The Five Pillars of Operational Resilience

The Five Pillars of Operational Resilience

The Basel Committee (on Banking supervision) defines operational resilience as “the ability […] to deliver critical operations through disruption”. This could not be more succinct. Like all abilities it takes time and effort to get good at it. Here is a brief view of the key elements that collectively deliver resilience for an organization and where attention needs to be focused to ensure the ability and capabilities are developed.

The five key ‘pillars’ of resilience are:

  • Risk Management
  • Information Security (including Cyber Security)
  • Incident Management (including Crisis Management)
  • Business Continuity

and

  • Disaster Recovery.

Let us take a closer look at each of these.

Risk Management

Know what threatens the continued delivery of services! What defences (controls) do you have in place today? Are they effective? Can you do more to prevent undesirable “risk events”? A useful starting point for this is to consider a disruption and what could cause it. For example:

  • a utility failure
  • a power outage
  • a loss of the use of your building because of fire, flood, storm, etc.
  • a significant reduction in the number of available personnel (through pandemic, strike action, or some other event)

or

Have you done all that you can to prevent an undesirable outcome? And then, what if it does happen anyway? Do you have a plan to mitigate the consequences?

Information Security

Information Security has its own pillar because almost all functions or activities are dependent to some extent on technology. Information Security is about protecting the Confidentiality, Integrity, and Availability (CIA) of information, and doing this requires skill and knowledge. The NIST Cyber Security Framework is a useful tool to guide activity in this area. Identify, Protect, Detect, Respond and Recover are the five key sub-areas that make up this framework. ‘Identify’ is important because an information asset you might not have identified may go unprotected. ‘Respond’ is the other element I would highlight here because without a considered response plan, downtime is likely to be triple what it might have been had one been in place.

Incident Management

When you do have an incident (be it minor or significant) you will recover faster if you have considered that event, or a similar one, in a scenario exercise. The nature of the incident will determine the response required, the personnel required to address the disruption, and the external parties that are critical to the resolution of the incident. For example, if the incident is significant and generates public interest you will need to be ready to ‘go on camera’ and communicate your concern, commitment, and control of the incident.

Business Continuity

When a disruption happens there are usually two teams formed: the first manages the incident and prevents it from becoming a disaster, the second is the business continuity team which works to ensure that key systems are recovered within the agreed timeframes and that the organisation can continue to deliver services and/or products at acceptable predefined levels. The risk assessment will already have identified the critical activities and their dependencies; scenario testing will have validated the plans. Roles and responsibilities will have been established as well as the succession of authority in the event that certain individuals are not available.

Disaster Recovery

The fire is out, the flood has receded, the cyber-attack has been repelled. Now begins the ‘Recovery’ phase. The ‘Continuity’ phase may be supported by temporary resources (people, equipment and facilities) so this phase needs to be kept as short as possible. It may take days, weeks or even months to get back to normal and the eventual outcome will benefit from prior planning. Consider the following in your recovery plans: building repair; server / PC / laptop repair/replacement; dealing with backlogs; preparing insurance claims; and planning the phased return of employees.

When you do have an incident, large or small, take time to review what you learned during it and how your new knowledge can be used to improve your plans. Better still, share your learnings with your peers and seek reciprocation of sharing. Clever people learn from their experiences; really clever people learn from other peoples’ experiences.

Contact us to learn more about how CalQRisk can assist with your operational resilience efforts.

Recent News

6 things you need to know about the Individual Accountability Framework (IAF)

The Central Bank of Ireland has recently released regulations and guidance on the Individual Accountability Framework (IAF). Here ...
Read More

Paysend chooses CalQRisk as their Risk Management Solution

Paysend, a next generation integrated global payment ecosystem, has recently implemented the CalQRisk solution in order to enhance ...
Read More

ESG and Sustainability Reporting

The practice of businesses promoting sustainability and social responsibility in their operations can be traced back to the ...
Read More

CalQRisk Wins Best RegTech Solution at National Fintech Awards

CalQRisk, a leading provider of Governance, Risk & Compliance solutions has won the ‘Best Regtech Solution Award’ at ...
Read More

CalQRisk shortlisted in National Fintech Awards

The CalQRisk solution is shortlisted for ‘Best Regtech Solution Award’ at the inaugural National Fintech Awards. The National ...
Read More

CalQRisk shortlisted in 2023 CIR Risk Awards

Having won ‘Risk Management Product of the Year’ at the 2022 CIR Risk Management Awards, CalQRisk is now ...
Read More

From Risk Capacity to Risk Appetite

Risk Capacity is the maximum amount of risk that an organisation is technically able to assume before breaching ...
Read More

SMT automates their approach to Risk Management with CalQRisk

SuMi TRUST Global Asset Services (“SMT”), a subsidiary of Sumitomo Mitsui Trust Bank Limited, one of the largest ...
Read More

Digital Operational Resilience for the Financial Sector Act (DORA)

The Digital Operational Resilience Act (DORA) entered into force on 16th  January 2023. It outlines EU regulations for information ...
Read More
Database

8 Things to Consider in a Data Breach Response

A data breach can lead to reputational damage, financial losses and much more. By effectively preventing and investigating ...
Read More