Top Takeaways from the BCI’s Operational Resilience Report 2022
Now that the BCI’s Report on Operational Resilience 2022, sponsored by Castellan, is a few weeks old and having been introduced live in London and internationally via webinar, I thought it was about time to build on the Foreword to the report I wrote and share a few additional thoughts on key findings and professional reactions from numerous experts.
Let’s start with four of the questions and associated findings.
1. Question: If you have or are developing an operational resilience programme, what are your reasons for this? (Page 8 of the report)
Finding: Whilst regulation is a primary driver for operational resilience programmes, good practice is encouraging take-up amongst the broader market – 73.4% for good practice purposes.
My Reaction: No matter how you define operational resilience and what you include in terms of key outcomes, this is a great finding because it highlights the innovative nature of our professional and how we strive for continual improvement.
2. Question: If you do not have an operational resilience programme, why not? (Page 8 of the report)
Finding: Whilst regulation is a primary driver, it is also the main reason for organizations in unregulated sections not to adopt operational resilience [practices].
My Reaction: It’s unfortunate that legal and regulatory requirements often drive action and even innovation. But I want to comment on one of the other top three reasons. 18.4% answered “We do not have the time or resources to implement such a programme”.
With budgets shrinking and expectations growing, operational resilience is a necessity. In my opinion, the strategic nature of operational resilience forces a focus on what’s most important, or said another way, efficiency (with the promise of doing more with less). So, if time or resources are a typical constraint, make the time to consider some of the principles of operational resilience found in an ever-growing number of regulations, standards, and publications. Check out this resource outlining how you can get started with operational resilience today.
3. Question: What are the “critical” or “major” challenges to implementing operational resilience with your organization? (Page 11 of the report)
Finding: Five responses were answered more than 25% of the time:
50% – Embedding operational resilience into the fabric of the organization
47.8% – Not having the headcount or staff time to implement a programme
38.5% – Having the right people in the organization to oversee and run an operational resilience programme
37.2% – Understanding, monitoring and managing supply chain risks
27.5% – Managing concentration risk
My Reaction: I think there’s a lot of truth to these findings. Some of the key attributes of operational resilience, such as defining impact tolerance and making sure the organization is structured in a manner to never exceed it, is a change. And change is often painful, and in this case, a move to operational resilience necessitates a culture change for many.
In some cases, as 38.5% indicated, more strategic skills and thinking are needed, and as 27.5% indicated, there’s a need to tackle really tough, entrenched problems. My advice – embrace these professional growth opportunities, as well as the opportunity to solve some tough problems for the benefit of your organization and its customers.
4. Question: Does your organization have an operational resilience programme or project? (Page 6 of the report)
Finding: 78.8% of organizations have an operational resilience programme or project in place.
My Reaction: If you’re like me and you’re familiar with many of the operational resilience requirements or practices globally, you’re probably questioning this finding. But keep in mind, many survey respondents are not in financial services and many probably hadn’t read the PRA or FCA requirements. So, the definition of “operational resilience” was left to their own interpretation.
With all of this said, I’d like to end this blog by covering a key, albeit controversial theme, or quote, made by numerous respondents – “isn’t operational resilience just business continuity done right?”.
In talking to professionals before the issuance of the report, and certainly over the past few weeks since the report was issued, I find some people are offended by this statement, some instantly embark on a comparison of the two efforts, and others simply agree. But when we step back and acknowledge the many interpretations of “good practice” when it comes to continuity and resilience, as well as the application of good practice in our organizations based on need, many practitioners focus on different outcomes and therefore one’s interpretation often influences the reaction to the quote.
But I would like to offer this. If you made the customer the centerpiece of your business continuity program, or if you worked to prevent disruption while recognizing that disruption is evitable because not all forms of disruption can be prevented, you might agree with the statement. However, if operational resilience “thinking” pushed you toward some new concepts such as impact tolerance and plausible scenarios, then it may have introduced some significant value and therefore operational resilience is different from business continuity.
As such, I would challenge all of us to leverage the best and most applicable elements of leading practice – from business continuity to operational resilience and even other disciplines – to ensure a continual capability to meet customer and market demands by appropriately investing to prevent disruption when possible and to build a response capability to minimize impact when the uncontrollable or unpredictable happens.
Don’t get hung up on words or titles.
Instead, let’s use our collective experiences and the influence from studies such as this report to help organizations build a capability to “bend, not break” regardless of what happens. Hopefully we can work to prevent disruption and respond favorably, regardless of what we call the work we do or the discipline in which we operate.
Brian brings more than 25 years of experience managing and building world-class, global business continuity programs to his role as Chief Strategy Officer for Castellan. Outside of his work with Castellan and its clients, Brian previously served as the Head of the United States Delegation to ISO Technical Committee 223, the authors of ISO 22301. Brian contributed to ISO 22301 and led the project team that created ISO 22317, the business impact analysis standard, and ISO 22331, the business continuity strategy determination standard. Brian is a frequent author and speaker, currently serving on the Editorial Advisory Board of Continuity Insights magazine. Brian previously served as the Business Continuity Institute US Chapter Board President and as the President of the Northern Ohio Chapter of the Association of Contingency Planners. Brian is certified as a Fellow of the Business Continuity Institute. In 2020, he published his first book The Business Continuity Operating System. Brian is also a two time Lifetime Achievement award winner from CIR (2021) and the BCI.
Get resilience insights delivered to your inbox.
Ready for some hands-on help? Let’s discuss how to best achieve your resilience goals.