47% of UK businesses are currently experiencing a lower turnover than this time last year.
The coronavirus pandemic has brought home the necessity to be able to service customers through any operational disruption.
An operational resilience team assesses the potential risks that could cause disruption and puts steps in place to enable the business to continue operations regardless. The structure of this team will affect how quickly it can make an impact and how successful it is in the long term.
There are different options that we’ll explore to find the best fit for your company.
What is Risk and Resilience?
Risk comes in all shapes and forms and can only be identified by your own company.
In August 2020, the New Zealand Stock Exchange (NZX) suffered 4 days of Distributed Denial of Service (DDoS) attacks. This type of attack stops the servers from working by sending so much traffic it overwhelms their capacity.
This forced NZX to stop their cash trading and they had to close their market for a period on each of the 4 days.
The market was physically capable of running, but they didn’t want to disadvantage people who required access to the website. Institutional dealers were still able to negotiate deals directly and put them through the market.
This is an example of operational resilience, as even through a direct, offshore attack, NZX were able to keep important customers satisfied. Also, as learning is part of the operational resilience cycle, they have hopefully learnt from the experience and will be able to handle an attack even better next time.
The response was planned, coordinated and communicated to their customers.
Should It Be Led By The C-Suite?
Operational resilience needs to be driven from the top down.
Planning for it requires the resources of multiple departments and could affect how operations are currently run. Similarly, it needs buy-in throughout the company and that’s not possible without a top-down approach.
In a smaller company, it may be appropriate for the C-Suite to be part of the operational resilience team. This is because they are likely to have the holistic knowledge of the company and be best placed to consider potential risks.
However, in larger companies, the top tier of management may have other priorities, so it could be that more tactical members of each department take responsibility.
The operational resilience team will still need two-way communication with the company’s leadership. The senior team need to dictate direction and allocate resources and the resilience team need to report their findings and get authority for the required actions.
One way to structure this is to have a two-layer team: a ‘core’ team focussing on the work and a ‘steering committee’ at board level. With regular interaction, the core team can get direction and authorisation from the steering committee, and the board gets to keep up to date with progress.
Cross-Functional, But Who Exactly?
An operational resilience team needs to understand the company’s key services, the risks to these and the steps that can be taken to mitigate the risks. The best way to achieve that is to have a cross-functional team where all the key people are involved in the process.
For example, it’s unlikely that one person has a deep understanding of cyber security and knowledge of the supply chain.
The departments who are likely to be required are:
- IT & Cyber Security
- Procurement & Supply Chain
- Sales and Marketing
All of these depend on the nature of your business. A large manufacturer will need their QHSE team to plan how they can continue operations safely. A financial services firm will want to continue operations through a cyber-attack. Those with complex supply chains will need to ensure goods are still delivered in and out of their premises.
Prioritising Leadership By Risk-Types
If your company is large enough, it could warrant hiring an Operational Resilience Manager. If not, you’ll need to appoint a leader of the team. The leader will set the team’s goals, report to the board and celebrate its achievements.
If a full-time manager isn’t appropriate, the leader will need to come from within the cross-functional group.
Even before undertaking the operational resilience process, it’s likely that you have some understanding of what the risks to your business are.
As previously mentioned, if you’re a manufacturer with a complex supply chain, this could be the source of the most risk. Alternatively, if you rely heavily on technology then a cyber attack could be your biggest concern.
Once you understand the potential risks to the business, the leader could come from the department which has the biggest responsibility for the major risk events.
Shouldn’t Operations Lead Operational Resilience?
It could be argued that as we’re talking about operational resilience, the team should be led by Operations.
This could be appropriate, but the operational resilience team needs to map the end-to-end services of the company. Also known as the value chain, these services cover the processes from raw materials through to the end user (who may be your customer’s customer).
A lot of companies have specialist Operations teams who are excellent at whatever the company does – IT services, manufacturing, financial advice – but not necessarily experts in the surrounding business processes that make it possible.
Operations teams can be too close to the detail of the internal processes so the external risk factors can get side-lined.
Current Training & Capabilities
Another consideration for the structure of the team is the current capabilities of your employees.
The key skills required for an operational resilience team are:
- Analytical skills to calculate impact tolerances
- Creative ideas for mitigation
- Market insight to understand customer and supplier requirements
- Risk management training
- A thorough understanding of the company’s customers and services
You can choose the people for your team based on skillset, not just seniority.
Perhaps you already have an individual with the leadership and process training who could lead the team. If you have a colleague with an MBA or similar expertise, you could decide the leadership structure based on those individuals, rather than which department they are in.
It would be advantageous to consider something like Belbin’s Team Roles when setting up your team to ensure a balanced set of skills.
There are several ways that an operational resilience team can be structured. You need to consider the size of your company, the types of risk you’ve identified and the capabilities of potential team members. The operational resilience team needs to ensure service delivery to customers and sufficient revenue through any disruption.
Unfortunately, this means there’s no right answer for how it should be structured. The team needs to reflect your company and what you need to achieve.