Key Takeaways Operational Resilience
- Anthony Peccia
- Oct 17, 2024
- 1 min read
In 2013, lighting struck an office building in Mount Pleasant, South Carolina, causing a fire to break out. The offices were home to Cantey Technology, an IT company that hosts servers for more than 200 clients, including Bank ABC.
The fire torched Cantey’s network infrastructure, melting cables and burning its computer hardware. The equipment was destroyed beyond repair and the office was unusable. But Cantey’s clients never knew the difference, because of Cantey’s robust BCM.
The CEO of your bank calls the CRO and says: “They never knew the difference! that is impressive. Would our clients know the difference if our servers were destroyed?”
In turn, the CRO asks you to review the bank’s COB and report back if it needs any enhancements.
The shift towards the SMA strikes a good balance between regulatory requirements and risk sensitivity. Could the Bank enhance this by adding a flexible buffer that adjusts with emerging risks like cybersecurity? This might provide an edge in managing operational risk.
In addition, I think comparable analysis is also important. When the company is unsure about their current level of risk controlling effectiveness. They could compare the system with the comparable companies that work in the similar industries to see if they outperform the benmark.
Are all critical third-party suppliers involved in our COB planning, and how often are their business continuity plans tested? What contingency measures are in place if a third-party supplier experiences a disruption?
I think the question of will our client ever notice the server was broken really depends on how fast the recovery process take to maintain the similar functionality. It also depends on how many users are affected or what part of the geographical regions are affected. In addition, it is also important to periodically check if the current control of risks works and to do some scenarios tests since scenarios could be different and the resulting risks are different. The prepared team should have the ability to handle the risks in different situations
To make our client "never know the difference", we should ask whether we have sufficient redundancy and geographic distribution to ensure minimal disruption in case our primary servers are destroyed. Additionally, how frequently should we test our disaster recovery plans to ensure they can handle real-world scenarios like fires or cyberattacks, and what improvements can be made to our current COB plan? For our bank, it raises the important question of whether our current Continuity of Business (COB) plan can deliver the same level of resilience. How can we further strengthen our disaster recovery systems to ensure minimal client impact in case of server failure, and what role should frequent stress tests play in identifying weaknesses?