Transcript for:
Operational Resilience Seminar

Okay, we have people coming in. We're just going to wait, uh, one more minute to let people, um, enter the room, and then we'll be able to start. Okay, just a bit more. Yeah, we still have people coming in, so I'm just going to wait a little more. Um, okay, well, I'm just going to start.

So hello everyone, um, thank you so much for joining this session. My name is Mario. I'm a business continuity consultant and organizational resilience for Premier Continuum, uh, and as I mentioned, thank you so much for joining this session today, and thank you to the BCI for supporting us and hosting this, uh, this event. Um, and it is even more special for us here at Premier Continuum because this webinar is really launching our Insight Series, where we just share tips and tools to other professionals. So, um, here the purpose, it's really to give, uh, actionable insights to other professional, uh, resilience professionals, uh, because we really want to create, um, an opportunity for resilience professionals to, well, just exchange, share experiences and lessons learned, um, based on what they're doing inside of their own organization. Um, the goal is also to generate ideas, whether it's from our presentation or even through the chat, um, conversation that you might have, and I highly encourage you to do so, uh, to leverage the chat as a tool. Um, and finally, we want to offer concrete solutions, so we want to, um, uh, push them ourselves from the theory here, um, and which is why we really decided to start this with operational resilience, as it's still an evolving, um, subject, if I can correct like that.

So, uh, well, I would be remiss if I didn't introduce and present Premier Continuum. So, um, we're an organization with more than 25 years of, um, experience in the field. We have three lines of services, so that would be the automation with the software ParaSolution, uh, but we are also certified trainers with the Business Continuity Institute as well as ICOR, um, and finally we're a consulting firm, so we assist clients with various types of
mandates ranging from certification to ISO 22301, uh, to implementing a BCMS, facilitating, uh, tabletop, um, exercises.

So really just a little bit about myself here. So, as I mentioned, I'm a business continuity and organizational resilience consultant. Um, I assist organizations mostly in North America, so public and private organizations, uh, to develop and implement, uh, resilience programs, whether it's ITDR or BCMS, for example. Uh, and today I really also have the immense pleasure of having as a guest, uh, Marie-Hélène Primeau, who's our Executive Vice President here, um, at Premier Continuum. She's been a business and resilience expert for more than 20 years now, and she's also a BCI instructor as well as the former, uh, president of the BCI Canada, and Marie-Hélène also won the Consultant of the Year award with the BCI Americas Awards, um, this past edition. So thank you, Marie-Hélène, for joining.

Thank you, and looking forward to this session. And please, you know, we, it's also Marian's going to be presenting some elements, but please also share. We have a, there's a Q&A that you can put your questions in, as well as the chat. Uh, regarding the chat, please make sure that you're actually selecting "everyone", so if everyone can see their comment. But we'll have some time at the end to also, uh, look at your questions. Thank you.

So, um, throughout this session we'll really focus on operational resilience, um, and, like I mentioned earlier, it's really in its practical application, and those practical examples we're using are really based on the key challenges we've identified, uh, we've met with our clients, and this is really the ones that are really coming up the most frequently. And of course we can't, well, introduce, uh, and identify challenges without providing strategies and tips on how to, um, overcome them.

So, like, um, many of you, I'm sure, I've read the latest report from the Business Continuity Institute, uh, regarding operational resilience, so the latest one in 2024. Um, and there was this statement from one person that was interviewed, and the statement was, um,
"operational resilience is an outcome and is the umbrella that sits across good business continuity, good operational risk management, good supplier management, good cyber strategy, and making sure that all your technology is up to date and works as, um, expected." Um, and here we really try to illustrate this with the picture that you see here, so this kind of umbrella, um, that would encompass, um, everything. Um, and this is really, as I mentioned, this statement is really the driver for the presentation, because the definition, if it can be called like that, um, really doesn't specifically target one regulation or one, uh, regulation or one law, for example. It definitely encompasses multiple, and it's more about some practices, some business practices. Um, and it's also a good way to differentiate between operational resilience, um, and business continuity, because there's usually, um, difficulties here understanding the difference between the two.

So, um, when I, um, talk about regulation, and here regulation, guidelines, approach, rules, etc., for some organizations it might mean this, so they have to follow the Digital Operational Resilience Act, so they are in Europe, but for others sometimes it can look like this. Um, and of course I'm exaggerating here, uh, but if you look at the latest data from the report that I mentioned, well, we can say that 66.2% of organizations, um, that are interviewed said that they need to comply up to five regulations, and for others it can be more than five, so 18.4% would be more than five, which can be really, really hard. Um, and as it's still, um, uncharted territories, if I could say like this, um, questions about the look of this pist really makes sense and definitely, uh, emerges.

So, just move this here. So, um, when we talk about, uh, operational resilience, of course for some, um, it's mandatory, so here we're looking at, uh, financial institutions, banks, health services and others, but for others it's really just a matter of sound practice, as I mentioned. Um, and here we could
make a parallel to business continuity, for example, because again, for some mandatory, for others it's not, but it's still in their interest to implement BCM, for example, um, in terms of, well, having those practices, those structures in place, those processes, and even for them to get the trust of their interested parties, for example. Um, and here currently there is a window of opportunities, uh, because, well, we have no guarantee that later on it won't become mandatory also for, um, other sectors. That's the opportunity to really build operational resilience for those that are not currently regulated.

So here I've gathered some information from the latest report, and this is really just because it's the current state of operational resilience. So of course we have the 58.5% of organizations that would say that they're doing it for good practice purposes, which I definitely think it's a good thing here, and that's something that we should applaud. Um, if we look at the top five major challenges of implementing, um, operational resilience, well, here I really want to highlight, uh, the first one, that would be the embedding, uh, because, well, we'll definitely touch on that. This is also something that we identify as a challenge here. Um, as I mentioned, in terms of compliance to regulation, so for some it might mean up to five, for others it may mean more than five, which can become, um, quite a lot. Uh, also, for the top four critical essential processes and tools within operational resilience, well, definitely identifying those IBS, those important business services, uh, mapping the dependencies to suppliers, so 88.3%. We have to identify the impact tolerances, and based on those impact tolerances, well, we need to prioritize and work on vulnerabilities that would threaten them. So yeah, that's something here that should be taken into, um, consideration.

So here I just want to stop for a moment on this, um, this slide that we, well, on this box that we see here, uh, because I
really love to hear, uh, from you in the chat with just a yes/no in terms of whether you think that regulators and governments have done enough. Um, and I'll just give you a few seconds here just to say yes/no in terms of this question here. So I'll let you just, um, answer, and here I think I'm not able to see the chat, actually. Go. Okay, so we have no, they could do more, erup not much, yes, not enough. Okay, okay, so there is, I think, there's still a trend of no, not enough, they should and they could do more, more clarity. Okay, no, North America. Okay, we have still some yes. Okay, more alignment, alignment. Okay, okay, perfect. So thank you for sharing your opinion of this. Um, I think this is really a good, uh, benchmark in terms of, uh, where we're at currently.

So, um, lastly, the tick-the-box, uh, stats. So this one I feel is, uh, really important, because first of all it's a resounding, uh, 70.6% of yeses, which is, uh, definitely a critique, again, of the regulators, but also because, just like the before and after COVID, well, there would be a before and after deadline for implementation, and the question here is, would it be just a mandatory exercise, or if you could add documenting then you can just pass, or should we expect a real change in business practices? Um, and the first thing coming to my mind here would really be, um, ISO 22301 certification, and for some organizations it's just a check-the-box exercise, but for others it's really implementing, uh, processes, practices, making sure that people are aware. So this is also something just to keep an eye on, um, and to take into consideration.

So, um, now we're going to do just a little ice breaker, so it's just two questions for now, uh, because I really want to hear more about you guys in terms of what you think, um, and where you're at currently in terms of operational resilience. Um, so we'll have two questions now, we will have two questions at the end of the session. Um, so I don't know if you know Vevox, but it's just a matter of scanning the QR
code that you see here, or you can also go to vevox.app, um, and just enter the ID session here. So I'm just going to give you, um, a few seconds to do this, um, and after that you can just keep the window or the tab open and you'll be able to go back to it later at the end of the session. Uh, you still have the information related to the QR code if you want to join later on. So I'm just going to give you the opportunity to join and to scan.

So, um, as I mentioned, I have two questions, and the first one would be: is your organization subject to any operational resilience currently? So I'm going to give you the opportunity, oops, to enter. I think I went to press it. Perfect. Okay, people are answering, so yes, no, not sure. Okay, I'm just going to wait just a few more seconds. Okay, so I'm just going to look at the results here. Um, okay, so yes, okay, so more than half, um, of participants here today, um, are subject to regulation, and we still have almost 40% that would say no, and some of you are not sure, and I think this part, it's really interesting, actually. Uh, and this does reflect that there is currently a gap between, um, the involvement of the regulators, where they are identifying as, um, requirements, and they extend the scope of those regulations.

Um, so we're going to move on to the next section. So here it's: how far along are you in the process of implementing operational resilience? So just started, still building, almost done, done. So again, I'm going to give you a few seconds to complete. Okay, I'm just going to wait a bit more. I'm just going to close here. Okay, so, uh, still building for the majority, which is, uh, good. We have some of you guys that are currently done in terms of implementing, um, operational resilience, uh, and I really hope that people that answered "done" will, um, just share their experience, um, in terms of, or how they did the implementation, their challenges, because, as I mentioned, we're going to identify some challenges during today's session
but you might have different than that, so really don't hesitate to share your own experience in the chat and talk between each other. So, thank you, thank you so much for participating in the Vevox. Um, I think this is really, um, insightful, and as I mentioned, we will have two more questions at the end of this, um, session, so it would be the same identification and QR code you'd be able to have access to.

So, key challenges. As I mentioned, we've identified, uh, six challenges for today. Of course there are more than that, different than that, so, but this is the ones that are coming the most frequently, I would say, and the ones that we've, um, identified.

So the first one, coordination and governance, and, well, this one really ties nicely with the first image that we had, uh, of operational resilience that I was showing at the beginning of the session, um, where we were showing this kind of umbrella covering programs and processes that are in place, because, well, we shouldn't reinvent the wheel. We should leverage the tools already in place that are working and that are supported by, uh, leadership and that are communicating, um, inside of the organization.

The second challenge here, it's really about identification of important business services, um, and this is, uh, the challenge that I mentioned when we looked at the statistics, uh, that were available, um, in the reports, because, well, how do you do it, and what's the difference between an important business service, um, and a prioritized activity that would, I, during the, um, during the BIA and the risk assessment? So we will provide more examples on that, um, later on during the session.

Uh, threat assessments, so definitely tied to those important business services mentioned above, and should be built on what is, um, already existing.

The solution and, uh, response planning, so this challenge is also a good way to look at the broader targets of operational resilience, because it's more than just the plan, the BCP.

Five, well, of course, our exercise and
simulation of our plans, well, of our BCP, crisis management plan, etc., but here it's about, uh, those important services and proving that you meet the impact tolerances that you've set.

Um, six, meeting conformities, uh, and regulation requirements, so just proving that you meet the requirements with, um, evidence that you can provide to the auditors and the regulators, for example.

So when we look at operational resilience really globally and the challenges that we're identifying, the different regulations, um, operational resilience is broader in its scope but it's more precise in its application. So this is really something just to keep in mind, uh, throughout the session.

So, first challenge: governance. Um, as mentioned, embedding operational resilience in the fabric of the organization is definitely a challenge, because, well, where do we start, who should we include, how to do it? Um, and we know that in order to, uh, achieve operational resilience it must be a joint effort within the organization, and it cannot be happening with just business continuity professionals, and therefore ensuring coordination is really important, and we can tie to a, um, a joint governance with auding committee, for example, and maybe you already have with business continuity, where we just have some people that are missing from the table, and then it would just be a matter of bringing those people in, uh, bringing them together, and that definitely can be a key success factor here.

So when we talk about, um, governance, of course we look at internal processes, documentation, structures, um, and yes, for each organization they have their own context, but, um, as you can see here on the section through the example that I have here, um, we're really looking at the steering committee for the BCMS, for example, um, and we have the standard roles, so sponsor, uh, business adviser, uh, risk management advisor, information security advisor, so those roles are really quite, um, standard. Um, and yes, for some organizations it could be just a matter of
adding in someone new to the role, to the operational resilience role, uh, but not all organizations have the, the budget for this, so sometimes it could just be a matter of sharing the responsibilities between the roles that are already there, that are already existing.

Um, and of course when we talk about resources, um, so those roles that you can see here, well, automatically we talk about competencies, and competencies is really highlighted in many standards related to BCMS and, uh, IT, for example. Um, so individuals that have there in operational resilience should have the opportunity to attend conferences on the subject, trainings. Uh, they should be able to have a better understanding of what other people in the same position are doing, because we're really in this stage where everything is not quite sure, everyone is not quite sure about anything or how to do it, so exchanging would really be the goal here, um, internally, with external partners as well. Um, and I know many organizations operating in the same sector, uh, having benchmark meetings where they just exchange on best practice, um, on risk trends and what they should be aware of and how to assess those situations that are, uh, quite common, uh, in their fields. So really those informal meetings could also be an opportunity here to talk about, um, operational resilience.

So here, for example, we have a table that you see here with the events and actions that were taken by the steering committee, um, and it could be items that would include the operational resilience, so they would be targeted specifically, those activities related to, um, operational resilience and the, um, lessons learned that we've found after testing a specific IBS, for example. Um, so this is really something that could be using and leveraging the same processes, the same, um, actors that are already there inside the organization. So, as I mentioned, it's all about, well, navigating the same waters and using the same road we've always had, um, following the update cycle of BIA and plans, annual
testing and exercise, so it's really about, um, maximizing those, uh, levers.

So, important business services. Um, here I'm using the term important business services more in a general manner, just to mark the gap between business continuity, um, because of course not all regulations use the term important business, uh, services. But if we just look at the, um, the bottom part that we have here, so the IBS and prioritized, um, activity. Um, for the prioritized activity, um, if those activities were to be interrupted then there would be a high or really high impact on the organization and therefore, uh, an impact on the clients and interested parties, so this would be more related towards, um, BCM, for example, whereas IBS are the services that, if interrupted, would impact the integrity of the market, and it would be a direct impact on the clients. So this would be here the difference, um, between the two.

Um, and as you can see here above, I do have a table, and this would be the standard example, um, that I'll be using throughout the session today. Um, so we have our service, that would be claims processing, for example, and we've identified this service as customer, uh, facing, customer related, as its type, so automatically, based on that and the description that is provided, then we consider this service as an IBS. That's why we just check the box. Um, so here we're talking about efficient handling of claims from the initial, uh, notification to the settlements, um, and ensuring customers receive timely assistance and, uh, payments. Uh, we also have the mention of the peak period, so that would be here continuous. Um, so this one would really be identified here as an IBS. Um, and at the opposite, um, the standard example for, um, services or processes that are not IBS would be payroll, because even though it might be a prioritized activity for the organization, it wouldn't qualify as an important service. Uh, it might still be a supporting area, for example, but the exigence in terms of the
mapping and the details would be less, um, constraining here.

So if we move on to just the impact tolerances, um, so the impact matrix, uh, I'm sure everyone has one, um, and that's definitely something that you can leverage, uh, when you look at your IBS, for example. Uh, so it would just be a matter of, for example, adding a new column with the impact on the customer, um, as well as the description of the impact levels. That way we could just weed out the non-customer-facing, uh, services, uh, just by using the impact matrix.

Um, and here, uh, as you can see, again I'm using the example of the claims, uh, processing. So we have the claims processing, the service name. Here we can see that in terms of the tiering it's a priority one, so IBS automatically. Um, and then we look more into details in terms of the assessment and the impacts. So based on the categories that we have in our impact matrix, we would be able to say that in terms of financial impact it would take us one week to reach a high or a very high impact, uh, if this activity were, if this service were to stop. Customer would be 48, reputation 72, legal 72, and this is how we would get our MTPD here. So the MTPD would be really based on the, uh, shortest time frame, which is customer, 48 hours. Um, and of course justification, so in terms of direct impact to the client, to the customer, the duration, so providing some insight regarding this in terms of maximum acceptable delays, the volume, what we should take into consideration, what we should do at the very least, and the service level, so where is the minimum acceptable resolution time, um, and customer acceptation or satisfaction rates. So this is really in terms of time frame that we should evaluate our service, but it should also be in terms of level. So here, if we look at the impact category, um, the financial impact would be low because it's one week, uh, customer, it's very high, reputation high, and regulatory would be high, um, as well. And here it's really important to note that the justification for the
assessment is just as important as the assessment itself, uh, and it's for really compliance purposes, of course, uh, but also as a guideline during tests and exercises.

So, identification and mapping end to end in terms of our important business services. Um, so here this is really just a reminder that important business services are not pertaining to one business unit, um, and here I'm using business unit, but terminology could be different depending on your organization, um, but the service is really cross, uh, function, um, and this is really something that we can see here with our, uh, yellow, uh, column. Uh, so this is a really good way to represent this type of information as well, uh, to have a better, um, understanding.

So again here, um, if we just go back to our example, then we have the claims processes, uh, claims processing, that is our service here, our important, uh, business service. Um, but this is, when we talk about operational resilience, well, we have to dig deeper. Uh, we really have to do this mapping end to end. That means that we have our important business services and we need to look at the activities, the processes that are contributing to this, um, IBS. So for example here we can see that claim notification, document collection, customer follow-up, for example, are contributing to the claims processing, um, IBS, and of course that also means that we need to do an evaluation, an assessment of the impact for those processes, as well as calculate their own MTPD. Again, justification is really important.

Um, and we could also get this type of view here, more in terms of a tree chart, so a tree chart really allows you to have a high-level view of, um, interconnection of dependencies, of really mapping end to end of this process, of this important business service. So here we could see that for the claims processing that has a 48 hours MTPD, well, then we have all of those processes or activities contributing to it, and we have the information in terms of their own, uh, criticality. So, oops, I move too fast
here. So, um, when we talk about dependencies, again the challenge here is, um, yes, we should identify our dependencies, but how detailed should we be, what should we map, and that means really looking both internally and externally as well. Um, it's really about pushing deeper in terms of the information that we try to capture and those solutions, those strategies that are in place, both on our side as well as on the side of the supplier.

So again here I'm using the, um, tree chart view to see the, the global view information. So we have the claims processing, claim notification depends on the supplier A, for example, and this is something that could be mapped, um, with the table that you see here, where we have the activity, the process, the claim notification that depends on the supplier A. The need for the supplier A is that they provide call center, uh, for claims in both French and in English, um, and if the supplier is not available then we need to find our alternate measures, interim procedures. Uh, so here it would be, for example, to transfer the calls to an internal call center. And it's also about asking more information, so for example we could see that the partner here has completed the assessment, so I'll be able to show you the assessment after that.

So looking at those external dependencies, but also looking at internal dependencies, and it's not just saying "I need this team", for example, and that would be it. No, it's really about seeing the relationship here. Is it upstream or downstream dependency? Um, which business unit, which team, which department, which function do I depend on? Why do I need them, and do I have something in place if they're not available? Um, and you could even decide to push further here and ask the function, well, what is your MTPD, what is your RTO regarding this service that you're providing? Um, and of course asking them about, um, SLAs, if there are things that are, um, in place. Um, and as I mentioned, the workaround that we see here, the interim procedures, uh,
this is something that should also be tested and exercised, uh, but we'll be able to look at that, uh, um, in more details afterwards. Uh, and really all of this could be part of the BIA, so when you're doing your, um, your standard BIA, I'd say, at the workshop, well, this is something that you could discuss, you could go into more details when you look at IBS here. Uh, it could even be a separate dependency assessment document. Um, I know that some organizations are splitting those types of, um, information.

So if I zoom in on the dependencies to third party here, well, uh, those critical suppliers should also be interviewed, uh, really through specific form, so they should have their own plan, for example, um, that you'd be able to map out, and of course getting answers here, uh, is really a challenge of its own, but it's also beneficial for them to maintain a good partnership, uh, with the organization. Um, and for the ones that are, uh, more reluctant, if I could say like this, um, well, regulators are, uh, planning on being more strict in their approach, uh, in the regulation, and they should soon be, um, the target as well of those regulations, so they're going to be forcing the hand of those third parties, and I think especially in the US.

So when we talk about, uh, the supply chain resilience, as you know, it's really more than asking "do you have a BCMS?", and "yes", and "okay, we're fine with that". Um, it's really about creating a plan specific to our suppliers. As I said, well, we look at the service they're providing, the assessment of the MTPD, so for example here we could see that for our supplier they're providing insurance result F investigation, storage of physical files. We could see the MTPD, 48 and 72 hours. Uh, we could also ask them, what is your strategy if you were to not be able to provide this service? So here they could say, we have a secondary site in place, we have other partners or suppliers that we could work with. Um, and it's also about identifying what would be the impact on the company's operation if
that service were to be, uh, not, um, available. Um, but it's also about asking them, what are your resilience measures that are in place, and impact level, preparedness level, uh, based on scenarios that we, as an organization dependent on you, we've identified are critical for our organization. And this is really the second table that you see here, where we have those, um, it standard scenarios, um, and here we're asking the supplier to assess what would be the impact level for the loss of site, for example. So here they state low because they already have a secondary outsite available, and the preparedness level here is really, uh, green, because it's documented, it's in place, uh, and they have tested this specific, um, scenario in their organization.

Um, but it's also about getting the accurate information from your vendors and your suppliers. Um, so here we're asking what is the approval date for the information that we're capturing. Uh, we're also asking, did you exercise, did you do testing, if so then yes, then when, sorry. Um, and also asking them some comments in terms of, was it a success, a failure. Of course they will never say that it was a failure, but really getting more information, more insight, um, and just asking them, in terms of plan-do-check-act, what's their current, uh, status. So of course getting all of that information, uh, it could be part of the contract negotiation process, uh, to really have everything that I mentioned here, but again, it all hinges on good faith and what they are ready to accept in terms of fallouts. Uh, if they're okay with financial penalties, then you better hope you have strong interim procedures in place, um, because you can't really be that dependent on them.

Um, this time we're zooming in on IT dependency, um, and again here we should just provide more details, both at the process level, uh, so for example here I'm using the system bin attch. Uh, why do I need this system for? What's my request in terms of RTO, RPO as well? Do I have something in place if the system is down,
and something that is really strong here? But it's also looking about the RTO gap. So for example here, um, we've said that we need the system in 24 hours, and the IT team said that the official RTO would be 24 hours, and the gap here, even though it's yellow and we can see that it's matching the two information, this is really just to take into consideration, and take, um, into consideration when you're writing your interim procedures, that maybe your definition of RTO is not the same as the IT RTO, in a sense that maybe for you, uh, your RTO, it's when you're losing the system, but for IT it's that they have to first, um, bring back the whole infrastructure, uh, the VPN and all the servers and databases, and then they will do the 24 hours to recover the, uh, application. So sometimes it can be a gap here, and this is something that needs to be taken into consideration when you're, uh, writing your interim procedures, and this is also something that should be considered in terms of discussion, exchange to have with the IT team, um, in terms of what do they mean for official RTO here.

Um, data classification. So here, for example, we would let the, um, the business unit members, the important business services members, identify what is the data classification, because sometimes, well, the SMEs are better at identifying what kind of information is available in the system, um, rather than the IT team, for example. And operational resilience is also about, as I said, it's really more granular, um, and more detailed in terms of the practice, and that's why here we're linking the system to the process leveraging it. So this is something also to keep in mind here, um, and to keep in mind when we're looking also at the process RTO, because it should be matching, the two of them.

Um, so this is really more for the business part, I'd say, uh, but we should also provide more details in terms of the, um, IT components. Um, and for example it's about looking at the system here and dependencies they have and their ties to, um, other systems that they may
need other database uh and servers that we should identify here and that's why we have the the binch highlighting the downstream dependencies to Classic for example um and what is the the dependency RTO so here for example it would be 4 hours so really being more um granular and this is really related and ties to the IT DR program and the plans we have for um our system now if we just move on to threat assessment and this is really entering another area uh iish um and it's really about uh integrated risk management we have a focus on operational risk management and usually this piece here is a is a well-oiled machine I think people from the risk team are usually quite uh efficient in their their process um but here we identify inter interdependencies sorry to other risks so for example we have our operational risk uh we should say that it depends on business continuity risk for example and IT DR risk cyber risk uh so it's really about creating a profile for your risk here mentioning those dependencies mentioning the the link to the strategic plan for example um and it's also about doing the assessment for a different time uh of per for to say for a different horizon here so a short term and a long term as well so here for example we're using our three years as well um as a 10 years uh but it's really about taking into consideration our sectors our activity the market and the impact on the the customer um so here we look at the likelihood of V risk levels those levels as well would be um identified and again here engaging with other professional in the same sector can also support this process and uh provide the said uh benchmark so it's really about establishing this profile at a global level but we should also be getting input from the are contributing to those important services because they might have more insights um they could also better orient how we do this type of assessment as well so if we just continue here for the threat assessment uh of course it means 
using available tools so we shouldn't throw the um likelihood and consequence metric that we currently using um and we also have to look at the multiple locations and do the assessment for those locations as well uh because obviously uh the assessment can be different from one side to the other um and here we're providing a a visual view of the information um because this is also something that you can leverage in terms of information that you're providing to leadership to the auditors um and that shows that you know where you're at currently in terms of assessment uh and this really ties to operational resilience in terms of documentation so when we T when we look at um scenario modeling here we really talk about those vulnerab vulnerabilities and the risk assessment um and this is um all of this should be driven by the incident scenarios that you've identified and here I have some examples I say that those are the standard ones so the loss of access to premises or loss of access to sites um and loss of employees for example disruption of key business partner loss of essential resources um as well as loss of IT which then split into of course the loss of in infrastructure and data service and the loss of uh data so again those are really uh standard scenarios um we have organization that have different scenarios are more precise more detailed depending on their fields uh their sector um as well uh but this is really just um just an example here so the solutions we identify in our plans should be adapted should be based on those scenarios and must take into consideration the dependencies that we've captured so if we go to the uh solution and response planning challenge so here at the chall it really relates to should we have a different plan specific to operational resilience for example and maybe how detailed our solutions should be and what to plan for so here for example this is something that you could find in a in a business continuity plan for example where you'd 
have the incident scenario so here we we we decided to um leverage loss of access to site and loss of site for example high level it's to identify a con strategy so work from home and this is something that should be really high high level here then it's about do we feel that this uh solution is at is as a green do we feel our resilience level is good for this specific scenario so here we said yes with a green um because this strategy is documented it's exercised and we fully meet the requirements and the impact tolerances we've set um and it's also about maybe providing some recommendation and once you've set this kind of high level information and summary of the information then you need to go into a lot more details in terms of solutions that are in place related to this uh specific scenario um and for each uh solution we identified here we need to take into consideration what are our requirements for example loss of sites do I have vital records if so then what is my strategy for this if I were to lose them uh if it's paper should I digitalize everything do I have copies anywhere else so those type of solutions um for the loss of of IT system for example in terms of scenario well as we saw earlier we've identified the dependencies to the system and we've identified the strategies for each one of them uh that we should activate if this scenario were to H were to happen um and at the same time um here at the bottom part we have more of a a table um and a task related to incident management so if we talk about incident management then here the example is to um we should be getting to the pre-arranged meeting place and here you need to think about well what is our strategy to go there to go to this meeting place um to go to this second site what is the required equipment and of course to keep record of the information and the lesson learned just by doing the tracking of those events um and whether it's an exercise or an incident those events should generate solutions should 
generate a readjustment or validation of the solutions that we have um in place because they might highlight some gaps that we currently have so definitely something that should be uh used as well in terms of uh events and review um the same goes for cyber so we look at the uh scenario here for example that would be the prolonged outage due to malicious code ransomware malware so we identified our scenarios um and as you can see for IT or for cyber it's more detailed for example but then once you have this then it's a identifying those steps the responsibilities of the relevant party and being able to just check when this is done to really provide some insight in terms of if there is a gap in those solutions and if we should adjust those uh responsibilities here uh also when we talk about cyber and IT um one of the main challenges was the legacy infrastructure um and this is really one of the as I mentioned one of the biggest issues in terms of operational resilience and and if we can't change um this just by clicking our fingers well we can still take into consideration operational resilience when moving to a new system um it should also be part of the discussion that we have with the steering committee that this is on our radar uh and we double our attention when this is concerned uh but it should also be um it should also go beyond the IT discussion so the important business services owner should also be aware of this that way they could also decide to tailor their solutions and their strategy for this specific incident scenario the loss of system or the um the um integrity of the system for example so operational resilience is really about exchanging um and making sure the information um is communicating with everyone that would be uh that would have a a role during the the events our next challenge here would be I tested um and here it's really about the notion of severe but plausible and I think that this is something that's been talked about a lot here but it's 
really about what does it mean and cross-reference data okay but how proof of testing how so scenario testing is really a a combination of um of the impact tolerances that you've set for your important business services um as well as incident scenarios that we've identified so the ones that we had earlier and finally it's also the solutions and the dependencies you have and the mapping of all of that information should provide the severe but plausible exercise you need to do uh and something that was mentioned a lot was AI uh as a great tool definitely a really great tool to get ideas in terms of um exercise scenario but it should also be used uh with caution and I've read that nuclear war was a highly recommended scenario here but it's definitely the the worst worst case scenario for most of our organizations and it wouldn't bring anything to to the table um and we're way beyond the notion of severe but plausible here so again with caution um so severe but plausible uh for example it could be if you um if you have a strategy for the loss of a specific system for example uh and it would be you use paper form and you can do that in 12 hours and then push the information uh in the system when it's back um then you can test the specific situation this specific scenario and then when it's done you can document it um or you can decide to see that if there is a gap for example you need to identify the improvements the lessons learned that should be put in place and include uh and be included in a review cycle so it's yeah it's really about it could be as granular like this um and here it's more notion of test than exercise because can you do it or not and for a I'd say more high level exercise implicating multiple areas then the lessons learned should be reviewed during the steering committee this should be inte integrated and included and it should be really an item here to be tracked uh until it's completed or resolved because well all the right players are already around 
the the table and so if you continue just with scenario testing here so in terms of reference data well the challenge is definitely definitely about the the volume of the information as well as the interconnection so having the right information and pushing them and pulling them to together here um and tools to automate everything are definitely a time saver and an accurate companion for for this um so for example here we just have those two tables where you could see just a report on the exercises that were completed so we could see the scenario category here uh the type of exercise it was simulation tabletop exercise could be a walk-through of a plan for example uh we have the name of the exercise then the dates um the results number of participant so really pulling all those high level information um are really important in terms of evidence and proof that you're providing of testing uh to the regulators and for audit purposes um cross-reference data is also a good way to see for example to determine what should be the scenario of your next exercise so the at the bottom the the the second table that we have here for example we have the units that would be accounting and finance and we could see for this unit what is their level of resilience for the scenarios that we've identified and we could see that for the disruption of a key business partner well they say that they have a red resilience level and this would be the opportunity here to say that either we try to test the uh scenarios that are in green to confirm that this is really something that has been documented uh and that it's working or we could also decide to go with the red and then try to help them to go from this red to a green for example and just by having a walk-through of their plans or having them test some information or verifying and checking what is the the gap here why there is this specific uh red and if it's related to they don't have the information from the vendor and the suppliers then 
it would just be to talk about the suppliers and have them um providing more information in terms of maybe their for example uh proof of testing so this is really about uh documentation documentation documentation uh keeping records of everything uh so it's about we have the system bch for example should it be tested yes uh it could be something that would be included directly in the plan where you could see the DR was it tested in the past three years so here for example it's saying yes in the second table um and we need to have the reference the exercise that was done so here that would be the the 2.4 that you see here for example um this would relate to the DR that was tested so really making sure that we have audit trail and compliance of the things that are done um it's also about um the information that we're identifying during the events so incident and exercise here uh so we have to confirm that the procedures the strategies that we have identified are correct and this could be highlighted just via a a plan an action plan for example so here for example um the team I don't have the name for it but just the team said that um after the Bob White uh exercise that we see here they've realized that the strategies are no longer applicable in a post-COVID world and this is really the the lesson learned from the last exercise and based on this statement on the description of this they've decided that they need to discuss the strategies with the steering committee and this would really activate an action and uh a review plan of things that need to be done and completed so here they could set a target date because they want it to be completed and done by then and then they could provide more comments and sone when it's done so really just um capturing uh the information and it's also about um just keeping in mind that if you don't meet the time frame uh that you've set this is not something that is catastrophic as long as the issue is identified the actions are put in 
place and the reassessment is um done so I can see that time is really flying so I'll just go through the compliance tracking so when we talk about compliance tracking um whether we're a regulated organization or not uh we should really document our compliance to the standard and the regulation that we have and it's really a good way to implement a structure and a guideline in the organization so here for example it's the compliance to the the standard ISO 22301 so providing more insight in terms of do we meet this regulation this control yes or no but how do we meet it and we provide more details um do we take actions do we have documents to support this claim so yes this is something also that should be um documented um compliance tracking should also look at the decis and KPIs that we've set and we could also decide to set specific metrics for operational resilience but it could be part of the same cycle of review and the same cycle of assessments so it's really um it should also be considered to track where you are in your in your journey I'd say to implementing operational resilience um and finally uh approval cycle so operational resilience it's about making sure you have this audit trail of information of the review cycle of approval cycle about who completed the information when um and the information here should be accurate should be up to date uh it's about developing processes and methodology to make sure that uh we follow cycles of review uh it could be graphic viewers as well uh that's always a good um a good way to information just at a glance here um and flexible reporting based on needs um in terms of compliance audits uh conformity it's really about being able to provide information that we're looking for um and again here having a tool is always a as I mentioned a good thing because that really helps you into uh looking for specific information so for example here we just wanted to see um the um solutions that were put in place after an event so 
the IT failure here um and we've realized that we need to review the strategies for the system being attch uh and the action related to this would be to perform tests for example so really just matching the information that we're looking for and being able to provide this type of information to the regulator or the auditor for for example um so I really had to rush at the end because I really wanted to hear again from you guys um and Marian I think you will um you will be uh intervening at this point regarding the the the vvox so thank you so much for listening to me talk about operational resilience for for one hour were here and again as I mentioned we just want to hear um just a little bit more for from you guys and this is a word cloud so you just have the option to enter more words uh as you want to um and Mar if you just want to go well thank you very much Maran for the session I mean there was lots of movement happening in the chat uh we'll also be uh putting the um there's a button that's called resources at the bottom of the screen uh we'll um uh we'll try to make that available but otherwise please uh reach out to us and we'll make sure that we send you an updated version because the vvox won't be present in that resource um document um and for the ones who've asked so please uh see don't be shy please put comments and I believe you can put even more than one comment so please you know go and put some comments in um I know there were some questions regarding um kind of raising awareness to the gaps that may H may um exist within the organization um sometime sometimes we're tempted to show all green because for compliance reason we want to do so but on the other hand if there are some vulnerabilities as uh Patricia mentioned uh put that on on the risk register um and you know the the the good practice guidelines is a new version that was published um earlier um you know in November of last year which actually changed the word embedding to embracing 
business continuity so the more people do believe in the value of business continuity and operational resilience um that's also going to you know increase our state of readiness the and capability and there was one uh comment earlier on talking about the that operational resilience actually an ability of the organization so definitely that's something that we want to build and yes we could have included facility management and operational resilience it was that was a great point that was also mentioned um so if people do want to send out you know an email to us um I'll put that in the chat um if you want to do that then are are we getting comments because I know we're getting to the top of the hour so yeah yeah I think I could close in this session well and thank you very much again you know if you do have um any you know any questions don't hesitate to reach out um I hope you found excellent we're getting some you know IPS impact tolerances um definitely a challenge to get you know our head around what's actually expected um do you have another question Marion yeah there so so the ones that you struggled with um so I think we'll actually you know close them to by considering the sake of time so you do have a so if you were able to put some in lucky you so did you want to say a few words on um yes so yeah thank you so much for for joining the session um there'll be an article available on our website and this is really just high level in terms of what is operational resilience as mentioned by Mary Len we will provide the presentation in the the chat and if you have any questions don't hesitate to reach out to us we we love to exchange in terms of um new subjects and operational resilience and current subject in in our fields um and yes if you just want to connect with us on LinkedIn just don't hesitate it would be our pleasure to to exchange uh thank you so so much for participating today um and really wish you all a a nice day thank you very much and I hope you found this 
session insightful I'm putting the information in the resources so if you bear with us you should be able to go and download it so so now it's available thank you very much everyone thank you for the BCI and thank you Maran yes thank you thank you everyone