In this episode, Krishna Grenville-Goble is joined by Georgia Hunter, Director in KPMG UK’s Operational Resilience team, to explore what operational resilience really means in practice and how it differs from traditional risk management.
Together they discuss how organisations can identify their most important services, map end-to-end delivery and test realistic scenarios in order to respond, adapt and recover when disruption hits. They also cover the idea of a ‘minimum viable company’ and why live testing is raising the bar beyond annual tabletop exercises.
What you need to know:
Operational resilience is service-led: Focus on the products and services customers rely on, not organisational siloes
End-to-end mapping needs to include people, process, technology, data, facilities and third parties so you can spot any single points of failure
Testing should move beyond annual tabletop exercises towards live, realistic, multi-event scenarios and proven workarounds
Leaders should define the ‘minimum viable company’. The skeleton services required to keep the lights on during disruption
Third-party resilience needs ongoing monitoring and joint scenario testing across the extended supply chain (including fourth and fifth parties)
Providing the insights on this episode:
Georgia Hunter
Krishna Grenville-Goble
All in just 15 minutes.
The Insight in 15 is KPMG UK's flagship podcast for business leaders and decision makers.
Join us every fortnight for a fresh perspective on the issues shaping the future for your business, people and communities.
No filler. We cut to the chase, setting out the risks and opportunities, and providing insights you can put into action straight away.
Episode transcript
Krishna: Welcome to the Insight in 15, I'm Krishna Grenville-Goble, and today I'm joined by Georgia Hunter director in KPMG's operational resilience team. Georgia, we've got 15 minutes. We're going to jump straight in with our first question. What is operational resilience?
Georgia: Operational resilience is a key part of enterprise resilience. So it sits alongside financial resilience and commercial resilience. It's the ability of an organisation to prevent, respond, adapt to and recover from an operational disruption. So what it allows organisations to do is to look across their end to end services, understand how they're delivering them, and bring together an aggregate picture of their organisational resilience.
Krishna: And what's the difference between organisation resilience and risk?
Georgia: Operational resilience is the organisation's ability to continue providing its most important services or products to customers, despite all of the different disruptions that might be happening from both an internal and external perspective. Whereas risk is more of an inward looking view, looking at the key things that could go wrong within an organisation.
However, they are very interlinked. And risk management is a critical part of operational resilience.
Krishna: So what does that mean in reality? Can you give me an example?
Georgia: Yeah of course. So if you think about a payment service for a bank, it will already have a number of risk controls already in place. So think about processing monitoring performance type controls. What operational resilience does is it looks at things when they go wrong.
These controls have failed. So it's how do we continue providing that payment service, if there is a technology outage or a third party outage, you know, what are the workarounds that we can put in place and how long can we actually sustain those for?
Krishna: That sounds like organisations might be doing this already. Is that what you are seeing and hearing?
Georgia: Yes. So they are doing it already, but often in separate teams. So there'll be someone whose responsibility it is to look at cyber resilience, someone's responsibility to look at technology resilience.
But what we need to look at is those things in aggregate from an end to end service point of view. So if something does go wrong, they can quickly pinpoint how that impacts their service and what workarounds they need to put in place. If you take an example of, say, a head of sustainability, they are already looking at, you know, how different, natural disaster scenarios might impact the delivery of the service, but commonly that doesn't actually involve the business and what they would actually need to implement.
So what we're trying to do is bring the business into these discussions and look at things from an end to end service point of view.
Krishna: And why is this important for businesses now?
Georgia: So it feels like we're living in a constant state of disruption at the moment. And it's no longer good enough to just dust off your business continuity plans when something goes wrong.
Organisations need to be prepared and be able to respond quickly when these disruptions occur. This can be anything from cyber attacks, the Iran conflict, you know, the increasing use of disruptive technology. These are all big risks to, our service delivery. And we need to ensure that we are appropriately prepared for them.
Krishna: So is operational resilience considered a strategic priority?
Georgia: Yes, more and more. So we are seeing operational resilience becoming a board level agenda and topic that is being discussed very frequently. It is being seen as a peer to financial resilience in a lot of organisations already, but we're starting to see that focus more and more just because of all of these potential disruptions.
And ultimately, the board is accountable for delivering resilient services to their customers or clients.
Krishna: So it's obviously high on the board agenda, or it should be high on the board agenda. What sort of questions should boards be asking?
Georgia: So first and foremost they should be asking what are our most important services or products that we are delivering, and have they been prioritised based on harm, you know, to the customers, to you and I, on the, on the high street, rather than intent from an internal perspective like they traditionally have been, they should also try to get some confidence around how they're actually delivering those.
Do we have a clear understanding of the end to end mapping of all of our technology, third parties, people, facilities and data that actually that we need to actually deliver that service? And the next step is how are we testing for this, how we actually preparing and how comfortable are we that we can implement these workarounds that, you know, we've talked about when looking at some of these vulnerabilities.
Krishna: Who should take ownership of this?
Georgia: So operational resilience typically sits within the CEO function of an organisation. However, depending on that type of organisation or the industry, we are seeing it split across, you know, chief technology office, as well.
And this is mainly because organisations don't have an operational resilience function set up today. So it's trying to find a place for that, you know, a BAU capability.
Krishna: What should organisations be doing now to achieve that kind of operational resilience.
Georgia: So there's four key things that organisations should be looking at.
So the first one is getting that board accountability and responsibility tone from the top is really important. The second is defining what their operational resilience strategy is. So you know, what measures are we going to put in place? The third is building that business as usual operational resilience capability to allow for preparation and response when disruptions occur. And the fourth is understanding what the minimum viable company is.
Krishna: So let's delve into a few of the areas you covered. What does operational resilience strategy need to cover?
Georgia: Your operational resilience strategy is seen as an enabler to your broader, firm wide strategy. It's really looking at how you can continue to provide your most important services or products, and the measures in which you need to put in place should a disruption occur.
It's really, you know, making sure that your customers are at the heart of service delivery and where there any potential vulnerabilities these have been, remediated or, you know, mitigated.
Krishna: What do I need to do to build a business as usual capability?
Georgia: So first of all, they need to understand what their minimum viable company is and the key services that make up that, you know, skeleton of the organisation. In doing so, they'll start to identify who are the key people within the business who own these services or products. And then they can start to look at how they interact with some of the traditional adjacent functions like technology, cyber and people, and start to build up that bit of that operating model.
And the role of the central team that BAU capability is to bring all of those insights together and start to build that aggregate picture of resilience so that you know, your board and senior managers can start making investment decisions on some of those vulnerabilities through the through the testing that they've completed.
Krishna: You mentioned minimal viable company. What does that mean?
Georgia: First of all, you need to understand what is the long list of products and services, that your organisation delivers from both an internal and external point of view.
You then need to complete a set of prioritisation assessments to look at, you know, if these were disrupted, what is the impact, and harm that could be incurred by, you know, your customers, the firm and the market as well. And from that you can then determine, you know, what is your minimum viable company, what are the set of minimum skeleton services that you need to keep the lights on in the organisation, but will also allow, you know, your most important and critical services and products to be delivered?
The important thing here is that it's not BAU delivery. It's that really minimum delivery that you need.
Krishna: And so what sort of scenarios should I be testing?
Georgia: Organisations should start looking at broad multi event scenarios. So it's no longer good enough to just look at one asset or application being disrupted.
It needs to be a multi event end to end disruption of a particular service. So this can be any combination of a third party outage, a technology outage combined with a natural weather event, leaving a whole workforce off for whatever reason. And you should also be looking at how you're incorporating things from your risk registers. You know, that are already there. And also some external, threat horizon scanning inputs as well.
Krishna: How do I get hold of the tool to test those scenarios?
Georgia: So there are multiple different inputs. First and foremost it's looking at how your mapping of how you've actually deliver that service or product.
So what are my critical applications, data, people, third parties and facilities that I need to actually deliver that service, can quickly pick out whether any, you know, concentration risks or a single point of failure that you could test.
You should also look at incorporating, things from your risk register and tailoring that to the specific service. And you should also look at things from a horizon scanning threat point of view, as well.
So that could be from both an internal perspective, but also should think about those external threats as well
Krishna: So what is the weakest link in most organisations? Where are they going wrong?
Georgia: So organisations currently don't have a full picture of how they are delivering their services. So mapping is still quite immature across a number of the different areas, such as technology. Organisations just haven't been able to map the full technology stack to each of their most important critical products and services.
That obviously has an impact on all of the assessment and preparation that you need to do, you know, should a disruption occur. The second thing organisations need to do is more testing. So it's not good enough to do an, you know, annual test where you just sit down and walk, talk through what you're doing. We're seeing organisations move to live testing when they're actually implementing parts of that work around to see how sustainability is and how long they could actually do that for.
And then the last is the third party supply chain organisations don't have a great understanding of their supply chain. They might understand a little bit about their third parties, but beyond that, their understanding is quite limited.
Krishna: You mentioned supply chain. And obviously businesses are reliant on suppliers and other businesses and partners. So how do you track the resilience of suppliers and business partners?
Georgia: First of all what an organisation needs to do is understand who are they critical third parties, but more importantly understand their third party. So your fourth or fifth parties you can't rely solely on, you know, a one and done due diligence assessment of your third parties.
There needs to be that ongoing monitoring and risk assessment that's completed, you know, on a monthly, quarterly basis. Through that, you'll highlight any potential vulnerabilities with that third party and their performance. And what we're starting to see now is organisations move towards code testing. So where you do a lot of your scenario testing already as an organisation, it's inviting those third parties in so you can stress test the activity and the workarounds and how you would interact with that third party if there was to be a disruption.
Krishna: So we're nearly out of time. But there's always one question we ask our guests. What's the one takeaway you have for our listeners?
Georgia: Start thinking about operational resilience today because it's too late to start thinking about it once the disruption has happened.
Krishna: Thanks, Georgia. That's all we've got time for. Don't miss all of our episodes on Apple Podcasts, Spotify and YouTube. We'll see you next time for The Insight in 15.
Get in touch
Discover why organisations across the UK trust KPMG to make the difference and how we can help you to do the same.