In a complex world, our current risk management systems may not be up to the job of navigating disruption. Adél Drew looks at how adopting ‘operational resilience’ can help.
Revolutionary ideas start on the outskirts of society and seep into the centre over time. Those ideas that reach the centre of society’s consciousness result in a collective mindset change – what was once radical becomes the norm.
The concept of resilience emerged in ecology in the 1970s, defined by the ecologist CS Holling as “a measure of the persistence of systems and their ability to absorb change and disturbance and still maintain the same relationships between populations or state variables”. This definition describes how a resilient system can start in a stable state, undergo transformational change, and then move to a different stable state. It introduces the idea that resilience is not necessarily about bouncing back – sometimes it is about bouncing forward.
In 2022, the concept of resilience has made its way into the zeitgeist of our personal and corporate lives, helped by COVID-19. However, much of the way we view disruption within organisations is still about bouncing back – aiming to return to ‘normal’ as soon as possible. We have not yet wholly embraced a resilience mindset, or accepted that disruption and change are inevitable.
From a regulatory perspective, the concept of operational resilience is revolutionising the way we view business interruption. In the UK, those regulated by the Prudential Regulation Authority and/or the Financial Conduct Authority are in a transition period of embedding operational resilience and third-party management regulations by 2025, after a journey that started in 2018. The Central Bank of Ireland expects firms under its supervision to evidence operational resilience actions and plans by the end of 2023. Operational resilience principles for banks were published by the Basel Committee on Banking Supervision more than a year ago and are being adopted by countries worldwide. In the US, a joint agency paper on sound practices for operational resilience has been published for domestic banks, and builds on the existing business continuity handbook. If operational resilience is not yet an agenda item at your organisation, it is coming.
Operational resilience fills the gap between present risk management systems and business continuity approaches. It is a system of action that prepares for disruption by moving away from pinpointing precisely what could go wrong in an increasingly complex world. Instead, the focus is on whom we need to protect, through which important business services, how much disruption these services can tolerate before they cause intolerable harm, the chain that makes up these services internally and via third-party suppliers, and regularly testing our assumptions under plausible but severe scenarios.
To build resilience, we must accept that disruption is inevitable. Operational resilience regulations require businesses to identify their important business services and make these resilient. This requires an external view and understanding of what our critical services are to customers and financial markets. It then becomes necessary to understand every person, process, system, facility and piece of information that contributes to the delivery of this service. The aim becomes to deliver these critical services throughout disruption without pause – not to reinstate them as soon as possible. See ‘Develop general resilience’ and ‘Bound the problem’ (below) for examples of where this process could have made a big difference.
In general, organisational resilience can be built on the same changes in mindset as operational resilience. It is a paradigm shift that upgrades our traditional oversight risk management systems to one of insight and action before disruption occurs, enabling us to better prepare for situations that are unprecedented. Both start from a place of assuming that disruption will happen. Our roles now are to invest in adaptive capabilities so we can navigate transformational change and then move to different stable states.
Bound the problem: focus on critical services
During the past decade, a pandemic was ranked as the highest priority security risk on the UK government’s National Risk Registers. Looking through these registers, the main mitigative actions were stockpiling antivirals and investing in vaccine Advance Purchase Agreements. This fell short of a resilience mindset, aiming to implement solutions after a pandemic event started; the government should have focused on building resilience beforehand.
A House of Lords Risk Assessment and Risk Planning Select Committee was appointed during the COVID-19 pandemic. Its report Preparing for Extreme Risks: Building a Resilient Society (bit.ly/SelectRisk_Resilience) highlights the government’s general unpreparedness for a pandemic; it states that, despite the government having a pandemic strategy, “very little implementation of the strategy had taken place” by the start of the COVID-19 pandemic. In my view, the scale of the pandemic and a lack of focus both contributed to the problem.
The UK’s slogan throughout the pandemic lockdowns was ‘Stay home, protect the NHS, save lives’. If these key vulnerabilities had been front of mind during the risk-planning phase, the government might have been better prepared for this tagline. A plan to stockpile PPE to protect the NHS might have added more value than stockpiling antivirals whose effectiveness, according to the British Medical Journal, was uncertain (bit.ly/Antivirals_mistake). During a Risk Assessment and Risk Planning Select Committee discussion on the topic, Dr Catherine Rhodes, senior research associate of the Biosecurity Research Initiative at St Catherine’s College, Cambridge, told members that there has been an “underinvestment over years in the surge capacity of the NHS”. This lack of capacity not only put the NHS under severe strain, but also resulted in more lives being lost.
Disruption can come from a wider range of threats than there is capacity to prepare for. When we are overwhelmed by data and options, we may experience analysis paralysis, resulting in delayed or no action. Additionally, if we attempt to protect everything equally, we could fail to implement solutions that are sufficient in a disruption. We can direct our efforts towards the most critical processes, thus bounding the problem.
Develop general resilience: fortify every point along critical processes
In August 2003, 45 million people in the US and 10 million in Canada were left without power for periods ranging from a few hours to several days. The cause? An overgrown tree had come into contact with a single power line. What followed was a chain of events, involving human and system error, that turned what should have been a local outage into the largest power failure North America has ever experienced.
There is fragility and the potential for spectacular failure in a complex system with many interconnections. Extreme events do not necessarily arise from extreme risks. Small knock-on failures in the underlying chain which supports critical processes can go undetected for a while and then suddenly reach a tipping point, after which they turn into a crisis. Emerging risks can follow a similar pattern – starting out on our radar and then turning into an unexpected event, after which the world is never the same again. Consider COVID-19 or the war in Ukraine, or the way antimicrobial resistance or the climate crisis could theoretically evolve.
This shows the importance of understanding the resources that support our critical processes and ensuring that there is resilience along this chain. Some events that result in disruption cannot be predicted. We need to move away from trying to pinpoint precise disaster scenarios and instead focus on building general resilience to all hazards throughout the supporting structures of these processes.
Consider the NHS example; strategies that could be implemented to make the NHS more resilient, such as stockpiling PPE or increasing surge capacity, would also be effective against other security risks, such as laboratory leakage of pathogens or biological attacks. Instead, much of the government’s focus in the National Registers was on pandemic influenza, which was expected to result in 20,000–750,000 fatalities – hence the decision to stockpile antivirals. Meanwhile, emerging infectious diseases such as novel coronaviruses were only expected to result in up to 100 fatalities.
Adél Drew is a consultant at Milliman