. .

Operational Risk Management: The Foundation of Operational Resilience
BB OR [D] 6

[OR] [Pillar] [E1] [C4] Interdependency Between Operational Risk Management and Operational Resilience

Operational resilience has emerged as a critical capability for organisations operating in an increasingly volatile, uncertain, complex, and ambiguous (VUCA) environment.

While resilience focuses on the organisation’s ability to withstand, adapt to, and recover from disruptions, this capability does not exist in isolation. It is built upon a foundation of well-established risk management disciplines.

At the core of this foundation lies Operational Risk Management (ORM)—a structured and systematic approach to identifying, assessing, managing, and monitoring risks arising from internal processes, people, systems, and external events.

Understanding the role of ORM within operational resilience is essential, as it provides the risk intelligence and control environment necessary to support resilience outcomes.

[OR] [Pillar] [E1] Operational Risk Management

Moh Heng Goh
Operational Resilience Certified Planner-Specialist-Expert

New call-to-action

eBook 1: Chapter 4

The Interdependency Between Operational Risk Management and Operational Resilience

[OR] [Pillar] [E1] Operational Risk Management

Introduction

Operational Risk Management (ORM) and Operational Resilience (OR) are often discussed as separate disciplines within an organisation. However, in practice, they are deeply interconnected and mutually reinforcing.

While ORM focuses on identifying, assessing, and mitigating risks, operational resilience ensures that the organisation can continue to deliver its critical business services even when those risks materialise.

This chapter explores the interdependency between ORM and operational resilience, demonstrating how both disciplines must work together to create a robust and sustainable operating environment.

 

Understanding the Relationship

The relationship between ORM and operational resilience can be summarised as follows:

  • Operational Risk Management reduces the likelihood of disruption
  • Operational Resilience reduces the impact of disruption

These two disciplines address different aspects of uncertainty:

  • ORM is preventative and control-focused
  • OR is adaptive and recovery-focused

Despite these differences, they are not independent. Instead, operational resilience depends on the outputs of ORM, while ORM gains context and direction from resilience objectives.

 

ORM as an Input to Operational Resilience

Operational resilience relies heavily on the outputs generated by ORM processes. These include:

Risk Identification

ORM identifies potential sources of disruption, including:

  • Process failures
  • Human errors
  • System outages
  • External threats

These identified risks form the basis for resilience planning.

Risk Assessment

ORM evaluates the likelihood and impact of risks, enabling organisations to:

  • Prioritise high-risk areas
  • Allocate resources effectively
  • Focus resilience efforts on critical exposures
Control Effectiveness

ORM assesses the strength of controls, helping organisations understand:

  • Where controls are robust
  • Where gaps or weaknesses exist

This informs the design of resilience strategies, particularly in areas where controls may fail.

Incident Data and Lessons Learned

ORM frameworks capture and analyse incidents and near misses, providing:

  • Insights into past failures
  • Trends in operational risk
  • Opportunities for improvement

These insights are essential for developing realistic and effective resilience scenarios.

Operational Resilience Enhancing ORM

The interdependency is not one-directional. Operational resilience also strengthens ORM by expanding its perspective.

Focus on End-to-End Services

ORM traditionally focuses on risks within processes or functions. Operational resilience introduces a broader view by:

  • Focusing on end-to-end critical business services
  • Considering cross-functional dependencies
  • Highlighting systemic risks

This encourages ORM to adopt a more holistic approach.

Emphasis on Impact Tolerance

Operational resilience requires organisations to define impact tolerances—the maximum level of disruption they can tolerate.

This concept enhances ORM by:

  • Linking risk assessments to business outcomes
  • Encouraging quantification of impact
  • Aligning risk appetite with operational capabilities
Scenario-Based Thinking

Operational resilience emphasises severe but plausible scenarios, which:

  • Challenge existing assumptions about risk
  • Expose hidden vulnerabilities
  • Test the effectiveness of controls

This strengthens ORM by introducing more forward-looking and stress-based analysis.

 

A Complementary Relationship

ORM and operational resilience are best understood as complementary disciplines that address different but related objectives.

 

Dimension

Operational Risk Management

Operational Resilience

Primary Objective

Reduce risk occurrence

Ensure continuity of services

Focus

Risks, controls, and processes

Services, outcomes, and impact

Approach

Preventative

Adaptive and responsive

Time Horizon

Pre-event

During and post-event

Key Question

What can go wrong?

What happens if it does?

 

This complementary relationship ensures that organisations are both:

  • Risk-aware (through ORM)
  • Disruption-ready (through operational resilience)

 

Integration Across the Organisation

For ORM and operational resilience to be effective, they must be integrated rather than siloed.

Key areas of integration include:

Governance
  • Shared oversight at the board and senior management levels
  • Alignment of risk appetite and resilience objectives
  • Integrated policies and frameworks
Processes and Methodologies
  • Alignment between risk assessments and resilience planning
  • Integration of RCSA with resilience mapping
  • Use of common data sources and metrics
Data and Reporting
  • Shared risk and resilience dashboards
  • Integrated reporting on risk exposure and resilience performance
  • Consistent use of indicators (e.g., KRIs and resilience metrics)
Culture and Awareness
  • Promoting a culture of both risk management and resilience
  • Training staff to understand both disciplines
  • Encouraging proactive identification and escalation of risks

 

The Lifecycle of Interdependency

The interdependency between ORM and operational resilience can also be viewed as a continuous lifecycle:

  • Risk Identification (ORM)
    Identify potential threats and vulnerabilities
  • Risk Assessment (ORM)
    Evaluate likelihood and impact
  • Control Implementation (ORM)
    Mitigate and manage risks
  • Resilience Planning (OR)
    Prepare for disruption scenarios
  • Response and Recovery (OR)
    Maintain service continuity during disruption

  • Review and Improvement (ORM & OR)
    Learn from incidents and refine both frameworks

This lifecycle demonstrates that ORM and operational resilience are not sequential but iterative and interdependent processes.

 

Risks of Treating ORM and OR Separately

Organisations that treat ORM and operational resilience as separate or disconnected functions may face several challenges:

  • Duplication of effort and resources
  • Inconsistent risk and resilience assessments
  • Gaps in coverage of critical services
  • Ineffective response to disruptions
  • Misalignment between risk appetite and resilience capability

Such fragmentation can weaken both disciplines and leave the organisation exposed to unforeseen risks.

 

Key Takeaways

The interdependency between ORM and operational resilience can be summarised as follows:

  • Mutual Reinforcement
    ORM informs resilience, while resilience enhances ORM
  • Complementary Objectives
    ORM reduces likelihood; resilience reduces impact
  • Shared Inputs and Outputs
    Both disciplines rely on common data, assessments, and insights
  • Need for Integration
    Effective implementation requires alignment across governance, processes, and culture
  • Continuous Lifecycle
    ORM and operational resilience operate in an ongoing, iterative cycle

 

New call-to-action

Operational Risk Management and Operational Resilience are not standalone capabilities—they are interdependent elements of a unified approach to managing uncertainty.

ORM provides the structured framework for understanding and managing risks, while operational resilience ensures that organisations can continue to function even when those risks materialise.

Together, they enable organisations to move beyond simply avoiding failure to withstanding and thriving in the face of disruption.

True resilience is achieved not by eliminating risk, but by integrating risk management with the capability to endure and recover from disruption

 

More Information About OR-5000 [OR-5] or OR-300 [OR-3]

To learn more about the course and schedule, click the buttons below for the OR-300 Operational Resilience Implementer course and the OR-5000 Operational Resilience Expert Implementer course.

BL-OR-3 Register Now BL-OR-3_Tell Me More BL-OR-3_View Schedule
BL-OR-5_Register Now BL-OR-5_Tell Me More [BL-OR] [3-4-5] View Schedule
[BL-OR] [3] FAQ OR-300

If you have any questions, click to contact us.Email to Sales Team [BCM Institute]

 FAQ BL-OR-5 OR-5000
OR Implementer Landing Page

New call-to-action

 New call-to-action

 

Comments:

 
CTA Banner_OR
CTA Banner_ORA
CTA Banner_BCM
CTA Banner_ITDR
CTA Banner_CM
BCMIWhiteLogoSmall.png
All rights reserved. Copyright 2026