I remember listening to a conversation between two veteran business continuity professionals at their annual conference. This was way back in the summer of 2018, when Operational Resilience was just a discussion paper.
‘So, we are all going to be resilience managers now, are we?’
Much has happened since then. We are now accustomed to a polycrisis reality, in which all sectors (not just financial services) are impacted by complex, simultaneous crises. And in this new reality, resilience has become the currency of trust with stakeholders.
Over the last couple of years, we’ve noticed a shift in perception, from seeing Operational Resilience as a re-badging of BCM, to seeing Operational Resilience as a unifier of several disciplines. We’ve seen Operational Resilience emerge as a common thread that forces the traditional siloed view of the organisation to pivot towards a holistic, end-to-end view. Business Continuity practitioners are still gainfully employed, likewise IT Disaster Recovery, Cyber risk and 3rd Party Risk practitioners. What’s changed is the shift from an internal process-led view to an external service-led view.
Since consultation on PS21/3 ended in 2021, KPMG has been dealing with the reality of implementation, directly supporting over 200 clients globally. Some firms are moving faster than others, but all are on a path to transition before the 2025 deadline. Let’s face it, the last two years haven’t been trouble-free, with pandemic, financial crisis, cyber-attacks, and supply chain disruption.
Early adopters are starting to notice strategic value from adopting Operational Resilience approaches. What’s interesting is that we are seeing the same thing in non-regulated sectors, both in the UK and internationally. Here are three real-life use cases we are seeing play out:
- Example 1: A manufacturing client faced difficult decisions during the COVID-19 pandemic: how to prioritise implementation of their new product line, which was critical to viability, with the prospect of key resources being impacted (including people, plant, and supply). Having piloted service mapping and impact tolerances on their new product, they were able to quickly understand the processes and services that did (and did not) support it and prioritise accordingly. They are now rolling out operational resilience across the business.
- Example 2: A telecoms client faced massive loss of systems and data during a major cyber-attack. Commercial service owners were not able to describe a minimum viable service and believed their service was critical in its entirety. Dependencies on people, technology, data, premises, and suppliers were only partly understood. Although this client is only part-way through implementing Operational Resilience, they are already more confident about evidence-based decision-making in a crisis.
- Example 3: A client supporting Critical National Infrastructure (CNI) was required to prove resilience. Traditionally they had conducted various tests of Business Continuity Plans, Contingency Plans and IT Disaster Recovery Plans. They’d even run test exercises for their Incident Managers and Incident Management Teams. The step change for this client came when they started doing two things differently: firstly, they looked through the lens of critical services, taking a top-down, holistic approach to testing. Secondly, they realised that, to build the confidence of CNI customers, their stress testing needed to be data-driven. As they progressed in maturity, they introduced reverse stress testing, but that’s another story. Although they had not, at that point, embarked on a full programme of Operational Resilience, these step changes allowed them to reap benefits early on.
We are now far enough into Operational Resilience programmes to see opportunities for real strategic value – not just compliance. Operational Resilience approaches are proving highly adaptable to non-regulated organisations, who are starting to adopt them for the right reasons.