Operational resilience – A shield against uncertainties

Why operational resilience is so important and what you can do to be well equipped for the unknown

Elke Bastian
02/26/2024

The implementation of new regulations can be seen as a burden for affected companies, but it can also be an opportunity to better navigate the rough sea of business uncertainty. The next big thing in the world of regulations is operational resilience, and it is not limited to one new law in one specific region. It is on the rise worldwide with a multitude of new regulations emerging around the globe (e.g. CPS 230 in Australia, FCA in the UK).

This means the more offices you have around the world, the greater the probability that you must comply with several local regulations for operational resilience. One example is the EU’s Digital Operational Resilience Act (DORA) for the financial services industry. Even if you are not located in Europe, if you are doing business in the EU, you need to comply with it.

Why is operational resilience so important?

To understand why operational resilience is so important, it is necessary to understand what it means exactly. Let me consolidate it in two major points:

  1. Prevention: Prevention in the context of operational resilience means that you take measures to reduce the likelihood of disruptions and to minimize the impact on your business. It is tightly connected to operational risk management with a strong focus on proactive risk mitigation.
  2. Recovery: Recovery means that, in case of disruptions, you can respond to events and recover without much damage and get back on track quickly. It is also important to learn from operational disruptions.

So why is it important? Many disruptions are difficult to predict and some are not even avoidable. They hit without warning and too fast for you to react appropriately. Think of the COVID-19 pandemic, the war in Ukraine, the blocked Suez Canal and high inflation, all happening within just a few years. On top of those, cyber attacks happen when you are the most vulnerable.

Companies that just surrender to their fate will surely disappear from the market quickly. However, if they take measures to prepare for the unpredictable, they will become more resilient and can more easily recover from disruptions. Like the Starship Enterprise, they can build a shield to protect themselves against threats. Should an unexpected threat occur, the more resilient company can respond more adequately, learn from the disruption and get back to business faster.

Consequently, operational resilience is not just a new, annoying regulation to comply with. It is a business necessity to become more agile, survive and thrive.

Is operational resilience new?

No, it certainly is not, but operational resilience goes beyond pure business continuity management or data recovery. Rather than being a standalone framework, such as the one for operational risk, operational resilience is a combined approach incorporating practices for continuity planning, disaster recovery, third-party risk management and more. It fosters an integrated approach, combining these practices for a variety of use cases. As effective as the individual practices are on their own, a combined approach is better than a siloed approach because you know what happens when the disciplines interact with each other.

The five pillars of DORA

DORA, which applies to financial services institutions within the EU, targets information and communication technology (ICT) risks including cyber security, privacy and supply chain risks. It will be effective as of January 2025.

DORA requires financial services institutions to control their ICT risks based on five pillars:

  1. ICT risk management
  2. ICT incident reporting
  3. Testing on digital resilience
  4. Third-party ICT risk management
  5. Information exchange

The January 2025 deadline seems far away, but the threat of ICT risks is ever present. Institutions should make their protective shield mission-capable as soon as possible.

Tools that help

An integrated approach to operational resilience is important to ensure compliance and build an effective shield. As in many other use cases, a combined view of business and IT is as important as ever to understand the whole of your operations. To achieve this, you can use a combination of business process management (BPM) and strategic portfolio management, for example with ARIS and Alfabet.

One decisive advantage of such tools is the fact that they support many types and variations of regulations. Following an approach that is applicable and extendible for all present and future regulations can be a competitive advantage.

Three phases of operational resilience

Finally, let’s look at the three phases of operational resilience:

  1. Set your strategy: Define stakeholders, objectives, roles and important business services (IBS). These critical operations are crucial to deliver the required services to stakeholders, for example payment services for banking. Then set tolerance levels for every IBS. For example: what is an acceptable downtime for internet banking?
  2. Analyze your operating model: Map your supporting processes to IBS and connect them to IT systems. This is important because you will need the process/IT mapping for scenario testing. Then identify critical resources such as IT systems, people or facilities, and assess their health.
  3. Scenario testing, learning and monitoring: Identify extreme yet plausible disruptive scenarios and test their impact on critical resources. Use the test results to continuously improve your operating system and identify what processes can be made more resilient. It’s a continuous cycle of testing, learning and improving, supported by monitoring and reporting.

ARIS and Alfabet provide capabilities for deep analysis of processes and IT systems, especially in the analyze phase. Business process analysis and process mining give you invaluable insights for scenario testing, while strategic portfolio management provides a deep dive into critical IT systems. Together, ARIS and Alfabet can help you build that protective shield to keep your Starship Enterprise on an even keel, boldly making its way through the risks, uncertainties and harsh realities of today’s business world.
