What is operational resiliency? 

A robust operational resilience framework is mandatory for the financial services sector, energy and utilities companies, telecommunications providers, critical national infrastructure, and public sector and government organisations.  

For example, operational resilience is critical to the financial sector to ensure continuity of essential services and maintain public trust and confidence. According to IBM's Cost of a Data Breach report, the average lost business cost following a data breach was $1.47 million in 2024. With a heavy reliance on real-time payment systems, any downtime in payments connectivity can be a significant threat. This downtime can harm a business’s reputation, as well as the global financial ecosystem. 

Your operational resilience framework is the strategic approach to fortifying your organisation against disruption- allowing business as usual to continue even when under a cyber-attack or in the event of a system outage. 

Key components of the operational resilience framework include: 

Identifying your minimum viable organisation 
This refers to the services that are absolutely essential to the running of your organisation and would cause the most harm internally and externally if disrupted. This is with a view to prioritising these services in your operational resilience strategy. 

Setting your impact tolerance
For each of these essential services, you then need to set the maximum tolerable level of disruption. You need to understand the threat landscape, potential risks, and timeframes required for recovery to ensure your impact tolerance is accurate and realistic. 

Understanding and testing your dependencies 
Dependencies could include your systems, teams, and third parties party providers (such as managed IT service providers)- essentially, this any service, system, individual, or organisation that you depend on to keep operations up and running.  

To mitigate potential disruptions out of your direct control, it is crucial to find the potential vulnerabilities of your dependencies (such as cash flow issues with your suppliers of cyber security risks with third party technology providers), test and evaluate these, and then create contingency plans accordingly. 

Protecting your organisation 
Protecting your organisation against your findings can look like: 

• Creating continuity plans and disaster recovery plans 

• Establishing real-time 24/7 monitoring systems 

• Fostering a workplace culture that prioritises operational resilience 

Crafting your internal and external communication plans 
Create actionable plans to communicate with stakeholders in the event of a disruption, ensuring you can act quickly to minimise your reputational damage.  

Your operational resilience framework should be frequently reviewed and updated as your organisation and the threat landscape evolve. If you already have created your operational resilience framework and are looking to enhance your approach, check out our blog on how to build operational resilience in your organisation for a deeper understanding of building an operationally resilient culture.