Operational Resilience: Living in a House of Cards
Each summer, for over 200 years, groups of people throughout Catalonia have come together to form towering human pyramids called castells. Building a castell requires a combination of strength, balance, courage, and trust – but what’s really impressive is that their height (sometimes eight or nine stories tall), and how long they stay up, depends entirely on the weakest member of the team.
The long-term trend for outsourcing means many organizations have more in common with the castellers than they might find comfortable. Why? Because despite whatever improvements they might make internally, they’re only as operationally resilient as their least resilient partner.
If you’re a financial services company, operational resilience is a regulatory necessity mandated by the FCA, DORA and the U.S. Fed – and those regulations are constantly being tightened. At BusinessOptix, we believe resilience should be a commercial imperative for every company because it’s not just about surviving disruption, it’s also about the ability to capitalize on business opportunities when they arise, and to do so faster and better than your competition.
What is Operational Resilience?
If you’re looking for a good introduction, listen to this podcast we made with our partners Risk Shapes, specialists in risk management. In it, Risk Shapes’ Simon Tweddle and Karen Latham stress that the first step towards becoming operationally resilient is to identify which of your key business services have the potential to inflict “intolerable harm” on your organization if they fail, and then understand what makes up those end-to-end services. They also stress the difference between systems and services – the latter being composed of interlinked and interdependent systems, processes, and human interactions. Any external dependency is a potential vulnerability. Unfortunately, few organizations can afford to wholly own the capabilities and capacity they need to do business. Everyone has an extended operational supply chain. Everyone outsources.
If the increasingly alarming global upheavals over the last couple of years have taught us anything, it’s that complacency is a luxury we can’t afford. We live in an uncertain world and it’s becoming more uncertain as the months go by. When it’s impossible to second-guess the future, resilience becomes a critical success factor and understanding where and how you’re vulnerable is vital. This is true whether you consume or supply outsourced services. In both cases, your business is at risk.
Asking the Right Questions
So, what questions should you be asking yourself to start minimizing the risk to your business operations? What must you consider if you’re going to achieve synchronized operational resilience across your end-to-end processes and meet both regulatory obligations and best practice?
If you consume outsourced services, you might think you’re protected by the penalty clauses in your contracts with your suppliers. Maybe you are, but consider again that phrase Risk Shapes used – intolerable harm. Is your contract the equivalent of keeping a bucket of water beside a hay barn? Isn’t it better to prevent the barn catching fire in the first place?
If you’ve outsourced your service operations, in total or in part, you’re no longer solely responsible for service delivery. You’re at the mercy of others. If you want to guarantee your business services, every part of your service supply chain must be equally resilient. To achieve dependable supply chain services, you must treat your supplier’s operations as if they were your own. Ask yourself the following:
- How well can my operations cope with disruption (or lack of capacity) within our suppliers’ operations?
- Do I understand the impact on my suppliers if part of my operation faces either disruption or insufficient capacity?
- Is my supplier dependent on services from another supplier I already work with?
- How can I validate my suppliers’ solutions and ensure they meet my standards?
- How do I define and test failure scenarios?
- How will I know that our plans are synchronized across our end-to-end service delivery chain?
- How will I convince my Board and anyone who audits us?
If you supply outsourced services, it makes sound commercial sense to take a proactive approach to operational resilience, both your own and that of your customers, because a) it’ll help you avoid penalties for failing to meet SLAs and b) it’ll set you apart from your competition. Start by asking yourself the following:
- How do I demonstrate our solutions for operational resilience are in line with my customer’s requirements?
- If I’ve sub-contracted out specialist functions, how do I validate whether my suppliers’ solutions meet my standards and those of my customer?
- Am I dependent on a supplier my customer has also contracted with?
- Are my operations geographically consistent? If we’re using facilities in different countries, do they respond in the same way to the same types of disturbances?
- Do I understand (and equally important, can I communicate) the impact on my services if some, or all, of my customers’ operations face disruption or lack of capacity?
- How do I define and test failure scenarios?
- How will I satisfy my Board, my customers, and anyone who audits us?
The modern service supply chain makes achieving operational resilience complicated, but it’s a manageable task if approached methodically. Understanding where you’re vulnerable requires an end-to-end view and an intimate understanding of the various interdependencies in the chain. Developing effective solutions requires imagination, transparency, and coordination to develop and test the widest range of disruption scenarios. Most importantly, don’t think of operational resilience as a box-ticking exercise but as a way of doing business.
If you’re a casteller, it’s bad news when the pyramid collapses, whether you’re at the top or at the base. That’s why the teams have a plan and why they practice so hard, individually and together, so everyone knows they can rely on everybody else to do their part. It’s only when you trust the people around you to deliver that you can build something extraordinary.