Operational Resilience in 2024
In 2024, the phrase “operational resilience” refers to an organization’s ability to overcome adverse circumstances which may cause monetary loss or operational disruption. The definition may include business continuity, cybersecurity, disaster recovery, and risk management issues - all of which form part of an organization’s operational resilience efforts.
In today’s world, risks and compliance requirements rapidly expand and evolve, so it’s not a question of if there will be a disruption to your services, systems, or processes, but when. The rising frequency and severity of diverse risks, including cyberattacks, natural disasters, pandemics, supply chain problems, and changes to regulations, have highlighted the need for organizations to prioritize and strengthen their operational resilience. To keep up, organizations must take an innovative approach to operational resilience in 2024, so that they can be more adept at anticipating disruptive events and increasingly agile in response and recovery phases.
So, what does operational resilience look like in 2024?
Operational resilience in the boardroom
Operational resilience is a topic of concern for modern boards and of particular interest to the Chief Officer overseeing the risk management function, but what does it look like in the boardroom?
In many cases, operational resilience (OR) is a set of techniques that allows people, processes, and information systems to alter operations in the face of changing business conditions. Organizations that are operationally resilient have the organizational competencies to ramp up or slow down operations in a way that provides a competitive edge and enables quick and local process modification.
Because leaders understand their organization, and have the skills to respond to sudden changes, they are often a key part of the business' resilience. Building a plan centered around the organization’s leadership, and how they can help during stressful or challenging times, minimises stress and maximises employee, investor, and customer confidence in the organization.
Adapting to new regulations
As the need for operational resilience intensifies in our increasingly interconnected world, global governments are responding with new regulations to help ensure critical services, especially in the financial sector, can withstand disruptions. These regulations aim to provide a safety net, protecting the economy and essential services from the fallout of major service failures. On top of new laws and regulations, regulators’ expectations are increasing, but it’s an evolution rather than a revolution.
One size does not fit all
Today, organizations face operational disruptions from more sources than ever before. In order to create a truly resilient organization, businesses must widen their planning scope to embrace all aspects of resilience.
For instance, companies affected by the supply chain upsets we saw in the past year now understand that they must develop operational resilience plans to manage those business disruptions if no plan existed before. Cybersecurity threats, natural catastrophes, new laws, and regulations, such as the recent EU laws on the use of AI, and even such changes as new competitors entering the market, continue to pose their own risks to operational resilience.
There is no one-size-fits-all solution for responding to such a wide range of operational risks. For example, the capabilities needed to respond to a ransomware attack are different from those needed to recover from a massive wildfire.
Here are the operational resilience questions that leadership should focus on:
- Governance
  - What is the organization’s risk appetite?
  - What Key Performance Indicators offer a full view of maturity?
  - Who are the accountable people in 1st and 2nd line defence for operational resilience?
- Organizational
  - Are the dependencies of business services on these assets fully understood?
  - What are the most critical assets?
  - How does the resilience process shift how operations, technology, and vendors are managed?
- Integration
  - How are existing definitions of critical business services being leveraged?
  - What is the organization’s impact on customers/services and critical systems?
  - What are the most critical/product services and why?
- Measurement
  - How is the level of resilience monitored and managed within the organization?
  - When is the organization outside of defined impact tolerances?
  - What are the most critical risks for the organization?
- Preparedness
  - How is the organization prepared for operational resilience deployment?
  - How often is the response and recovery process being exercised and tested?
Research your competitors
Examining competitors within the same industry can be a wonderful way to understand the risks an organization might face. Competitors often have similar risks and may already have firm risk management policies in place to build resilience. You could:
- Examine the competition to identify any key risks the organization shares with its direct competitors.
- Analyze the competition's contingencies and how they have established resilience.
- Use this information to build a more effective plan for the organization and better understand the organization’s role in its industry.
With more resilience, an organization can develop a unique advantage over its competitors, so it’s important to keep building and improving on existing plans.
When competitors don’t understand their critical failure points or risks, a resilient organization that already knows its risk factors is prepared for them. Then, when an emergency or sudden change occurs, the organization with a contingency plan is typically more adaptable. This can mean the difference between surviving and thriving or business failure. When competitors struggle to meet these changes, the prepared organization can adapt and respond more effectively and maintain its operations and revenues. This enhances customer trust and leads to a better market position.
The benefits of engaging employees in resilience
A contingency plan and proper risk assessment indicate to employees that the organization’s leadership both understands and cares about the potential risks that employees also face if the organization cannot maintain its operations. When staff understand the organization’s risks, and how the organization responds to them, they feel increasingly supported and confident in their employer. In turn, this can boost morale.
An increase in employee morale can have various positive effects on a business, which are not limited to increased production and quality and reduced turnover rates. With higher employee morale, the organization’s leadership may face less stress from wondering what can happen in case of an emergency.
Increased operational resilience boosts investment
Alongside employee and leadership team enhancements, investors feel more confident about investing in an organization with stronger resilience and risk management.
Investing in a business can be inherently risky, so investors typically try to minimise the number of risks they incur. Supporting a business with strong risk management and resilience allows an investor to take a safer approach to investing, and feel confident that the organization will not fail during high-stress periods, potentially costing them their initial investment.
Business continuity, disaster recovery or operational resilience?
Terminology is always tricky. In 2024, it’s generally accepted that business continuity, disaster recovery, and operational resilience are closely related concepts comprised of living documents that focus on disruption response and recovery. They also require annual exercising/testing and organization-wide buy-in.
However, business continuity and disaster recovery are components of operational resilience. In other words, they are not synonymous. Having business continuity and disaster recovery plans does not mean an organization is operationally resilient, but an operationally resilient organization will have business continuity and disaster recovery plans.
Moving forward into 2025
Going forward, regulators’ expectations on what organizations must do to comply with operational resilience will continue to develop as new technologies, such as generative artificial intelligence and its associated threats, continue to evolve. As such, organizations must remember that operational resilience is not a “once and done” process. In order to become truly operationally resilient, organizations must continually grow, expand, improve, and learn.