[INTERVIEW] Operational resilience, how to recover after an attack!

Hello Roxane! Thank you for your time! Today, we’re going to talk about the Operational Resilience Maturity Assessment Framework. Could you summarize the tool in one sentence?

To sum up, the Operational Resilience Maturity Assessment Framework is a tool that measures the level of operational resilience of an organization.

What is Operational Resilience?

We believe that Operational Resilience (OpRes) is a young but increasingly unavoidable issue for our clients, especially for those in the financial sector. The United Kingdom has been a pioneer in this field, with an Operational Resilience Framework coming into force in March 2022, imposed by the Bank of England, the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA). Similarly, the European Union is set to follow suit, with its Digital Operational Resilience Act (DORA). The underlying principle for both legal frameworks is the acknowledgement that many events, both internal and external, can disrupt the activities of banks and other organizations.

Operational resilience therefore involves different sources of threats: from third parties (partners, suppliers, or service providers) to pandemics, power failures or fire, to name but a few. From an organisational point of view, resilience is very often a programme driven by the Head of Operational Resilience, the IT department or the risk division, and less often by a CISO.

Why did you create this tool? What problem does it solve for clients?

Under pressure from regulators, our clients have launched programmes to increase their level of resilience, and therefore have had to measure their maturity level, both before and after these programmes. Compliance is a good starting point, but it doesn’t go far enough! The idea of our Operational Resilience Maturity Assessment Framework is to provide a tool that encompasses both these new guidelines and the best practices observed in the field. The tool is useful because it:

  • Measures the maturity of an organization, in terms of the methodologies and processes in place to address Operational Resilience.
  • Reports on the actual resilience capabilities at a given moment by analysing the tools and capabilities in place.
  • Facilitates the formalisation of a risk reduction plan and the management of resilience by highlighting the main areas that require more investment.
  • Integrates all of Wavestone’s field experience in resilience from all our offices! Especially in the UK, where Operational Resilience is more advanced than in the European Union countries, we have been working on resilience projects for over 3 years.

It assesses the organisation’s processes and operational implementation with a form consisting of ninety questions spanning twelve major topics. For each question, a resilience score between 0 and 5 is assigned, and a list of evidence is provided to support this score.

Customers are always keen to benchmark, and this has been incorporated into the assessment. Everything has been thought out to standardise the evaluations and thus allow clients to position themselves in the market; it’s a real value-add!

As the regulatory landscape matures, we’ve identified a need to maintain a global view; firms must implement Horizon Scanning functions to stay ahead of regulators and the competition. Therefore, working in conjunction with our maturity assessment tool, we have an Operational Resilience Regulatory Radar which maps regulations across the globe according to the same themes. It is a live document, updated every quarter, that provides a holistic view of OpRes regulation and allows the user to compare by both geography and topic.

Can you tell us about the last time you used it?

The trigger for the creation of the Operational Resilience Maturity Assessment was a UK project supporting a major bank. Initially, we provided a 360° analysis of their resilience during which we developed our first assessment framework. With it, we were able to establish four maturity levels of resilience: 1) “Insufficient”, 2) “Compliant”, 3) “Good Level” and 4) “Leader”. We were then able to position them on these 4 levels and provide relevant advice and feedback accordingly.

Recently, we received a second assignment from another banking company, providing an opportunity to modify the assessment and make it more precise and extensive. We also modified our list of proofs that are used to position an organization against the correct maturity level, and added a 5th level of maturity, “The Pioneer”.

Currently, we use this framework in the financial sector, which has a high level of maturity given the regulatory constraints and the sensitivity of the data it processes. For clients in other sectors, we would adapt the levels to align with the overall maturity of the market.

Any final thoughts?

We think we can go even further in assessing resilience in a few years. The more feedback we get from the field, the more precise we will be on the required conditions to reach a level. For example, a player will be considered mature if it has the capacity to rebuild its AD in 3 hours. Just like on the CyberBenchmark. The next step would therefore be to define quantitative and/or qualitative indicators… And the only way to do this is to continue to confront the framework with reality!

Although everything can be improved, we are still very proud of this tool which was built in collaboration with our customers and experts, and has already proved its worth.
