Preparing for the Unexpected: A Proactive Approach to Operational Resilience

Try these steps to create an operational resilience action plan that will satisfy financial regulators and help sustain business without disruption.

Cameron Dicker, Director of Global Business Resilience, FS-ISAC

October 6, 2023


Preparing for the unexpected may be a contradiction in terms, but for financial firms it is essential for survival. The sector has long been a target for threat actors, given that this is where the world's money is. And as the financial ecosystem becomes increasingly interconnected, threats to its security and resilience are rapidly evolving and increasing.

Operational resilience is not just about responding with agility to risks but also maintaining continuity of operations with minimal or — even better — no disruptions. So, whereas cybersecurity is about preventing and defending against cyberattacks, resilience focuses on sustaining operations despite attacks.

Recognizing the necessity of operational resilience, regulators are emphasizing the need to be prepared for unforeseen incidents. A prominent example is the EU's Digital Operational Resilience Act (DORA), which provides a framework for the finance industry to detect, prevent, contain, and recover from attacks associated with information and communication technology (ICT).

Operational Resilience: Beyond Business Continuity

Keeping a business running is not a new concept. Business continuity management and disaster response are well-developed functions within financial firms. But while business continuity focuses on ensuring smooth handling of disruptions when they occur, operational resilience goes beyond that. It is a proactive approach to ensuring reliability of digital systems no matter what happens. This sense of reliability is critical to maintaining public trust in the global financial system.

Operational resilience is by no means easy to achieve. However, there are definite steps that firms can take to begin their journey. The first step is to get a holistic view of the risk landscape: a comprehensive assessment of operations, interconnections, and continuity requirements. Once this is done, the fundamental principles of operational resilience can form the building blocks of a future-ready strategy, scaled to the size, complexity, and role of your organization in the overall financial ecosystem.

Here's what an action plan might look like:

Identify Internal and External Risks

  • Identify operations that are critical to business management and continuity. Look for key dependencies in internal and external systems and the operations they rely on.

  • Understand the threat landscape as it evolves, and use that understanding to create an effective response plan, one that makes relevant information easily available to the personnel working to protect against and mitigate disruption.

  • Create seamless communication channels between internal and external groups, including information-sharing bodies, cybersecurity teams, and government partners. No firm can understand the constantly evolving threat landscape alone; collaboration is the only way to enlarge your view beyond what your own team and tools provide and minimize blind spots.

  • Maintain an in-house inventory of assets (both physical and digital), event classes, and threats to stay prepared for the unexpected.

Put a Response Strategy in Place

  • Identify your organization's risk appetite by determining the acceptable levels of disruptions for each critical operation. With this, you also get a comprehensive view of the system's ability to resist, absorb, adapt to, and recover from an incident. It also helps you prioritize risks and create efficient controls and contingency plans for potential threats.

  • Build response plans that keep operations coordinated with one another during a crisis. Use lessons from previous attacks and exercises to understand the required adjustments and set procedural standards. Identify the relevant people and teams within your company and determine their roles and responsibilities during risk events.

Be Ready to Take Action

  • Conduct regular mock drills to test the various components of your incident response plan, both internally and externally. Include your third-party vendors in your strategy and practice exercises to put an immediately executable action plan in place.

  • Ensure effective governance, both internally and externally, to develop and implement a proactive, enterprise-wide strategy that is compliant while being feasible, effective, and safe to execute.

Becoming Future-Ready in a Globalized World

The financial sector is better able to navigate an increasingly complex world with a proactive approach to operational resilience. Operational resilience helps reduce the cost of disruptions, improve resource allocation efficiency, and ensure agility in responding to emerging market opportunities. It is critical to maintaining, and indeed enhancing, customer trust and loyalty in a world where cyber incidents are daily front-page news. And of course, regulators are demanding it.

No firm can achieve operational resilience purely on its own. Intelligence sharing within the global financial community helps firms understand current and emerging threats and learn how others are mitigating them. It keeps larger institutions at the forefront of cybersecurity while arming smaller firms with knowledge and tools to protect themselves. It is so critical to operational resilience that DORA dedicates an entire article to it.

Beyond regulation, the public sector is also increasingly collaborating with the private sector to protect critical infrastructure, which includes the financial sector. Around the world, exercise programs such as the US Treasury Department's Hamilton Series and NATO's Locked Shields regularly run large-scale exercises to test that communication and coordination channels will function efficiently during major incidents. The goal is not only to minimize operational disruption but to proactively maintain public calm and trust.

Operational risks are no longer geographically bound. Cross-border intelligence sharing and exercises help financial institutions build a comprehensive approach to operational resilience. Being prepared for the unexpected not only enables you to act from a position of confidence and strength but also fosters trust and confidence among the stakeholders on whom long-term business success depends.

About the Author(s)

Cameron Dicker

Director of Global Business Resilience, FS-ISAC

Cameron Dicker is the Director of Global Business Resilience at FS-ISAC and the Deputy Director of the Financial Services Sector Coordinating Council. As Director of Global Business Resilience, Cameron oversees FS-ISAC's exercise programs as well as the regional Business Resilience Committees. Prior to joining FS-ISAC, Cameron worked on resilience policy and crisis management for the Department of the Treasury and the Federal Reserve Board.
