Operational Resilience is the focus, capability, and capacity to rapidly recover from (operational) risk events by having the necessary resources and well-prepared recovery plans ready in advance.
See lesson 5 Operational Resilience readings for additional information
Under critical activities, there is 'Third Party,' and under recovery plans, there is 'Communication.' I have a question about this. Where would communication with third parties fall within this MECE framework? Does 'communication' here refer specifically to internal communication? Also, I wanted to confirm that 'third parties' refer to companies that assist in resolving issues and keeping the business operational—for example, a database company in case files go missing or a hardware company if computers go down.
I have a question after finishing the cases related to each component of the RMF: Is a gap analysis mandatory for each of the ECRG? In addition, when I was discussing the class content with my groupmates, we still feel a bit confused about the timeline for each component. For example, is exposure considered the risk that the company should be careful with and try to avoid, while control refers to the process of managing the exposure to prevent the risk from occurring? Resilience, as mentioned above, is the recovery process from a risk event to mitigate the negative effects, while governance is more of a macro-level oversight to identify potential improvements in the overall regulatory activities. I want to…
Exposure is identifying and assessing the risk (i.e. the potential to experience a financial or reputational loss in the future), C is the controls you put in place to keep the residual risk within your risk appetite, R is the capability to quickly recover from loss events, and G is the structure that enables the organization to effectively and efficiently carry out the E, C and R and meet regulatory requirements.
How can the MECE framework be applied to categorize recovery objectives, recovery plans, and critical activities to ensure no overlap and full coverage of potential operational disruptions? A MECE-structured approach supports continuous improvement, enabling the integration of evolving internal and third-party risks into resilience planning.
In the resilience section, we first identify critical activities, which are divided into internal and third-party categories. If the critical activities are third-party-dependent, what should be done in this case? Does the company still have any say or control over this?
After the Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) have been identified and aligned with business objectives and regulatory requirements, how frequently should the organization conduct simulations or stress tests to evaluate the effectiveness of the recovery plan and these objectives?