GRC Summit focuses on Resilience as a key enterprise capability
Content Copyright © 2024 Bloor. All Rights Reserved.
Also posted on: Bloor blogs
With great thanks to MetricStream for organizing a very informative event, this is the second blog covering a topic that featured at the recent GRC Summit gathering in London – in this case, Resilience.
You may wonder why this topic arises in the context of GRC. In the past, any threat that could be severe enough to compromise business continuity has been treated as a risk, and the necessary management of that risk would include measures to re-establish business operations. A number of GRC solution providers have developed functionality to document business continuity measures, and relate them to risk.
Although planning for business continuity at least establishes a level of preparedness, it can be judged as a ‘reactive’ approach to possible problems. Resilience goes further – seeking to be more proactive and recognizing situations in which some incident types are likely to happen (rather than merely being possibilities), or would have a severe level of impact. Data breaches are one example – it’s often quoted now (to make the point that they are so widespread) that any organization saying it has not suffered a breach incident should be the object of sympathy, because this means it doesn’t know that it actually has been breached (which is genuinely worse).
Over recent years, however, real-world incidents have illustrated the widespread and damaging effects that unexpected events can cause. Perhaps the most vivid example was the so-called ‘CrowdStrike crisis’ of July 2024, which paralyzed some industries for days and caused huge costs. There is no credible suspicion that this incident was caused maliciously, but the perpetrator of any deliberate attack might well have been satisfied with the same results and the same publicity (which affected some organizations badly). This example also illustrates how long the effects last after the initial problem has been remediated: dissatisfied customers and disrupted operations take up plenty of costly time before all is back to normal. Doubtless, we will also hear further fallout from the story when annual financial results are declared.
2024 also featured specific events from a range of geopolitical sources: multiple ongoing military conflicts with broad international consequences; possibly the worst climate disruption yet seen in some areas of the world; and several major elections causing dramatic political upheaval. All of these will have brought unplanned effects for numerous governments and organisations. It’s appropriate, then, that changes are well underway for the first major legislation that focuses on resilience – the EU Digital Operational Resilience Act (DORA). Experts at the GRC Summit estimated that most banks affected would already be 90% in compliance, because of their need to build protection mechanisms over many years – however, their belief was that the insurance sector may be far less prepared, and organizations in other sectors less so still. As with many such legislative or regulatory measures, the requirements arising from DORA will also apply to third parties providing services to organizations with direct compliance obligations, thereby extending the range of organizations affected considerably.
Tackling the issue is very far from straightforward, however. With experienced practitioners from well-known organizations made available for questions, and with first-stage practicalities in mind, I asked: ‘who is typically the business owner of resilience?’ No simple or general answer was given, but there was consensus that organizations find it difficult to devolve this to any level below COO. The explanation given was that a common problem is planning for the loss and recovery of a single ‘platform’ or service whose failure causes disruption across multiple business units and revenue streams. Further examples of high-complexity scenarios requiring detailed planning included: having to recover services from ‘bare metal’; loss of the Active Directory service; and loss of IP telephony. With these situations in mind, a key piece of advice for planning is to involve a broad enough range of business users as contributors, and to have them also participate in testing and ongoing development of the eventual procedures. In particular, corporate communications should not be forgotten; they have the means to reach out to affected users, and to manage the ‘message’ during and after ongoing disruption in order to maintain customer and other stakeholder relationships.
With the thought that you cannot manage what you don’t measure, I also questioned what metrics indicate the organization’s degree of success in gaining resilience. I was happy with the answer from one panel member, that the appropriate objective is: ‘availability, to meet agreed/forecast demand’.
For the ever-growing GRC solutions sector, supporting resilience requirements is another area with promise for further market development. With all the complexity arising from organizations’ own business structures and operations – and reflecting back into those – I would expect services partners to be sharpening their credentials and honing ‘best practice models’ for their bids to provide assistance with enterprise challenges. All this may well see a high profile for the topic of resilience at next year’s GRC Summit event in London, to be held on June 10–12.