Operational Resilience: The new language of risk management

6 min read
Created:   July 31, 2025
Updated:   August 04, 2025

Disruption, no matter the cause, is an ongoing battle for any organization. Geopolitical forces could levy additional restrictions on trade. Cybercrime might target your specific type of network or operations. Even internal employee struggles can increase risk and add unwanted delays that create an adverse operational ripple effect across your entire business. 

Leaders today must find ways to boost operational resilience. Instead of always functioning in a state of reactive awareness, a modern company must shift to a proactive stance so when the worst happens, there are plans and adaptations in place to weather the storm. 

As U.S. regulators extend their reach into finance, healthcare, insurance, and other fast-moving sectors, business continuity, third-party risk management, and governance must all be integrated into a single, more resilient framework.


From Reactive Risk Management to Operational Resilience

The goal of traditional risk management is to identify potential threats, reduce their likelihood, and control damage after the fact. Those systems are built on probability and prevention, not on tolerance for disruption. Operational resilience is different. Instead of focusing only on how to prevent failure, it prepares the company to keep operating through failure. 

Such shifts have been noted by U.S. regulators and by third-party organizations like the Institute of Internal Auditors, which has described the move as one “from reaction to readiness.” In 2020, the Office of the Comptroller of the Currency (OCC), the Federal Reserve, and the FDIC issued an interagency paper on sound practices for operational resilience. It describes a firm’s ability to “withstand, adapt to, and recover from disruptive events” while still delivering its critical operations as the measure of success. 

Throughout this process, organizations need to give business continuity equal attention. Operational resilience and business continuity must work “hand in hand.” That is how a business keeps downtime low: through adaptive cybersecurity technology, compliance with third-party oversight, supply chain readiness, and more. 

In June 2021, 6.2 million U.S. workers were unable to work because their employer closed or lost business due to the pandemic. Even organizations with formal continuity plans faltered when disruptions hit IT, HR, and vendors at the same time. To adapt, businesses today need end-to-end visibility across their systems for governance and risk management.

The Critical Role of Third-Party Risk Management

Risk management must be viewed through the lens of interconnected core functions. Business ecosystems keep expanding, and every vendor, cloud service provider, logistics partner, and specialized supplier adds exposure. Third-party risk management must now be foundational, because these services are required for both growth and continuity. 

The banking industry is a perfect example. U.S. banking regulators like the FDIC view third-party risk management as an essential “part of the whole.” Everything, from initial selection to onboarding to termination, must be considered to ensure operational resilience with vendors. That way, if a SaaS provider suffers an outage, it doesn’t cascade downstream to business clients. 

Responsibility for third-party vendors doesn’t stop at the firewall. Businesses must classify vendors into tiers, evaluate each vendor’s own business continuity capabilities, ensure contract language enforces recovery timelines and access rights, and then monitor the risk throughout the relationship. But again, this is only one “arm” of operational resilience.

Governance, Compliance, and the Expanding Regulatory Lens

Beyond third-party risk management are the governance concerns that have moved from the back office to the front line. Stakeholders at every level can no longer keep governance siloed in their own department. 

For example, more and more businesses are aligning frameworks with EU governance initiatives in environmental concerns, cybersecurity, and privacy rights. That is causing U.S.-based firms to include more enterprise-wide identification of critical business services, board-level oversight of resilience objectives, and reporting on KPIs alongside financial and compliance metrics. 

The guiding idea of governance, especially in an emerging global market, is this: if the board can’t see a risk, the company cannot manage it effectively. Business continuity and operational resilience are slices of a larger governance pie, one wedge in an end-to-end system where everyone is informed of any change or need. 

A current example inside the United States is the deregulatory shift under the present administration. The loosening of regulators such as the CFPB (Consumer Financial Protection Bureau) is causing operational whiplash for leaders. That demands a more flexible system, so when the country’s political leanings shift again, the wave of change does not lead to downtime or expensive penalties. 

Just consider what is happening at the same moment in time right now: 

The point is, things are changing rapidly, and businesses must be more flexible to maintain operations in such climates.

Measuring Resilience: Going Beyond Traditional Risk Models

Traditional risk models measure a single event and its potential impact. Because modern risk is so unpredictable, those models often fall short. The global pandemic and a failure at a major cloud provider are both examples of why the approach needs to change. 

U.S. regulators increasingly expect firms to define an impact tolerance: the maximum disruption a critical service can absorb before it harms customers or the market. Developing metrics that reflect operational resilience, including recovery time objectives (RTOs), service-level disruptions, and third-party dependency thresholds, is crucial to long-term continuity. In some cases that means scenario-based testing, even for high-impact, low-probability events. Simulating such extremes uncovers hidden dependencies and lets a business “rehearse” an event even if it never occurs, so it can absorb disruptions and keep operating. 

Payment processors, for example, measure operational resilience with common metrics such as Mean Time to Detect (MTTD) and Mean Time to Restore (MTTR). Tracked per critical service and compared against that service’s RTO, these metrics show how the company is performing, where operations are under pressure, and how quickly it can push through an event.
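The following is an added example, not code from the original article or from Pirani Risk’s software. It shows how MTTD and MTTR are derived from incident records and compared against a per-service RTO, so that a breach of impact tolerance is visible rather than buried in an average. The service names, timestamps, and RTO values are constructed for illustration.

```python
"""Resilience metrics from incident records: MTTD, MTTR and RTO breaches.

Added example, not part of the original article or of Pirani Risk's software.
All incident records and RTO values below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean


@dataclass(frozen=True)
class Incident:
    service: str
    started: datetime   # when the disruption actually began
    detected: datetime  # when monitoring or staff first noticed it
    restored: datetime  # when the service was back within tolerance

    def time_to_detect(self) -> timedelta:
        return self.detected - self.started

    def time_to_restore(self) -> timedelta:
        # Measured from onset, not from detection: time spent undetected
        # still counts against the customer-facing outage.
        return self.restored - self.started


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample data (hypothetical services and timestamps).
RTO = {
    "card-authorization": timedelta(minutes=30),
    "settlement-batch": timedelta(hours=4),
}

INCIDENTS = [
    Incident("card-authorization", _t("2025-03-02T09:00"), _t("2025-03-02T09:05"), _t("2025-03-02T09:25")),
    Incident("card-authorization", _t("2025-03-14T22:10"), _t("2025-03-14T22:40"), _t("2025-03-14T23:05")),
    Incident("settlement-batch",   _t("2025-03-20T01:00"), _t("2025-03-20T01:10"), _t("2025-03-20T03:00")),
    Incident("settlement-batch",   _t("2025-03-28T01:00"), _t("2025-03-28T06:00"), _t("2025-03-28T06:30")),
]


def _mean_minutes(deltas: list) -> float:
    return mean(d.total_seconds() for d in deltas) / 60


def resilience_metrics(incidents: list, rto: dict) -> dict:
    """Per-service MTTD and MTTR in minutes, plus the count of incidents
    whose restore time exceeded that service's RTO."""
    report = {}
    for svc in sorted({i.service for i in incidents}):
        svc_incidents = [i for i in incidents if i.service == svc]
        restore_times = [i.time_to_restore() for i in svc_incidents]
        breaches = [i for i in svc_incidents if i.time_to_restore() > rto[svc]]
        report[svc] = {
            "incidents": len(svc_incidents),
            "mttd_min": _mean_minutes([i.time_to_detect() for i in svc_incidents]),
            "mttr_min": _mean_minutes(restore_times),
            "rto_min": rto[svc].total_seconds() / 60,
            "rto_breaches": len(breaches),
            "worst_restore_min": max(restore_times).total_seconds() / 60,
        }
    return report


if __name__ == "__main__":
    for svc, m in resilience_metrics(INCIDENTS, RTO).items():
        flag = "BREACH" if m["rto_breaches"] else "ok"
        print(f"{svc}: MTTD {m['mttd_min']:.0f} min, MTTR {m['mttr_min']:.0f} min, "
              f"RTO {m['rto_min']:.0f} min, breaches {m['rto_breaches']} [{flag}]")
```

Note that the second settlement-batch incident ran five hours before anyone noticed it; detection time, not repair time, is what pushed it past the four-hour RTO. Averages alone would hide that, which is why the report carries the breach count and the worst case alongside MTTD and MTTR.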

Best Practices: Integrating Governance, Compliance & Vendor Risk

Unfortunately, there is no single “playbook” for building operational resilience and business continuity; every organization offering advice seems to have its own idea of how to implement the changes. One option is end-to-end automation such as Pirani Risk, which can assess, adapt, and report in real time. In the meantime, practices that support success include: 

  • Map All Critical Business Services: Before you can decide what needs operational resilience, identify internal and external dependencies, suppliers, data feeds, and platforms, and document your critical operations and core business lines. 
  • Tier Vendors by Need: Not every third-party relationship carries the same importance. Classify vendors by service impact and risk exposure, and review their due diligence on continuity and risk management. 
  • Embed Enterprise-Wide Governance: Create a unified view of governance and risk management across the organization to bridge compliance efforts in every area, including finance, IT, procurement, and core operations. 
  • Automate Monitoring: Run real-time, around-the-clock monitoring so that when a regulatory change or a cyber threat appears, stakeholders are not forced back into a reactive posture. 

Finally, when you do run joint exercises with different departments to test out various scenarios, include your vendors. Having multi-party coordination will not only test your systems, but also ensure operational resilience two or even three tiers removed from core systems.

Wrapping Up

Operational resilience is not a buzzword. It is a fundamental shift in how your business approaches third-party risk management, business continuity, and governance. A unified system, backed by end-to-end automation that adjusts in real time to new threats, is crucial to keeping systems running and pushing through failures. 

Pirani Risk offers software that automates and simplifies your risk management by turning it into decisions, culture, and results. You’ll save time shuffling through endless reports by having a unified dashboard with clear indicators that help reduce errors and support compliance. 

Start for free today or schedule a demo to learn how this technology can ensure your business is resilient enough for any future disruption – regardless of how U.S. regulators or geopolitical environments might change.
