In the context of operational risk, it is often the answer to the questions of, “Where does a business failure hurt the most?” and “What high-impact, high-loss events would put us out of business?”

A key early step in this process is to identify senior executives who understand these questions and to make sure those executives are on board as the visible champions and sponsors of operational resilience investments.
In addition, those making the case for operational resilience must be able to demonstrate that investments are subject to the same decision criteria as other business investments, such as alignment to business mission, strategic objectives, and critical success factors, which are the basis for determining the high-value services that support the accomplishment of strategic objectives.
The good news is that the benefits of operational resilience are many and can strengthen the enterprise from within. Two of the foremost advantages are lowered or eliminated redundancy, with reduced cost from optimizing between protection and sustainability strategies, and lowered operational risk through an enterprise-wide focus.

Operational resiliency approaches are also designed to achieve greater compliance, as well as improved metrics to demonstrate compliance and to improve processes in ways that are measurable and manageable – and thus more effective.
Regulating Resilience
Another main driver for operational resilience can be found in current laws and regulations. It is easiest to group the current compliance criteria as follows:

• Regulatory/Legal Compliance: laws that require organization policies, practices, and procedures
• Commercial/Contractual Compliance: business agreements between partners, customers, and other organizations
• SLAs or other business agreements: commitments through contracts and service level agreements (SLAs) that can have similar penalties for non-compliance or non-performance
• Organizational Compliance: internal controls, often related to frameworks or standards, in support of the items above.
Viewed from an operational perspective, organizational compliance serves as the foundation upon which management’s desire to comply with both legal requirements and commercial agreements can be built. The decision to satisfy regulatory compliance, once approved by the organization’s management, is then reflected in the day-to-day operational tasks that are developed, refined, and followed by management and staff.

From an operational perspective, it is the obligation of business leadership to know what areas of compliance are required by laws or commercial agreements, and to develop sufficient policies and procedures within the normal business operation that help ensure compliance is achieved.
From Model to Practice
Within the organization, the discussion of how to implement a resiliency framework can be shaped by considering just three simple questions:

• First, does the organization bring all key operational stakeholders (management, IT, Security, BC/DR, and business units) together in an integrated program?
• Second, is there an understanding in the organization of what standards and regulations inform operational resilience requirements, and how resilient the organization wants to be?
• And third, has the organization embedded its risk appetite and tolerance into these requirements, and is there a structured program to assess, prioritize, and manage controls for operational risks?
These questions should give the organization an accurate snapshot of its current operational resiliency status and help guide the decision-making process. And the truth is, no matter how resilient the organization is today, it must consider a formal approach that moves beyond traditional barriers to implementation and control.

One approach widely recognized for best practices is Carnegie Mellon University’s CERT Resilience Management Model (CERT-RMM). The CERT Resilience Management Model is the foundation for a process improvement approach to security, business continuity, and aspects of IT operations management. Carnegie Mellon researchers who were studying information risks realized that organizations treat security as separate from business continuity and IT operations management, even though all three elements work together to manage operational risk.