Fatihah Ramzi, DigitalCFO Asia | 9 December 2022
Natural disasters, catastrophic occurrences, and operational mistakes will affect business operations and how well CFOs integrate people, processes, and technology will determine how well they manage risk.
Operational resilience is the capacity of an organization to recognize, avoid, respond to, recover from, and learn from interruptions that can affect the provision of operations or business services. Operational resilience ensures that a business can continue to operate despite difficulties and disasters. Delivering products and services is made possible by resilience. Business continuity and resilience are related, but resilience is a broader concept that encompasses other disruptive factors including cyber, technology, supply chain, and the current pandemic.
The COVID-19 epidemic and the ensuing economic upheaval are only two recent occurrences that underscore the necessity to comprehend and prepare for the probability of multiple, converging crises and their effects on operational resilience. Daily interactions between consumers and businesses and financial services include everything from purchasing coffee to paying bills or getting a mortgage. The resilience of these services is crucial. If their products are unavailable, financial services companies run the danger of losing the trust of their customers. But they also run the risk of breaking industry rules.
Organizations must be able to bounce back quickly from any disruptions they experience in order to be considered resilient. They must comprehend how service interruptions affect customers in order for this to be possible. However, this is challenging due to the growing complexity of IT. Agile development is facilitated by contemporary methods like multi-cloud architectures and the usage of open source code libraries, however manual monitoring of IT systems is highly difficult.
Financial organizations, especially CFOs, will need to deploy end-to-end observability throughout the whole IT infrastructure to foresee and fix issues before customers are impacted. Greater resilience will be made possible as a result, and financial services providers will be able to stand out from the competition by offering seamless digital experiences to their clients.
The fact that operational hazards might not be completely predicted is one of their major challenges. The very fact that risks are interconnected—with other businesses and the infrastructure of the financial markets—can have a negative effect on society. The resulting financial and reputational catastrophe might have a cascading effect on the entire industry. CFOs must accept that third-party service failures, system failures, and cyber intrusions will occur.
Unexpected outages, natural disasters, catastrophic occurrences, and operational mistakes will affect business operations and have an effect on stakeholders, clients, and the whole economy. How well CFOs integrate people, processes, and technology inside an organization will determine how well they manage risk. It’s crucial to make sure that a solid multi-layer risk strategy integrating the newest tools and technology is used to identify and manage the risks that arise between these interlinks.
CFOs can increase business continuity and control “known unknowns” by implementing an effective operational resilience program. Operational resilience goes beyond operational risk management and business continuity. It seeks to lessen the effect on customers and the larger economy. The need for CFOs to maintain business continuity by building operational resilience into their organizational DNA has been amply demonstrated by significant disruptive events like the COVID-19 pandemic.
Steps to Build an Operational Resilience Framework
1. Define Key Business Services / Critical Economic Functions (CEFs)
Identifying pertinent important business services that, if disrupted, might significantly impact the organization, customers, and the business environment is the first step CFOs should take to streamline and strengthen their operational resilience program. Since all subsequent processes depend on the accurate identification of these CEFs, the idea of potential harm is fundamental to operational resilience and serves as the program’s central organizing principle.
To effectively do this, organizations will need to:
- Align the organizational risk appetite with the organizational structure, corporate goals, market expectations, and supervisory objectives. This will help an organization to gain a fundamental understanding of the business service alignment to the overall business strategy and empower the organization to determine what its organizational resilience is.
- Determine who uses each service and engage them properly because their input is essential to the process.
- Bring the important insights into one view. This gives a company the knowledge necessary to further develop strategic and important activities that are in line with the organization’s level of risk exposure. Additionally, it offers visibility over connected third parties, associated processes, systems, people, and dependent persons that could affect corporate goals.
2. Set Impact Tolerance and Risk Metrics
Critical disruptions are caused by a variety of known and unknown events, which could endanger the organization. If businesses want to accurately report on the stability of the organization, it is crucial to try to foresee, prevent, control, or minimize these variables. When establishing impact tolerances and risk metrics, organizations need to be aware of the following:
- Establish tolerances with complete visibility and give operations and investments top priority. This is crucial since many firms are already required to make thorough, verifiable decisions in order to maximize their investment money.
- Become more aware of corporate services and procedures. Value-based implications that jeopardize the firm’s survival, volume-based impacts that affect consumers and market participants, and time-based impacts that undermine financial stability are among those that the board must rank and accept.
- Set tolerances using a logical and sensible process that takes into account all interconnected regions and processes. Realistic scenarios will be made possible, allowing for a better understanding and analysis of the impact tolerance as well as a quick examination of the different risks that might have an influence on the sector in which the organization operates and impacts on the overall stability of the economy. In addition, it’s crucial to enable a precise grasp of the project’s scope and organizational impact, in connection to its effects on customers and partnerships.
3. Understand Dependencies – Upstream and Downstream
Today’s business climate is dynamic. Recognizing the dependencies is a crucial first step for a CFO to create a relational data architecture to map the people, processes, technology, and third parties needed to deliver the business service. Understanding the links and points of view between internal and external factors is essential to fostering business resilience, as is making sure the whole picture is present, up to date, and that all changes are pertinent.
Such a strategy can aid in navigating the risks offered by third and fourth parties given that companies are becoming more dependent on third-party suppliers and the outsourcing of some operations. Gaining a better knowledge of upstream and downstream relationships can be accomplished by using the following best practices:
- Utilize technology to get a single, comprehensive view of all crucial operations that a business has identified in accordance with the primary elements to which it needs or wants to be resilient. Make sure everything is connected and understood by looking at the horizontal and vertical views of the vital capabilities in order to identify the obstacles.
- Make sure the company approaches third- and fourth-party providers with a risk-based and balanced strategy. To continue fulfilling their commitments, they will need to take into account the type, size, and complexity of their operations. Businesses who work with these providers are required to take reasonable precautions to handle their business in a responsible and efficient manner with suitable risk management systems.
4. Leverage Scenarios for Potential Points of Failure
In order to better understand the organization’s risk appetite and skills while searching for potential sites of failure, it’s crucial to make sure the impact on the business will actually occur. When creating scenarios for potential areas of failure, keep the following in mind:
- Include previous failures that were both under the organization’s control and uncontrollable to assist develop operational resilience and offer improved insight across processes. Examine business continuity management, data management, digital risk management, and third-party risk management to bring together various parts of the organization. Clarity when comprehending the actual possibilities might help CFOs better monitor cross-disciplinary risk scenarios.
- Utilizing the relational data structure, identify impact tolerance scenarios for people, processes, systems, and outside parties. This can be used to evaluate the influence of interrelationships. Understanding where stakeholders come into play can be improved by superimposing the scenarios on the business framework.
- Recognize how the risk appetite range can be used to develop action plans to reduce risks. Plot the data from risk scenarios using the service’s vitality, reliance metrics, and microeconomic intelligence. To create a solid business contingency plan, outline the action plan utilizing data on internal capital adequacy assessment, prioritizing of the recovery, governance framework, culture, corporate structure, controls, and regulatory framework.
- By forcing people to work outside of their comfort zones, CFOs can identify the weak points in a resilience plan. This can help CFOs to better grasp the operational resilience plan’s complexity, business criticality, usage frequency, visible areas, defect-prone locations, and other quantifiable success criteria.