Businesses today are besieged by disruption, and that makes resilience — the ability of an organization to withstand disruption and keep providing services to customers — more important than ever before.
Of course, that’s an easy point to make; putting the idea into practice is the tricky part. How, exactly, does a business go about developing resilience? What capabilities should the company foster, especially when the disruptive threats range from pandemics to cybersecurity to climate change to supply chain collapse, and much more? What reports does one give to the board?
Compliance officers and risk managers need to answer those questions somehow. So many threats with the potential for severe disruption exist today that “operational resilience” is no longer just some esoteric term of art thrown around in a few highly regulated industries. It’s a business imperative. Every organization needs to get better at withstanding disruption.
One place to look for guidance on that journey is the financial sector.
The Financial Sector & Resilience
Regulators in the financial sector have talked about operational resilience for the better part of a decade. That’s because banks and other financial firms (a) play a crucial role in supporting the greater economy, and (b) are enormously complex operations with a huge range of enterprise risks.
More to the point, those regulators learned painful lessons during the 2008 global financial crisis (and in subsequent mini-disasters, like the “flash crash” of 2010) about just how much damage disruptions in this sector can cause. The agencies have closely watched financial firms’ ability to withstand disruption ever since and churned out numerous pieces of guidance about operational resilience along the way. For example:
FINRA, the regulator for broker-dealers, has published several pieces of guidance over the years explaining how firms should prepare for pandemics, weather disasters, and other disruptions. The advice all flows from FINRA Rule 4370, which requires broker-dealers to have an effective business continuity plan.
We could go on from there. Some of the guidance focuses more on vendor risk and how to manage it; some talks about the duties financial firms have to keep providing services to customers. Most of the material is light on jargon and details specific to the financial world, so risk managers in any industry can give it a read and put it to good use.
Resilience Lessons We Can Learn
When one does give the guidance from financial regulators a close read, several themes quickly emerge.
First is the importance of IT risk management. Especially in today’s world, where hybrid work environments are the norm and employees might need to isolate themselves at home on short notice, the ability to keep providing services amid disruption depends on technology. So, a company’s ability to manage its IT systems — for privacy, cybersecurity, data availability, and the like — is paramount.
Second, because most corporate IT systems now depend on cloud-based technology providers, IT risk management and third-party governance have fused into a single challenge. That is, a company can’t keep its IT risks in check without effective third-party governance. Your ability to identify and monitor third-party relationships is crucial to operational resilience because those third parties are crucial to the technology you use to provide services to customers.
Third is the importance of business continuity planning and disaster recovery. For example, these plans need to consider how disruptions to your physical assets (say, a weather disaster shutting down offices and data centers) could pressure your IT assets (everyone working from home, handling confidential data with personal devices and unknown networks). The plans should first address how to restore mission-critical services immediately, and then how to resume normal services as soon as possible.
Those are the points that financial regulators have stressed to banks, broker-dealers, clearinghouses, and other financial firms for at least a decade — and they apply just as well to any large organization that wants to assure its resilience in the modern world.
Turning Those Ideas into a Program
As sensible as the above ideas may be, companies still need to turn them into an actual program that can improve operational resilience. We can break that down into one important decision to make and several important capabilities to develop.
The important decision is who takes ownership of this responsibility. The most logical candidates are either the CISO or a chief risk officer, since many of the duties for both roles already relate to operational resilience. If your company doesn’t have a chief risk officer or head of enterprise risk management, or if your CISO can’t devote the necessary time, a chief audit executive could do the job too.
Regardless of who leads your resilience project, in practice, he or she will need plenty of help and input from compliance officers and leaders of the operating business units. If you already have an in-house risk committee that reviews risk management periodically, don’t be surprised if that committee evolves into a “resilience advisory committee” of some kind.
The important capabilities you will need to develop revolve around understanding what data, processes, and third parties you have, and how all those things relate to your operations and compliance obligations.
For example, you’ll need to identify the business processes that are mission-critical to your company, and then map out the data and third parties necessary for those processes to run normally. That lets you understand which assets and third parties are critical to your company’s resilience, so you can prioritize their availability. Maybe that means creating redundant data archives; maybe it means maintaining a list of emergency suppliers or strengthening contract clauses with the suppliers you have. Either way, resilience first depends on identifying your critical business processes and mapping out the assets that make them work.
Moving Forward with Resilience
Building operational resilience is no easy task. A company must first identify its critical business processes, data, and third parties, and the relationships among all three. Then it needs to catalog the threats to those mission-critical items and develop strategies to assure that those critical processes can continue even when the threats come to pass.
That’s complicated work. To succeed, a large enterprise has to use a proven technology tool. There’s simply too much at stake (and too many details to track) to rely on spreadsheets, emails, and manual processes. A company should equip itself accordingly.
Then get on with the task of building operational resilience, because the number of threats to modern business won’t be receding any time soon.
About Matt Kelly:
Matt Kelly is the founder of Radical Compliance, which provides consulting and commentary on corporate compliance, audit, governance, and risk management. Radical Compliance also serves as the personal blog for Matt Kelly, the long-time (and now former) editor of Compliance Week. Kelly writes and speaks frequently on corporate compliance, audit, and governance, and now works with various private clients to understand those fields and to develop go-to-market strategies or provide other assistance in reaching audiences of compliance professionals.