Resilience event playbook

Today’s complex and technologically dependent operating environment, combined with geopolitical uncertainty and environmental and climate changes, is creating new challenges for organisations. As a result, they are likely to face resilience events more frequently than ever before.

Although each resilience event may require a tailored response, a robust resilience framework enables organisations to respond swiftly and effectively, with clearly defined stakeholder roles and responsibilities.

The following playbook demonstrates how each component of the resilience framework can be applied in practice to restore normal operations with minimal disruption.

Event identification

Just as a resilience event can take many forms, there are also multiple ways it might come to the organisation’s attention. For example:

Self-identification:

Employees may report incidents which arise due to human error.

Automated controls and system monitoring:

System controls and monitoring tools can detect anomalies, unauthorised access or unusual activity, alerting the organisation to potential resilience events.

Third-party notification:

Service providers should promptly inform the organisation of any disruptions, expected impacts, and provide regular updates on remediation progress.

News and media reports:

External events affecting multiple organisations may first be reported by reputable news outlets.

Malicious actor communications:

In cases of cyber or ransomware attacks, direct contact from threat actors may reveal the breach.

Regardless of how the resilience event is identified, the resilience framework should clearly detail the organisation’s expectations around first response, including who should be immediately contacted within the organisation.


Responding to the resilience event

When a resilience event occurs, the organisation’s response will likely depend on a number of factors, including but not limited to the cause and severity of the resilience event, the criticality of business services and functions impacted and the expected financial, regulatory and legal impact to the organisation and its end-users.

Organisations must be ready to mobilise internal teams and collaborate with external stakeholders to maintain critical services, resolve the issue, and meet regulatory obligations. This typically involves activating multiple coordinated workstreams, each focused on a specific impact area.

The key workstreams that an organisation may activate when responding to a resilience event are outlined below:

Business continuity

PURPOSE

To identify and deploy the relevant business continuity plan(s) to help ensure the organisation can continue to deliver critical services to end-users in the short-term.

KEY RESPONSIBILITIES

  • Identify, by reference to the organisation’s business service inventory, which business services and functions depend on the impacted network, system, process, person or location and are therefore likely to be affected
  • Deploy the relevant business continuity plan(s) for each impacted business service or function; each plan should detail the most appropriate alternative arrangements and workarounds for the affected process, system, location, etc.

KEY DOCUMENTS

  • Business service inventory
  • Business continuity plans
  • Business continuity call tree

TEAMS AND PERSONNEL

  • Business continuity plan coordinator(s)
  • All operational teams

Crisis management

PURPOSE

To provide overarching leadership and guidance to the organisation and senior management during a resilience event.

KEY RESPONSIBILITIES

  • Oversee and support the simultaneous implementation of the relevant business continuity plans by the organisation
  • Continue to monitor for other impacted business services or functions which were not previously identified

KEY DOCUMENTS

  • Business service inventory
  • Business continuity plans
  • Crisis communication plan

TEAMS AND PERSONNEL

  • Executive management
  • Business continuity plan coordinator(s)
  • Marketing & PR
  • Legal, risk & compliance functions

Issue resolution

PURPOSE

Identify the root cause of the resilience event and resolve the issue at source.

KEY RESPONSIBILITIES

  • Deploy the relevant response and recovery plans to resolve the issue impacting the affected network, system, process, person or location and restore normal service delivery
  • Provide regular updates to the senior leadership team and crisis management function on the status of the issue resolution
  • Provide required information to the team charged with co-ordinating regulatory reporting and notifications

KEY DOCUMENTS

  • Response and recovery plans
  • Crisis communication plan

TEAMS AND PERSONNEL

  • All operational teams
  • Technology
  • Third-party service provider(s)

Third-party management

PURPOSE

Oversee the effective and timely resolution of a resilience event which has originated at a third-party service provider.

KEY RESPONSIBILITIES

  • Act as the primary contact between the organisation and the third-party service provider
  • Manage the ongoing relationship with the third-party service provider
  • Where the incident has occurred at a third-party service provider, review the assessment of whether the service should be reintegrated or substituted
  • Consider whether invocation of the exit plan may be required
  • Once the issue is resolved, consider conducting an ad-hoc due diligence engagement of the impacted service provider

KEY DOCUMENTS

  • Contracts & service level agreements
  • Third-party service provider exit strategy & plans

TEAMS AND PERSONNEL

  • Relationship managers

Crisis communication

PURPOSE

Deploy the relevant crisis communication plan to ensure that impacted stakeholders and the board of the organisation are aware of the issue and the steps being taken to resolve it.

KEY RESPONSIBILITIES

  • Maintain clearly defined and effective communication channels between the key employees involved in responding to the incident, key external service providers and management
  • Provide periodic updates to the board
  • Liaise with insurance providers

KEY DOCUMENTS

  • Crisis communication plan
  • Business continuity call tree

TEAMS AND PERSONNEL

  • Executive management
  • Crisis communication
  • Compliance
  • Legal

Regulatory reporting

PURPOSE

Ensure that the required information regarding the resilience event is collated and submitted to the relevant regulatory bodies within the prescribed timeframes.

KEY RESPONSIBILITIES

  • Identify which specific regulatory reporting requirements are triggered by the resilience event
  • Collate the necessary information to compile and complete the regulatory reporting
  • Manage ongoing communications with the regulators, including tracking and responding to any queries raised

TEAMS AND PERSONNEL

  • Compliance
  • Legal

Reporting a resilience event

Depending on the nature and significance of the resilience event, organisations may be required to promptly notify regulators such as the Central Bank, European Central Bank, Data Protection Commissioners, or other relevant authorities. These requirements should be clearly mapped within the resilience event playbook.


Learning from the resilience event

Organisations are required to maintain a documented record of what was happening before, during, and after the disruption. Such documentation should capture the key decisions, inflection points and actions taken throughout the event, whilst recognising the information and facts that were available to the organisation at the time.

The information captured will inform the "lessons learned" exercise, and allow the organisation to better understand how the incident occurred, how it could have been avoided and how the organisation may respond more effectively if it does recur.

Remediation actions should be logged and tracked by executive management and the Board to ensure continuous improvement of the organisation’s resilience posture. If the event originated with a key service provider or within the supply chain, it may be appropriate to review and update contractual arrangements or service level agreements as needed to strengthen controls and safeguards, or consider alternative providers.

Each resilience event should prompt a review of relevant policy documents, such as business continuity and incident response plans, to determine if updates or adjustments are necessary.

Have you considered?

1. Employee Engagement

It is critical to the effective design and deployment of the organisation’s resilience framework that those employees who will be responsible for leading and managing the organisation through a resilience event have hands-on involvement in testing and refining the business continuity, disaster recovery and response plans which they will be expected to follow. By leveraging the knowledge and insights of those closest to each business service, the organisation is more likely to benefit from:

  • Plans which are fully understood, embedded and thoroughly tested
  • Well thought through and feasible alternative solutions and workarounds
  • The full support and engagement of employees, who are more likely to take ownership of and accountability for procedures they have helped create

2. Intragroup Complexities

For those organisations who operate within a group structure, there may be some additional complexities to consider in the wake of a resilience event. For example:

  • Specific entities may serve as centres of excellence for certain business services or functions, providing these services to other subsidiaries and affiliates. Subsidiaries often rely on group-level network and technology infrastructure, meaning a resilience event can simultaneously impact both outsourced services received and those provided within the group.
  • While the local organisation should have autonomy in its outsourcing decisions and ensure thorough oversight and due diligence of all outsourced arrangements, these arrangements are often subject to centralised processes and controls (e.g. a centralised function that co-ordinates and completes certain oversight and due diligence engagements with external third-party service providers). It is therefore important for the local organisation to ensure that it has appropriate influence and control over the design and performance of such centralised processes and controls, particularly where a resilience event at a specific provider could affect it more severely than other entities within the group.
  • Many organisations utilise software and other technology-based operating platforms which are developed and licensed by an affiliated entity. Licenses to use these technologies may also be sold to third parties outside the group as a means of generating new and diversified revenue streams. Should a resilience event occur which disrupts the provision of these technologies, the organisation should ensure that the restoration of services to external clients is not unduly prioritised to the detriment of the group entities.

Arthur Cox Resilience series
