Overcoming Operational Resilience Implementation Barriers

Business continuity. Disaster response. Crisis management.

These terms have been in common use across the industry for decades. Unfortunately, many organizations also still rely on the legacy, siloed processes behind them to plan for and address business disruptions, even when real-world scenarios show the challenges with this approach.

So, why are so many organizations today hesitant to shift focus to a strategy that’s more holistic and aligns programs to work together, as well as in tandem with business goals, market situations, and customer expectations? What’s holding them back from moving toward a more comprehensive operational resilience program? And, are you one of them?

This is one of the topics addressed recently in The BCI’s first Operational Resilience Report 2022, published in partnership with Castellan.

According to the report, about half of respondents say they are facing challenges introducing operational resilience into their environments, with knowledge a primary inhibitor.

Other factors contributing to implementation barriers include:

  • 47.8%  Not having the headcount or staff time to implement
  • 38.5%  Having the right people in the organization to oversee (governance) and run an operational resilience program
  • 37.2%  Understanding, monitoring, and managing supply chain risks
  • 27.5%  Managing concentration risk

A Lack of Understanding

In addition to those barriers, the report highlights other challenges and benefits of operational resilience, especially in light of a growing number of mandates popping up related to operational resilience regulations and expectations.

Take, for example, one of the most highly publicized current changes: the new requirement from the United Kingdom’s Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA) that financial services organizations comply with new operational resilience regulations. This initiative has been problematic for some organizations, which say it’s difficult to comply because no templates or working examples are available and the rules have not been disseminated in a straightforward way.

It’s not just financial services that struggle. The report points out that operational resilience means different things across different sectors and sometimes even between different companies within those sectors.

And while more organizations are beginning to see the benefits of operational resilience as best practice, others (more than 46%) say they don’t have an operational resilience program in place because it’s not a regulatory or legal requirement.

Other reasons organizations cite behind not implementing an operational resilience program range from a lack of time and resources to a belief that business continuity is all they need.



Who’s Responsible?

While the UK’s measures are shining a brighter light on the need for organizations to embrace operational resilience as a way of doing business, many still have distinct lines between their programs.

The report found that operational resilience is generally championed from the top down, for example, by the board or the chief operations officer, while implementation and management are commonly the responsibility of the head of business continuity.

This is another example of how that siloed approach holds many organizations back from shifting to an operational resilience focus. While executive and key stakeholder support and championing is important, to be truly successful, the program must be embedded throughout the entire organization.

Yet, some organizations can’t work past these obstacles because they still don’t have a good understanding of the differences between business continuity and operational resilience. When asked about the definition of operational resilience, the report found some organizations see operational resilience from a technology perspective alone, focused on cyber threats, data loss, disaster recovery, and IT.

The report says that while that is an important part of an operational resilience program, it’s just one of many other necessary components.

The bigger picture here is that because of this confusion, some organizations use the words business continuity and operational resilience interchangeably, even though the programs serve different purposes.

Some respondents said they view operational resilience as a subset of business continuity. The reality is that your operational resilience program should be the overarching strategy that incorporates business continuity management, as well as disaster recovery, crisis management, and other programs designed to seek out and mitigate potential business disruptions.

Overcoming Challenges

So, how can your organization break through these barriers?

The answer lies within your organizational culture. As we mentioned, that top-level executive support is key, but it’s not the only linchpin. Building a culture of operational resilience is critical to success. That means you need to make sure you have the right people, with the right skills, in the right roles, to make this move from concept to reality. To evaluate if you have the right people on your team for success, download our Business Continuity Accountability Guide.

As we’ve seen in recent years, however, hiring qualified people in technology, security, compliance, and resilience management roles is challenging. There are more opportunities than trained individuals. Some organizations also struggle to find financial support needed to recruit those professionals.

How can you overcome the challenges caused by tight budgets and few hires? You may find it helpful to work with a resilience management advisor who can offer counseling and guidance for this journey.

An advisor can help you look at your existing programs, identify gaps and weaknesses, pinpoint siloes and other barriers, and help you develop a plan to make the move to a more holistic program, including support building a resilience culture within your organization.

The Takeaway

Ideally, as you go through this process, you should be able to look back and have a better understanding of what your impact tolerance is. By defining plausible scenarios and determining your remediation prioritization strategies, your organization should be in a solid position to understand which of your resources, if disrupted, would prevent you from resuming important business services as you’ve aligned them to your impact tolerances. This is a core element of operational resilience.

Need help evaluating what your organization needs to do to move toward an operational resilience program? Contact a Castellan advisor today, and we’ll be happy to help. Want to take a closer look at the Operational Resilience report? Download the report here.
