Welcome to the SecAware blog

I spy with my beady eye ...

7 Aug 2020

NBlog Aug 7 - what is operational resilience

Seeing the term 'operational resilience' being bandied about right now, I thought I'd take a closer look, starting with the definitions.

So what is 'operational resilience'?  It is:
  • "a set of techniques that allow people, processes and informational systems to adapt to changing patterns. It is the ability to alter operations in the face of changing business conditions. Operationally resilient enterprises have the organizational competencies to ramp up or slow down operations in a way that provides a competitive edge and enables quick and local process modification." says Gartner.
  • "both a process and a characteristic of an organization to adapt rapidly to changing environments and needs. It is an organizational trait that allows it to carry out its mission or business despite the presence of operational stress and disruption. In other words, it is the organization's ability to handle and control external factors that may hinder it from functioning." says Techopedia.
  • "financial resilience" says Accenture (begging the question: What is financial resilience?).
  • "the ability of firms and the financial sector as a whole to prevent, adapt, respond to, recover, and learn from operational disruptions" says the Bank of England.
  • "the ability of an organisation to adapt rapidly to changing environments. This includes both the resilience of systems and processes and more generally the ability of the organisation to continue to operate its business in the event of disruptive events." says KPMG.
  • ... and so on.
Some commentators focus on specific aspects that interest or concern them - financial stability for example, and systemic failure of highly integrated and interdependent industries. The blogs and papers I've read so far mostly concern the financial industry, presumably reflecting initiatives and pressure in this area from the UK banking authorities, but the fundamental principles are universal and far from new. 

In a business context, I see no practical distinction from business continuity. It's about management ensuring that the organisation's critical activities (business units, processes, systems, relationships/supply chains, whatever) are able to continue operating more-or-less normally despite potentially disruptive incidents of various kinds - COVID-19 for instance.

Except perhaps under rare circumstances, no sane manager would argue that critical business activities should be fragile or flaky, so isn't this simply stating the bleedin' obvious: existential risks must be addressed adequately, surely? Well, no, there's more to this due to the implications:
  • The criticality of business activities varies between activities and over time, hence there are complexities and dynamics, not least the matter of identifying the critical aspects that need to be addressed;
  • 'Becoming resilient' is trickier than it seems with lots of possible approaches;
  • 'Becoming resilient' is also potentially very costly, especially if the objective is more than merely scraping through, barely remaining in business;
  • At the same time, 'becoming resilient' has substantial business benefits in terms of better performance, capacity and flexibility, increasing the ability to cope with or take advantage of changes and unexpected situations, even under normal everyday circumstances;
  • Resilient organisations have more options available, with less possibility of disastrous changes and omissions;   
  • There are generally competing demands on the resources necessary for resilience, and other objectives ... such as "being efficient and profitable"; 
  • There are governance, compliance and assurance aspects, in addition to risk and business continuity management;
  • The requirements of various stakeholders need to be taken into account, some of which may conflict (e.g. some owners may desire a low-risk low-profit investment, while others may be happy to accept more risk in order to gain more profit; any suppliers and customers who are highly dependent on the organisation have a markedly different perspective than those with no particular ties or loyalty). 
Therefore operational resilience is a management imperative in any organisation that expects to remain in business ... and, yes, that's another definition to add to the list. You're welcome.
