This relatively new term, “Operational Resilience,” has many asking, “Is this the same as business recovery?” or “What’s the difference?” There are similarities, but let me show how they’re different.
Operational Resilience is an evolution of traditional business recovery (also called Business Continuity or IT Disaster Recovery). Instead of focusing only on being able to recover the business when it’s disrupted, it focuses on making the business resilient so that impacts from disruption are minimized and the organization can keep operating even when disruptions occur. Considering an average company can lose as much as 10% of its value by being disrupted, Operational Resilience focuses on preventive measures to reduce those potential impacts.
Traditional Business Continuity
For decades, organizations worldwide have had Business Continuity functions to help the business recover after a disruption. This entails documenting and testing recovery plans that are focused on the internal business processes, facilities, people, and IT systems. Business impact analyses (BIAs) identify which internal business processes or IT systems are most critical to the company. I want to emphasize that this approach is reactive (recovery) and focused inwardly (internal business processes, IT systems, etc.).
Operational Resilience
This concept originated from regulators in the financial services industry, primarily in the UK. Recent regulations have been implemented which are reverberating around the world as other global regulatory bodies follow suit. Unlike Business Continuity, Operational Resilience is more effective at preparing organizations for disruptions resulting from pandemics, supply chain shortages, geopolitical disruptions, and cyber-attacks.
The main components of Operational Resilience are in the term itself: Operational (the way the company operates) and Resilience (building in measures to reduce the impact of disruption). It’s proactive rather than reactive.
Another distinction is the focus. Operational Resilience starts with identifying the most important products and services the company offers to its customers. This is outward-focused. Because of that focus, the priorities and metrics can be very different. The most important metric is “Impact Tolerance”: the extent to which a customer or the company itself can be impacted before the disruption is considered intolerable. For example, if our online banking portal is down and customers can’t get to their money, how long will it be tolerable to a customer? Or if the company is losing revenue because online banking is down, how much revenue can the company afford to lose? The metrics are in real impact: dollars and cents in this example. This analysis drives a different approach than just having recovery plans for when online banking is down. The company is going to be much more proactive in its measures to make sure online banking isn’t down at all.
I’ve talked about a few examples of the difference between Business Recovery and Operational Resilience. Here’s a table that highlights some of the differences.
| | Business/IT Recovery | Operational Resilience |
|---|---|---|
| Objectives | Focused on recovery of what’s disrupted | Focused on building resilience across the organization |
| Business Impact Analysis | Focused on determining criticality of internal business processes | Focused on identifying important products and services offered to customers |
| Metrics | Recovery Time Objective and Recovery Point Objective | Impact tolerances, such as: |
| Risk Management | BCM team does cursory risk analysis | Coordination with risk management function is vital so there is one risk approach across the company. Often called Integrated Risk Management |
| Testing | Typically consists of walkthroughs of recovery plans to see if they make sense | Comprehensive scenario testing of what could go wrong and how do we react. What operational measures do we have or need in place. |
| Dependencies | Focus on a business process or an IT system or a facility. Sometimes considering the interdependencies | Starting with the product/service offered to the customer, identify the business processes, systems, people, data, facilities and third parties that are involved in providing that product/service – then build resilience into this entire ‘value chain’ |
| Third Parties | Make sure they have their own recovery plans | The third parties’ impact tolerances have to match ours. They’re part of the value chain mentioned above, and we have to make sure they’re as resilient as our company is. |
Some may say there isn’t much difference, but having spent the last 30 years of my career in this field, I’m here to say this is an evolution. Even though, for now, it’s a topic stemming from regulation, it’s a best practice that should be adopted by every organization.