Optimize risk management and business continuity management programs in times of disruption.
By David Martens | June 24, 2025
Today’s volatile, uncertain, complex and ambiguous (VUCA) business landscape coincides with the introduction of new products, services, business partners and digital transformations, each of which brings new vulnerabilities. Complex operational processes, sophisticated cyberthreats and a growing reliance on third-party service providers are only a few of the potential hazards.
In response, C-suite executives and their organizations must boost operational resilience by reinforcing their ability to prepare, adapt, endure and rebound from challenges. It’s not about trying to avoid disruption — it’s a matter of what you do with and during disruption.
Enhance your organization’s ability to respond flexibly and proactively by adopting the following business continuity management (BCM) practices.
Business continuity plans (BCPs) are essential to prepare an organization to recover critical business functions in the face of disruptive events. But BCPs don’t always address the underlying causes of operational disruption or its impact on product and service delivery. Operational resilience takes a more expansive approach, focusing on how much disruption to service delivery the organization can tolerate and what that disruption means for internal and external stakeholders.
To build operational resilience, gain a thorough understanding of dependencies that could disrupt operations, and develop effective response strategies at both the enterprise and business unit levels. Go beyond reactive measures and examine the processes that underpin key business functions and service deliverables. For a financial institution, for example, these include deposit transaction processes, ATM services, loan closure and insurance policy claims.
The risk control self-assessment (RCSA) provides a structured way to evaluate the effectiveness and efficiency of the internal control environment. Through an RCSA, your organization can:
Pinpoint critical operational processes
Identify and evaluate the exposure to risk events
Determine any residual risk exposures that need attention
To proactively manage and mitigate operational risks and foster a control environment conducive to operational resilience and business growth, design the RCSA at a level that can detail all the dependencies and interdependencies. Specifically:
Get granular with process maps or flowcharts, such that the RCSA can help mitigate local risk exposures and dependencies that might impede critical business functions.
Identify each dependency as a separate risk exposure with sufficient detail to determine the key sources of dependency.
Assess the risk of each failed dependency, including both inherent risk and residual risk.
Once the RCSA is complete, operationalize it. Incorporate dependencies, acceptable impact tolerances, key recovery strategies, redundancies, substitutability and proactive contingencies into your business impact analysis (BIA), and your BCM and disaster recovery processes.
Within the BIA, pinpoint recovery time objectives (RTOs), maximum tolerable outages (MTOs) and other relevant metrics, and check that each falls within the established impact tolerance for that process. For any process where the recovery objective exceeds the tolerance, devise resilient strategies in the BIA to close the gap, based on the specific dependencies outlined in the RCSA.
The end product of this analysis provides an overview of potential operations impacts and will help confirm that BCM and disaster recovery processes align with the expected level of operational resilience across the organization.
Managing operational risk involves the strategic collection, analysis and reporting of operational incident data. This data is vital to understanding the origins of operational risk events, assessing the control environment’s effectiveness and proactively mitigating losses within agreed-upon risk tolerance thresholds.
To make the most of operational incident data, implement a robust incident risk management program and governance framework — and foster a culture that prioritizes risk management by:
Ensuring that incidents are recorded
Escalating risks as needed
Assessing root causes and material impacts
Putting appropriate remedial actions in place
Operational resilience is a more mature level of resilience than DR and BCP. While DR and BCP typically focus on isolated points of failure (like individual systems, personnel or processes), operational resilience encompasses the full spectrum of factors that support continuous product and service delivery.
A strong operational resilience framework integrates operational risk management and business continuity programs. This means going beyond traditional risk assessments to incorporate an end-to-end view of dependencies; analyzing that view within the risk control self-assessment (RCSA) methodology; and applying the insights gained to the existing business impact analysis (BIA) framework to be sure operations recovery strategies align with business continuity and disaster recovery plans.