Many organizations are relying on business continuity or disaster recovery
plans for resiliency, but fall short of true operational resilience because
they aren’t defining processes and managing assets.
problems when a threat that
can disrupt business operations emerges.
Typically, enterprises have relied on
business continuity and disaster recovery
plans to serve the purpose of reacting
and adapting quickly to a disruption.
While BC/DR plans no doubt hold value
in any organization, many companies
can still struggle to verify with 100 percent
certainty that their BC/DR plans are
fully functional and actionable, and also
integrated into the organization’s specific
“risk appetite.”
This uncertainty is often the result of an
inadequate understanding of operational
risk. To improve that understanding, risk
and resilience management must be supported
by a transparent examination of risk
and, more specifically, a clear understanding
of the organization’s risk appetite.
What is Risk Appetite?
Risk appetite is a function of organizational culture. Risk appetite is defined as an
organization’s tolerance for accepting risk.
It’s a careful balance between the achievement of business objectives and continuous
compliance with regulatory requirements.
When an organization gains a transparent
view of the risk it is willing to accept
versus the risk it desires to mitigate or
remove, it is positioned to move from merely
managing risk to achieving a state of
operational resilience.
Yet many organizations forgo investing in what can truly be called operational
resilience. They see risk management as a
challenge that resides solely at the enterprise level – and not one that must be
addressed at the service and functional
area level as well. While a holistic view
of risk is essential to the resilience of an
organization, increasingly complex operational environments often cause top-down
approaches to fail.
This usually results from a combination of five factors:
1. lack of convergence between operational risk activities;
2. lack of common language to communicate about risk;
3. an overreliance on governance, risk, and compliance (GRC) software and other technological approaches;
4. no means to measure managerial competency; and
5. inability to confidently predict outcomes during times of stress or disruption.
Achieving operational resilience requires
a commitment across the enterprise.
The Challenge
Operational risk is an honest reflection
of the reality of today’s world.
It is not possible to build an impermeable operational risk infrastructure. But it
is possible to fully understand an organization’s personnel, processes, facilities,
and technology infrastructure and map
this to a specific risk appetite. This direct
mapping should be the essential outcome
from any operational risk management
program which an organization puts in
place.
By focusing on the outcome, an organization can more easily predict the performance of business services under
uncertain conditions, manage unknown
risks, meet its mission under adverse circumstances, and return to normal after the
disruption.
No matter how resilient an organization
considers itself to be, it should look to formalize its approach to managing resilience
in order to overcome traditional barriers to
implementation and control.
Making the Business Case
Positioning operational resilience to
build a stronger business is accomplished
by articulating the business need and
showing how to meet it – in a tangible and
measurable way and at an affordable cost
with a positive return.