Resilience is not a one-time box-tick exercise but an ongoing journey that begins with data and culture

2022 was a year of ongoing and compound crises, as organisations were faced with a myriad of disruptions.

From global and regional conflicts, to cyberattacks, supply chain disruptions, climate incidents, inflation, and economic downturn, never has it been clearer that operational resilience has become a boardroom priority.

On top of numerous disruptions, companies have also faced evolving global compliance requirements as regulators prioritised requirements to begin fast-tracking operational resilience.

As risk and compliance landscapes continue to evolve in 2023, organisations must prioritise resilient outcomes with a data-driven approach and foster a culture of program integration across the entire organisation.

When disruption inevitably occurs, resilient risk programs provide the tools to enact an informed response.

Global regulations and compliance

Regulators are taking operational resilience seriously by enacting and enforcing regulations around resilience, third-party risk, and cybersecurity as well as by heightening the compliance requirement for businesses.

The European Union (EU) passed the Digital Operational Resilience Act (DORA) in 2022 with an expected date of final implementation and compliance by Q4 2024.

In the US, the SEC (Securities and Exchange Commission) 2022 examination priorities established an enhanced focus on operational resilience. Operational resilience legislation for critical infrastructure sectors, such as financial services, demonstrates that regulators understand why resilience is imperative and are taking steps to ensure adequate protections are in place.

For businesses, these new regulations signify that simply being resilient is not enough – they must actively demonstrate resilience to relevant shareholders and regulators.

Furthermore, regulators are beginning to hold executives personally liable for regulatory violations. Uber’s former chief information security officer was recently found guilty in federal court for concealing a cyber incident from regulators.

This recent shift to holding executives personally liable for corporate compliance demonstrates that regulators are taking this seriously – and expect the same from all businesses as well as their leadership.

Geopolitical risks 

Although it feels like the COVID-19 pandemic is finally coming to an end, businesses will continue to face other significant risks in 2023.

The geopolitical crisis in Ukraine highlighted the multilateral impact of geopolitical events, including on personnel, vendors, the economy, and supply chains. Geopolitical events will continue to remain a pain point for many businesses with global operations.

With tensions growing in East Asia between China and Taiwan, businesses would do well to prepare for any possible disruption if war were to break out in this region.

Given many goods originate from East Asia, a major disruption could result in significant supply chain challenges. To prepare, businesses should evaluate their supply chains and map any touch points to the region. From there, companies should explore alternative options and determine how they would respond should a disruption occur.

Disruptions often happen at a moment’s notice, but with the proper proactive measures, businesses can quickly trigger an informed response.

In light of the severe business disruptions following the Ukraine-Russia war, businesses need to be on the front foot and stay ahead of any potential disruptions in 2023 and beyond.

Data is key

Operational resilience is data-driven. True resilience means having the necessary data to assess and respond to a situation promptly, while limiting disruption to customers.

With businesses expected to face continued disruptions in 2023 and with regulations becoming more complex, businesses must take a data-driven approach to managing their operational resilience.

Data is a crucial component of operational intelligence to help businesses make informed decisions and communicate information with key stakeholders and regulators.

Operational intelligence includes business processes, people, and technology overlaid on enterprise data elements. It provides a holistic picture of an organisation, how it works, and its risks to guide intelligent decision-making.

Connecting data in this manner offers executives and regulators thorough insights into business resilience through a central lens.

Beyond organisational data, scenario testing will be a key priority for businesses in 2023 to further understand the impact of specific hypothetical disruptions. 

Along with the increase in data collected by resilience teams, privacy and data security issues will continue in 2023 as organisations create processes to effectively manage the issues in the context of their operational resilience program.

Resilience in the spotlight

Operational resilience brings together the separate functions of governance, risk, and compliance alongside other business functions to drive informed decision-making.

In 2023, we will see businesses continue to adopt a data-driven approach to resilience to stay ahead of emerging risks and compliance obligations.

Resilience is not a one-time box-tick exercise. It is an ongoing journey to create a culture shift within an organisation and, as such, does not happen overnight.

But do not let the long journey stop your organisation from taking the first step – every organisation must start somewhere, so for businesses that have not yet begun their resilience journey, 2023 is the perfect time to start.

Alex Toews is director, Risk Products, at Fusion Risk Management