Top Takeaways from the BCI’s Operational Resilience Report 2022
Brian Zawada
share
Now that the BCI’s Report on Operational Resilience 2022, sponsored by Castellan, is a few weeks old and having been introduced live in London and internationally via webinar, I thought it was about time to build on the Foreword to the report I wrote and share a few additional thoughts on key findings and professional reactions from numerous experts.
Let’s start with four of the questions and associated findings.
1. Question: If you have or are developing an operational resilience programme, what are your reasons for this? (Page 8 of the report)
Finding: Whilst regulation is a primary driver for operational resilience programmes, good practice is encouraging take-up amongst the broader market – 73.4% for good practice purposes.
My Reaction: No matter how you define operational resilience and what you include in terms of key outcomes, this is a great finding because it highlights the innovative nature of our professional and how we strive for continual improvement.
2. Question: If you do not have an operational resilience programme, why not? (Page 8 of the report)
Finding: Whilst regulation is a primary driver, it is also the main reason for organizations in unregulated sections not to adopt operational resilience [practices].
My Reaction: It’s unfortunate that legal and regulatory requirements often drive action and even innovation. But I want to comment on one of the other top three reasons. 18.4% answered “We do not have the time or resources to implement such a programme”.
With budgets shrinking and expectations growing, operational resilience is a necessity. In my opinion, the strategic nature of operational resilience forces a focus on what’s most important, or said another way, efficiency (with the promise of doing more with less). So, if time or resources are a typical constraint, make the time to consider some of the principles of operational resilience found in an ever-growing number of regulations, standards, and publications. Check out this resource outlining how you can get started with operational resilience today.
3. Question: What are the “critical” or “major” challenges to implementing operational resilience with your organization? (Page 11 of the report)
Finding: Five responses were answered more than 25% of the time:
50% – Embedding operational resilience into the fabric of the organization
47.8% – Not having the headcount or staff time to implement a programme
38.5% – Having the right people in the organization to oversee and run an operational resilience programme
37.2% – Understanding, monitoring and managing supply chain risks
27.5% – Managing concentration risk
My Reaction: I think there’s a lot of truth to these findings. Some of the key attributes of operational resilience, such as defining impact tolerance and making sure the organization is structured in a manner to never exceed it, is a change. And change is often painful, and in this case, a move to operational resilience necessitates a culture change for many.
In some cases, as 38.5% indicated, more strategic skills and thinking are needed, and as 27.5% indicated, there’s a need to tackle really tough, entrenched problems. My advice – embrace these professional growth opportunities, as well as the opportunity to solve some tough problems for the benefit of your organization and its customers.
4. Question: Does your organization have an operational resilience programme or project? (Page 6 of the report)
Finding: 78.8% of organizations have an operational resilience programme or project in place.
My Reaction: If you’re like me and you’re familiar with many of the operational resilience requirements or practices globally, you’re probably questioning this finding. But keep in mind, many survey respondents are not in financial services and many probably hadn’t read the PRA or FCA requirements. So, the definition of “operational resilience” was left to their own interpretation.
With all of this said, I’d like to end this blog by covering a key, albeit controversial theme, or quote, made by numerous respondents – “isn’t operational resilience just business continuity done right?”.
In talking to professionals before the issuance of the report, and certainly over the past few weeks since the report was issued, I find some people are offended by this statement, some instantly embark on a comparison of the two efforts, and others simply agree. But when we step back and acknowledge the many interpretations of “good practice” when it comes to continuity and resilience, as well as the application of good practice in our organizations based on need, many practitioners focus on different outcomes and therefore one’s interpretation often influences the reaction to the quote.
But I would like to offer this. If you made the customer the centerpiece of your business continuity program, or if you worked to prevent disruption while recognizing that disruption is evitable because not all forms of disruption can be prevented, you might agree with the statement. However, if operational resilience “thinking” pushed you toward some new concepts such as impact tolerance and plausible scenarios, then it may have introduced some significant value and therefore operational resilience is different from business continuity.
As such, I would challenge all of us to leverage the best and most applicable elements of leading practice – from business continuity to operational resilience and even other disciplines – to ensure a continual capability to meet customer and market demands by appropriately investing to prevent disruption when possible and to build a response capability to minimize impact when the uncontrollable or unpredictable happens.
Don’t get hung up on words or titles.
Instead, let’s use our collective experiences and the influence from studies such as this report to help organizations build a capability to “bend, not break” regardless of what happens. Hopefully we can work to prevent disruption and respond favorably, regardless of what we call the work we do or the discipline in which we operate.
Brian brings more than 25 years of experience managing and building world-class, global business continuity programs to his role as Chief Strategy Officer for Castellan. Outside of his work with Castellan and its clients, Brian previously served as the Head of the United States Delegation to ISO Technical Committee 223, the authors of ISO 22301. Brian contributed to ISO 22301 and led the project team that created ISO 22317, the business impact analysis standard, and ISO 22331, the business continuity strategy determination standard. Brian is a frequent author and speaker, currently serving on the Editorial Advisory Board of Continuity Insights magazine. Brian previously served as the Business Continuity Institute US Chapter Board President and as the President of the Northern Ohio Chapter of the Association of Contingency Planners. Brian is certified as a Fellow of the Business Continuity Institute. In 2020, he published his first book The Business Continuity Operating System. Brian is also a two time Lifetime Achievement award winner from CIR (2021) and the BCI.
Get resilience insights delivered to your inbox.
Ready for some hands-on help? Let’s discuss how to best achieve your resilience goals.
This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.
Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.
Cookie
Duration
Description
cookielawinfo-checbox-analytics
11 months
This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional
11 months
The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others
11 months
This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary
11 months
This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance
11 months
This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy
11 months
The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.
Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.
Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.
