One of the few positive lasting effects of recent turbulent years has been business leaders’ increased focus on the resilience of their operations. In practice, however, the understanding of operational resilience is usually narrow, involving one or a few critical components. A narrow focus can lead businesses to over-prioritize slight extensions of business continuity, the resilience of IT systems (as seen in the EU Digital Operational Resilience Act), or risk mitigation. This tunnel vision is attributable to attempts to find a single team or department (e.g., the Business Continuity team, IT, or Enterprise Risk) to provide overarching guidance on resilience within the company.
Business continuity, IT system resilience, and risk mitigation are necessary but not sufficient for extracting maximum value from investment in operational resilience. The key to success lies in ensuring that each domain provides its own lens on operational resilience while also keeping the overall company vision in view. The problem is that centralization often leads to Ivory Towers that make governance someone else's problem for most of the company and decentralization makes governance everybody's problem—which in practice becomes someone else's problem as well.
The data domain has already addressed the similar conundrum of how to get a whole business engaged in data governance. The answer identified in that space, federated governance, is driving the newest data architecture paradigm—Data Mesh. Such a hybrid organizational model can easily be transferred to the domain of company-wide operational resilience.
Federated governance is a model where the central governing body makes enterprise-scale decisions while, in domain-specific affairs, decentralized units are autonomous decision-makers within their areas.
The Concept of Federated Governance
This hybrid model of centralization and decentralization combines their strengths while avoiding extremes and thus eliminating their weaknesses. Federated governance separates and balances different levels of decision-making power. A clear example of federated governance’s normalizing influence is the positive tendency to firmly root global policies in the holistic, strategic view of the whole company rather than surrender them to the loudest or most opinionated faction. Applying this concept to operational resilience means the vision and general requirements should flow from the top while each domain within the business applies those high-level policies and guidelines in its respective function according to the subject matter expert knowledge.
Guidelines for Federated Operational Resilience
Although there is, by definition, no single correct point of separation between central and delegated accountability for operational resilience, we propose seven guidelines as an initial point of attack on the problem.
1. The Federated model should be driven from the very top.
Any executive charged with the accountability for operational resilience should make it their mission to implement the model throughout the organization. For this purpose, the executive may appoint a governing body to ensure resilience implementation aligns with the overall business strategy. Together, they should then enlist the cooperation of domain owners. The efficiency of this cooperation will depend on skillfully influencing and directing the energy coming from a diversity of opinions.
2. Company-wide central governance should focus primarily on policies and value statements, leaving most implementation details to business units.
The designated oversight body should define the boundary between the federal and delegated remits and enforce it consistently to optimize the model for its specific organization. Diving into details excessively at the central level will reduce the individual teams' engagement and increase the risk of misalignment. Conversely, making central governance too high-level will lead to the emergence of conflicting approaches where consistency would be more appropriate.
3. Expertise in resilience implementation should be provided centrally to support businesses.
Since the specialist knowledge required intermittently and across a resilience program is usually costly, centralizing that knowledge will drive efficiency. However, specialists should operate purely as advisors when business units make decisions; otherwise, the specialists would violate the two previous guidelines.
4. The basic unit of operational resilience planning should be defined at the business process level.
Viewing resilience as a property of an end-to-end process makes it a cross-departmental concern. Each team should have a clear view of how they fit into the resilience strategy (assuming they’re already clear on their role within the business strategy).
5. Resilience information should be shared and reused, not siloed.
Firms should ensure that details of tolerance levels, testing scenarios, and response plans are shared within the company unless specific security requirements necessitate withholding particular details. Sharing information effectively will enable parts of the firm to leverage the experience of others and will foster cooperation geared toward more robust responses. It will also facilitate alignment, preventing conflicting reactions to similar events.
6. Leverage existing components of resilience instead of replacing them with general practices.
Every process will have some seeds of resilience already present within it. Effective federated resilience governance should help those seeds to sprout, not stifle and replace them with one-size-fits-nobody generalities. The goal should be to support and use local knowledge as much as possible.
7. Encourage broader thinking, going not only beyond departmental boundaries but also beyond your organization.
By empowering their teams and departments, organizations facilitate a sense of wider responsibility. No business exists in a vacuum, and encouraging the resilience of clients, suppliers, and communities will further strengthen an organization. When building operational resilience, collaborating broadly is critical. By mobilizing staff across all of an organization’s departments and levels, the federated operational resilience model leverages business-domain knowledge while keeping the implementation envelope aligned with the strategic vision. The natural outcome of this alignment goes beyond increased cross-departmental cooperation; alignment makes processes transparent and sets up the framework for future optimization and streamlining.
Organizations that achieve the fine balance between centralized and decentralized governance of resilience will be able to place themselves in advantageous positions during both favorable market conditions and inevitable downturns.