The Five Pillars of Operational Resilience

The Basel Committee on Banking Supervision defines operational resilience as “the ability […] to deliver critical operations through disruption”. This could not be more succinct. Like all abilities, it takes time and effort to get good at it. Here is a brief view of the key elements that collectively deliver resilience for an organization and where attention needs to be focused to ensure the ability and capabilities are developed.

The five key ‘pillars’ of resilience are:

  • Risk Management
  • Information Security (including Cyber Security)
  • Incident Management (including Crisis Management)
  • Business Continuity
  • Disaster Recovery

Let us take a closer look at each of these.

Risk Management

Know what threatens the continued delivery of services! What defences (controls) do you have in place today? Are they effective? Can you do more to prevent undesirable “risk events”? A useful starting point for this is to consider a disruption and what could cause it. For example:

  • a utility failure
  • a power outage
  • a loss of the use of your building because of fire, flood, storm, etc.
  • a significant reduction in the number of available personnel (through pandemic, strike action, or some other event)

or

Have you done all that you can to prevent an undesirable outcome? And then, what if it does happen anyway? Do you have a plan to mitigate the consequences?

Information Security

Information Security has its own pillar because almost all functions or activities are dependent to some extent on technology. Information Security is about protecting the Confidentiality, Integrity, and Availability (CIA) of information, and doing this requires skill and knowledge. The NIST Cybersecurity Framework is a useful tool to guide activity in this area. Identify, Protect, Detect, Respond and Recover are the five key sub-areas that make up this framework. ‘Identify’ is important because an information asset you might not have identified may go unprotected. ‘Respond’ is the other element I would highlight here because without a considered response plan, downtime is likely to be triple what it might have been had one been in place.

Incident Management

When you do have an incident (be it minor or significant) you will recover faster if you have considered that event, or a similar one, in a scenario exercise. The nature of the incident will determine the response required, the personnel required to address the disruption, and the external parties that are critical to the resolution of the incident. For example, if the incident is significant and generates public interest you will need to be ready to ‘go on camera’ and communicate your concern, commitment, and control of the incident.

Business Continuity

When a disruption happens, two teams are usually formed: the first manages the incident and prevents it from becoming a disaster; the second is the business continuity team, which works to ensure that key systems are recovered within the agreed timeframes and that the organisation can continue to deliver services and/or products at acceptable predefined levels. The risk assessment will already have identified the critical activities and their dependencies; scenario testing will have validated the plans. Roles and responsibilities will have been established, as well as the succession of authority in the event that certain individuals are not available.

Disaster Recovery

The fire is out, the flood has receded, the cyber-attack has been repelled. Now begins the ‘Recovery’ phase. The ‘Continuity’ phase may be supported by temporary resources (people, equipment and facilities) so this phase needs to be kept as short as possible. It may take days, weeks or even months to get back to normal and the eventual outcome will benefit from prior planning. Consider the following in your recovery plans: building repair; server / PC / laptop repair/replacement; dealing with backlogs; preparing insurance claims; and planning the phased return of employees.

When you do have an incident, large or small, take time to review what you learned during it and how your new knowledge can be used to improve your plans. Better still, share your learnings with your peers and ask them to share theirs in return. Clever people learn from their experiences; really clever people learn from other people’s experiences.

Contact us to learn more about how CalQRisk can assist with your operational resilience efforts.
