What is operational resilience?

Operational resilience is the ability to prevent, detect, respond to, recover, and learn from operational disruptions. For organizations, operational resilience ensures business continuity and stability, in the present and future. Companies that demonstrate resilience generate higher returns, even in times of economic downturn.¹

What does operational resilience take? Careful planning and a people, processes, and technology (PPT) framework strategy. Effective operational resilience is a risk mitigation and management strategy that improves response and recovery processes. Disruptions can cause revenue loss, customer mistrust, and reputational damage. Operational resilience minimizes the impact of potentially disruptive events on an organization, its partners, and customers. In other words, it ensures the show goes on.

The pillars of operational resilience keep your company functioning without interruption, even if disruption occurs. Operational resilience can be broken down into five pillars:

Risk identification and assessment: Identifying and assessing risks is fundamental to risk management strategy, a core operational resilience initiative. Scaling and growing is risky business! Security breaches, economic changes, supply chain disruptions, intra-organizational transformations, and more all pose potential threats.

Methods to identify and assess risks include: brainstorms, documentation reviews, information gathering, strength weakness opportunities and threats (SWOT) analysis, root cause analysis (RCA), assumption analysis, and risk registers. Risk prioritization improves response capabilities. Concerned teams can act with minimal or no interruptions to business activities.

Business continuity planning: For a business to continue "as usual" in the face of a disruption, you must establish an order of operations and a list of stakeholders for any given disruption scenario. This is business continuity planning, which builds on risk identification and assessment methodologies to provide solutions to potential disruptions. A planning committee made up of IT, security, and executive leaders prepares the actions to be taken in the face of disruptions to minimize their impact.

A successful business continuity plan is contingent on several steps: information gathering (risk assessment), plan development and design, implementation, testing, and continuous maintenance and updates. Environmental factors change — from external factors like new laws and regulations to internal factors like new in-house technology. Therefore, regularly reviewing your business continuity plan is crucial to its viability.

Depending on the size of your organization, there are multiple elements to consider and a varying amount of risk to account for. A good business continuity plan is a simple one. It identifies the resources that are vital to continuous operations, locations relevant to continued operations, the people in charge of continuing operations, and potential costs.

Incident response and recovery: Businesses contend with cybersecurity breaches, threats, or attacks as an inevitability of the digital age. Incident response and recovery plans are formalized processes and technologies that prevent cyberattacks and minimize their impact if they do occur. Common security incidents include ransomware, phishing and social engineering, distributed denial-of-service (DDoS) attacks, supply chain attacks, or insider threats.

Incident response and recovery plans are typically created by a dedicated computer security incident response team (CSIRT). The members of this team are usually an organization's chief information security officer (CISO), its security operations center (SOC), IT staff, stakeholders from the C-suite, legal, HR, risk management, and regulatory compliance. These plans detail the roles and responsibilities of each stakeholder in the case of any given incident. They outline the protocols for restoring affected systems during an outage, a detailed set of steps to be taken in response to an incident, a communications protocol for informing all affected parties, and data collection methodologies for post-incident reviews and future learnings.

An incident response and recovery process must also include steps for detection and analysis, protocols for containment, and solutions for eradication. Once a threat is detected and analyzed by cybersecurity teams, it must be contained to limit damage. Short-term containment measures address the threat immediately to neutralize it, while long-term containment measures focus on strengthening the defenses of unaffected systems. Once a threat has been contained, teams can remediate the issue by eradicating it entirely. Only then does recovery come into play: teams restore systems to normal operations by patching, or getting systems back online.

Crisis management: Crisis management is defined by how organizations respond to any given crisis — large or small. A disruptive event occurs, an organization reacts and sets its business continuity plan into motion. That's crisis management. Effective leadership, efficient protocols, and swift mobilization distinguish a successful crisis management operation and a failed one.

Adaptive governance and culture: Effective crisis management requires agility and adaptivity from organizations. Quick responses to disruptions are only one part of achieving operational resilience. Adopting an adaptive governance and culture means organizations are also actively learning from their environment and incidents to inform future decision-making. It's like practicing a growth mindset at an organizational level.

Operational resilience is important for any organization’s bottom line. When services lag, break, or are hacked, it impacts customers and their safety. Depending on the industry, the ramifications can go from being inconvenient to life-threatening, such as in healthcare. They can damage customer trust and have legal repercussions — a data leak might even constitute a breach of regulatory compliance. Short term? You're bogged down with resolution efforts. But in the long term, your reputation suffers.

Operational resilience allows IT teams to minimize downtime, which ensures quick recovery, reduces operational interruptions, and maintains productivity. Preventing outages or quickly resolving them also maintains customer trust and organizational reputation. This, in turn, protects organizations against revenue loss and resulting financial instability.

Business continuity and operational resilience are sometimes used interchangeably but they vary in scope and approach. Business continuity is a pillar of operational resilience, referring to a formal and specific type of planning intended to ensure business continues smoothly and quickly in the event of a disruption.

Operational resilience is an all-encompassing, proactive approach that helps organizations withstand, adapt, and thrive during and after disruptions. It involves ongoing assessments for continuous enhancements. Every aspect of the organization gets re-evaluated, including supply chains, technologies, communications, and its workforce.

Operational resilience relies on adaptive governance and continuous improvement to supplement recovery procedures. For a business to demonstrate resilience, both business continuity planning and operational resilience methodologies are necessary.

Achieving operational resilience is increasingly challenging as new technologies emerge before organizations have time to adapt to their previous latest iterations. Cyberthreats are also increasingly sophisticated, requiring significant investments in cybersecurity professionals and technologies from organizations. Supply chains are more complex than ever, relying on an intricate web of global actors, all governed by different regulatory requirements.

For any organization, balancing costs and ensuring resilience is a consistent challenge. After all, operational resilience has a significant impact on any organization’s productivity, and therefore its financial viability. Companies must identify their priorities to understand how best to allocate funds and resources to maintain stability and growth.

Mitigating cyber threats and data breaches is also more resource-intensive than ever. Threat actors are better equipped, and companies have broader attack surfaces, increasing the number of vulnerabilities. An expanded digital environment, while offering an organization more flexibility and speed in development, is also a significant operational resilience challenge.

Enhancing operational resilience begins with developing a comprehensive resilience framework. Companies need to take a structured approach and integrate resilience frameworks into all aspects of the organization, from strategic planning to daily operations.

For effective cybersecurity resilience, organizations need to implement robust measures and conduct regular testing and drills. A proactive approach is half the battle for a cyber-resilient organization. It also ensures that thorough and relevant incident response and recovery plans have been formalized. Preparedness is key.

Ultimately, resilience is a matter of culture within the organization. Effective communication across all channels and a commitment to continued learning demonstrated by leadership is vital to enhancing operational resilience.

As companies continue to increase their spending on AI and machine learning technologies, we may see them used to bolster operational resilience. Predictive resilience models, which leverage data analytics and machine learning, may boost risk management initiatives by learning to anticipate potential disruptions, faster and in greater detail than analysts can alone.

Global collaboration and information sharing will also play an important role in fostering more resilient organizations. As supply chains cross borders and most companies employ across time zones with no sign of retreating, international cooperation in the realm of regulatory compliance, newfound threats, and security strategies will help ensure that organizations are resilient.

To expect the unexpected, companies must consider sustainable and long-term resilience strategies. With the climate crisis unfolding and causing weather events capable of serious disruptions, resilience goes hand-in-hand with sustainable choices. It isn’t limited to protective measures — true operational resilience will require reinvention and innovation.

• Achieve operational resilience with a flexible data store
• From vision to reality: Your guide to using generative AI to improve operational resilience
• Improve operational resilience with generative AI
• Generative AI for business observability: What IT leaders need to know
• Improve operational resilience by solving your hidden data challenges
• DORA: A paradigm shift in cybersecurity and operational resilience
• GovLoop playbook: Strengthening operational resilience

McKinsey, Resilience for sustainable, inclusive growth. 2022.