Compliance and risk management professionals take naturally to acronyms and terms of art that help us understand what we do, so let me introduce one that’s likely to become more important in years to come.
Operational resilience is the ability of a business to tolerate shocks and maintain normal operations. Those shocks can be all sorts of things — IT failures, natural disasters, terrorism, cyberattacks — but they’re typically sudden shocks, happening within hours or even minutes, that threaten your company’s ability to provide whatever it is you provide to customers.
Threats to operational resilience are on the rise. Regulators know it, and corporate boards know it. They’re also eager to prevent those threats — which means, inevitably, that operational resilience will be on the minds of compliance and audit executives, too.
For example, banking regulators want more authority to examine the tech vendors that work with large banks. The regulators want to be sure that those vendors are reliable and won’t crash in some crucial way that could paralyze the financial system.
Or if you want a small-scale example, consider the case of Virtual Care Provider Inc., an IT services firm based in Wisconsin that provides data storage, email, billing, and other services to more than 110 nursing homes across the United States.
VCP fell victim to a ransomware attack in November, where hackers shut down virtually all of the firm’s operations. That means those nursing homes relying on VCP also lost access to all their operations, including patient records and billing information — mission critical tasks for a nursing home. So the nursing homes have been stuck trying to re-create all their data and processes from scratch.
Whether we’re talking about whole industries (banking) or single firms (Virtual Care Provider), the challenge is the same. Companies need to govern their operations so that no matter what disruptions might come along, they can keep providing services to their customers.
Why are we talking about this now?
Because the risks to operational resilience are proliferating, largely thanks to how companies use modern technology. They have more vendors providing not just goods, but also services and business processes — including mission-critical business processes, like billing or email communications or data analytics.
That means more possible points of failure, with more severe potential consequences, all the time.
Banking regulators are leading the way on this issue right now. The Federal Reserve, for example, has numerous pieces of guidance about operational resilience, and Fed banking examiners do probe financial firms for how well their systems can withstand shocks.
Well, who believes regulators will stop at that sector? Consider our nursing home example from above, or telecommunications firms, or public utilities, or many other sectors. Eventually a vast swath of businesses will be under pressure to assure that they can withstand such disruptions. Even if regulators don’t act, consumers, business partners, boards of directors, and other stakeholders will.
A new type of risk assessment and assurance
Clearly this is a challenge of risk assessment. The question is exactly what type of risk a company is supposed to be assessing. Is this vendor risk? Cybersecurity risk? Business continuity risk? Something else?
The honest answer is that it’s all of those things, fused into one scary mess of potential failure — which is, really, all that the board, customers, and the public care about.
So companies are going to need a more thoughtful approach to how they assess their reliance on vendors, and how to assure that reliance won’t somehow threaten your company’s ability to keep providing services. That’s the capability compliance and risk management functions need to develop.
For example, some operating unit of the company will decide to rely on a tech vendor to run a business process. That operating unit might find a fantastic vendor from an operational perspective; that is, the vendor can perform the task flawlessly.
Your company still needs to assess the cybersecurity risks of that vendor; the continuity risks that perhaps the vendor might cease operations suddenly; and the regulatory risks to you of failing to execute whatever process the vendor performs for you.
Well, the CISO can perform the first risk assessment, internal audit the second, and compliance the third. The challenge for your company is that all of those assessments must be done in a coordinated way, to give some sort of “total risk score” to help senior leaders decide yes, let’s do this; or no, it’s not worth the risk.
Building that capability
Developing these risk assessment and management capabilities so that we can assure operational resilience — and even document it for some highly regulated sectors, like banking — is going to take time.
Companies will need frameworks to help them assess and remediate these risks. They’ll need policies and procedures to guide all this work: who does which parts of the risk assessment, at what point. You’ll need criteria to define when your relationship with a vendor pose too much risk to continue. You’ll need reporting and monitoring tools to know when those relationships do veer into the red zone.
Above all, however, companies will need a clear-eyed consensus about what operational resilience means to them. The concept is easy to grasp but defining how it works at your specific company is not. Maintaining operational resilience will require lots of collaboration among CISOs, compliance, internal audit, and risk management. That can be an elusive thing at many companies.
Still, as we close out the 2010s — show me a version of the 2020s where risk management skills like this will become less important. Because I don’t see one.
By Matt Kelly
- Impact of digitized environments & modern workplaces on internal investigations - April 15, 2020
- Whistleblower hotlines decrease the cost & duration of corporate fraud schemes - March 18, 2020
- Entering the era of operational resilience - February 27, 2020