The governance around resilience
You want to become resilient to cyberattacks, human errors, power outages, and many other causes of service interruptions. Where do you start?
You could ask your IT team and your Operations leaders to take the required measures to ensure "reliability." Do you think that will work without any oversight and guidelines? I can tell you right off the bat: no. And you will already have given the same answer in your head. Moreover, your company's department heads will give the same answer: no. And why? Exactly because they do not know how you want to put the "law" into effect in your company.
Your next question is, of course: "What law?" If you are in Europe, you will have heard about the many laws of the EU, like NIS2, MiFID II, DORA, EMIR, and so many more. You will be subject to other laws if you are in Asia, the US, the Middle East, Africa, or Oceania. And if you deliver services to EU companies governed by the first set, you may be subject to those European laws as well.
So much for the laws; let's look at what this gives you.
If you're like me, you want your client to be able to use your services, almost no matter what. That means you must ensure your services are available to your clients under most circumstances. Ok, if WWIII breaks out with nuclear missiles flying all over, all bets are off. Let's ignore that occurrence. (Your contracts include "acts of God" exclusions, right? If not, let's talk.) That is the real reason you must ensure your services to your clients are resilient. Resilient systems and processes ensure your income, revenue, the livelihood of your employees, the ROI for your shareholders, and your reputation.
As I said, there are 4 stages. Let's begin with stage 1: governance.
What is governance but telling your staff what you want them to do? Nothing! So, let's tell them what to do and how to achieve their Key Performance Indicators. That way, you get what you want, being in control, and they get what they want: their bonus.
Resilience governance needs to start at the top of the organization. And for that, you need to know WHY it is being introduced.
- To mitigate risks posed by growing vulnerabilities introduced by increased interconnectivity
- To address the shift in your risk profile as your digital adoption increases
- To acknowledge that third-party suppliers underpin your ability to supply services to your clients
- To adopt a single, consistent approach to operational resilience across markets
Obviously, this is a holistic view of the markets across the US, EU, Oceania, and Africa. Each of these markets has its own interpretations and nuances.
The point, however, stays the same: have a sound company oversight and management view via clear governance rules like ownership, policies, procedures, guidelines, and operational task lists.
In the end, it is all about the ability to build, ensure, and review operational resilience from a technological and business perspective.