Operational resilience – what’s all the fuss about?

Updated: Jan 6

Operational resilience is quickly becoming a buzzword. But, what's all the fuss about?


Nigel Munden, founder and MD at the UK-based assessment consultancy Enien, shares his insights and best practices in the guest article below.


Operational resilience - Banner - Enien

There is a lot of focus on Operational resilience (OR) especially for those companies in the UK financial services sector where regulation is forcing a consistent operational resilience implementation in an attempt to protect both UK financial organisations and the broader UK economy.


Every company will have an operational resilience capability but for far too many this is an implicit capability that is either managed in the bowels of the organisation or enthusiastically pushed toward a third party…any third party...well nearly!



Operational resilience graph by Enien

Stay on top of the latest governance, regtech and innovation trends and insights!

Subscribe to our monthly newsletter >


Third party risk - operational resilience


The key challenges for large organisations are not the understanding or planning of what they need or should do, but the “herding” of the many divisions/departments which are very unlikely to be organised in line with the regulator’s view of “important business services”. For smaller organisations, on the other hand, knowing where to start and determining how much is enough seems to be the main issue.


In today’s digital-first economy, technology plays a key role in helping organisations protect assets that deliver the “important business services” so they can recover as quickly and with the least market and regulatory noise as possible in the event of a crisis. However, it is the people who install, integrate and optimise the technology to deliver these capabilities that should be the organisation’s focus, along with providing awareness and training for all staff to:


a) minimise actions that could create a chain reaction that causes a breach, and

b) know what they should do in the event of a disruption.


Each company’s unique position will help define what to do next, some examples:


1) Identify a Board member or Executive to own the OR programme

2) Determine the organisations current capability, not from the policy but from the operation, consider the following communities:

  • Staff involved in the protection of assets involved in the delivery of important business services

  • Staff involved in recovering from a disruption of an important business service

  • Executives both accountable and who may have a role in the management of an incident (communications – customer, regulator, staff etc)

  • Staff awareness of what they should and shouldn’t do both as part of normal operation as well as in the event of a disaster!

3) Determine unique company roadmap based on analysis of current-mode along with company’s culture, business and risk positions

4) Consistent, repeatable execution of the process to protect and recover from a breach that logs actions, responses, escalations for both internal and regulator audit.


Whilst operational resilience is being enforced in the finance sector by various regulatory bodies worldwide, we’re starting to see a rising pressure in that direction for organisations in other sectors too. More and more organisations are now recognising the benefit of implementing an effective operational resilience policy. In addition to helping an organisation be more resilient, it can also be considered as a selling point to customers who are increasingly concerned about this threat.




Still using paper-based checklists or excel spreadsheets to manage your internal risks and controls?


ControlNet helps you automate the process, and create an efficient, accountable and secure operational environment.



0 comments