Professional Documents
Culture Documents
Most, if not all, organizations have been impacted by the pandemic or other recent
disruptions from natural, cyber, fraud, human error, or a combination of causes. These
Resiliency cannot be
events have impacted employee health and safety, disrupted supply chains, caused
physical damage, loss of customers and reputational damage, and exponentially
the responsibility
increased the cost of doing business. Resources within the organization to address of a small group of
disruptions are spread thin even with one disruption, let alone concurrent events that people—everyone
tax not only the resilience team but also the rest of the organization. must have a role
The nature, frequency and magnitude of disruptions have caused organizations to in building and
evaluate their resilience, which includes their abilities to properly identify threats, practicing resiliency.
analyze the risk and implement plans to avoid or recover from them. Operational
resilience has become a regulatory, corporate, and board-level topic within many
organizations across multiple industries.
Organizations of all industry, size and location are discovering that it is impractical to
rely on recovery alone and they must become resilient.
Operational Resilience
Operational resilience is the ability of an organization to absorb changes and
adapt in an evolving environment, and continue to deliver their objectives, and
survive and prosper.
The shift from recovery to resilience requires a cultural change starting at the top of
the organization, and cannot only be the responsibility of a small team – it requires
focus throughout the entire organization.
Large, complex organizations provide their products and services to customers via
supporting business processes, systems, people, assets, data, facilities, and external
partners. Everything cannot be made resilient at once, therefore, it is critical to focus
on the most important products and services and the business processes, systems,
people, assets, data and facilities.
Scenario analysis is the art and science of identifying ‘what could go wrong’ including
the potential threats, risks and combinations that could disrupt the organization and
evaluate the organization’s ability to be resilient enough to the negative effects.
Third-party ecosystems are becoming more complex and specialized. For example,
organizations may become dependent on a small number of outsourced or third-party
service providers who are very difficult or impossible to substitute, which could, over
time, give rise to systemic concentration risks. A major disruption, outage or failure
at one of these service providers could create a single point of failure with potential
adverse consequences for financial stability. This can be especially true of cloud
providers. In addition, sub-outsourcing to a third party’s third parties (nth parties) can
amplify certain risks in outsourcing arrangements, such as data security, and limit an
organization’s ability to manage them—particularly where large, complex chains of
service providers are involved.
©2020 RSA Security LLC or its affiliates. All rights reserved. RSA and the RSA logo are registered trademarks or trademarks of RSA Security
LLC or its affiliates in the United States and other countries. All other trademarks are the property of their respective owners. RSA believes
the information in this document is accurate. The information is subject to change without notice. 08/21 White Paper, H19591-2 W409231.