
P2.T7.

Operational & Integrated Risk Management

“Striving for Operational Resilience,” Oliver Wyman, 2019

Bionic Turtle Practice Questions


By David Harper, CFA FRM CIPM
www.bionicturtle.com
P2.T7.20.16. Striving for operational resilience
Learning Objectives: Compare operational resilience to traditional business continuity
and disaster recovery approaches. Describe elements of an effective operational
resilience framework and its potential benefits.

20.16.1. Operational resilience is different than traditional business continuity and disaster
recovery (BC/DR) planning. In regard to this contrast between resilience and BC/DR, which of
the following statements is TRUE about operational resilience?
a) The primary focus of operational resilience is recovery
b) Operational resilience emphasizes physical hazards or perils
c) Operational resilience develops uniform (aka, standard) tolerances and scenarios across
business units
d) Operational resilience ignores organizational silos in favor of end-to-end delivery of
critical services

20.16.2. According to Oliver Wyman, in striving to build operational resilience, each of the
following is (true as) a key question that the board and senior management should be asking
EXCEPT which is misguided?
a) What are our critical business services, and what is our measure of criticality (because
we should focus on the potentially critical components of service delivery across
organizational silos)?
b) What is our risk appetite for resilience risk, and how is risk appetite reflected in our
impact tolerances (because resilience is different than, but incorporated into risk appetite
statements and metrics)?
c) Does the organization understand the dependencies of critical business services on
organizational assets (because the traditional focus on assets in silos might ignore
dependencies)?
d) Have we prepared distinct, customized incident response regimes for each different
incident type (because a single incident response regime is inferior to different incident
response regimes)?

20.16.3. Because his firm wants to establish an operational resilience program, Peter has
drafted the following four-step approach that he will propose to his boss:

I. Establish the Foundation: in this step, the firm will assign accountabilities, establish a
baseline of the organization's capabilities, and articulate the organization's critical
business services
II. Provide Visibility to the Board: this step will include identifying an initial set of metrics
(including resilience program metrics) to provide ongoing reporting to the board
III. Specify Launch Date and Execute full-scale rollout to all critical services: this step will
include a motivational countdown to R-day (aka, R-3, R-2, R-1 ... Resilience Day) the
day when the organization formally switches over to a status of resilience
IV. Expand the Program: this step will drive resilience improvements, and expand the
program to enhance capabilities

According to Oliver Wyman, which of the steps is misspecified; aka, incorrect?


a) None of the four steps are correct
b) Only the second step (II.) is incorrect; the other steps are correct
c) Only the third step (III.) is incorrect; the other steps are correct
d) All of the steps are correct

Answers:

20.16.1. D. True: Operational resilience ignores organizational silos in favor of end-to-end
delivery of critical services

In regard to (A), (B) and (C), each is false. Instead, according to Oliver Wyman:
• The primary focus of BC/DR is recovery. Says Oliver Wyman (emphasis ours), "Even
for many advanced institutions, adopting an operational resilience approach will imply
significant changes from traditional (more compliance-focused) BC and DR. Whereas
these traditional approaches focus solely on recovery, operational resilience has a
broader scope and needs to be integrated into the risk-mitigation fabric of the
organization. Resilient organizations focus on anticipation, prevention and adaptation,
rather than recovery actions once the horse has bolted."
• BC/DR emphasizes physical hazards or perils; e.g., says Oliver Wyman, "BC and DR
have historically emphasized physical events (e.g., natural disaster, active shooter), are
limited by organizational boundaries, and are, by most organizations, primarily viewed as
a check-the-box exercise rather than true risk management."
• In regard to the category of measurement, the traditional approach (BC/DR) assumes
"Standard business disruption scenarios across business units [and] Standard
tolerances for business disruption (recovery time/point objectives) for all scenarios."
However, the Operational Resilience approach assumes "Business disruption scenarios
tailored to each critical service based on an aligned and forward-looking risk assessment
[and] Tolerances for business disruption (impact tolerances) based on bespoke
scenarios."1

1 “Striving for Operational Resilience,” Oliver Wyman, 2019

20.16.2. D. False. The traditional approach (BC/DR) involves distinct incident response
regimes for different incident types which may negatively impact response times. The
operational resilience approach (under Preparedness) seeks "Single incident response regime
(unified incident command) for all incident types; Plans and capabilities monitored, tested, and
adapted continuously; and Emphasis on building trust among crisis management team to
enable effective response."2

In regard to (A), (B) and (C), each is TRUE; i.e., each is a "resilience question for boards and
senior management" (see Exhibit 3).

Exhibit 3: Resilience questions for boards and senior management 2

2 “Striving for Operational Resilience,” Oliver Wyman, 2019

20.16.3. C. True: Only the third step (III.) is incorrect; the other steps are correct. Contrary
to a full-scale rollout, the advice is to start with a pilot program and one critical service.

The four steps are 1. Establish the Foundation, 2. Provide visibility to the board, 3. Focus on a
single critical service, and 4. Expand the Program.

In regard to the third step (Focus on a single critical service), the details are: "Run a pilot on one
critical service to enhance resilience (with sub-steps: Identify key dependencies and assess
risks; Define impact tolerances and evaluate resilience through scenarios; and Craft an
improvement roadmap); and identify key learnings and program enhancements to facilitate the
rollout of the program more broadly."3

Discuss in the forum here: https://www.bionicturtle.com/forum/threads/p2-t7-20-16-striving-for-operational-resilience.23387/

3 “Striving for Operational Resilience,” Oliver Wyman, 2019
