Insight 3 of 3 - Establishing end-to-end operational resilience capability is as much about culture as process

Key fact
Updated FCA and PRA regulations become mandatory in March 2025. They offer useful guidance and frameworks to manage the resilience chain, including third party suppliers. Mason Advisory’s Enterprise Resilience Management framework aligns and interprets the guidance so that organisations can prepare themselves for compliance and business improvement.
When it comes to Operational Resilience, embedding the right culture across the entire organisational ecosystem is an essential endeavour, as Kaustubh Ambavanekar explains.
The first two articles in this Operational Resilience series set the scene for a mindset shift from Operational Resilience to what we at Mason Advisory call ‘Enterprise Resilience’. The term reflects the importance of building resilience into the fabric of the organisation and across the supply chain, from third party suppliers, through internal stakeholders, and out to the customer.
My previous article outlined how a strong, prioritised Enterprise Resilience Management framework keeps the roadmap on track, ensuring that effort and resources are targeted to the right areas at the right time. I explored the importance of establishing a resilient internal culture that considers issues like continuity planning and encourages a lean, agile approach, enabling your people to function effectively even if disruption or disaster strikes. And I touched briefly on the importance of looping the third-party supply chain into the approach. Now, I would like to delve deeper into that last notion by examining the challenges that organisations typically face when attempting to align internal ways of working with external stakeholders.
In fact, in my experience, most organisations have more resilience capabilities in their armoury than they might think. Depending on the maturity level, it is comparatively rare to come across an organisation that has not already thought about, for example, their Governance, Risk and Compliance (GRC) framework, or some sort of Disaster Recovery plan. This is good news, providing the foundations from which to build a full resilience capability. Where things tend to come unstuck is in connecting all of the components in an integrated way. This is partly a question of mapping a strategic resilience framework and partly a process of designing and delivering the right architecture and roadmap. But, to bring all of this together, there is also cultural work to be done to establish an understanding of why resilience matters and a commitment to continuous improvement across all stakeholders.
Designing an Operational Resilience roadmap that plays to your strengths
My last article described the strategic framework that should connect IT with the business to establish Enterprise Resilience. Now, let’s explore an approach to building an Operational Resilience roadmap that leverages current capabilities. This will vary depending on organisational maturity, the effectiveness of existing capabilities, and where the business is on its resilience journey. But a typical example of building a robust operational resilience roadmap might look like this:
Figure 1 – Roadmap and Key Principles
This kind of logically sequenced roadmap allows the business to achieve momentum by leveraging the best of what is already there (for example, GRC capabilities). That, in turn, sets the stage to build on a strong foundation by revisiting areas like Business Continuity and Disaster Recovery plans in the context of the latest resilience landscape, including changing regulations. Next, it makes sense to focus on integrating continuity and recovery into existing risk and resilience management functions, for a seamless approach. Having connected the main resilience capabilities, building accountability and ownership across those responsible for important business services and their critical paths embeds the approach in a sustainable way. How leaders achieve this will depend in no small part on the established organisational culture, ways of working and leadership style. But it must be understood that cultural management is an ongoing journey, not simply a discrete task. In summary, leaders must work with their people to ensure that resilience is being built into the organisation’s DNA – through values, behaviours, and ways of working – every day.
Extending the approach to third party suppliers
All of the above is essentially within the organisation’s control – although many businesses find that validating their approach with the benefit of an independent, expert, impartial view brings valuable clarity and focus. However, when we look at the wider ecosystem, factors become more unpredictable. Suppliers have their own cultures which will vary considerably according to the respective industry, the nature of the product or service, and indeed the supplier’s own incoming stakeholder chains and influences.
So, how do we align? The key is in establishing clarity, parameters, communication, and motivation. Ultimately, it starts with a conversation. If there is an opportunity to build that conversation into initial procurement, engagement, and onboarding, then all the better. If the relationship is already established, introducing a debate which effectively seeks to revisit the supplier/client relationship might be harder. But, in either case, it must be done. Because, if your supply chain does not align to your resilience framework, neither party is truly resilient nor protected. So, the key is in demonstrating the benefits of a joined-up approach, providing a clear and manageable framework that your suppliers can dovetail into, maintaining a transparent dialogue, and supporting that with refreshed contractual conditions where feasible. Plus, remember that this is not just about how your supplier engages with your business. It is also about how your business operates with its suppliers, and this is where revisiting and refreshing the resilience approach is of as much benefit to them as to you.
Finally, let’s not forget that all of this must also extend to the other end of the ecosystem: the customer. For financial services organisations, multiple scenarios need to be considered, tested, and mitigated, especially in light of new FCA, PRA and DORA regulations which will be non-negotiable come March 2025. Every financial organisation needs to ask probing questions. What are our customers’ tolerance levels? How would we communicate with and reassure them in the event of an outage? How can we reassure them that their data (and, of course, their money) is secure? What do they need from us to trust us? The answers to questions like these not only help to target efforts to the right resilience initiatives. They also allow technology leaders to do important work, ensuring that the architecture, operating model and capabilities are geared up to connect the supply chain, internal operations, and the customer in a holistic way.
None of this is easy, and it will take time. All of it, however, is achievable. Plus, as my colleague, Jon De’Ath, explains in the first article of this series, this is not a finite activity but a journey of continuous review and improvement. Because the world of digital threats is evolving, every financial services organisation must evolve alongside it, to ensure that the business delivers what is needed, not just to protect itself, but to attract, grow and retain that all-important customer base.
Mason Advisory has long experience of helping financial organisations – from multi-national banks to regional building societies – to tackle their Operational Resilience challenges. If you are concerned about being ready for new regulatory compliance, or simply want to initiate or revisit an internal resilience strategy, talk to us. You can enquire via our website, email us at fsi@masonadvisory.com, or call us on +44 (0)333 301 0093.