency plans and recovery capabilities are. Some features of a well-constructed MI model include:
- The quantity of IBS and the related processes they envelop
- How many of these IBS are considered critical according to the predefined metrics
- The scope of the dependencies of these IBS (IT Apps, HR, Third Parties)
- The existence and level of detail of any BCP (Business Continuity Plan)
There are several factors which can gauge the effectiveness of an MI model. Some of these key indicators include but are not limited to
- Leadership team have a clear view on the present-day resilience of the organisation as well as historical framing and forecasted resilience over time
- Stakeholders feel engaged, feel they can input effectively, and can isolate the data within the MI model that reflects their area of focus
- The derived resilience metrics improve over time
Features and prerequisites of an effective MI model
A MI (Management Information) model is only as strong as the data used to build it and underpin the respective insights. Without a level of thoroughness towards the source and quality of the data, any insights would not prove actionable. Practically speaking, clients vary in maturity when it comes to data quality. The key is to understand that data quality is a journey, something to build on iteratively. On this journey there are several areas that need to be addressed.
For the model to be effective it needs to encompass data inputs from all areas of the business. Were there to be a missing IBS or an incomplete DRP then the accuracy of the model can be called into question.
Any insights drawn from the MI model need to be an accurate reflection of the organisation at that point in time. For this to be so, the underlying data model should be subject to regularly scheduled updates and data refresh cycles.
As well as the regular refresh it is vital for the operation of an MI model that the agreed upon level of data is provided at the agreed-on refresh date. Any variation in the data format or refresh cadence would lead to incompatibilities with the model and lead to the loss of that specific business unit’s insight and the relationships as they map to the other areas of the business.
Any data proved should be subject to comprehensive quality control to ensure an accurate reflection. False data could prove detrimental to ongoing resiliency efforts in the event of an actual crisis.
A comprehensive understanding of the target audience is also key when establishing a MI model. More specifically, the different use cases need to be fleshed out as a precursor to help understand the different MI “views” that may need to be created as part of the model.
Conclusion
Having the ability to automate an organisational responsibility as forward-facing as operational resilience is highly desirable. A well-established MI model is a key contributor to this as the level of visibility it enables drives educated remediation efforts. With the necessary buy-in from key stakeholders it embeds resilience within the culture of the company, making subsequent changes to operational resilience regulations or the organisation at a wider scale, that much easier to incorporate to the existing model going forward.