
Gliding through: How to build an operational resilience framework
By Lawrence Habahbeh, Robert Chanon and Paul Klumpes
It has never been more important to manage emerging risks and have a good operational resilience strategy. Organisations must ensure the policies, procedures and processes feeding their operational resilience framework meet stakeholders’ needs.
The effects associated with poor management of emerging risks can be more severe than those related to traditional financial risks (for example, the Heathrow Airport shutdown on 25 March). They range from direct losses – such as fines, legal action, and costs related to compliance failures – to indirect damage to reputations and business models.
On 19 July 2024, a single software security update pushed by cybersecurity firm CrowdStrike caused some devices running the Microsoft Windows operating system to crash. The day before, the Microsoft Azure cloud platform had experienced an unrelated outage. Widespread adoption of both Microsoft and CrowdStrike products led to global disruption in industries such as aviation, emergency services, financial services, healthcare and retail. Planes were grounded, trains stopped, and the operating systems of banks, payment card firms, airlines, hospitals, clinics, retailers and hospitality businesses were brought to a standstill. Shipping giant Maersk reported that supply-chain disruptions affecting its customers caused up to $300m in damages. Microsoft estimates that the event affected 8.5m systems worldwide.
As this shows, operational disruptions are systemic and linked. Increased dependence on common third-party service providers and software libraries, plus vulnerabilities in fundamental software units, can trigger systemic risks. This is especially critical given the increasing use of AI and machine learning techniques across society, industry and government.
[....]