Time to Get Serious about Digital Operational Resilience

27 Jul 2023

What is digital operational resilience?

By now, most have heard of operational resilience. But which specific safeguards are needed to mitigate cyber threats and other forms of ICT risk? That is where digital operational resilience comes in.

Here, digital operational resilience refers to the ability of a business to build, assure, and review its operational integrity and reliability. In practice, it is achieved when a business has, either directly or through its ICT third-party service providers, the full range of ICT-related capabilities needed to secure the network and information systems that support the continued provision of its services, including throughout disruptions.

Why digital operational resilience now?

Why now? The short answer is that ICT risk vectors, particularly those introduced by critical third-party providers, have multiplied, and the individual vectors have also become more serious.

Indeed, any number of reasonably identifiable circumstances could now seriously compromise the security of network and information systems, of technology-dependent tools and processes, of operations, and of the provision of services.

How to achieve digital operational resilience

So, how do companies go about making their digital estate operationally resilient? The detailed process will depend on the digital assets they hold and the services those assets support.

Nevertheless, there are certain generic steps to take, which track the main pillars of the EU's Digital Operational Resilience Act (DORA) and which this article lays out.

  • ICT risk management. To address ICT risk, as with risk more broadly, businesses should put in place an internal governance and control framework that ensures ICT risk is managed effectively and prudently.

The management body of the business is tasked with developing, maintaining, and updating that framework. Specific duties assigned to it might include:

  • Put in place policies that aim to maintain high standards of availability, authenticity, integrity, and confidentiality of data
  • Set clear roles and responsibilities for all ICT-related functions
  • Establish appropriate governance arrangements to ensure effective and timely communication, cooperation, and coordination
  • Approve, oversee, and review the implementation of the ICT business continuity policy and the ICT response and recovery plans
  • Approve and review ICT internal audit plans, ICT audits, and any material modifications to them
  • Approve and review the policy on arrangements regarding the use of ICT services provided by ICT third-party service providers

  • ICT-related incident reporting and notification. What if an ICT incident occurs despite these efforts? Firms will then need incident reporting and notification protocols that keep the appropriate stakeholders informed, whether for statutory, contractual, operational, or reputational reasons.

Such protocols should include:

  • Early warning indicators
  • Procedures to identify, track, log, categorize, and classify ICT-related incidents according to their priority and severity and the criticality of the services impacted
  • Roles and responsibilities to be activated for different ICT-related incident types and scenarios
  • Plans for communication to staff, external stakeholders, and the media; for notification to clients; for internal escalation procedures, including the handling of ICT-related customer complaints; and for the provision of information to counterparties
  • Reporting of at least major ICT-related incidents, with an explanation of the impact, the response, and any additional controls that need to be established
  • ICT-related incident response procedures to mitigate impacts and ensure that services are restored to an operational and secure state

  • Digital operational resilience testing. Of course, these protocols must all be tested to ensure they will hold up during an ICT-related incident. Businesses should therefore establish, maintain, and review a sound and comprehensive digital operational resilience testing program.

That program forms an integral part of the larger ICT risk-management framework. Its purpose is to assess preparedness for handling ICT-related incidents, to identify weaknesses, deficiencies, and gaps in digital operational resilience, and to implement corrective measures promptly.

  • ICT third-party risk management. Part of the rationale behind increasing attention on digital operational resilience stems from the clear emergence of ICT third-party risk as a key threat vector and challenge to digital operational resilience. How to manage it?

Firms should adopt and regularly review a strategy on ICT third-party risk, as part of their ICT risk management framework. This strategy on ICT third-party risk should also include a policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers. 

In closing, digital operational resilience has become more important than ever, given the escalating risk that arises from dependence on third-party providers. Up to this point, however, few firms have gotten serious about it.

Targeted regulation such as the EU's Digital Operational Resilience Act (DORA), which applies to in-scope financial entities from 17 January 2025, together with cultural change in risk management, will help spur that change. But firms shouldn't wait for a compliance deadline to enhance their digital operational resilience capabilities.

They should instead begin today, implementing the steps outlined in this guide and procuring the right resilience management platform. For more on the steps to take, download Noggin's Guide to Digital Operational Resilience & the Software Capabilities Needed to Achieve It.