Effective business continuity & operational resilience are both outcomes of good risk management

  • Subscribe to updates

  • Privacy
  • This field is for validation purposes and should be left unchanged.

There has been some debate whether Operational Resilience (OpRes) and Business Continuity Management (BCM) are the same discipline, different disciplines, or similar areas but with differing degrees of granularity. It is arguable that OpRes is customer centric in that it looks at the threats and vulnerabilities to the services provided to the customer, whereas BCM is more firm centric, however the crucial point is that effective OpRes and BCM are both outcomes of good risk management.

If a key business service fails and damages a firms’ customer base and its reputation, or if an unexpected event such as a flood results in IT systems being shut down, is it strictly relevant to key stakeholders e.g. Customers, Shareholders, Employees, responsible Management, Regulators, whether the failure of the failed process was categorised as OpRes or BCM?

Whether we call these outcomes OpRes or BCM in many ways it doesn’t matter so long as the objectives of the risk management process are fulfilled.

The key analysis that integrates OpRes with BCM is a Business Impact Analysis (BIA) underpinned by an effective and comprehensive Operational Risk Management Programme (ORMP).

Without a BIA how does a firm know what to prioritise or know the level of controls required to mitigate disruption events?

Without an ORMP how does a firm know what risks it faces:

  • Where these risks map into business lines and services provided
  • How scenarios and stress tests impact the business
  • The impacts of changes to risks and controls to the overall risk profile of the business and the downstream impact on OpRes and BCM

What does a BIA provide?

Source: Mastering Operational Risk by Professor Tony Blunden and John Thirlwell, FT Publishing International.

The BIA should provide the basis from business continuity and resilience strategies and plans can be developed.

It should :

  • Establish recovery priorities and minimum resources required to maintain availability
  • Establish/estimate worst case scenarios
  • Identify recovery time objectives following an incident

The critical steps in creating an effective BIA are first establishing all the activities of the firm and their links into the underlying corporate and business structure.

The analysis should include

  • Complete list of products and services
  • Critical processes which support the most important products/services with time critical details
  • Key staff and resources to support critical processes
  • Key systems which support critical processes, including excel and word documents
  • Third party and internal dependencies
  • Key stakeholders who would be affected by any loss of products and services
  • Identification of a responsibility matrix for critical activities

Once the business critical activities are identified the next stage is to analyse the threats, vulnerabilities and response triggers for these activities.

For further information on how to analyse the above and use this information to create an effective Business Continuity Strategy and Plan, and further detailed advice on how to:

  • document the plan
  • test
  • monitor
  • communicate
  • update the plan for maintenance continuous improvement

We strongly recommend reading chapter 11 of Mastering Operational Risk by Professor Tony Blunden and John Thirlwell, FT Publishing International.

In our view effective Business Continuity Management and Operational Resilience cannot be derived in isolation from an effective Operational Risk Management Programme. The starting point is by necessity Operational Risk Management, from here it is possible to create a satisfactory BCM and OpRes programme as an outcome of Operational Risk Management.

In summary RiskLogix believes that both OpRes and BCM derive from effective Operational Risk Management and has developed an award-winning solution to enable firms to manage Operational Risk for maximum business benefit and the realisation of outcomes that include effective Business Continuity Management and Operational Resilience.

In addition, the integrated modelling tools within the RiskLogix suite of products includes an analytical program that provides Monte Carlo simulations of individual controls to estimate the impact of their failure over differing time horizons, which we believe is highly relevant to a rigorous analysis of threats, vulnerabilities and planned responses to incidents.

For more details of these products please contact us at www.risklogix-solutions.com

Source: Mastering Operational Risk by Professor Tony Blunden and John Thirlwell, FT Publishing International.

RiskLogix Solutions Limited

RiskLogix has worked with financial services firms around the globe, providing innovative software solutions, training and consultancy services. We provide tangible, actionable advice and guidance to help organisations achieve their strategic goals and deliver true business value.

Global HQ

Eagle House
167 City Road
London
EC1V 1AW
+44 207 377 2250

enquiries@risklogix-solutions.com
www.risklogix-solutions.com
www.linkedin.com/company/risklogix-solutions

Related Posts

Digitising Risk Management – Time to ditch the spreadsheet
It is a recognised issue in the industry that the most widely-used risk management software tool is actually provided by Microsoft – and it’s called Excel. And it’s only a partial solution – at best While tier one financial institutions have been early adopters of large, complex risk management software solutions, due to both sophistication …

Digitising Risk Management – Time to ditch the spreadsheet Read More »

2021 Global state of enterprise risk oversight Managing the Rapidly Evolving Risk Landscape
The 2021 Global State of Enterprise Risk Oversight, 4th edition, a joint commission with NCSU and AICPA-CIMA, reports on the ever-evolving status of risk globally.  Focused upon 4 geographic areas, the effects of the pandemic, geo-political events, cyber threats, and rapid innovation have affected responses and actions of all entities.  The content focuses upon five prevalent …

2021 Global state of enterprise risk oversight Managing the Rapidly Evolving Risk Landscape Read More »

Cost-benefit analysis – Driving business value from operational risk data
Developing a cost-benefit approach to risk and control frameworks has long been a goal for operational risk teams. Boards, senior executives, and the business could use such analysis to make better decisions about where to invest in their control frameworks. However, some feel that this kind of analysis simply isn’t possible without sophisticated approaches such …

Cost-benefit analysis – Driving business value from operational risk data Read More »