The BCI launches new Operational Resilience Report
The BCI has released the BCI Operational Resilience Report 2022, sponsored by Castellan Solutions. This report examines how different organizations, across many sectors, understand operational resilience while taking a look at the steps they have taken to achieve it and whether legislation is motivating organizations to implement it.
Defining operational resilience
More than three-quarters of organizations (77.9%) have or are developing an operational resilience programme. Although these numbers are impressive, the report reveals that while many organizations believe they have an operational resilience programme in place, they may actually be aligning closer to the organizational resilience standard, ISO 22316. Definition confusion may not be an issue in itself but, for business continuity (BC) professionals who have been asked to implement operational resilience programmes within their own organizations, it could ultimately lead to a programme failing. As a demonstration of this, 17.1% of respondents believe that there is no need for an operational resilience programme in their organization as they already have a business continuity programme in place. “Operational resilience is just business continuity done well” was a frequent – and concerning – sentence spoken by a number of survey respondents.
Meanwhile, many respondents were concerned that these blurred lines between operational resilience and business continuity could increase the likelihood of blind spots forming inside their own organization as the focus switches to protecting external customers and markets. Having a BC programme working in tandem with an operational resilience programme is therefore of utmost importance.
The impact of regulation
New regulations have supported the rise of operational resilience programmes within the financial services sector, with the UK’s FCA/PRA regulation leading the way with implementation deadlines. Despite this, only one in five of the UK’s financial services institutions think regulators have done enough to help them implement the regulations. Respondents have largely pinned this to a failure in documentation, with important information spread between various sources instead of a core source document. On a positive note however, many countries around the world are now following the lead of these operational resilience regulations and are working hard to implement their own variations.
It is also important to note the influence of the regulations on operational resilience uptake, not just within the financial services industries but also outside it. This may in part be due to organizations needing to align with the operational resilience programmes of larger organizations as they form part of the larger organization’s important business services, but some are simply using the regulations as a framework to construct their own programmes.
Other findings:
- When asked to what extent the risk committee, technology committee, executive committee and the board have operational resilience appearing on the agenda, respondents said most committees discuss operational resilience on a six-monthly basis at least.
- In the UK financial sector, 64% of respondents under the regulations think the impact tolerances set by their organizations are correct and will be able to be demonstrated by 31 March 2025.
- Respondents identified ‘embedding operational resilience into the fabric of the organization’ as the key challenge facing its implementation.
Rachael Elliott, Head of Thought Leadership at the BCI, commented: “This is a report our membership has long been asking for, particularly those in the banking sector. Whilst most of the larger financial institutions that fall under the regulations have got teams in place to understand, build and implement operational resilience programmes, their smaller counterparts are typically relying on BC departments for the day-to-day running of operational resilience programmes. Many feel very alone in what they are doing, and are calling on the regulators to not only provide easier to digest guidance, but also offer case studies of good practice to help them build their own effective programmes. Encouragingly however, operational resilience is quickly becoming a term which is understood by resilience professionals. Nevertheless, we need to be cognizant of the fact that it has different, but equally valid, meanings across different sectors and there is certainly no place for a “one size fits all” approach to operational resilience.”
Brian Zawada FBCI, Chief Strategy Officer at Castellan Solutions commented: “Castellan sponsored this report because the concepts and practices espoused by operational resilience have become incredibly important to organisations around the world in all sectors. Putting the customer first in terms of preventing and responding to disruption is essential. Making the assumption that it’s not a question of if, but when, a disruption will occur is essential as well. When paired with a strong crisis management and crisis communications capability, organisations that consider the concepts in this report will be far more resilient than those that don’t. And the engagement with senior leadership will excel as well!”