Following the publication of FCA’s and PRA’s Building Operational Resilience Policy Statements 21/3 and PS6/21, many firms initially equated the Operational Resilience Policy requirements to an enhanced business continuity capability.
As firms’ understanding and thinking have matured, it has become apparent that this would be far from satisfactory.
It is now clear that the scope and complexity of the undertaking are such that a dedicated solution is an absolute necessity for all but the smallest of organisations.
Firstly, let us consider traditional business continuity. The Business Continuity Institute says:
“Business continuity is about having a plan to deal with difficult situations, so your organization can continue to function with as little disruption as possible”.
In reality, many organisations’ business continuity plans place too great an emphasis on utilities and IT assets, focusing on their recovery within a defined recovery time objective (RTO). People (teams), processes, and other resources are often not given the degree of consideration they merit.
The FCA, meanwhile, describes operational resilience as:
“The ability of firms and FMIs and the financial sector as a whole to prevent, adapt, respond to, recover and learn from operational disruptions”
Why are they not one and the same?
While there is considerable commonality between the two, there are significant differences in scope, scale, and complexity of the undertaking.
Business Continuity focusses internally on the organisation itself and its ability to continue to function, while Operational Resilience looks not just internally but also externally, bringing into scope not only customers but also overall market integrity and indeed the entire financial system.
Business Continuity attempts to deal with all risks that may impact all business activities and to mitigate them. Operational Resilience focusses on a relatively small number of identified Important Business Services, accepts that there will be disruption to them, and attempts to ensure they remain within the defined impact tolerances despite this.
The directive to identify and map Important Business Services, set Impact Tolerances, define plausible Disruption Scenarios and test against these makes compliance a non-trivial undertaking.
These requirements are continual, in line with best practice continuous improvement activities. These activities include:
- All services being continually reviewed to assess their importance.
- Impact Tolerances being continually reviewed to ensure validity and acceptability.
- Plausible Disruptive Scenarios repeatedly tested, refined, and evolved to reflect a shifting sector and world gestalt.
What does success look like?
While business continuity is an essential component of an Operational Resilience solution, it is just one constituent part. Integration with other systems is a necessity, including, but not limited to, Estates, Human Resources, Business Process Management, Application Performance Management, and Cloud Platform Monitoring tools. It is essential that data from disparate systems is combined to provide a holistic and comprehensive view of the Important Business Service ecosystem while remaining focused on the Operational Resilience requirements – a purpose-built solution is needed.
Corporater Operational Resilience Solution
The out-of-the-box functionality of Corporater’s Operational Resilience software solution allows firms to prepare for, detect, respond to, recover from and adapt to disruptions to important business services.
Focused, Comprehensive, Connected
For more information see Corporater Operational Resilience Solution.