Operational resilience under pressure as risks compound existing threats

Businesses have been told their operational resilience will be tested in the year ahead as a range of risks and challenges put systems under stress.

Alex Toews (pic) director, risk products at Fusion Risk Management, said 2023 will deliver new tests and companies will need to ensure their resilience is robust enough to withstand the pressure.

“2022 was a year of ongoing and compound crises, as organisations were faced with a myriad of disruptions,” he explained. “From global and regional conflicts, to cyberattacks, supply chain disruptions, climate incidents, inflation, and economic downturn, never has it been clearer that operational resilience has become a boardroom priority. On top of numerous disruptions, companies have also faced evolving global compliance requirements as regulators prioritised requirements to begin fast-tracking operational resilience.”

Toews added: “As risk and compliance landscapes continue to evolve in 2023, organisations must prioritize resilient outcomes with a data-driven approach and foster a culture of program integration across the entire organisation. When disruption inevitably occurs, resilient risk programs provide the tools to enact an informed response.”

He warned regulators are taking operational resilience seriously by enacting and enforcing regulations around resilience, third-party risk, and cybersecurity as well as by heightening the compliance requirement for businesses. The European Union (EU) passed the Digital Operational Resilience Act (DORA) in 2022 with an expected date of final implementation and compliance by Q4 2024. In the US, the SEC (Securities and Exchange Commission) 2022 examination priorities established an enhanced focus on operational resilience.

“Operational resilience legislation for critical infrastructure sectors, such as financial services, demonstrates that regulators understand why resilience is imperative and are taking steps to ensure adequate protections are in place,” he said. “For businesses, these new regulations signify that simply being resilient is not enough, they must actively demonstrate resilience to relevant shareholders and regulators.”

Aside from regulatory the challenges of the past year are set to be exacerbated.

“Although it feels like the COVID-19 pandemic is finally coming to an end, businesses will continue to face other significant risks in 2023,” Toews explained. “This year, the geopolitical crisis in Ukraine highlighted the multilateral impact of geopolitical events, including on personnel, vendors, the economy, and supply chains. Geopolitical events will continue to remain a pain point for many businesses with global operations.

“With geopolitical tensions growing in East Asia between China and Taiwan, businesses would do well to prepare for any possible disruption if war were to break out in this region. Given many goods originate from East Asia, a major disruption could result in significant supply chain challenges. To prepare, businesses should evaluate their supply chains and map any touch points to the region. From there, companies should explore alternative options and determine how they would respond should a disruption occur.”

He continued: “Disruptions often happen at a moment’s notice, but with the proper proactive measures, businesses can quickly trigger an informed response. In light of the severe business disruptions following the Ukraine-Russia war, businesses need to be on the front foot and stay ahead of any potential disruptions in 2023 and beyond.”

Toews said date remains key to resilience given that it is data driven.

“True resilience means having the necessary data to assess and respond to a situation promptly, while limiting disruption to customers. With businesses expected to face continued disruptions in 2023 and with regulations becoming more complex, businesses must take a data-driven approach to managing their operational resilience.”

“Beyond organisational data, scenario testing will be a key priority for businesses in 2023 to further understand the impact of specific hypothetical disruptions,” He added. “Certain disruptions are more likely to occur than others, such as a hurricane hitting Florida that results in flooding and loss of power, or a supply chain impact that causes a primary supplier to deliver goods a week or more late. Testing these scenarios with a genuine probability can help a business understand how it will be impacted and how to respond. This ensures organisations know exactly how to react when the event does occur.

“But as compound crises increase, businesses should also test scenarios that are deemed ‘highly unlikely’. Running these stress tests can help inform responses to more complex risks and disruptions.”