Pragmatic Resilience

What is operational resilience?

Resilience has become the new corporate buzzword, but what does it really mean and how does an organisation become truly resilient? Organisations are slowly accepting that focusing solely on preventative measures is not sufficient when faced with inevitable incidents and crises.

Many definitions of personal resilience highlight the need for self-awareness, adaptability and agility, but when defining organisational resilience, the focus is often on processes, structures and policies for incidents and crises. Such a theoretical approach risks stifling, and even preventing, people from recognising and adapting to the incidents or crises they face. Supporting good people in doing the right thing in a crisis is key to resilience.

This paper outlines a new approach to resilience using Beyond Blue’s 8P model. This framework offers a new way for organisations to think about resilience in the increasingly dynamic and unpredictable world in which we live.

There is a difference between organisational and operational resilience. Operational resilience is one of three subcomponents of organisational resilience, alongside reputational and financial. These three areas are best understood by the type of crises they seek to mitigate:

  • Reputational resilience: scandal or gross misconduct, for example sexual harassment or child labour.
  • Financial resilience: changes in demand, fraud or credit pressure.
  • Operational resilience: factory fire, pandemic or cyber-attack.

These three areas are not mutually exclusive and often overlap. A severe cyber-attack, for example, can start as an operational issue but quickly have a material impact on a firm and reputational implications if the firm does not have a clear customer-focused communications strategy.

2020: a year to forget

Many people on the eve of 2020 were glad to see the back of 2019. Little did they know what 2020 would have in store.
Much of the world spent the year in and out of national and regional lockdowns with the UK implementing a seemingly ever-changing tier system. As the world adapted to working from home, technology providers were hit with an unprecedented rise in demand and the likes of Zoom, MS Teams and Slack hit the headlines with security or performance issues as their userbases grew exponentially overnight.

Whilst a Brexit trade deal was agreed at the close of 2020, existing supply chain issues have been, and are likely to continue to be, exacerbated by inevitable teething issues in the implementation of the deal.
The world’s largest economies have been decimated; the IMF predicted a 4.4% fall in global GDP in 2020 with the UK and the Euro area falling 9.8% and 8.3% respectively. Whilst the IMF’s 2021 projection is positive, it won’t restore countries to pre-COVID-19 levels and organisations will be taking a prudent stance, conserving cash and reducing costs as they face huge uncertainty for the next 18–24 months.

With a backdrop of varied governmental COVID-19 responses, Brexit and the highly charged US election, geopolitical tensions continue to rise with accusations of foreign interference, disinformation campaigns and state-sponsored cyber-attacks. In December 2020, the US accused Russia of a supply chain cyber-attack which led to the compromise of many US government networks. In Q3 2020, there was a 50% increase in the daily average of ransomware attacks compared to the first half of the year, and many threat actors are now extorting money from organisations not just to unlock encrypted systems and data, but also to preserve the confidentiality of their data.

High-profile victims included Travelex, Garmin and Honda, with some reportedly paying multi-million-pound ransoms. In October, the US Treasury and G7 took a much harsher stance, threatening civil penalties against organisations who made or helped facilitate ransomware payments to cyber criminals on the US sanctions list. Organisations who fall victim to ransomware and, in part, their cyber insurers, now face the unenviable dilemma of choosing between potentially astronomical manual recovery costs (if recovery is even possible) versus similarly large fines from governments.

COVID-19 was not 2020’s only crisis. Time is running out for the world to act on climate change, Black Lives Matter protests have taken place in over 4,000 cities, and the Wirecard scandal and US House antitrust report on the Big 4 tech companies are the latest in a series of events which have increased widespread distrust and scepticism of big business. As a result, organisations find themselves being pulled in opposing directions by their stakeholders. Customers and employees expect organisations to have a voice and play their part in addressing social injustice and climate change. Investors are applying increasing pressure on organisations’ sustainability: ESG (Environmental, Social and Governance) investing is soaring in popularity, with ESG-themed exchange-traded funds topping US$100bn in total assets for the first time in July 2020. Meanwhile, governments and regulators are increasing oversight and regulation, requiring growing overheads to sustain compliant operations, while organisations try to remain immune to a constantly changing geopolitical backdrop.

Minimal viable company (MVC)

The MVC is core to all aspects of organisational resilience and should be defined before organisations identify and map their important business services (IBS).

Key to defining the MVC is understanding what viable means to the organisation. For many, a key element will be a core set of profitable services or products. Therefore operations, reputation and finance need to be considered:

  • Operational: The MVC is the operational core of an organisation which serves as the foundation for the IBS. This core is comprised of the foundational technology infrastructure, critical data, supply chain, associated skills and expertise, and assets that the majority, if not all, of the IBS are dependent upon.
  • Reputational: Without customers and demand for an organisation’s services or products, the organisation loses competitive advantage, which over time will impact its bottom line. Organisations must both understand and consider their critical customers and the basis of their reputation when responding to incidents and crises.
  • Financial: The ability to preserve the organisation’s operations and reputation is dependent on having sufficient financial means. The MVC needs to both define and preserve an agreed minimum level of cash and assets, and an appropriate balance of liquidity and capital to do this.

In any crisis, the preservation of the MVC will dictate the organisation’s response and be critical in the event of a worst-case scenario or black swan event. The potential controls that might be used to protect an MVC (in line with the organisation’s risk appetite) may be resource intensive, costly and complex to implement, so it is key that the MVC contains only those services and resources that are critical to survival.

Resilient culture

Any concept, be it sustainability, innovation or inclusivity, will only be truly achieved when it penetrates organisational culture and is embedded as a core value. Different approaches have varying levels of success which are heavily dependent on the existing organisational culture.

Resilience can be closely aligned to a number of other operational concepts that organisations typically strive to embed, such as the importance of employees as the first line of defence against the cyber threat. If done correctly, it can also help organisations that are working to become more innovative and sustainable.

Resilience by design

A key tool in achieving a resilient culture is embedding resilience in the design, procurement and innovation of the organisation’s products and services, specifically those involving technology and third parties. Many organisations attempt to conduct assessments of privacy or security at the end of these processes, undermining the importance of resilience.

This means that only retrospective mitigating controls are available (if indeed they can be retrofitted at all), and the organisation loses the chance to take a forward look and build effective systems from the start.

Conclusion & next steps

The last year has highlighted the need for organisations to focus on their resiliency, regardless of whether it has been mandated through regulation. It has also provided a rare opportunity to learn from an operational disruption of such scale that senior leadership teams cannot ignore the findings and the need to be better prepared.

Whilst buy-in may not be the issue, boards and executives will expect a programme that demonstrates value, effectively measures progress and translates into sustainable BAU processes, and therefore a pragmatic approach is essential.

Get in touch

Please get in contact with a member of the Beyond Blue team to find out more about our 8P model and how we can help set up your organisation for success in an increasingly unpredictable environment.
