It’s pretty exhausting running a smaller business in the face of increasing compliance responsibilities. Latest is we have been asked to prepare a document detailing our approach to operational resilience. Once completed it will sit alongside the 33 other policy and process documents we have created, many of which are intended to demonstrate our capabilities to cope with crisis. So it shouldn’t be a surprise that this latest document requires us to consider how we apply these 33 other policies – from Modern Slavery to Data retention and destruction to Anti-bribery – to ensure we are equipped to operate through a storm or two.
But I got to thinking, just what is operational resilience? Is it your ability to withstand adversity – more risk prevention – or is it your ability to recover from adversity, which is more about risk management? Seems to me that it is both but that the experience gained from recovering from an adverse event gives you a much greater ability to withstand a similar event in future.
But that is part of the problem with an inelastic policy on operational resilience. Yes, you may be better equipped to deal with an issue if you have lived through it before, but most impactful issues – by their very nature – are new ones we were not anticipating. They come outside our experience and often outside any framework for response. So what guides us in those scenarios?
We don’t have to look very far back for instruction. When Covid hit, it was disruption on an unforeseen scale. For some companies like us it was a cataclysmic event – our clients would be hard hit and our revenue would be reduced in line with their reduction in activity. At the same time we had to move quickly to everyone working from home – a massive challenge. To inform our response, what did we do? Well, we didn’t dig out our BCP, or find a manual or policy that would steer us. We had to think about our values and our service commitments to our clients. And we had to look after our people. It meant changing the way we worked and connected. None of this was in a manual. It was all new.
I am not saying that it isn’t good to plan. We wouldn’t have 33 other policies if that was the case. Making sure you have the best possible foundation to prevent and respond to adversity is super important. But your response to crisis can define you as a company, and often the best approach is to stay true to your values. Just look at how Dreamworld botched their response to their ride disaster, and contrast with how Johnson and Johnson famously led with a human and honest response to their Tylenol disaster. I am betting J and J looked to their values and their customers’ interests as the signpost for their response.
Interestingly, when people ask us about our business, and look at our capabilities, they usually want to know all about our process stuff – sanction checking, our conflicts of interest, complaints register, etc. They don’t ask about our strategy, purpose and values. Yet examples of that in action, more than anything, will say a lot about a company and its ability to deal with and withstand a disaster, which to me is what operational resilience is all about. If that is policy 35, I will be happy to do that.