Article by Michael Howell, Research & Content Lead, The Protecht Group
Note: This article was originally shared by The Protecht Group.
Our previous article on this topic set out the conceptual differences between operational resilience, operational risk, business continuity and disaster recovery. But what do these distinctions mean in practice? Is a rigid divide necessary to meet regulatory expectations, and at a practical level, who from which teams should take on which responsibilities – and how can they best work together?
In the first article in this series, we defined how operational resilience, business continuity and disaster recovery fit together conceptually within the concept of operational risk – as encapsulated by our onion diagram:
This time round, we will take a closer look at how people and teams within these disciplines can work productively together.
A focus on resilience versus continuity
Operational resilience is primarily a desirable characteristic of any organisation. It is clear that business continuity is aimed directly at helping to achieve this characteristic. What has changed though is the renewed focus on operational resilience, primarily due to recent regulatory uplifts in the financial sector as well as increased focus in government for critical infrastructure.
There are two expectations of regulators that may divide people into business continuity vs operational resilience camps.
External stakeholder impact
One regulatory distinction is the focus on the external stakeholder under operational resilience to determine one or more tolerances. A Business Impact Analysis might also include a customer impact category – but traditionally that category captures how the impact to the customer manifests on the organisation (for example, percentage of lost customers), not the impact to the customer itself.
But why the divide? Our view is that you should measure both the internal and external impact (perhaps including impacts beyond those required by regulation) and choose the shortest timeframe when crafting your business continuity plans. This brings us back to alignment across operational resilience and business continuity: meeting whatever timeframe you set still requires you to activate some form of business continuity plan in order to achieve it.
Another distinction that may be considered is a focus on scenarios – particularly a requirement from some financial regulators to consider severe but plausible scenarios that might disrupt those externally important functions. While not universal, business continuity professionals often develop plans based on the resources that are missing, not on the specific scenario that caused them to be missing. The argument is that there are so many potential scenarios that you can’t have a plan for all of them, or you might develop plans that don’t work if a scenario doesn’t occur exactly as envisioned.
These are valid arguments, but scenarios also provide a backdrop against which to assess resource-based continuity and recovery plans – are they going to be valid or effective in those scenarios? Scenarios also allow for assessing the causal pathways and likelihood of disruption, allowing the organisation to make operational changes or implement preventive controls to reduce the likelihood a scenario will actually impact the organisation, or reduce the impact if it does.
In reality, this is a great example of where business continuity and operational risk professionals can and should work together to improve the operational resilience of the organisation.
So, who does what?
While we believe that Disaster Recovery is a subset of Business Continuity, and Business Continuity is a subset of Operational Risk, these are separate functions that require different specific skills and knowledge in order to be performed well. While related, we commonly see these roles distributed across the organisation rather than under a single umbrella. It is rare for direct responsibility for Disaster Recovery to sit outside a Technology team, for example.
Business Continuity is usually more closely aligned with Operational or Enterprise risk teams, perhaps reporting into, or working directly alongside, those teams. This enables a consistent approach across the organisation to developing business continuity while retaining a level of independence. An alternative approach is for Business Continuity to report to a Chief Operating Officer or similar role; after all, it is their operations that need to be continued in the event of a disruption.
In some cases, regulation may dictate who has ultimate ownership, or at least accountability. For regulated financial services in the UK, the Chief of Operations (SMF24 under their accountability regime) is accountable for operational resilience. For most entities across the world where operational risk, business continuity or operational resilience is regulated, Boards or Executives must approve related policies or plans, and ensure roles and responsibilities are clear.
Working together within a business
Regardless of where these roles sit in your organisation, structures, position descriptions, accountabilities, authority and working relationships should be designed to enable collaboration and achievement of operational resilience outcomes.
A few questions to consider on how well these teams are working together:
Do the teams use the same data sources when assessing resource dependencies?
Are the results of your business continuity testing incorporated into your operational risk profile?
Are you tracking key risk indicators or using early warning indicators to identify potential disruptive events before they occur?
Do those teams understand their contribution to operational resilience?
Do you have insights into controls assurance linked to disruptive events or scenarios?
If you haven’t already read the first article in this series, which sets out the conceptual distinctions between the different disciplines, you can find it here: https://www.protechtgroup.com/en-au/blog/opres-vs-bc-vs-dr-whats-the-difference?hsLang=en-au