August 19, 2021
In the interconnected, interdependent world that we live in, 2020 showed us that we are more vulnerable than ever. The disruptions and shocks of the last year may be behind us, but they have certainly taught us that we need to be more prepared for what’s to come. Living and working through a pandemic and dealing with the turbulence that came with it has added a whole new dimension to the concept of resilience. One year on, we are now more accustomed to this new challenge and paradigm of business, technology, and people, having been thrust into the world of remote working, with new and accelerating pressure on digital operations and distributed technology models. In the face of uncertainty, the silver lining of the events of the past year is that we have been forced to press fast-forward on innovation and adaptability, and have achieved it with impressive pace.
The pandemic challenged the way organizations were operating, communicating, and safeguarding against risk and disruption, exposing the shortcomings of traditional resilience approaches, and in others bolstering them significantly. What was clear was that siloed approaches to resiliency weren’t up to the standard needed to address the situation, and we are seeing a significant change in the way operational resilience will look going forward.
Having responded to the challenges brought upon us by the sudden shift of the pandemic, what happens next? It’s difficult to make completely foolproof predictions in times of change and turbulence, and as such resilience has become a real priority for businesses across industries. It’s not so much about knowing what’s coming or reacting under uncertainty, but having the ability to prepare for a wider realm of possibility, identifying signals, and responding with intent and strategy once we know it’s on the horizon.
In a world punctuated with Zoom meetings, digital operations, and remote working, what does remain certain is that the interplay between teams and technology is where great things can happen. IT and operational resilience are fundamental, and organizations need to invest in technology and agility to support future development and innovation. I’ll break that down in a bit more detail.
In March, the FCA finalized its proposed rules on operational resilience, and firms now have an initial 2022 deadline to meet. The foreword suitably summarized this mandate, saying:
‘The disruption caused by Covid-19 has shown why it is critically important for firms to understand the services they provide and invest in resilience to protect themselves, their consumers, and the financial system from disruption’
The critical element here involves setting impact tolerances - at which point does a potential disruption become intolerable to customers and the wider market? Holding financial institutions to this level of accountability only highlights the importance of protecting the continuity of critical services and having the plans in place to adapt to what could be around the corner, but also the events that we might not see coming. To stay within the impact tolerance for business services means businesses will have to have a much more robust strategy in testing and planning for potential failure, but, crucially, with the regulatory pressures mounting, the ability to evidence those frameworks, too. Protecting IT change should therefore remain a priority.
It’s no shock that 80% of all major outages have their root cause in change, and so it’s vital to consider it a prime focus when it comes to building resilience. The pace of change driven by accelerated digital transformation is creating more risk, meaning that organizations have to make more of these changes to maintain pace, leading to more complexity and a higher risk of operational outages. Stronger governance, day-to-day risk management, increased automation, and more robust testing are key contributors to successful change activity and reduced disruption. As the technology stack continues to evolve, it brings with it more risk but also new opportunities to make decisions driven by data. Importantly, developing considered foresight enables organizations to make the legacy changes needed whilst easily transitioning to the future, which is becoming a key competitive differentiator.
A recent McKinsey & Company report stated that resilience is now on the CEO agenda of every company across all industries. Although many organizations have to prepare for shocks and disruptions of many kinds, the impact of the pandemic has woven the resilience priority into the fabric of organizations and is now becoming less of a compliance mandate and more of a competitive differentiator. An effective resilience strategy, with visibility and accountability across the board, can drive efficiencies, improve customer outcomes, and accelerate the pace and safety of change. A key way of building resiliency is to digitize end-to-end operations, orchestrating work with intelligence and visibility. That said, this isn’t just a toolset discussion. Yes, technology will drive and differentiate our resilience efforts, but more than that we need to make sure we can create a culture with these tools embedded and designed to foresee change and prepare us for the unexpected. As Katy George, Senior Partner, McKinsey & Company says: ‘The need for visibility on both the demand and supply side is what will enable organizations to withstand disruptions with minimal impact to productivity - and potentially while improving productivity.”
Gartner’s latest Operational Resilience report notes that organizational resilience remains a strategic imperative, growing in importance as businesses face threats from pandemics, cybercrime, severe weather, climate change, and civil and political instabilities. Security and risk management leaders should therefore anticipate growing trends that impact resilience. The pandemic has highlighted the interdependence of multiple areas of resilience planning, especially as technology pervades the enterprise and companies are operating on almost purely digital models in distributed environments. These areas could include different types of risk management, continuity management, and incident and crisis response. However, communication across an organization is crucial to establish resilience and, significantly, maintain the observability needed to provide that audit trail to stakeholders, leadership, and regulators. This means resilience no longer lies with the IT or even the risk management side of the business - it is multi-disciplinary and all facets of the business, especially technology users and producers, must prepare for future disruption and change. As the barriers between siloes continue to be broken, operational resilience can truly become a differentiator and give organizations the confidence that they are prepared for the unexpected.
Organizations cannot plan for every scenario, but they can invest and strengthen their resilience strategies to build the level of preparedness needed. Technology is a central driver, with data management, insight, and visibility providing the springboard for users to make better, more informed, and faster-paced decisions during any change event or disruption. This includes identifying data dependencies and using software to simulate possible outcomes, relying on technology to failover to the next best alternative during unexpected disruptions and identify bottlenecks, as well as proactively identify corrective measures.
With the reputational and financial risk of downtime ever-growing, the ability to factor any possible failures into planning and process is foundational. What’s therefore needed is a better architecture to maintain governance, control, visibility, and toolset autonomy. Culture is central to this, and companies in 2021 will need to find a way to orchestrate multiple tools and build flows of work across them that permeate the organization.
Operational Resilience is indeed a journey, not a destination...