Brian Sims
Editor
Brian Sims
Editor
THE BUSINESS Continuity Institute (BCI) has issued the Operational Resilience Report 2022. Sponsored by Castellan Solutions, the comprehensive document examines the ways in which different organisations operating across many and varied sectors understand operational resilience, while also appraising the steps those businesses have taken to build resilience and whether legislation is motivating organisations to implement their processes and procedures.
More than three-quarters (ie 77.9%) of those organisations questioned have already developed – or are developing – an operational resilience programme. Although these numbers are impressive, the report reveals that, while many organisations believe they have an operational resilience programme in place, they may actually be aligning closer to the organisational resilience standard that is ISO 22316.
‘Definition confusion’ may not be an issue in itself but, for business continuity professionals who’ve been asked to implement operational resilience programmes within their own organisations, it could ultimately lead to a programme failing.
As a demonstration of this, 17.1% of respondents to the BCI’s survey that underpins this report believe there’s no need for an operational resilience programme in their organisation as they already have a business continuity programme in place. “Operational resilience is just business continuity done well” was a frequent – and somewhat concerning – response received from a number of survey participants.
Meanwhile, many respondents were concerned that these blurred lines between operational resilience and business continuity could lead to an increase in the likelihood of ‘blind spots’ forming inside their own organisation as the focus switches towards protecting external customers and markets. The importance of having a business continuity programme working in tandem with an operational resilience programme is of the utmost importance.
Impact of regulation
New regulations have supported the rise of operational resilience programmes within the financial services sector, with the UK’s Financial Conduct Authority/Prudential Regulation Authority regulation leading the way on implementation deadlines. Despite this, only one-in-five of the UK’s financial services institutions believe regulators have done enough to help them implement the regulations.
Respondents have largely pinned this to a failure in documentation, with important information spread between various sources instead of a core source document being in existence. On a positive note, though, many countries around the world are now following the lead of these operational resilience regulations and working extremely hard to implement their own variations.
It’s also important to note the influence of the regulations on operational resilience uptake, not just within the financial services realm but also outside of it. At least in part, this may be due to organisations needing to align with the operational resilience programmes of larger firmss as they form part of the latter’s important business services, but some are simply using the regulations as a framework by which to construct their own programmes.
On the agenda
When asked to what extent the risk committee, technology committee, executive committee and the Board have operational resilience appearing on the agenda, respondents said most committees discuss operational resilience on a six-monthly basis at the very least.
In the UK’s financial sector, 64% of respondents under the regulations think the impact tolerances set by their organisations are correct and will be able to be demonstrated by 31 March 2025.
Respondents identified ‘embedding operational resilience into the fabric of the organisation’ as the key challenge facing its implementation.
Guidance and Case Studies
Commenting on the research findings and the content of the new BCI report, Rachael Elliott (head of thought leadership at the BCI) stated: “This is a report our membership has long been asking for, particularly so those members operational in the banking sector. While most of the larger financial institutions that fall under the regulations have teams in place to understand, build and implement operational resilience programmes, their smaller counterparts are typically relying on Business Continuity Departments for the day-to-day running of operational resilience programmes. Many feel very alone in what they are doing and are calling on the regulators to not only provide easier-to-digest guidance, but also offer Case Studies of good practice to help them build their own effective programmes.”
Elliott continued: “Encouragingly, operational resilience is quickly becoming a term which is understood by resilience professionals. Nevertheless, we need to be cognisant of the fact that it has different, but nonetheless equally valid meanings across different sectors. There’s certainly no place for a ‘one-size-fits-all’ approach being taken towards operational resilience.”
‘Customer first’ approach
Brian Zawada FBCI, chief strategy officer at Castellan Solutions, added: “Castellan Solutions sponsored this report because the concepts and practices espoused by operational resilience have become incredibly important to organisations around the world in all sectors. Putting the customer first in terms of preventing and responding to disruption is essential.”
Zawada also explained: “Making the assumption that it’s not a question of ‘If’, but rather ‘When’ a disruption will occur is essential as well. When paired with a strong crisis management and crisis communications capability, organisations that consider the concepts in this report will be far more resilient than those who don’t. Engagement with senior leadership will excel as well.”
*Download the full report by accessing the Business Continuity Institute’s website
