Compliance & Legislation | Operational resilience

February 3, 2025

Operational Resilience (OpRes) has been in the news a lot over the last few years. Advisories, white papers and conferences have all addressed the importance of cyber security resilience and its role in protecting the ongoing operations of the enterprise. With almost every business function in some way reliant on your IT assets and data, the security of those systems, and of the systems that protect them, plays a critical role in the resilience of the enterprise. Additionally, the establishment of formal processes to manage cyber resilience more effectively, in collaboration with ongoing business operations, is taking on far greater significance.

These considerations are important, particularly in the UK, where from March 2025 the Transition Period for FCA PS21/3 comes to an end. Finance sector boards must now continue to monitor and record their Important Business Services. Boards must review the information systems, resources, processes and service providers that support the ongoing delivery of those services. Additionally, Scenario Testing efforts are required to continue to identify emerging vulnerabilities and suitable mitigating controls. Regulators have noted that, after the Transition Period, they expect more sophisticated and frequent monitoring and reporting processes. Governance frameworks will become more formal as these processes become more closely integrated into ongoing OpRes activities.

DORA (the Digital Operational Resilience Act), a similar provision for the Finance sector in Europe, takes full effect in January 2025. Similarly in Australia, the APRA CPS 230 Operational Risk Management Standard for the finance sector is scheduled for July 2025. Clearly, regulators globally are seeking more diligent monitoring and management of any operational or supplier risks that could otherwise disrupt the delivery of critical operations. While the requirements and obligations may differ, momentum is gathering as governments everywhere seek to protect businesses and their broader economies.

The implementation of operational resilience

An important change here is the reallocation of responsibilities for resilience. The new Operational Resilience (OpRes) regulations are all quite similar: boards are now accountable for the overall oversight of operational risk management across the enterprise. While organisations can delegate Operational Risk Management to senior executives, those executives are tasked with providing appropriate and clear information to support the board's oversight.

These governance requirements mean organisations must maintain suitable and effective information systems to monitor and manage operational risk management processes. The resources required to deliver Important Business Services – people, processes, technology, information, and service providers – are the key focus. The interdependence of control effectiveness, incidents, fixes and near misses can all impact business operations and so factor into enterprise resilience.

What quickly becomes obvious, then, is the scale of the task of monitoring and managing supply chain risks. Firms are transitioning to more sophisticated risk management and operational governance models, so the reliance on IT assets and on the technology that supports and informs operational stakeholders will only increase. This in turn requires the ongoing availability and operation of the IT systems and controls that protect the delivery of critical operations. The task of protecting the production systems, and the systems that defend them, is significant.

Cyber resilience is changing in both scale and scope

The level of enterprise resilience is logically dependent upon:

(i) the IT systems and assets; and

(ii) the cyber security controls that protect them.  

Collecting the information needed to understand the threats that might disrupt important services is a key first step. Existing audit practices, risk assessments and annual penetration testing are no longer adequate to meet the needs of OpRes regulations.

The Operational Resilience process will inevitably change due to the increase in information to be collected and interpreted, and timeliness is now an important factor in your resilience management efforts. New regulations and laws are compressing effective risk management time frames, making it difficult for existing assurance practices to address the more onerous obligations. To be effective, the regular monitoring and reporting practices required to keep the board informed on matters that might impact resilience decisions depend on rapid analysis and availability of that information.

OpRes requires a different ethos, one that recognises that changing cyber security information can quickly impact OpRes decision making and the sustained delivery of critical operations. This demand for more reliable and frequent risk information therefore requires greater degrees of automation, reliability and objectivity in the cyber risk management and OpRes processes.

Enter Threat Exposure Management

There are several recent advances in Threat Exposure Management (TEM) thinking that greatly assist the more dynamic management requirements of cyber resilience. TEM means cyber security gaps can be automatically detected and quickly remediated using data-driven risk assessment techniques. Enterprises that receive comprehensive reports of potential risks can immediately hand them to technical teams to fix, or to business stakeholders to inform the OpRes processes necessary to ensure uninterrupted critical operations. Data-driven threat assessment systems enable the high-speed analysis and collation of large quantities of data, providing clear and concise risk information to inform cyber security, operational resilience and Senior Executive teams. TEM solutions are available to organisations seeking to leverage bottom-up cyber risk information at scale. They automatically provide timely and accurate details about emerging cyber threats and how to mitigate them, helping to avoid service disruptions.

Regular and reliable TEM analysis is the best way to gain accurate and ongoing visibility of the effectiveness of cyber security controls. The cadence of those reports should be sufficient to enable direct management intervention: emerging security gaps should be closed before the underlying risk environment changes enough to render information about the previous gap obsolete. It is at this point that legacy audit and risk management techniques fail to deliver. The time required to complete a traditional risk assessment means that the enterprise risk environment has inevitably already changed, and decisions made on the basis of that assessment need re-evaluation.

This is where TEM solutions excel. They make on-demand cyber risk assessments available, so the cyber security resilience of the systems that support broader operational resilience practices can be measured and monitored quickly and easily. Two solutions that specifically deliver this capability are the Huntsman Security Essential 8 Auditor and SmartCheck resilience assessment tools.

Delivering continuous visibility

For those seeking continuous visibility, Continuous Threat Exposure Management (CTEM) technology is also available to support ongoing resilience management. Continuous monitoring of security controls means low latency between the risk measurement and reporting processes. It allows for the timely identification of emerging security gaps, using evidence-based security information to quickly prioritise any mitigating adjustments to security control settings. This bottom-up information can then pre-emptively guide cyber resilience decisions and support operational resilience efforts with near real-time risk information.

The clock is ticking

For many, the introduction or grace period for new OpRes regulations has already passed. Businesses captured under the provisions of these prudential obligations are now required to prepare reports or self-assessment documents that inform regulators about the current state of the effectiveness of their operational resilience programme. The reports or records (in the UK, self-assessment documents) typically demand a degree of detail. They must be kept up to date, systematically describe ongoing operational resilience improvements, and report any incidents and near misses, how they were addressed, and any lessons learned.

Organisations might believe that they can adapt existing cyber security monitoring and reporting practices to meet the record-keeping or reporting requirements of these new OpRes regulations. Surely, you can simply adapt existing procedures and reporting obligations to suit! Maybe they can for a time, but operational resilience has become an ongoing operational obligation. Regulators anticipate regular monitoring, adjustments to controls and reporting as the best means of managing operational resilience.

For most organisations, however, these requirements are not the work of a moment. Regulators anticipate that the new OpRes regulations will require the establishment of systematic monitoring, management and reporting, and that is before the expected uplift in the sophistication of OpRes practices is considered. OpRes recognises the interdependencies of cyber, operational and enterprise resilience and how they must integrate into the day-to-day undertakings of the business. With these new OpRes processes merging into corporate governance activities, a review is warranted of how your organisation best integrates its cyber and operational governance activities.

Find out how Huntsman Security can assist your security control effectiveness and cyber resilience with our SmartCheck and Essential 8 Auditor.
