Effective business continuity & operational resilience are both outcomes of good risk management

There has been some debate about whether Operational Resilience (OpRes) and Business Continuity Management (BCM) are the same discipline, different disciplines, or similar areas with differing degrees of granularity. It is arguable that OpRes is customer-centric, in that it looks at the threats and vulnerabilities to the services provided to the customer, whereas BCM is more firm-centric. However, the crucial point is that effective OpRes and BCM are both outcomes of good risk management using operational risk software.

If a key business service fails and damages a firm's customer base and its reputation, or if an unexpected event such as a flood results in IT systems being shut down, is it strictly relevant to key stakeholders (e.g. customers, shareholders, employees, responsible management, regulators) whether the failure of the process was categorised as OpRes or BCM?

In many ways it doesn't matter whether we call these outcomes OpRes or BCM, so long as the objectives of the risk management process are fulfilled.

The key analysis that integrates OpRes with BCM is a Business Impact Analysis (BIA) underpinned by an effective and comprehensive Operational Risk Management Programme (ORMP).

Without a BIA how does a firm know what to prioritise or know the level of controls required to mitigate disruption events?

Without an ORMP how does a firm know what risks it faces:

  • Where these risks map into business lines and services provided
  • How scenarios and stress tests impact the business
  • The impacts of changes to risks and controls to the overall risk profile of the business and the downstream impact on OpRes and BCM

What does a BIA provide?

Source: Mastering Operational Risk by Professor Tony Blunden and John Thirlwell, FT Publishing International.

The BIA should provide the basis from which business continuity and resilience strategies and plans can be developed.

It should:

  • Establish recovery priorities and minimum resources required to maintain availability
  • Establish/estimate worst case scenarios
  • Identify recovery time objectives following an incident

The critical first step in creating an effective BIA is to establish all the activities of the firm and their links into the underlying corporate and business structure.

The analysis should include:

  • Complete list of products and services
  • Critical processes which support the most important products/services with time critical details
  • Key staff and resources to support critical processes
  • Key systems which support critical processes, including Excel and Word documents
  • Third party and internal dependencies
  • Key stakeholders who would be affected by any loss of products and services
  • Identification of a responsibility matrix for critical activities

Once the business critical activities are identified the next stage is to analyse the threats, vulnerabilities and response triggers for these activities.

For further information on how to analyse the above and use this information to create an effective Business Continuity Strategy and Plan, and further detailed advice on how to:

  • document the plan
  • test
  • monitor
  • communicate
  • update the plan for maintenance and continuous improvement

We strongly recommend reading chapter 11 of Mastering Operational Risk by Professor Tony Blunden and John Thirlwell, FT Publishing International.

In our view, effective Business Continuity Management and Operational Resilience cannot be derived in isolation from an effective Operational Risk Management Programme. The starting point is by necessity Operational Risk Management; from here it is possible to create a satisfactory BCM and OpRes programme as an outcome of Operational Risk Management.

In summary RiskLogix believes that both OpRes and BCM derive from effective Operational Risk Management and has developed an award-winning solution to enable firms to manage Operational Risk for maximum business benefit and the realisation of outcomes that include effective Business Continuity Management and Operational Resilience.

In addition, the integrated modelling tools within the RiskLogix suite of products include an analytical program that provides Monte Carlo simulations of individual controls to estimate the impact of their failure over differing time horizons, which we believe is highly relevant to a rigorous analysis of threats, vulnerabilities and planned responses to incidents.

For more details of these products please contact us at www.risklogix-solutions.com

RiskLogix Solutions Limited

RiskLogix has worked with financial services firms around the globe, providing innovative software solutions, training and consultancy services. We provide tangible, actionable advice and guidance to help organisations achieve their strategic goals and deliver true business value.
