First Reference Talks

Discussions on Human Resources, Employment Law, Payroll and Internal Controls

By Ethics & Compliance Matters™, Navex Global® | February 27, 2020

Entering the era of operational resilience

Compliance and risk management professionals take naturally to acronyms and terms of art that help us understand what we do, so let me introduce one that’s likely to become more important in years to come. 

Operational resilience.

Operational resilience is the ability of a business to tolerate shocks and maintain normal operations. Those shocks can be all sorts of things — IT failures, natural disasters, terrorism, cyberattacks — but they’re typically sudden shocks, happening within hours or even minutes, that threaten your company’s ability to provide whatever it is you provide to customers. 

Threats to operational resilience are on the rise. Regulators know it, and corporate boards know it. They’re also eager to prevent those threats — which means, inevitably, that operational resilience will be on the minds of compliance and audit executives, too.

For example, banking regulators want more authority to examine the tech vendors that work with large banks. The regulators want to be sure that those vendors are reliable and won’t crash in some crucial way that could paralyze the financial system. 

Or if you want a small-scale example, consider the case of Virtual Care Provider Inc., an IT services firm based in Wisconsin that provides data storage, email, billing, and other services to more than 110 nursing homes across the United States. 

VCP fell victim to a ransomware attack in November, where hackers shut down virtually all of the firm’s operations. That means those nursing homes relying on VCP also lost access to all their operations, including patient records and billing information — mission critical tasks for a nursing home. So the nursing homes have been stuck trying to re-create all their data and processes from scratch. 

Whether we’re talking about whole industries (banking) or single firms (Virtual Care Provider), the challenge is the same. Companies need to govern their operations so that no matter what disruptions might come along, they can keep providing services to their customers. 

Why are we talking about this now? 

Because the risks to operational resilience are proliferating, largely thanks to how companies use modern technology. They have more vendors providing not just goods, but also services and business processes — including mission-critical business processes, like billing or email communications or data analytics. 

That means more possible points of failure, with more severe potential consequences, all the time. 

Banking regulators are leading the way on this issue right now. The Federal Reserve, for example, has numerous pieces of guidance about operational resilience, and Fed banking examiners do probe financial firms for how well their systems can withstand shocks. 

Well, who believes regulators will stop at that sector? Consider our nursing home example from above, or telecommunications firms, or public utilities, or many other sectors. Eventually a vast swath of businesses will be under pressure to assure that they can withstand such disruptions. Even if regulators don’t act, consumers, business partners, boards of directors, and other stakeholders will. 

A new type of risk assessment and assurance

Clearly this is a challenge of risk assessment. The question is exactly what type of risk a company is supposed to be assessing. Is this vendor risk? Cybersecurity risk? Business continuity risk? Something else? 

The honest answer is that it’s all of those things, fused into one scary mess of potential failure — which is, really, all that the board, customers, and the public care about.

So companies are going to need a more thoughtful approach to how they assess their reliance on vendors, and how to assure that this reliance won’t somehow threaten their ability to keep providing services. That’s the capability compliance and risk management functions need to develop.

For example, some operating unit of the company will decide to rely on a tech vendor to run a business process. That operating unit might find a fantastic vendor from an operational perspective; that is, the vendor can perform the task flawlessly. 

Your company still needs to assess the cybersecurity risks of that vendor; the continuity risks that perhaps the vendor might cease operations suddenly; and the regulatory risks to you of failing to execute whatever process the vendor performs for you. 

Well, the CISO can perform the first risk assessment, internal audit the second, and compliance the third. The challenge for your company is that all of those assessments must be done in a coordinated way, to give some sort of “total risk score” to help senior leaders decide yes, let’s do this; or no, it’s not worth the risk.

Building that capability

Developing these risk assessment and management capabilities so that we can assure operational resilience — and even document it for some highly regulated sectors, like banking — is going to take time. 

Companies will need frameworks to help them assess and remediate these risks. They’ll need policies and procedures to guide all this work: who does which parts of the risk assessment, at what point. You’ll need criteria to define when your relationship with a vendor poses too much risk to continue. You’ll need reporting and monitoring tools to know when those relationships do veer into the red zone.

Above all, however, companies will need a clear-eyed consensus about what operational resilience means to them. The concept is easy to grasp but defining how it works at your specific company is not. Maintaining operational resilience will require lots of collaboration among CISOs, compliance, internal audit, and risk management. That can be an elusive thing at many companies. 

Still, as we close out the 2010s — show me a version of the 2020s where risk management skills like this will become less important. Because I don’t see one.

By Matt Kelly
