Effective business continuity & operational resilience are both outcomes of good risk management

  • Subscribe to updates

  • Privacy
  • This field is for validation purposes and should be left unchanged.

There has been some debate whether Operational Resilience (OpRes) and Business Continuity Management (BCM) are the same discipline, different disciplines, or similar areas but with differing degrees of granularity. It is arguable that OpRes is customer centric in that it looks at the threats and vulnerabilities to the services provided to the customer, whereas BCM is more firm centric, however the crucial point is that effective OpRes and BCM are both outcomes of good risk management.

If a key business service fails and damages a firms’ customer base and its reputation, or if an unexpected event such as a flood results in IT systems being shut down, is it strictly relevant to key stakeholders e.g. Customers, Shareholders, Employees, responsible Management, Regulators, whether the failure of the failed process was categorised as OpRes or BCM?

Whether we call these outcomes OpRes or BCM in many ways it doesn’t matter so long as the objectives of the risk management process are fulfilled.

The key analysis that integrates OpRes with BCM is a Business Impact Analysis (BIA) underpinned by an effective and comprehensive Operational Risk Management Programme (ORMP).

Without a BIA how does a firm know what to prioritise or know the level of controls required to mitigate disruption events?

Without an ORMP how does a firm know what risks it faces:

  • Where these risks map into business lines and services provided
  • How scenarios and stress tests impact the business
  • The impacts of changes to risks and controls to the overall risk profile of the business and the downstream impact on OpRes and BCM

What does a BIA provide?

Source: Mastering Operational Risk by Professor Tony Blunden and John Thirlwell, FT Publishing International.

The BIA should provide the basis from business continuity and resilience strategies and plans can be developed.

It should :

  • Establish recovery priorities and minimum resources required to maintain availability
  • Establish/estimate worst case scenarios
  • Identify recovery time objectives following an incident

The critical steps in creating an effective BIA are first establishing all the activities of the firm and their links into the underlying corporate and business structure.

The analysis should include

  • Complete list of products and services
  • Critical processes which support the most important products/services with time critical details
  • Key staff and resources to support critical processes
  • Key systems which support critical processes, including excel and word documents
  • Third party and internal dependencies
  • Key stakeholders who would be affected by any loss of products and services
  • Identification of a responsibility matrix for critical activities

Once the business critical activities are identified the next stage is to analyse the threats, vulnerabilities and response triggers for these activities.

For further information on how to analyse the above and use this information to create an effective Business Continuity Strategy and Plan, and further detailed advice on how to:

  • document the plan
  • test
  • monitor
  • communicate
  • update the plan for maintenance continuous improvement

We strongly recommend reading chapter 11 of Mastering Operational Risk by Professor Tony Blunden and John Thirlwell, FT Publishing International.

In our view effective Business Continuity Management and Operational Resilience cannot be derived in isolation from an effective Operational Risk Management Programme. The starting point is by necessity Operational Risk Management, from here it is possible to create a satisfactory BCM and OpRes programme as an outcome of Operational Risk Management.

In summary RiskLogix believes that both OpRes and BCM derive from effective Operational Risk Management and has developed an award-winning solution to enable firms to manage Operational Risk for maximum business benefit and the realisation of outcomes that include effective Business Continuity Management and Operational Resilience.

In addition, the integrated modelling tools within the RiskLogix suite of products includes an analytical program that provides Monte Carlo simulations of individual controls to estimate the impact of their failure over differing time horizons, which we believe is highly relevant to a rigorous analysis of threats, vulnerabilities and planned responses to incidents.

For more details of these products please contact us at www.risklogix-solutions.com

Source: Mastering Operational Risk by Professor Tony Blunden and John Thirlwell, FT Publishing International.

RiskLogix Solutions Limited

RiskLogix has worked with financial services firms around the globe, providing innovative software solutions, training and consultancy services. We provide tangible, actionable advice and guidance to help organisations achieve their strategic goals and deliver true business value.

Global HQ

Eagle House
167 City Road
London
EC1V 1AW
+44 207 377 2250

enquiries@risklogix-solutions.com
www.risklogix-solutions.com
www.linkedin.com/company/risklogix-solutions

Related Posts

Common mistakes in risk appetite – Part 2: The devil is in the detail
This week Tony and John go into more detail about common mistakes made in risk appetite work.  This exert is taken from their book Mastering Risk Management… There are many reasons to have a risk appetite and many mistakes to be made along the way.  A risk appetite encourages management to be involved in risk …

Common mistakes in risk appetite – Part 2: The devil is in the detail Read More »

Common mistakes in risk appetite – Part 1: Risk Appetite Strategy
This week Tony and John discuss common mistakes made in risk appetite work.  Part 1 explores the strategic side of risk appetite.  Part 2 will go into more detail. This exert is taken from their book Mastering Risk Management… There are many reasons to have a risk appetite and many mistakes to be made along …

Common mistakes in risk appetite – Part 1: Risk Appetite Strategy Read More »

Keep external risks on the radar with regular horizon scanning
This week Tony and John discuss external risks and the importance of horizon scanning. This exert is taken from their book Mastering Risk Management… One of the problems of risk management, and indeed management generally, is that so much time is spent worrying about internal risks and not looking at the external environment. Generally, the …

Keep external risks on the radar with regular horizon scanning Read More »