Operational Risk Sound Practice Guidance
What you'll learn in this guide:
Operational resilience is defined as the ability of an organisation to deliver critical operations through disruption. It is an outcome rather than a risk, and as such it has historically been managed implicitly: proactively through an organisation's Operational Risk Management Framework (ORMF) and IT/cyber monitoring, and reactively through incident response, business continuity, crisis management, and recovery frameworks.
The increasing globalisation of business, and in particular organisations' use of and reliance on (in-house or outsourced) technology, has led to a greater focus on operational resilience as an outcome to be explicitly monitored and reported on at Board level. The original organisational resilience principles in ISO 22316:2017 have been supplemented by more detailed requirements for approach and quantification in financial services, in the UK Prudential Regulation Authority's DP01/18 and CP29/19 and, most recently, the Basel Committee on Banking Supervision's (BCBS) principles for operational resilience (Nov 2020).
Covid-19 has provided a live test case for the application of these principles, and experience of it continues to shape the debate on how operational resilience is managed. Whilst some organisations have set up dedicated operational resilience teams and functions and implemented new frameworks, the Institute (and the BCBS) contend that operational resilience is a component of operational risk, and advocate delivering it by leveraging existing ORM and continuity frameworks rather than building parallel ones.
Operational resilience is an area that attracts diverse views among operational risk practitioners. Depending on the sector, scale, and risk profile of an organisation, operational resilience approaches range widely in complexity and scope. For these reasons, the following paper does not recommend a one-size-fits-all solution. Rather, it outlines the key elements of operational resilience and a variety of good practices built on existing ORMF components, from which an organisation can draw the ideas that are appropriate, relevant, and proportionate to its own circumstances.
Download the full guide to learn:
- Comparing the Benefits of Internal and External Event Data
- The risk management lifecycle
- Identifying important business services
- Setting impact tolerance
- Operational resilience scenarios
- Operational resilience monitoring and control
- Implementation challenges