Reviewing requirements for operational resilience and developing agile programs in a changing environment

This content has been archived. It may no longer be relevant

The views and opinions expressed in this article are those of the thought leader as an individual, and are not attributed to CeFPro or any particular organization.

Chris Harner, Managing Director, Cybersecurity, Sia Partners

In your experience, how has the pandemic influenced your institutions resiliency?

The pandemic highlighted the complexity and hidden dependencies in the economy that previously were not evident to the public and many executives. The pandemic raised many resiliency issues, including:

  • People: Lockdowns forced firms to shift to a remote work model overnight. As a result, behaviours and attitudes changed, with a strong employee preference for remote work. Today, like most firms we have pivoted to a hybrid work model.
  • Cybersecurity: With a shift to remote work, there was an uptick in phishing and other attacks. VPNs for remote access and Multifactor Authentication (MFA) became a top priority to secure endpoints.
  • Relocation: As employees fled hotspots and lockdowns, tracking their location was important for monitoring employee safety, but also tax compliance for individual and corporate filers.
  • Real estate: Many companies are stuck with fixed assets or leased properties with low occupancy rates while those with a lean presence reduced overhead.
  • Operating model: Firms continue to re-evaluate offshoring and outsourcing strategies to mitigate supply chain breakdowns domestically.

As a consultancy Sia Partners was always nimble, continuing to serve clients while pursuing its acquisition strategy to expand its global footprint, talent and offerings.

When developing resiliency, is it important to include political disruption? Have any recent events emphasized this?

Operational resilience is the dynamic ability to adapt to internal or external shocks while maintaining critical operations and core business lines, regardless of the source of the shock. Political disruptions should be monitored as they often function as triggers to cascading failures. The conflict in Ukraine is a recent example illustrating how an event unleashes second and third order impacts due to obvious and non-obvious dependencies.

Europe’s dependency on natural gas for heating and energy was obvious. Sanctions on Russian goods and services led to Moscow shutting off gas supplies. The aggressive push toward alternative energy while shutting down coal fired and nuclear power plants led to a classic single point of failure, amplifying Russia’s leverage over Europe.

What was not obvious to most were the second and third order impacts. First, the looming heating crisis this winter naturally led citizens to seek out firewood for woodstoves. Firewood may have provided redundancy for home heating, but that would have required planning ahead to retrofit homes and manage forests to ensure an adequate supply of seasoned wood for efficient burning.

Second, the energy crisis is compounded by not only the lack of natural gas itself, but also critical by-products –including urea– required for fertilizer. Sanctions on Belarus aggravated the lack of fertilizer as it produces 20% of the world’s potash, another critical ingredient. Without chemical-based fertilizers, most farms’ production will be reduced by about half. Worse, the skyrocketing cost of fertilizer threatens the financial solvency of many farms,  intensifying a potential food shortage for the next season. Lastly, once farmland lies fallow, it can take years to bring it back into full production.

How do you test plans and recovery to disruption that hasn’t yet taken place?

We cannot see into the future, but we can construct hypotheses of what would happen if an unforeseen disruption occurred. One method is through thoughtfully designed tabletop exercises to test capabilities, communication protocols and the level of collaboration among stakeholders. Crisis management and recovery is a skill requiring “muscle memory” through rigorous training. The learnings from training and experience should be documented in playbooks focused on different events, from ransomware to failure of a critical vendor. Playbooks are critical to guiding executives under duress to manage an event in a structured manner.

What are the requirements for mapping processes and controls?

Often, we hear from clients that process mapping is burdensome and lacking, including failing to catch control failures or fraud events. Process mapping, like stress testing, is a tool borrowed by the finance sector from engineering. Most process mapping is conducted based on an inventory that closely follows linear processes conducted by functions and business lines. This is a typical decision since firms are organized internally as such, and it feels natural to create a process inventory and identify owners along the corporate structure.

Risk is not linear and seldom remains contained in one function, business line or product. Rather, in my experience, process mapping is most effective when management pivots to an end-to-end (E2E) view of risk tiered processes. An E2E view is better suited to capturing the connectedness between functions, business lines, risks, and controls for a process instead of the classic siloed approach.

Mapping should not be limited to tagging risks and controls to each individual step or decision in the diagram, rather it should also be used in a “big picture” exercise to determine how multiple control failures within the process could manifest itself into a cascading risk event. Lastly, there is an opportunity to leverage AI/ML to screen mappings and assessments to determine what “good” looks like and iterate with the owners to improve their work product.

 

Chris will be speaking at our upcoming Operational Risk Management USA Congress, taking place on October 12-13 at Etc Venues Lexington.

You may also be interested in…

Have you made your free account?