
ORM as the Foundation of Resilience

Written by Moh Heng Goh | Apr 17, 2026 5:34:51 AM

eBook 1: Chapter 3

Operational Risk Management as the Foundation of Resilience

Introduction

Operational resilience is often described as an organisation’s ability to anticipate, withstand, respond to, and recover from disruptions while continuing to deliver its critical business services.

While this capability is the ultimate objective, it is built upon a more fundamental discipline—Operational Risk Management (ORM).

ORM serves as the foundation upon which operational resilience is constructed. Without a clear understanding of risks, vulnerabilities, and the effectiveness of controls, any attempt to build resilience would be incomplete and potentially ineffective.

This chapter explores how ORM underpins operational resilience by providing the structure, insights, and mechanisms required to manage uncertainty and support continuity.

 

The Foundational Nature of ORM

At its core, ORM is concerned with understanding and managing risk. It enables organisations to systematically:

  • Identify operational risks across all business activities
  • Assess the likelihood and impact of these risks
  • Implement controls to mitigate or manage risk exposure
  • Monitor and report on risk levels over time

These activities form the baseline capabilities required before resilience measures can be effectively designed.

Operational resilience builds on this foundation by asking:

  • What happens if controls fail?
  • What if risks materialise despite mitigation?
  • How can the organisation continue to operate under adverse conditions?

Thus, ORM provides the first line of defence, while operational resilience provides the second line of assurance.

 

From Risk Awareness to Resilience Capability

The transition from ORM to operational resilience can be understood as a progression:

  • Risk Awareness (ORM)
    Understanding what can go wrong
  • Risk Management (ORM)
    Implementing controls to reduce risk
  • Resilience Planning (OR)
    Preparing for scenarios where risks materialise
  • Resilience Execution (OR)
    Responding to and recovering from disruptions

Without the first two stages—both driven by ORM—resilience planning lacks a solid basis. Organisations would be attempting to prepare for disruptions without knowing where their vulnerabilities lie.

 

ORM and the Identification of Vulnerabilities

A key contribution of ORM is the identification of operational vulnerabilities. These vulnerabilities may arise from:

  • Inefficient or poorly designed processes
  • Human error or insufficient training
  • Technology failures or system limitations
  • External dependencies, such as third-party providers

Through tools such as:

  • Risk and Control Self-Assessments (RCSA)
  • Process risk mapping
  • Incident analysis
  • Key Risk Indicators (KRIs)

ORM enables organisations to pinpoint areas where disruptions are most likely to occur.

These identified vulnerabilities serve as the starting point for resilience planning, guiding efforts to strengthen weak points and prepare contingency plans.

 

ORM as the Basis for Control Effectiveness

Operational resilience depends heavily on the effectiveness of controls. However, controls do not exist in isolation—they are designed, implemented, and monitored through ORM.

ORM ensures that:

  • Controls are aligned with identified risks
  • Control gaps are identified and addressed
  • Control performance is regularly assessed
  • Improvements are continuously implemented

When controls are strong and effective, the likelihood of disruption is significantly reduced. When controls fail, ORM provides the mechanisms to detect and respond to these failures early.

This dual role reinforces ORM as the foundation of both prevention and early detection, which are critical elements of resilience.

 

Supporting the Identification of Critical Business Services

One of the central concepts in operational resilience is the identification of Critical Business Services (CBS)—those services whose disruption would have unacceptable consequences.

ORM supports this process by:

  • Assessing the impact of risks on different business services
  • Identifying services with high operational risk exposure
  • Highlighting dependencies and concentration risks

By linking risk assessments to business services, ORM helps organisations determine:

  • Which services are most critical
  • Where resilience efforts should be prioritised
  • What level of disruption is acceptable

This ensures that resilience strategies are risk-informed and business-focused.

 

ORM and Scenario-Based Thinking

Operational resilience relies heavily on scenario analysis, particularly the assessment of “severe but plausible” events.

ORM contributes to this by:

  • Providing historical incident data
  • Identifying emerging risks and trends
  • Highlighting potential failure points

These inputs enable organisations to develop realistic scenarios, such as:

  • System outages
  • Cyberattacks
  • Third-party failures
  • Operational process breakdowns

Without ORM, scenario analysis would lack depth and relevance, reducing its effectiveness as a resilience tool.

 

Continuous Monitoring as a Foundation for Adaptability

Resilience is not a static capability—it requires continuous adaptation to changing conditions. ORM supports this through ongoing monitoring and reporting, including:

  • Tracking Key Risk Indicators (KRIs)
  • Monitoring control effectiveness
  • Analysing incidents and near misses
  • Identifying emerging risks

This continuous feedback loop ensures that organisations can:

  • Detect early warning signs of potential disruptions
  • Adjust controls and mitigation strategies
  • Update resilience plans as needed

In this way, ORM provides the dynamic foundation that allows operational resilience to evolve over time.

 

The Consequences of Weak ORM

The importance of ORM as a foundation becomes most evident when it is absent or ineffective. Weak ORM can lead to:

  • Poor visibility of risks and vulnerabilities
  • Inadequate or misaligned controls
  • Failure to identify critical business services
  • Ineffective or unrealistic resilience planning

In such cases, organisations may believe they are resilient, but in reality, they are unprepared for disruptions.

This highlights a critical principle:

Resilience cannot compensate for poor risk management—it depends on it.

 

Key Takeaways

The role of ORM as the foundation of operational resilience can be summarised as follows:

  • Provides Risk Visibility
    Identifies risks, vulnerabilities, and dependencies across the organisation
  • Enables Control Effectiveness
    Ensures that appropriate controls are in place and functioning
  • Supports Critical Service Identification
    Links risk exposure to business services
  • Informs Scenario Planning
    Provides data and insights for realistic disruption scenarios
  • Drives Continuous Improvement
    Enables ongoing monitoring and adaptation

 


Operational Risk Management is the cornerstone of operational resilience. It provides the essential building blocks—risk identification, assessment, control, and monitoring—that enable organisations to understand their exposure to disruption.

Operational resilience, in turn, builds upon this foundation to ensure that, even when risks materialise, the organisation can continue to deliver its critical business services.

In essence:

Operational Risk Management lays the groundwork for resilience by reducing uncertainty, while operational resilience builds on that groundwork to ensure continuity under uncertainty.

A strong ORM framework is therefore not optional—it is a prerequisite for achieving true operational resilience.

 
