The Global Resilience Federation’s (GRF) Business Resilience Council (BRC) has published an Operational Resilience Framework, after more than a year of development by a cross-sector team.
Traditional disaster recovery and business continuity efforts have focused on data recovery with little regard for providing services during an impaired state, says the BRC. The framework working group sought to help solve that challenge.
The goal of the Operational Resilience Framework is to reduce operational risk, minimize service disruptions, and limit systemic impacts from destructive attacks and adverse events. The framework’s rules and implementation aids, aligned to existing standards, including NIST and ISO, help ensure that services critical to customers and partners continue to operate through a crisis – even if impaired.
The Operational Resilience Framework rules define the ‘Path to Operational Resilience’ with seven steps:
- Implement industry-recognized risk management, information technology and cybersecurity control frameworks.
- Understand the organization’s role in the ecosystem.
- Define the Minimum Viable Service Levels for each Operations Critical and Business Critical service.
- Establish Service Delivery Objectives for each Operations Critical and Business Critical service.
- Preserve the Data Sets necessary to support Operations Critical and Business Critical services.
- Implement processes to enable recovery and restoration of Operations Critical and Business Critical services to meet Service Delivery Objectives.
- Independently evaluate design and test periodically.
The BRC says that aspects of the Operational Resilience Framework that distinguish it from other efforts include:
- Planning for delivery of critical services in an impaired state until services can be fully restored;
- Implementing immutable backup and restoration systems for data, systems, applications, networks, and configurations; and
- Requiring executive-level sponsorship and support from the business to build a culture that achieves resilient business services.