Professor Gianluca Pescaroli: Each organisation is unique and every consideration to be taken must consider their operational context.
The common assumption for operational resilience is the availability of technology, and there is a growing attention to cyber threats to mitigate disruptions.
However, it must be considered that those are just one of the many triggers of possible disruptions.
"The common assumption for operational resilience
is the availability of technology."
Operational resilience strategies should give more attention to understanding and assessing which invisible utilities that can be the lifeline of other core business services.
For example, the satellite infrastructure and its implications for both transactions and Information Communications Technology (ICT).
Thus, it is strongly needed to address the common vulnerabilities to their partial or total disruptions.
Gianluca: Organisations should constantly monitor and verify that they are not missing the basics, which in a fast changing operational context may be taken as assumption and become visible just in time of crises.
There are two key elements that we need to ensure consistencies across the whole groups, and they may be not rocket science:
These have now been included in the last ISO 22301:2019 and NFPA1600:19 but are often associated with add on more than being considered in their practical implications.
For example, do you have a contract for your generators, or do you have them in place, trained and with a gasoline reserve? Are the critical third-party providers doing the same?
Gianluca: I do not believe in “severe but plausible scenarios”, because this helps in a limited way to address uncertainties.
Moreover, “low probability high impact “does not mean “It won’t happen tomorrow”. In science and statistics this point is very clear, but this is often missed when translated into decision making.
I suggest, start with identification, which can be common vulnerabilities and cascading effects to different threats, assessing which could be the common paths of possible escalations that we may need to address.
"I do not believe in “severe but plausible scenarios”."
This is done for increasing the capacity to take decisions in situations of high uncertainties.
For example, think about an extreme space weather event and a targeted cyber-attack: the global navigation satellite system may be affected, and the operational implications may be very similar. This could be common to other triggers and threats.
Gianluca: The new lessons are associated with an increased relevance of cascading effects of technological failures, that can impact suppliers both directly and indirectly and must be considered for operational resilience.
For example, direct impact to suppliers may be caused by targeted cyber-attacks, or indirectly they may include the consequences of disruptions on other infrastructure sectors, such as a blackout.
The complex network system in which we are operating implies a raised value of common scenario and exercises with key suppliers, as well as defining realistic service level agreements derived from joint stress testing.
Gianluca: The case has grown for a balance between the two solutions.
The situation is still evolving and there is the need to achieve the maximum flexibility in the system that should be able to compensate and adapt depending on the scenarios that will arise in the next months.
This includes the possibility of concurrency of events, e.g. storms, flooding or extreme space weather happening during the pandemic that could strain further the resources available.
Gianluca: Change is an essential part of a dynamic organisational environment and is a constant praxis in the global networked society.
We want to maintain flexibility and resilience instead of losing it in the process.
This is possible investing in three aspects: