There are many misconceptions about operational resilience…
By Emily Davidson
15 May 2025
Don’t let outdated assumptions about operational resilience leave you exposed. We’ve witnessed first-hand how these misunderstandings can put organisations in jeopardy.
Operational resilience isn’t just about having a backup plan; it’s about building a dynamic, comprehensive approach to risk.
Operational resilience refers to the ability and capacity of an organisation to anticipate, prepare for, respond to, and recover from disruption. The disruption could be from a variety of sources, from cyber-attacks to system outages. This means they can continue to deliver their critical services, regardless of any disruptive or challenging circumstances.
Let’s debunk 5 pervasive myths about operational resilience that could be putting your business at risk.
Five myths about operational resilience
Myth 1: Operational resilience is the same as business continuity
Are you under the impression that a simple backup plan is enough to recover from a disruption or breach?
A disaster recovery or business continuity plan is a vital step to ensure your organisation can recover after a disruption. However, it doesn’t ensure you’re agile or adaptable going forward. Business continuity planning involves preparing for specific disruptions to ensure critical operations continue, whereas operational resilience takes a broader and more proactive approach to preparing for unforeseen events, creating a culture of resilience.
Operational resilience extends beyond business continuity by integrating proactive risk management, robust recovery capabilities, and a flexible, adaptive approach to managing people, processes, and systems.
Research from Gartner found that ‘Business continuity plans (BCPs) play a key role in resilience by focusing on recovery from individual impactful events. But they may not always address the end-to-end operations processes and dependencies that can impact operational resilience.’
Myth 2: Only large businesses need to think about operational resilience
Think your business is too small to be targeted?
Think again. While 57% of small business owners think they won’t be targeted by cyber attacks, a Verizon report identified that 43% of all data breaches in 2019 happened to small businesses. Not only this, but small and medium-sized businesses often have leaner resources and less margin for error, so if disruption strikes, a cyber-attack can become a cyber disaster. A rigorous approach to operational resilience helps protect your operations, reputation, and customer trust, no matter how small your business is.
The NCSC offers specific, easy-to-follow and easy-to-implement cyber security guidance for small businesses.
Myth 3: Resilience is IT’s problem...
Operational resilience can appear to be all about firewalls, backups, and cyber defence and monitoring tools.
Far from it.
People, processes, and organisational culture all play key roles in operational resilience. Your business is only as resilient as your least informed employee. Without integrating, training, and educating every department on operational resilience best practices, from HR to customer service, you risk leaving vulnerabilities that can be exploited during a crisis. These best practices can include how to spot and report a data breach, password best practices, and how to recognise scams.
Disasters do not respect departmental boundaries. When every part of your organisation is involved in resilience planning, you build a culture of preparedness.
While technology and financial resources are important, the human element of operational resilience (your training, culture, and clear processes) is equally critical.
Myth 4: Cookie-cutter, one-off plans will make your business resilient
You cannot just set and forget your operational resilience plan.
Operational resilience is an ongoing journey, not a final destination, because threats evolve constantly as new technologies emerge. For instance, the National Cyber Security Centre has highlighted that AI will increase the global threat of ransomware attacks in the coming years, as AI makes it easier for cyber criminals to launch precise attacks at scale. It is safe to say that a static plan quickly becomes obsolete, leaving gaps in your defence that can be exploited. Regular testing, updates, and improvements ensure your resilience strategy stays effective in the face of new risks, reducing your downtime and potential losses by keeping you ahead of the curve.
Every organisation has unique risks based on its industry, location, and operations. A cookie-cutter approach can overlook critical vulnerabilities. For instance, public sector organisations are vulnerable to ransomware attacks on the public’s data, so air-gapped, immutable backups are key here. They ensure data can be recovered even if production systems are encrypted, preventing downtime and ransom payments. Tailoring your plan means you mitigate the specific threats you face. This can mean:
- Identifying your organisation’s specific impact thresholds (the level of disruption your business and customers can take without experiencing harm)
- Considering your business setup and the risks this presents, such as unsecured personal devices and unmonitored access for remote workers
Myth 5: Regulatory guidelines are optional
Operational resilience is not just a ‘nice-to-have’.
This is especially true for highly regulated sectors such as financial services and the public sector. Non-compliance with regulations can lead to severe financial penalties, reputational damage, and can leave your business exposed to risks.
Some examples of compulsory regulations include:
FCA (PS21/3)
Financial services firms must identify critical business services, set impact tolerances, and demonstrate the ability to continue delivering these services within those tolerances during disruptions (such as cyber attacks or system outages). They must also continually test their resilience under various possible scenarios.
DORA
EU-based financial businesses and their IT service providers must implement comprehensive ICT risk management frameworks, including continuous monitoring, resilience testing, and incident reporting mechanisms.
GDPR
All businesses operating within the EU must use techniques such as pseudonymisation and encryption to protect personal data, get explicit consent to process personal data, and ensure data can be accessed, transferred, and deleted upon request.
This list is by no means exhaustive, so it’s essential to check which regulations apply to your business and ensure your compliance.
Don't wait for a crisis to test your operational resilience. For a truly robust approach to safeguarding your business and building a culture of resilience, it’s time to enlist an expert partner. Uncover your hidden recovery risks with a recovery risk report from the Celerity team and get actionable protection measures in a matter of days.