How to change mindsets and build Resilience by Design

Several weeks into the COVID-19 crisis, companies have adapted to new working conditions and are now looking ahead, planning for what comes next. Across all industries, and across all countries, this crisis has highlighted the need for strong Operational Resilience embedded in the organisation. This article will take you through our key observations of the market during the crisis and the lessons we can take for Operational Resilience. We will define what Operational Resilience is and summarise the practical advice shared during our Virtual Briefing to embark on your own Operational Resilience journey.

What have we learned during the COVID-19 crisis?

The COVID-19 crisis was an unprecedented shock for most of our clients, who had to work fast to find a way to maintain minimum activity and adapt to new conditions. This transition was more or less painful depending on the existing remote working culture, processes and platforms to enable it.

Nevertheless, this real-life test of continuity measures highlighted some key challenges on operational resilience topics across multiple industries:

  • Gaps in existing communications plans, generating the need to identify missing stakeholders and craft messages in a hurry
  • Limited ability of IT solutions to scale up to serve all business needs for remote working, forcing organisations to re-think their business priorities
  • A business-first approach leading to organisations taking more cybersecurity risks whilst threats increased, thus shifting their risk appetite
  • Weaknesses in the supply chain and insufficient dependency analysis, where sometimes the primary and backup supplier were in fact sourcing from the same third party

The activities undertaken to mitigate these challenges are valuable lessons that must be leveraged today, as organisations work on their exit plans and the momentum on the topic is strong. “Quick fixes” put in place are great starting points and must be reviewed, refined and tidied up to become sustainable and form the foundation of Operational Resilience.

Why Operational Resilience?

Typically, organisations suffer from simple or conventional threats (data loss, IT incidents) and slightly more complex threats (critical application incidents, third party incidents), which they address through standard continuity measures such as disaster recovery plans and, potentially, specific playbooks and targeted crisis management plans. However, these standard continuity measures do not go far enough to address the increasing diversity and complexity of the threat landscape.

In the past few years, “extreme shocks” have multiplied: the WannaCry attack on the NHS (2017), the data breaches at Ticketmaster and Dixons Carphone (2018), the IT disruption at TSB (2018), the National Grid network power blackout (2019) and the COVID-19 pandemic (2020). “Extreme shocks” refer to highly disruptive events that are difficult to handle because of their complexity and the internal and external dependencies involved; they therefore require a dedicated and specific response, not merely a combination of existing plans.

“These examples highlight the need for organisations to be prepared for extreme shocks, whatever the likelihood.”

Today, traditional resilience faces the following challenges:

  • Lack of a pragmatic approach, with plans that are too generic or too detailed and thus ineffective during crisis situations
  • Lack of operationalisation, with capabilities that are not kept up to date in the face of new threats, and siloed programmes
  • Lack of an end-to-end, pan-organisation approach, as interdependencies within the organisation and dependencies on suppliers are not taken into account
  • Lack of business ownership, as continuity is driven by continuity teams even though the business is best placed to understand key priorities and identify key weaknesses in its value chain

“To address these challenges, a paradigm shift is required.”

First, a shift in mindset about risk is crucial: since not all operational disruptions can be avoided, companies must think about what really matters and identify weaknesses in the critical products and services that people, businesses and the wider economy rely on. A continuous testing approach is required to incrementally improve real resilience capability and to challenge how much disruption organisations can really tolerate. Crisis management communication needs to be improved in order to limit the damage caused by disruption. Finally, business stakeholders must embrace clear accountability on the topic.

Most importantly, extreme shocks should not be an operational risk that organisations can accept, nor should resilience be a simple compliance exercise: it should be embedded throughout the organisation. This is the purpose of Operational Resilience.

What is Operational Resilience?

The term has been defined in multiple ways by different regulatory bodies and frameworks (FCA, PRA, BCI, ISO and NIST). Wavestone summarises these definitions with three key pragmatic aspects:

  1. The ability of organisations to identify and analyse their real threats to understand how they could affect them (e.g. extreme physical incidents, IT disruption, data corruption and massive cyber-attack) and learn from internal and external disruptions
  2. The deployment of resilience capabilities linked and tailored to those threats, encompassing existing operational controls, ad-hoc capabilities or dedicated plans in the key domains of resilience: crisis management, third party resilience, business and IT continuity and IT recovery
  3. The implementation of monitoring capabilities and continuous processes to assess real maturity on their ability to avoid disruption caused by threats, maintain critical activities during a crisis and recover quickly in case of disruption

True resilience is only achieved if it is “by design”, meaning that the new paradigm disseminates widely and deeply into the organisation. In order to do this, we have identified 7 key success factors in our work with our clients.

7 key success factors to embed Resilience “by Design”

  1. Focus on business services and activities delivered to your clients and internal and external dependencies
  2. Deeply analyse your threats to understand how they will impact you, the ecosystem and your clients
  3. Deploy one single testing plan with 3 levels of tests: tabletop exercise, continuity live exercise and crisis simulation
  4. Leverage and augment existing capabilities aligned with the threats and operational controls in place
  5. Communicate business accountability and onboard these stakeholders at the beginning
  6. Build a resilience feature team to change the mindset and break silos
  7. Build high-quality MI (management information) to understand, arbitrate and decide

These success factors need to be kept in mind at each step of the construction of Operational Resilience, and later, continuously, in order to maintain and improve along the journey. But how can companies begin this journey now?

Change the paradigm: where to start?

As companies recover from COVID-19 and work on leveraging learnings from the crisis to accelerate their journey to operational resilience, Wavestone has put together a checklist of key questions they should ask themselves to assess their readiness to start the move to Operational Resilience.

  • What are the threats I should consider? What are the potential impacts of extreme shocks?
  • What is my learning process to analyse external or internal crises and take away lessons?
  • How do I model my end-to-end business value-chain and identify what is critical (pan-enterprise oriented approach)?
  • What are other metrics to define my tolerance other than the duration of disruption?
  • How can I make the mapping of assets and dependencies sustainable?
  • Are my ad-hoc Operational Resilience capabilities mature enough to maintain and recover from an extreme shock?
  • What are my operational controls? What is their level of maturity?
  • What are the scenarios to test this year?
  • What are my different committees to talk about Resilience? What is my RACI for Operational Resilience?
  • How do I measure and monitor my level of maturity to avoid, maintain and recover against a given threat?
  • What is my 3-year strategy and my 12-month roadmap?

These questions are designed to be a starting point; answering them requires collaboration between all stakeholders of Operational Resilience and will enable you to start your journey with the right mindset: collaboratively, and with the sustainability of everything you put in place as a first priority.

Mathieu Couturier

Manager

When we talk about resilience and crisis, we are used to saying, “it is not a matter of if but of when”. This is emphasised by the current COVID-19 crisis and the growing number of cyber-attacks. At Wavestone, we believe operational resilience is a real opportunity to deploy a new culture, to enable the work that has been carried out for many years to converge, and to fill the gaps proactively so as to protect your company and your customers from harm in tomorrow’s crises.

When we hosted our Virtual Briefing, we received many questions on topics such as the different Operational Resilience frameworks, how to design efficient testing and crisis simulation exercises, how to increase resilience with robust operational controls, and the influence of people and behaviours on resilience. We will be publishing further articles on these topics in the coming months to help you along your journey. In the meantime, don’t hesitate to reach out to our experts to discuss further.