2020 has seen an 81% increase in requests for defence against money laundering in the UK, according the to the National Crime Agency.[1]
An increase in organised crime is a predictable side effect of the pandemic, as criminals take advantage of the chaos left in its wake. It’s also a symbol of the complexity of making an organisation operationally resilient: if it manoeuvred through supply shortages in the early stages of the crisis, it must still maintain course through the choppy waters of stabilising supply in a changed economy.
The pandemic has highlighted two complex areas for operational resilience: cyber security and managing third parties. All organisations depend on them, but they are complex areas in which to measure and manage risk.
This article will review how to implement operational resilience framework within these parts of the organisation.
Cyber Security
The maritime industry saw a 400% increase[2] in cyber attacks during 2020 and other industries have been hit this year, too, with hackers taking advantage of the pandemic. Overall, the UK saw a 31% increase in the number of attacks.[3]
Cyber attacks can have a huge impact on operations. This year also saw the New Zealand stock exchange being hit by four successful Denial of Service (DDOS) attacks, resulting in the early closure of its cash markets.
The purpose of operational resilience is to be able to continue servicing customers during any disruption. This is particularly sensitive in the financial services sector because of the impact any disruption can cause on the economy and consumer confidence.
Whether an organisation is in the financial services sector or not, it’s likely to be highly dependent on interconnected and complex IT systems.
When identifying important business services for the operational resilience policy, there were probably many that were underpinned by the same IT programs and infrastructure. This means that disruption to IT services can disrupt multiple important business services.
Cyber Security as a Subsection of the Operational Resilience Framework
For this reason, cyber security could be treated as an independent subsection of the operational resilience framework. The same steps for implementing the overall operational resilience policy could be followed for cyber security.
Instead of identifying important business services, the process would identify key IT infrastructure which underpin those services. The resources and assets required for that infrastructure would be mapped and threats understood. The impact tolerances could be calculated for each IT program or network. Instead of calculating the tolerance before the customer was affected, the tolerance duration would be calculated as however long the disruption could last before the important business services were affected.
As we’ve discussed in previous articles, one of the key principles within operational resilience is continuous learning and improvement. One of the differences when considering cyber security’s impact on resilience is the cycle time for review and improvement.
Cyber security doesn’t sit still and wait for annual reviews to come round and pick up new threats. The landscape is consistently changing and new threats appear on a daily basis. Any operational resilience policy needs to allow for continuous review of cyber security and the implementation of defence mechanisms to counter these threats.
Similarly, the programs and infrastructure should be intentionally reviewed for ways to make it more robust and less vulnerable to attack.
Managing Third Parties
A second complex issue in operational resilience is the dependence on third parties.
John Donne claimed that no man is an island, but today he might have made the same comparison to businesses. It’s impossible to operate without relying on third parties – whether they supply raw materials, connectivity or business travel.
The threats organisations face from third parties include: business collapse, failure to deliver, compliance failures and reputational damage.
The business continuity policies of third parties is out of the buyer’s control – an organisation and no more dictate how resilient a supplier is than make themselves an island. But no matter the complexity of the challenge, these risks still need to be understood, managed and mitigated.
Risk Profiling of Third Parties
One way to start is to allocate a risk profile to each third party. Contingent monitors third party risk factors and assigns a risk score. Priority can then be given to the third parties with the highest risk profile, for example, those in geographic areas at risk of natural disasters or those in financial difficulty.
To add another level of risk profiling of suppliers, they can be mapped according to the strategic importance to the organisation. Any third party that is on the critical path for delivering important business services will need to be monitored more closely.
Once highlighted, high-risk third parties can be treated in much the same way as an internal process. The threats to the service provision should be identified. Then, although the organisation may not have much control to change the third party’s response to risks, it can be proactive in being flexible and adaptable.
For example, the organisation could identify secondary sources of supply should the supplier fail. Similarly, organisations can reflect on their own processes to see how they could adapt and work without the third party in a time of disruption.
An additional measure is to treat critical third parties with a closer relationship to manage demand, disruptive events and be made aware of potential problems as quickly as possible.
Conclusion | Complete Organisational Resilience
Beginning an operational resilience framework within an organisation can seem like opening Pandora’s box. It often raises more questions and identifies more risks than the organisation was expecting, particularly in the areas of cyber security and third parties.
However, to be truly resilient the organisation needs to tackle these areas and treat resilience as a process that covers the whole of the organisation and is ready for any type of disruption.
