
Strategic considerations for resilience domain alignment

We recently outlined a series of benefits for firms wishing to align resilience, response, and recovery programmes. As stated in an earlier blog, some benefits include:

  • Efficiencies have been created through synchronised scenario testing and recovery testing,
  • Service mapping now provides a complete view of operational resilience and recovery threats and vulnerabilities,
  • A common language has been created across business and IT incidents, with the relevant domains now classifying resource criticality in the same way,
  • Unified governance means smoother and timelier decision-making.

Below, we outline some high-level considerations for firms wishing to undertake integration and alignment activity.

Strategic considerations

The first strategic consideration is a strategy!  

A firm’s senior management should articulate its Resilience, Response and Recovery objectives and expectations through a strategy. The strategy will articulate how alignment plays into wider company objectives and business strategy, and it helps firms articulate their target state, i.e., “how resilient do we want to be?” When everyone understands how integrating and aligning resilience across the firm supports business objectives, it is easier for them to see how, and where, they can take responsibility and add value. It provides direction to drive activity and decision-making across the entire programme.

As part of that strategy, firms should ask themselves what they hope to achieve through alignment activity and if the effort to align is proportionate to the scope and scale of their supporting programmes across Operational Resilience, Business Continuity Management, and IT Disaster Recovery. 

For medium and larger firms, with multiple departments / functions and a mature Operational Resilience programme, the benefits of alignment are significant, as we’ve outlined above. An additional benefit that firms have noticed is the time they’re saving on creating reports that often say the same thing for different committees.

Indeed, firms with a greater strategic goal for alignment and integration should consider how to go beyond these three areas to encompass wider risk and protective domains, such as third-party risk management, change risk and cyber risk.

However, smaller firms with a limited number of departments / functions and a single or small number of Important Business Services may decide alignment is not worth the effort.

To be clear, these firms will still gain significant benefit, but if resources are stretched, programme priorities may reside elsewhere.

Technology usage will form part of the strategy-setting conversations. Again, firms with a low-maturity programme may feel that an Excel-based tool works just fine to meet strategic objectives. We’d agree, and we encourage all firms to get manual programmes in a good place before deciding to invest in a technology platform.

A tool can’t compensate for a lack of defined methodologies or established processes and is only as good as the data that firms are able to provide. 

For those firms with a functioning and mature programme, a technology platform makes absolute sense, giving them the opportunity to leverage capability and data across multiple resilience, response, and recovery domains. These firms will find that they have access to enhanced data, increased production capability and enhanced output.

Other examples of considerations which will dictate the speed of strategic implementation may be foundational in nature. 

  • How effective are the supporting programmes you wish to align? We’ve explored key findings in Business Continuity and IT Disaster Recovery, Third-Party Risk and Operational Resilience that firms may wish to address before any efforts to align and integrate.
  • What are the existing Operating Models and Governance structures across the protective disciplines in scope for integration?  The complexity and embeddedness of the existing operating model will determine whether the alignment is both achievable in your target timeframe and proportionate in comparison with the effort required to implement.

Procedural and Process considerations

Asset Classification

Firms looking to align resilience, response and recovery domains should consider unified impact criteria and a unified assessment methodology, so that outcomes, assessments and treatment plans are consistent. There should be consistent resource (person, supplier, technology, data, facility) classification across in-scope domains.

For example, if ICT classifies a resource as critical and that resource also contributes to the delivery of an Important Business Service, firms need to develop an approach which ensures that criticality classification is recognised across domains. 

Some firms are overhauling siloed taxonomies and developing a single language to articulate criticality. However, there should be no need to reclassify all resources according to a single taxonomy; instead, firms can develop an alignment methodology to ensure accurate interpretation of the varying naming conventions.

Recovery Priorities

A firm’s strategy will articulate the services and functions the firm prioritises in the event of an incident, to ensure it can still meet commitments to customers, shareholders, and regulators. This is standard practice for Operational Resilience programmes through Important Business Services, and for Business Continuity and IT Disaster Recovery programmes through the establishment of a top-down Maximum Tolerable Period of Disruption. How firms link these recovery priority objectives across the resilience and recovery domains is a central part of the alignment programme.

A top-down and bottom-up approach is required to set the right recovery priorities and then operationalise alignment across those priorities. Top-down will ensure that the business is focused on those functions and services that are most important to the firm, and therefore hopefully to its customers.

Bottom-up can be approached through mapping to an appropriately granular level to identify the common assets (technology, data, people, facilities, suppliers) and processes underpinning the delivery of Important Business Services and Critical Functions.

Once firms are clear on top-down priorities and the supporting assets and processes needed to meet those priorities, they can begin to align Maximum Tolerable Period of Disruption (MTPD), Recovery Time Objectives (RTO) and Impact Tolerances (ITOLs) to ensure they sit along the same timeline, feed into each other and fit snugly as part of an aligned resilience, response, and recovery approach.
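The two procedural points above (interpreting each domain's own criticality taxonomy on a shared scale rather than reclassifying everything, and then checking that asset RTOs, service ITOLs and MTPDs sit on one consistent timeline) can be made mechanical. The script below is an added illustration written for this post; it is not FourthLine's tooling or methodology. The domain taxonomies (ict / bcm / tprm), the firm, services, assets and hour values are all constructed, and the ordering rule it enforces (asset RTO ≤ service ITOL ≤ service MTPD) is an assumption chosen for the example, not a regulatory definition.

```python
"""Cross-domain criticality alignment and recovery-timeline consistency checks.

Added example, not code from the original post. Every taxonomy, service,
asset and timing value below is constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Unified criticality scale, highest rank first.
UNIFIED_RANK = {"critical": 3, "important": 2, "standard": 1}

# Alignment methodology: each domain keeps its own naming convention; we only
# record how each native rating reads on the unified scale. (Constructed.)
DOMAIN_TAXONOMIES: Dict[str, Dict[str, str]] = {
    "ict":  {"tier 1": "critical", "tier 2": "important", "tier 3": "standard"},
    "bcm":  {"vital": "critical", "essential": "important", "routine": "standard"},
    "tprm": {"high": "critical", "medium": "important", "low": "standard"},
}


def unify(domain: str, rating: str) -> str:
    """Interpret a domain-native rating on the unified scale; unknown ratings are errors."""
    try:
        return DOMAIN_TAXONOMIES[domain][rating.strip().lower()]
    except KeyError:
        raise ValueError(f"no mapping for {domain!r} rating {rating!r}") from None


@dataclass
class Asset:
    name: str
    rto_hours: int                 # recovery time objective from the IT DR / BCM plan
    ratings: Dict[str, str]        # domain -> that domain's native rating


@dataclass
class Service:
    name: str                      # an Important Business Service
    itol_hours: int                # impact tolerance
    mtpd_hours: int                # maximum tolerable period of disruption
    assets: List[str] = field(default_factory=list)


def classification_findings(services: List[Service], assets: Dict[str, Asset]) -> List[str]:
    """Any asset underpinning an IBS must read as 'critical' in every domain that rates it."""
    findings = []
    for svc in services:
        for asset_name in svc.assets:
            asset = assets[asset_name]
            for domain, rating in asset.ratings.items():
                if UNIFIED_RANK[unify(domain, rating)] < UNIFIED_RANK["critical"]:
                    findings.append(
                        f"{asset.name}: rated {rating!r} by {domain} but underpins IBS {svc.name!r}"
                    )
    return findings


def timeline_findings(services: List[Service], assets: Dict[str, Asset]) -> List[str]:
    """Assumed ordering rule: asset RTO <= service ITOL <= service MTPD."""
    findings = []
    for svc in services:
        if svc.itol_hours > svc.mtpd_hours:
            findings.append(f"{svc.name}: ITOL {svc.itol_hours}h exceeds MTPD {svc.mtpd_hours}h")
        for asset_name in svc.assets:
            asset = assets[asset_name]
            if asset.rto_hours > svc.itol_hours:
                findings.append(
                    f"{svc.name}: asset {asset.name} RTO {asset.rto_hours}h exceeds ITOL {svc.itol_hours}h"
                )
    return findings


def run_example() -> Dict[str, List[str]]:
    """Constructed data for a hypothetical firm; returns both sets of findings."""
    assets = {
        "payments-gateway": Asset("payments-gateway", 2, {"ict": "Tier 1", "bcm": "vital"}),
        # Rated 'medium' by third-party risk even though it underpins an IBS,
        # and its 8h RTO cannot meet a 4h impact tolerance.
        "card-processor-vendor": Asset("card-processor-vendor", 8, {"tprm": "medium", "ict": "tier 1"}),
        # Not mapped to any IBS, so a 'routine' rating raises no finding.
        "branch-facility": Asset("branch-facility", 24, {"bcm": "routine"}),
    }
    services = [
        Service("Card Payments", itol_hours=4, mtpd_hours=8,
                assets=["payments-gateway", "card-processor-vendor"]),
        # Impact tolerance set looser than the BIA-derived MTPD: inconsistent.
        Service("Mortgage Origination", itol_hours=48, mtpd_hours=24),
    ]
    return {
        "classification": classification_findings(services, assets),
        "timeline": timeline_findings(services, assets),
    }


if __name__ == "__main__":
    for section, items in run_example().items():
        print(f"== {section} ==")
        for item in items:
            print(" -", item)
```

The point of keeping the per-domain taxonomies as a lookup table is the one the post makes: nobody has to relabel the ICT estate as "vital" or the BCM register as "tier 1", yet a single query can still ask "is everything under this Important Business Service treated as critical everywhere?" The timeline check is the bottom-up half; it only becomes meaningful once the service-to-asset mapping exists.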

Controls

An incident can be a resource failure, a process failure or human error, but the process for proactive management is the same across domains. Through a unified approach to proactive risk identification, firms can develop an aligned risk and control framework.

Once a firm has agreed aligned resilience and response objectives and defined a target state in its strategy, it can determine the target state of resilience for each critical process, asset or service. For each process, asset, or service, firms can document the attributes that support the strategic objectives and, for each attribute, agree a target standard. Once the target standard has been agreed, firms can assess against it and understand current state vs target state.

A gap between target state and current state indicates a potential process, resource or pillar vulnerability that must be considered within the control framework. The gap gives firms a clear indicator of the desired capability. A firm can then go on to develop controls and metrics to monitor the risk or vulnerability, or may agree remediation to achieve that desired capability.

This standardisation and alignment of controls, and of the evidence of performance against them, makes it possible to streamline and improve risk reporting and allows better comparison of risks across assets, departments and processes.

With significant variance in Risk and Control Self-Assessment (RCSA) maturity, firms may consider whether a practical step would be for second-line functions to identify inherent risks, set standards and design the controls which the first line can operate. Using the RCSA to confirm that the first line understands, sees value in and is operating the controls effectively, the second line can then consider the impact of the controls to ensure appropriate levels of residual risk are achieved.

As the first line matures in its capability under the aligned approach, the second line can work more collaboratively with it to produce an appropriate risk and controls framework, delivering an even more integrated approach that drives a healthy risk and resilience culture.

Further considerations for procedural and process activities include:

  • Creation of Recovery Plans and playbooks for Important Business Services which address specific considerations for recovering Important Business Services in a series of common, most likely severe but plausible scenarios,
  • Creating efficiency for firms through combined testing which addresses operational resilience scenario testing, crisis and incident management exercising, process and systems recovery testing.

Conclusion

Creating an aligned programme across resilience and supporting domains confers significant benefits on firms adopting the approach. These benefits lead to greater operational and financial efficiencies and ultimately result in a more resilient organisation.

However, there are steps to achieving and operationalising the alignment and integration of the domains. Many firms are focused on alignment through bottom-up “low-hanging fruit” when a dual approach should be adopted which incorporates both top-down and bottom-up initiatives.

Please get in touch or book a meeting if any of the above resonates and you’d like to understand how we could support your programme objectives.

January 24, 2024
Daniel Waltham
Responsible for leading client relationships and new business sales. Dan takes a lead role in customer engagement, identifying, creating and designing solutions to help our customers with risk and regulatory challenges. 13 years of experience working with financial services businesses across risk, compliance, data protection and regulatory change.