The key in "Lesson Learnt" is for an organisation to promote a culture of continuous learning and improving from scenario testing and actual incidents.
It is essential to improve and communicate remediation and vulnerabilities after scenario testing.
Lesson Learnt in Operational Resilienceby an organisation before and after an operational disruption should include the following:
After implementing the OR program, an organisation can still find itself in a situation where an important or critical business service can still experience a disruption or outage. This can be due to an unpredictable "black swan" event, such as the COVID-19 pandemic, unidentified interdependencies, or "black spots" within the organisation.
These may be some good documentation to refer to in your organisation:
In addition to the learning as previously described, the business landscape will constantly shift, moving the threats and challenges, and impact tolerances need to be set each year; hence, there is a need to learn and ensure that operational resilience is continually improved continuously. This includes defining the current and desired positions, and steps should be identified to close the gap between the two.
Improving and communicating lessons learned is critical for continuously enhancing operational resilience and fostering a learning culture.
The following steps should be taken:
Consolidate and analyze the lessons from scenario testing, real disruptions, and post-incident reviews. Identify common themes, recurring issues, and systemic vulnerabilities.
Based on the analysis, develop action plans to address the identified areas for improvement. Prioritize actions and assign responsibilities to ensure accountability for implementing the necessary changes.
Execute the action plans and implement the recommended improvements. This may involve updating policies, procedures, technologies, training programs, or incident response plans.
Share the lessons learned and implemented improvements with relevant stakeholders. This includes internal teams, management, and external partners. Communicate the actions taken to address vulnerabilities and enhance operational resilience.
Establish mechanisms for ongoing monitoring, evaluation, and enhancement of operational resilience. Foster a culture of continuous improvement by encouraging feedback, conducting regular reviews, and incorporating best practices.
Definition | Explanation | Definition | ||
Important Business Service |
Define important or critical business services at the correct level of scope is critical. The challenge is not to be both too granular or not granular, which will result in excessive work if it requires a detailed drill down and too high level, which results in not being able to manage the OR gaps. |
|||
Internal and Underpinning Services are NOT Business Services |
Differentiate business services into one of three categories: a business service, an internal service, or an underpinning service. Internal service and underpinning services are NOT business services. |
|||
Levels of Harm |
Defining levels of harm, especially "intolerable harm", is crucial to supporting the identification of Important Business Services. The challenge is that what constitutes intolerable harm and the potential consequences of a disruption to individual stakeholders and customers are not apparent. |
|||
Time Criticality |
When looking at "intolerable harm" caused to the customers and stakeholders by the disruptive event, time criticality is often the most significant indicator. The long-term nature of fulfilling the committed obligation to deliver products and services is one of the most crucial considerations. |
|||
Scenario Testing: Business Continuity Vs Operational Resilience |
Scenario testing as part of business continuity and disaster recovery often focuses on short-term disruptions posed by technology failures or the unavailability of people, processes and infrastructure. For operational resilience, scenario testing builds and demonstrates an organisation's capacity to anticipate, prepare for, respond to, and adapt to incremental changes and sudden shocks (external disruptive events) in its operating environment. |
|
||
Internal and External Communications |
The ability to communicate effectively is paramount during disruptive events. Built robust internal and external communication strategies to allow organisations to act quickly and effectively to reduce potential harm. |
|
||
Identify Important Business Services | Map Processes and Resources |
Set Impact Tolerance |
Conduct Scenario Testing | Improve Lesson Learnt | |
To learn more about the course and schedule, click the buttons below for the OR-3 Blended Learning OR-300 Operational Resilience Implementer course and the OR-5 Blended Learning OR-5000 Operational Resilience Expert Implementer course.