WHITE PAPER
Key Principles in Building
Operational Resilience
Most, if not all, organizations have been impacted by the pandemic or other recent
disruptions from natural, cyber, fraud, human error, or a combination of causes. These
Resiliency cannot be
events have impacted employee health and safety, disrupted supply chains, caused
physical damage, loss of customers and reputational damage, and exponentially
the responsibility
increased the cost of doing business. Resources within the organization to address of a small group of
disruptions are spread thin even with one disruption, let alone concurrent events that people—everyone
tax not only the resilience team but also the rest of the organization. must have a role
The nature, frequency and magnitude of disruptions have caused organizations to in building and
evaluate their resilience, which includes their abilities to properly identify threats, practicing resiliency.
analyze the risk and implement plans to avoid or recover from them. Operational
resilience has become a regulatory, corporate, and board-level topic within many
organizations across multiple industries.
Organizations of all industry, size and location are discovering that it is impractical to
rely on recovery alone and they must become resilient.
Operational Resilience
Operational resilience is the ability of an organization to absorb changes and
adapt in an evolving environment, and continue to deliver their objectives, and
survive and prosper.
Operational resilience includes, but is more than, business recovery; it is a change in
mindset, culture and approach that drives the implementation of resilient measures
and practices throughout the business.
The shift from recovery to resilience requires a cultural change starting at the top of
the organization, and cannot only be the responsibility of a small team – it requires
focus throughout the entire organization.
Building a resilient organization requires a shift from a reactive to a proactive
posture and resilience must be built into the very fabric of the organization—from its
culture to how the company operates both internally and across the extended third-
party ecosystem.
Operational resilience requires a shift from focusing on the recovery of internal
processes and systems to ensure the ability of the organization to continue to provide
important products and services to external parties, regardless of the disruption.
There are six key focus areas that should be considered in building operational
resilience that include:
• Prioritize important business services
• Address disruptive scenarios
• Transition from recovery to resilience
• Inspire ownership across the organization
• Integrated resilience and risk management
• Develop a resilient ecosystem
Prioritize Important Business Services
Every organization has a core mission and strategic objectives that include providing
products and services to its customers – it’s what produces revenue for the company.
Organizations must define their most important products and services and the
impact tolerances for each. Impact tolerances are business metrics that define the
point (in time, dollars or other effects) at which effects of a disruption are intolerable.
For example, impact tolerances could include the amount of revenue or customers
the company is prepared to lose, or transactions that could go unfulfilled during
a disruption. For an airline, an impact tolerance might be cancelled flights. For a
healthcare entity the impact tolerance might be untreated patients. It’s up to each
organization to determine the impacts they can tolerate from a disruption.
Large, complex organizations provide their products and services to customers via
supporting business processes, systems, people, assets, data, facilities, and external
partners. Everything cannot be made resilient at once, therefore, it is critical to focus
on the most important products and services and the business processes, systems,
people, assets, data and facilities.
Address disruptive scenarios
Each organization must assume that at some point a disruption will occur that will
interrupt their ability to provide products or services. The organization must identify
the threats and scenarios that could cause a disruption – specifically that would cause
them to exceed their impact tolerances mentioned above.
Scenario analysis is the art and science of identifying ‘what could go wrong’ including
the potential threats, risks and combinations that could disrupt the organization and
evaluate the organization’s ability to be resilient enough to the negative effects.
Transition from Recovery to Resilience
An effective business continuity management (BCM) program is a vital part of the
strategy to build operational resilience. A BCM program includes business continuity
planning (BCP); IT disaster recovery (ITDR); incident management, which is the
routine handling of small, business-as-usual events before they become a crisis; and
crisis management, which is dealing with actual crisis events.
Key Principles In Building Operational Resilience | 2
Even though BCP, ITDR, incident management and crisis management are the most
common components of an organization’s BCM program, they are often disconnected
and performed by separate teams with different tools, objectives and approaches.
Disruptions and crises result in enough damage by themselves, but the disconnected
state of these teams can add to the risk, reduce speed to respond and result in more
negative impacts.
Integrating these functions builds operational resilience by better aligning the
organizations that deal with disruptions, using approaches that are more fluid,
practical, actionable and tested—and reduce intolerable impact to the organization.
Inspire Ownership Across the Organization
Building operational resilience must no longer only be the responsibility of the BCM
program, but instead must be owned across the business—by each business unit
and department, including IT, sales, public relations and more. Building operational
resilience may start with the BCM program but it will not thrive without proactive
participation across the business in building operational resilience into the
organization’s culture, processes, systems and practices.
A critical component is ownership of operational resilience at the executive level.
Executive ownership, such as by the chief operating officer (COO), chief risk officer
(CRO), chief compliance officer (CCO), or chief information officer (CIO), provides
the importance, sponsorship and visibility to make and sustain progress against other
business priorities.
Integrated Resilience and Risk Management
Risks that threaten the operational resilience of an organization come in many
forms—health crises, cyber threats, operational events and supply chain disruptions.
In fact, risks impacting an organization can often cause a domino effect. For example,
weak security controls in a third party may result in a cyber breach to the engaging
organization. The breach may result in an exposure of customer data (a compliance
violation) and result in a disruption of systems that requires IT disaster recovery.
The interconnected nature of risks illustrated in this example demonstrates that risk
management must be integrated across the organization and operational resilience
must be closely tied in—especially aligning on risk appetite, risk tolerance and
a risk profile.
A challenge to this premise is that risk management is typically performed by separate
functions across the organization, including third-party governance, IT, internal
audit, operational risk and business resilience functions. This approach, which has
likely grown up over time, may put the spotlight on individual risks, but where C-suite
executives and boards are asking frequently about the status of strategic risks, it
makes rolling up those risks and reporting them at high levels very difficult.
Key Principles In Building Operational Resilience | 3
All the functions performing separate risk management activities should align, if not
organizationally, then at least using the same methodologies, risk tolerances and
automated toolsets, so the results, reporting, dashboarding and monitoring of key risk
indicators are more instantaneous and accurate when rolled up as strategic risks for
executives. This type of risk management discipline will only strengthen the ability to
build operational resilience.
Develop a Resilient Ecosystem Parties
AThird parties, external partners, supply chains and others are an extension of the
organization and in some cases perform very critical functions for them. Internal
and third-party organizations are often very closely intertwined in the delivery
of products and services, and if one is disrupted, the other may be impacted too.
Therefore, it is vital to ensure that external ecosystems are as resilient as the
organization. Myriad issues must be considered as organizations strive to build
operational resilience with individual third parties and across their unique third
-party ecosystems.
Third-party ecosystems are becoming more complex and specialized. For example,
organizations may become dependent on a small number of outsourced or third-party
service providers who are very difficult or impossible to substitute, which could, over
time, give rise to systemic concentration risks. A major disruption, outage or failure
at one of these service providers could create a single point of failure with potential
adverse consequences for financial stability. This can be especially true of cloud
providers. In addition, sub-outsourcing to a third party’s third parties (nth parties) can
amplify certain risks in outsourcing arrangements, such as data security, and limit an
organization’s ability to manage them—particularly where large, complex chains of
service providers are involved.
Third-party resilience is complicated to achieve because the control and
responsibility lie with the third party. However, there are ways to build toward
operational resilience of third parties. For example, during onboarding of a third party,
service-level agreements and clauses can be included in contracts that stipulate the
third party will take steps such as maintaining and testing their recovery plans. These
agreements should cover how the third party will maintain operational resilience
under normal conditions and in the event of a disruption. Engaging organizations can
also monitor the third party on an ongoing basis through performance and resilience
metrics, perform joint tests of resilience measures and normalize procedures to align
the resilience of the third party with their own over time.
Third-party resilience is best achieved through a combination of upfront agreements
and ongoing arrangements that build resilience between the engaging organization
and the third party together.
Key Principles In Building Operational Resilience | 4
Summary
As organizations mature their operational resiliency approaches, they must About Archer
look holistically and proactively for ways to build resiliency into the fabric of Archer, an RSA
the organization. Concepts like redundancy, diversification and adaptability are company, is a leader in
important. It is just as important to improve the BCMS program, ensure executive providing integrated risk
visibility, align resiliency and operational risk, and build a resilient third-party management solutions
ecosystem. Taking action in these areas will significantly enable the organization to that enable customers to
build operational resiliency. improve strategic decision
making and operational
resiliency. As true
pioneers in GRC software,
Archer remains solely
dedicated to helping
customers understand risk
holistically by engaging
stakeholders, leveraging
a modern platform that
spans key domains of risk
and supports analysis
driven by both business
and IT impacts. The Archer
customer base represents
one of the largest
pure risk management
communities globally, with
over 1,500 deployments
including more than 90 of
the Fortune 100.
©2020 RSA Security LLC or its affiliates. All rights reserved. RSA and the RSA logo are registered trademarks or trademarks of RSA Security
LLC or its affiliates in the United States and other countries. All other trademarks are the property of their respective owners. RSA believes
the information in this document is accurate. The information is subject to change without notice. 08/21 White Paper, H19591-2 W409231.
You might also like
- Shoe Dog: A Memoir by the Creator of NikeFrom EverandShoe Dog: A Memoir by the Creator of NikeRating: 4.5 out of 5 stars4.5/5 (537)
- Trends in Process Improvement and Data ExecutionDocument19 pagesTrends in Process Improvement and Data ExecutionAdolfoNo ratings yet
- The Subtle Art of Not Giving a F*ck: A Counterintuitive Approach to Living a Good LifeFrom EverandThe Subtle Art of Not Giving a F*ck: A Counterintuitive Approach to Living a Good LifeRating: 4 out of 5 stars4/5 (5794)
- Process Mining For Dummies FinalDocument52 pagesProcess Mining For Dummies FinalAdolfoNo ratings yet
- Hidden Figures: The American Dream and the Untold Story of the Black Women Mathematicians Who Helped Win the Space RaceFrom EverandHidden Figures: The American Dream and the Untold Story of the Black Women Mathematicians Who Helped Win the Space RaceRating: 4 out of 5 stars4/5 (895)
- State of Process ExcellenceDocument26 pagesState of Process ExcellenceAdolfoNo ratings yet
- The Yellow House: A Memoir (2019 National Book Award Winner)From EverandThe Yellow House: A Memoir (2019 National Book Award Winner)Rating: 4 out of 5 stars4/5 (98)
- Check-In Workpath Guide - EN V2 - Explore La Guía de Registro de WorkpathDocument8 pagesCheck-In Workpath Guide - EN V2 - Explore La Guía de Registro de WorkpathAdolfoNo ratings yet
- Grit: The Power of Passion and PerseveranceFrom EverandGrit: The Power of Passion and PerseveranceRating: 4 out of 5 stars4/5 (588)
- OKR Benefits For Teams and Employees - Beneficios de OKR para EquiposDocument10 pagesOKR Benefits For Teams and Employees - Beneficios de OKR para EquiposAdolfoNo ratings yet
- The Little Book of Hygge: Danish Secrets to Happy LivingFrom EverandThe Little Book of Hygge: Danish Secrets to Happy LivingRating: 3.5 out of 5 stars3.5/5 (400)
- OKR - A Complete Guide On How To Succeed With Objectives and Key Results - 012021Document39 pagesOKR - A Complete Guide On How To Succeed With Objectives and Key Results - 012021Adolfo100% (1)
- The Emperor of All Maladies: A Biography of CancerFrom EverandThe Emperor of All Maladies: A Biography of CancerRating: 4.5 out of 5 stars4.5/5 (271)
- Unit 6 Test MHF4U - Fatima YahyaDocument2 pagesUnit 6 Test MHF4U - Fatima YahyafatimatumbiNo ratings yet
- Never Split the Difference: Negotiating As If Your Life Depended On ItFrom EverandNever Split the Difference: Negotiating As If Your Life Depended On ItRating: 4.5 out of 5 stars4.5/5 (838)
- Structure 2 SoalDocument3 pagesStructure 2 SoalAgung WibowoNo ratings yet
- The World Is Flat 3.0: A Brief History of the Twenty-first CenturyFrom EverandThe World Is Flat 3.0: A Brief History of the Twenty-first CenturyRating: 3.5 out of 5 stars3.5/5 (2259)
- GILLIGANDocument4 pagesGILLIGANVAIDEHI AGARWALNo ratings yet
- On Fire: The (Burning) Case for a Green New DealFrom EverandOn Fire: The (Burning) Case for a Green New DealRating: 4 out of 5 stars4/5 (74)
- Book DownDocument17 pagesBook DownProf. Madya Dr. Umar Yusuf MadakiNo ratings yet
- Elon Musk: Tesla, SpaceX, and the Quest for a Fantastic FutureFrom EverandElon Musk: Tesla, SpaceX, and the Quest for a Fantastic FutureRating: 4.5 out of 5 stars4.5/5 (474)
- Sce - Elektro Ppu - 2022Document2 pagesSce - Elektro Ppu - 2022sghscribd2012No ratings yet
- A Heartbreaking Work Of Staggering Genius: A Memoir Based on a True StoryFrom EverandA Heartbreaking Work Of Staggering Genius: A Memoir Based on a True StoryRating: 3.5 out of 5 stars3.5/5 (231)
- Spectral Triad (AS7265x) Hookup Guide - SparkFun LearnDocument13 pagesSpectral Triad (AS7265x) Hookup Guide - SparkFun LearnFrancisco BoteroNo ratings yet
- Team of Rivals: The Political Genius of Abraham LincolnFrom EverandTeam of Rivals: The Political Genius of Abraham LincolnRating: 4.5 out of 5 stars4.5/5 (234)
- Tle InterventionDocument8 pagesTle InterventionNorman T. Regal100% (1)
- Devil in the Grove: Thurgood Marshall, the Groveland Boys, and the Dawn of a New AmericaFrom EverandDevil in the Grove: Thurgood Marshall, the Groveland Boys, and the Dawn of a New AmericaRating: 4.5 out of 5 stars4.5/5 (266)
- Score Tutorial: Gpat 2011 Test SeriesDocument11 pagesScore Tutorial: Gpat 2011 Test SeriesRambo FeverNo ratings yet
- The Hard Thing About Hard Things: Building a Business When There Are No Easy AnswersFrom EverandThe Hard Thing About Hard Things: Building a Business When There Are No Easy AnswersRating: 4.5 out of 5 stars4.5/5 (345)
- Pseudalert Iso 13843 Validation ReportDocument38 pagesPseudalert Iso 13843 Validation ReportVoThiAnhLoanNo ratings yet
- Chapter 4 - The Bernoulli Equation and Pressure VariationDocument20 pagesChapter 4 - The Bernoulli Equation and Pressure VariationErnesto LimNo ratings yet
- The Unwinding: An Inner History of the New AmericaFrom EverandThe Unwinding: An Inner History of the New AmericaRating: 4 out of 5 stars4/5 (45)
- Eligible Candidate List - RCCIIT - RAPIDD Technologies - WB - 2021 BatchDocument4 pagesEligible Candidate List - RCCIIT - RAPIDD Technologies - WB - 2021 BatchAbhishek DeyNo ratings yet
- Rec Erc 77 03Document74 pagesRec Erc 77 03MehriNo ratings yet
- Revision Test Comparative Superlative Adjectives A Grammar Drills TestsDocument3 pagesRevision Test Comparative Superlative Adjectives A Grammar Drills TestsLili PaunescuNo ratings yet
- Alejandria - Olive - COT - Physci REVISEDDocument3 pagesAlejandria - Olive - COT - Physci REVISEDOLIVE ALEJANDRIANo ratings yet
- Management and Maintenance of Electrical Equipment in Industrial FacilitiesDocument7 pagesManagement and Maintenance of Electrical Equipment in Industrial FacilitiesLester MuscaNo ratings yet
- Psop Assignment Dec 16, 2021Document8 pagesPsop Assignment Dec 16, 2021Ravi Nagar 47No ratings yet
- Test Bank The Economy of Nature 6th Edition Robert E. RicklefsDocument21 pagesTest Bank The Economy of Nature 6th Edition Robert E. Ricklefsbachababy0% (1)
- Step 5 - DRADocument19 pagesStep 5 - DRACHICKYNo ratings yet
- The Gifts of Imperfection: Let Go of Who You Think You're Supposed to Be and Embrace Who You AreFrom EverandThe Gifts of Imperfection: Let Go of Who You Think You're Supposed to Be and Embrace Who You AreRating: 4 out of 5 stars4/5 (1090)
- Tutorial 1 KimiaDocument2 pagesTutorial 1 Kimianabilnash21No ratings yet
- Momentum - and - Impulse Grade 9 For EXERCISE SOLVINGDocument58 pagesMomentum - and - Impulse Grade 9 For EXERCISE SOLVINGSittie LailaNo ratings yet
- Disclosure To Promote The Right To InformationDocument12 pagesDisclosure To Promote The Right To InformationShivashish ChaturvediNo ratings yet
- Competitive Advantages RitelDocument15 pagesCompetitive Advantages RitelAsih ArumNo ratings yet
- Iii: Geography:: Name & Signature of Invigilator/sDocument24 pagesIii: Geography:: Name & Signature of Invigilator/sRajNo ratings yet
- The Sympathizer: A Novel (Pulitzer Prize for Fiction)From EverandThe Sympathizer: A Novel (Pulitzer Prize for Fiction)Rating: 4.5 out of 5 stars4.5/5 (121)
- 603 Quiz 3Document2 pages603 Quiz 3Cj SuarezNo ratings yet
- RTP-LASG8Q3M5W5Document9 pagesRTP-LASG8Q3M5W5Atheena Johann VillaruelNo ratings yet
- Shivam Garg - Curriculum Vitaé - CVDocument4 pagesShivam Garg - Curriculum Vitaé - CVSHUBHAM MAHARANANo ratings yet
- Module 3 Tip Session 3Document13 pagesModule 3 Tip Session 3IRIS JEAN BRIAGASNo ratings yet
- Testing Effects of Acid Rain On StatuesDocument5 pagesTesting Effects of Acid Rain On StatuesDanielle LoneNo ratings yet
- Production Logging Tools and InterpretationsDocument34 pagesProduction Logging Tools and InterpretationsRizwan FaridNo ratings yet
- Shear Box Test ExcelDocument8 pagesShear Box Test ExcelUanaid Van RooyenNo ratings yet
- Her Body and Other Parties: StoriesFrom EverandHer Body and Other Parties: StoriesRating: 4 out of 5 stars4/5 (821)
