Michael Campbell brings more than 35 years of software development and technology experience to his role of CEO at Fusion Risk Management.
Michael’s exceptional executive management background includes several executive leadership roles and board membership positions, as he spent the beginning of his professional career co-founding and developing several successful start-ups.
With a unique global perspective and strategic insights, Michael’s vision is to lead Fusion for growth and scale.
Previously, Michael had extraordinary success as an entrepreneur, founding Campbell Software in 1989. The company was recognised twice by Inc. magazine for company growth, and he led the organization through its acquisition by SAP in 1999.
In the following Q&A, Michael deep-dives into operational resiliency, and its role within the future of risk and resiliency management.
Q) What are your thoughts on resiliency as a concept? How has resilience evolved given the recent challenges facing the world?
Michael Campbell (MC)
Business resiliency is about protecting your promise to your customers, knowing what your critical business services are; how you deliver value to your customers; what they are expecting from you, and then knowing how you can protect those elements.
You need to know what your critical services are; what people are critical to those services; sites; equipment, and third parties. If anything impacts any of those elements, it impacts my ability to service my customers. So, I need to be monitoring for threats. And I need to be able to avoid them when possible, and react to them quickly and effectively when they hit.
That’s operational resilience – it’s thinking more about how the business runs, how it could break, and how I can respond quickly to make sure that I keep my business going.
The evolution of resiliency has been slow. We’ve been talking about resilience, which is really integrated risk management – looking holistically at your business. I think the time of evolution went away when we were hit with COVID, and now we have resilience regulations from the Bank of England, and I would say we’ve moved to “transformational”, because there have been some really fundamental things that have happened, largely because of COVID.
Everybody has been impacted by multiple events, and it has hit a lot of these businesses really hard. Compared with senior level executives who used to think of what we do as good governance, a necessary evil, or a checkbox that has to be ticked, resilience really needs to be part of the way you plan your business.
It’s owned at a senior level, at C-suite level, so we’re seeing a lot of change here. It’s putting a lot of pressure on our traditional businesses.
Q) Some of the organizations are talking about business resilience, others operational resilience. What is the difference between the two?
There’s a subtle difference. In terms of the way we look at operational resilience, it’s more about breaking down the silos, making sure that you’re looking at things holistically – creating a platform, a single pane of glass that can help you see what’s coming, before you coordinate responses, and execute actions.
Business resilience goes beyond just the platform and the processes that you lay out. It extends to culture. Again, I think a lot of companies have thought about building for efficiency, and how they can build for profitability.
Then you need to consider where the risks are and how you can checkbox those risks. Beyond having a platform to understand what’s hitting you, how you prioritize and formulate a response, you need this whole awareness running through your company.
I view business resilience as the capability of operational resilience embraced throughout your company culture.
Q) Are operational and business resilience simply new names for business continuity? If not, what makes them different?
Absolutely not. Business continuity is still foundational, but concerns building a model of your business. It addresses how your business services operate, and what the critical elements and dependencies are. If something gets poked in this system, how does it ripple through the organization? But you need to be able to pull in information and activities and threats from potentially hundreds of different systems and inputs.
Operational resilience is a holistic operationalizing of risk management, not just from a planning perspective, but in terms of making it a real living entity with real time hits that are coming at me – real time reactions, so that I can not only react to them, but I can view my business in a different way.
I should be able to ask how I can change the structure of my business; how I can build resilience into my supply chain, or into the way I deliver services or products to customers. This proposes a very different platform and a very different mindset.
Again, the ownership is by senior executives, the C suite, and at the board level. In some cases, there are a number of places, particularly in the banking industry, where we’re dealing with global chief operational resilience officers. So, it’s a very different animal from business continuity, although business continuity does remain a cornerstone.
Q) Are there things that we can leverage from business continuity and improve on as we aim for resilience?
Absolutely. Again, there’s a mindset change here, because in a traditional business continuity environment a lot of our banking customers have been living in a world where the regulators want to see a massive set of plans for certain specific outcomes.
The problem is that operationalizing it makes it very difficult. You want to have things that are more agile, you want to make sure you know what your critical services are, your critical dependencies and elements, because you’re going to be not just planning for things, you’re going to be monitoring them, you’re going to be reacting to them.
It’s a living, breathing model, as opposed to the static plans of old and that’s a big mindset change for a lot of folks.
Q) Analysing different Financial Services’ definitions of operational resilience, the UK’s talks about being able to avoid events – having agility – whereas others only talk about reacting to events. Is this an important distinction to make?
That’s a very important distinction which goes back to the foundational elements of this topic. While it may seem subtle, these are actually fundamental changes in the way we’re running our businesses. These silos that exist are very focused on static plans. More often than not, they’re looking at episodic events, not overlapping complex events, like we’ve lived through during COVID.
We are required to flip the way we’re looking at things and that’s really hard. Consider business continuity and operational risk – you’ve got two groups that are looking at the same organization, but through very different lenses. They talk in similarities, but when you try to put them together, if they’ve been built from the ground up by themselves, they can’t connect because they have a different taxonomy, different expectations, and different end results.
So, looking at this now as a way to run your business, thinking about how it impacts in any of these areas, in terms of ITDR; third party failure; supply chain meltdown; an employee health and safety issue that causes certain people to be offline – all these things are elements of operational resilience. You need to bring them into a common framework, and that’s a really difficult thing to achieve.
Silos have been in place for so long, and there hasn’t been much overlap. Bearing in mind the requirements that you’re seeing in Financial Services, there’s a realisation that we have to think of our businesses this way. This takes us back to the transformational aspects: we’re being pushed down that path very rapidly. It’s not something to be underestimated, and it’s a heavy lift.
Q) Are we facing a discussion on operational resilience when it comes to industry silos? There are regulations and Financial Services – is this just for Financial Services, and how should other industries be thinking about this?
Financial Services has the benefit of painting the target. They’ve been able to do this more so than other industries that are more evolving, moving organically towards operational resilience.
The Bank of England in particular has painted a perfect bullseye and said: “This is how you need to behave, this is how you need to operate a skillset that you need to have.”
This has made it much easier for people like us on the enabling end, and our customers, to be able to talk in a common vernacular, which is hugely helpful. But we’re seeing huge impacts on other businesses too.
The reactions that we’re seeing, and the rapidity of that adoption of operational resilience largely depends on how badly your industry was hit during COVID. If you look at manufacturing, automotive manufacturing – the supply chain for chips has just completely upended business models.
So, no, it’s not just a Financial Services issue. Toyota is now the largest manufacturer of autos in the US, largely because they had chips. So, you’re starting to see that people are learning the hard way, learning why resiliency is important.
Those that were hardest hit are now building in this concept of resilience. So, we’re seeing very different adoption rates in very different industries. But again, the thing that’s really helping Financial Services is the focus so we can get to a solution there.
The good news is that the concepts coming up in Financial Services are directly applicable to operational resilience in other areas. For example, one of the big regulations is this ability to do scenario testing. So, in our system, being able to do “what ifs”, you can run through a sequence of disaster scenarios and see what breaks theoretically, as opposed to going through it the first time and saying, “Oh, that hurts.”
So, imagine if you’ve got that kind of framework – even if you’re not in a regulated environment – being able to test those scenarios, being able to constantly test your framework for reaction changes and morphs over time. You can analyse whether or not you’re getting more or less resilient in those scenarios. It’s just a great tool to have in order to run your business better, because it’s not just a checkbox at the end.
Resilience means preparing for what’s next, predicting what’s going to happen, dodging when you can, as opposed to just admitting you were hit by something, and looking at what the book says to do. It’s a very different mindset.
Q) So, business resilience could be thought of as an overarching umbrella that enables the organization not just to optimize operational resilience, but it also concerns the liquidity and strategic resilience?
Exactly, and I think everyone’s going to benefit from the regulatory framework in Financial Services. It is an operational regulation, as you point out. It governs how you need to behave, as opposed to being a prescriptive entity that guarantees compliance.
The Bank of England asks you to prove that if something is thrown your way, you can still operate as a business. That’s the right way to be thinking about how to run your business. There’s a real focus on and investment into energy in the Financial Services sector. I think that’s going to benefit other industries dramatically because the concepts are very easily transmutable.
Q) If the future is about risk and resiliency management and integrated – as opposed to separate – functionality, how do organizations, your clients and prospects go about bringing together risk and resiliency management?
It needs to be done carefully. One of the most important things is to not underestimate this, because you have people approaching the conversation thinking about what a combined entity looks like, while others are thinking about what a combined program looks like.
If you start pulling in things like third-party risk management, and disaster recovery – different elements that can impact the way you run your business, and your ability to deliver on your customer promises. Every one of them has their own vernacular, every one of them has their own taxonomy, but they’re all referring to the same company.
The first thing that we recommend is to eat the elephant slowly. This is a heavy lift. Business continuity is a great foundational element moving into operational risk, then other elements can be brought in.
You also need to make sure that everybody understands early on what the ultimate objective is: what are the business outcomes? We as a company need to get out of this holistic approach, and have everybody understand what the goal is.
Then as you’re building, you’re all building towards the same objective instead of building something up in a new platform and then saying: “How do I connect the something adjacent?” That approach doesn’t work – you need to be able to build in what the end result is, and know what that means in terms of the objectives that are met by the business.
Q) For this to succeed, you want to make sure you start with the right technology foundation that can deliver your needs now, but also accommodate your goal two or three years from now?
Absolutely, this has got to be enabling technology. Right now, we are enabling operational resilience as it becomes something real, where you have people who are not just planning, they are actually running their business, conscious of risk, aware of what’s impacting the business constantly. It’s a brand-new way of looking at your business.
There are a lot of things we’re doing to enable our customers in this new operational resilience role, but the really exciting stuff is coming beyond that. When you’re an enabling platform, when you monitor things, you can react to things in real time.
You’re aiming to build something that can both be profitable and resilient. That means gaming the scenarios, understanding the risk inherent in every one of the elements that you’re picking proactively as you build your business. You have to build in the capabilities to make sure that you’re fundamentally able to be resilient.
As you go through this process, it’s important not to jump on every little thing that pops up, because you can’t do everything that you want to do. Make sure you get far enough down the path to understand what needs to change, and what needs to be prioritized. Consider how you can make sure you’re having the most impact with those initial changes, as opposed to just jumping on the first thing that needs to be changed.
Q) What are your thoughts about resilience culminating in greater business agility?
We still have very tactical requirements that need to be hit. But we’re excited because we understand that when you’re operating a business, you could have an infinite number of things coming at you, and an infinite number of actions that can flow from that.
That is not the place where you put together episodic plans. You have to have something that allows you to understand what these different elements can be; how they can hit you; whether or not you can model them; if you can simulate them, and how you can impact them in cyberspace.
You need to be able to see what breaks: proactively imagine you run 10,000 varying scenarios of multiple bad things happening to you over some period of time, and the same three elements break all the time.
Through this you learn what you need to focus on – it gives you a better feel for how a really complex business runs. Having laid out all the dependencies, you can come up with every possible permutation, and you can feel for the behaviour of your organization, of how it’s set up.
For instance, when bringing on a third party and popping them onto your system, your system asks if that vendor is critical. It can proactively understand risks and make suggestions as a result. If you have that kind of platform, it fundamentally changes the way you view the building of your business.
Q) Can you give us some advice on how organizations should start thinking about this?
If you’re a bank, then hurry because the timer is ticking. Starting with business continuity, you have to look holistically. Do you understand your business? Do you know what your critical servers are, and how they operate? What would happen if those elements disappeared?
You have to make sure you can distil the most critical elements of your business. If you have that basis laid out, the rest becomes a lot more straightforward in terms of prioritization, and knowing what elements need to be monitored and secured.
Bring people into the discussion early. Don’t assume that just because these elements sound similar – TDR and business continuity, for instance – bear in mind that these folks may never have spoken to each other before.
It works the same in business – you need to get people together. Set the objectives and the understanding of what the ultimate deliverable is from a business perspective, so everybody is clear on the end result.
All this depends on your business, and how it was hit by COVID. You need to go start prioritizing what the most critical aspect is for you. In manufacturing, it’s likely to be the supply chain. But that’s not necessarily the same for pharmaceuticals, nor for insurance.
So, you need to understand how your business has been hit, what your objectives are, and then start to prioritize your approach and start your journey.