March 5, 2020
Operational resiliency—an organization’s ability to withstand adverse, disruptive change in its operating environment and continue delivering critical business services and economic functions—is a vital skill in the digital age.
It is achieved through processes that help the business detect, prevent, respond to, and recover and learn from catastrophic operational and technological failures, such as a major cyberattack, power outage, or pandemic.
To gain fresh perspectives on the board’s role in overseeing this preparedness, Protiviti met with a group of active directors during a roundtable at a December NACD event to discuss their experiences. Below are the key questions raised during the dialogue and the takeaways from it.
The directors agreed that operational resiliency starts with a front-to-back evaluation of the business services and functions that are critical to the execution of the business and that have a significant economic impact.
When considering “impact,” it is important to look beyond the four walls of the organization to consider external stakeholders such as customers, third parties, regulators, investors, and the environment. Elements that may determine criticality include the percentage of overall revenue that a service supports, the service’s estimated daily impact on the customer experience, the number of market participants providing or using the service, the length of time the business can operate without it, and the extent of regulatory interest should a major resilience event affect the service.
Once the most important services and functions are determined, the organization can assess its exposure to adverse, disruptive events and how to prevent, detect, respond to, and recover from them. The organization can then build operational resiliency through a program that enhances its ability to learn from catastrophic operational and technological failures.
Management should also assess impact tolerance. For example, up to what point would the organization be tolerant of an event that stresses operational resiliency before it is necessary to trigger a recovery and resolution plan? What is the customer base’s tolerance for accepting the event occurring and continuing to do business with the organization? What are the expectations of other external stakeholders, and how would they respond to a major incident affecting the organization?
When evaluating the organization’s resiliency in addressing an extreme but plausible catastrophic event that could result in the loss of a critical service or function, management should consider the velocity of the event or how quickly it will make an impact, the persistence of the impact, the sufficiency of the company’s response plan if the event occurs, and the extent of uncompensated risks, if any, that the company faces as a result of the event (e.g., significant environmental, health, and safety exposures).
The likelihood of the event’s occurrence can sometimes be a consideration. However, likelihood is not as significant a factor in evaluating exposure to catastrophic events as the enterprise’s response readiness is. The question is not “Will it happen?” It’s “What will we do if it does happen?”
The question around the board’s proper role in this scenario surfaced many times at the NACD roundtable. Overall, the group agreed that the board should be notified promptly of an event that is likely to require disclosure to investors, regulators, or both. Additionally, the board should be aware of the company’s response to the event, but should not drive the action. The board also should be engaged with:
There was also much discussion on how granular the board’s engagement should be. All of the directors recognized that matters that could damage the company’s reputation and erode brand image warranted the board’s closest attention and timely oversight.
Individual board members are not required to be technical experts on operational resiliency. But directors should collectively possess adequate knowledge, skills, and experience to constructively challenge senior management and evaluate decisions that have significant operational resiliency consequences.
Directors at the roundtable agreed that clear accountability and responsibilities should be established for management and that a policy statement can be helpful in this regard. To that end, it can be useful to understand how the company’s operational resiliency program is organized, who is responsible for preparing for and responding to various resilience-testing events, and the extent to which line-of-business leaders are engaged for specific business services. Directors should also expect management to provide appropriate information and periodic reporting on the operational resiliency program.
The board’s focus should be on the types of events that may put the organization out of business. Management should have a clear understanding of what specific services could shut down the business if they were interrupted in a major way.
Directors should work with and through the CEO to articulate the desired culture of risk awareness and ethical behavior for the organization, both of which influence the firm’s commitment to operational resiliency. It is up to management to establish and sustain that culture under the board’s oversight. For a more complete look at this roundtable, read Protiviti’s full summary of the event.