Operational resilience is an important and frequent discussion for management boards, with many organizations having to navigate difficult times through recent global crises. However, organizations should seek a long-term model that allows them to not only ‘’keep the lights on’’ and survive a crisis, but to grow despite unfavorable conditions. This model should provide a sustainable solution that protects operations from disruption and makes the organization resilient against any type of crisis, providing answers to questions such as:
- What makes an organization resilient?
- What needs to change and who takes the responsibility over the resilience of the entity?
- Do all organizations and industries require the same actions to set up an efficient enterprise resilience framework?
- How do we evaluate the needs of different industries and companies?
At KPMG, we’ve witnessed our clients struggle to respond to these questions, understand what is required, and implement an operational resilience framework in their organizations. In this article we introduce the most important pillars for the transition to a resilient organization and describe our approach to successfully implementing an operational resilience model.
What is operational resilience?
Operational resilience is the ability of a firm to prevent, respond to, recover, and learn from operational disruptions to avoid events that could threaten the viability of the firm, create instability in the market, cause harm to consumers and market participants, or hinder firms from achieving business objectives. This goes beyond traditional business continuity planning by looking at an organization across its critical business services.
Prevention refers to the actions an organization takes to safeguard against incidents and crises that can threaten its operations. Setting up controls to cover the risks that can harm the organization should be part of the solution. We need to identify which risks are most likely to happen and which will have the biggest impact on the day-to-day operations.
Performing a business impact assessment to focus on the most vulnerable areas is a critical step in business continuity exercise, to identify the parts of the business that need the greatest protection. Business leaders can save time at the beginning of a crisis and quickly take the most important decisions by delegating the roles and responsibilities among management and the different functions before a crisis occurs. The same holds true for key tools and resources such as checklists, templates, and databases.
Another crucial part of anticipating a crisis is the psychological and practical preparation of the people involved. Raising awareness within the organization and providing training to the people that need to be the first to react increases the feeling of accountability among the employees and helps management to remain strategic in their actions and decisions.
Responding well to a crisis means tackling an adverse situation without delay. Here, the approach of the organization should be hands-on, starting with gathering the facts, assessing the gravity of the crisis, and activating the appropriate governance teams. Internal and external communication is paramount to inform clients and investors in a timely manner, demonstrating that the organization acts in a transparent way and takes all the measures possible to exit the crisis at the minimum cost to the organization and its most important stakeholders. The response approach may vary depending on the industry, the company, and the crisis.
After a crisis, the organization needs to evaluate where it has taken the biggest hit and what it needs to do to recover and return to its usual day-to-day operations at 100% capacity.
This last phase is very important. This is where the cycle of the crisis ends and where the preparation for the next crisis starts. An organization must evaluate the reaction to the crisis, identify mistakes and develop ways to react in a more coordinated, more efficient, manner to ensure that these lessons are integrated into the crisis framework for the future.
A resilient organization focuses on a proactive and reactive response to a crisis. A crisis event is not a matter of ‘’if’’ but ‘’when’’. Having a framework in place will create a clear pathway to prevent, respond, recover, and learn from these challenging situations. Each organization is different, and the path needs to be paved based on the different needs, markets, and special requirements. Each response framework developed by KPMG is uniquely tailored to your organization’s needs; we start from scratch and then create a model customized to your organization together with your team.
How can KPMG help?
We have developed an efficient operational resilience framework and identified what needs to be prioritized to successfully enable the organization to prevent, respond, recover, and learn from a crisis. We can help you to :
- Conduct a gap analysis with best practices and the framework in place
- Perform a business impact assessment (BIA)
- Help you to define recovery time objectives (RTO)
- Identify the relevant controls in place and consult on improvements
- Perform crisis simulations
- Define actions to increase awareness within the organization
- Define roles and responsibilities
- Put in place a crisis management team (CMT)
- Set up standardized templates to be used during a crisis
- Consult on recovery measures
- Define crisis evaluations KPIs and measurements
It is very important to nurture a crisis-readiness culture. This includes having a crisis management team in place that is properly briefed, ready to take on responsibility, coordinate the necessary actions, and capable of leading the crisis response at any level and across any function. When the crisis is over, it is imperative for management to prioritize the actions that will bring the organization to its “business-as-usual” mode and review the crisis response to ensure continuous improvement of the operational resilience framework. These are only a few actions and controls that management needs to put in place to ensure continuity of operations with the full organization on board.
An organization that wants to survive a crisis needs to anticipate how it will do so. Shielding the organization with robust controls, standardizing the foreseen, and informing and preparing for unpredictable challenges are key elements of an organization’s journey to establishing an operational resilience framework.
