The Operational Resilience Framework
Traditional disaster recovery and business continuity efforts have focused on data recovery with little regard for providing services in an impaired state. In 2021, Global Resilience Federation’s Business Resilience Council (BRC) launched a multi-sector working group to develop the Operational Resilience Framework to help solve that challenge.
The framework provides rules and implementation aids that support a company’s recovery of immutable data, while also – and uniquely – allowing it to minimize service disruptions in the face of destructive attacks and events.
The ORF was developed to be broadly applicable and is aligned with existing controls like those from NIST and ISO.
Operational Resilience Framework Documents v2
ORF Rules - Overview of all components of the Operational Resilience Framework targeted to practitioners including information on the steps, rules, terminology, implementation aids, and future activities.
ORF Rules and Maturity Model (spreadsheet) - A spreadsheet containing the ORF v2 Rules and maturity model to serve as a vital tool for organizations to assess their operational resilience progress and readiness. Also includes a mapping of ORF Rules to associated NIST 800-53 and ISO 27001 controls.
ORF Glossary (spreadsheet) - A maturity model to serve as a vital tool for organizations to assess their progress and readiness in implementing operational resilience practices.
Scenarios and Exercises: The Business Resilience Council working groups continue to develop interactive scenarios and exercises that help provide context and understanding to participants. Please contact orf@grf.org to participate.
Acme Pipeline - Similar to Colonial Pipeline, this west coast company experiences a disruption. This document provides a short illustration of the steps ACME took to become more resilient by prioritizing customers, determining Minimum Viable Service Levels, and setting Service Delivery Objectives.
Enhancing Operational Resilience for ACH Network Participants - Co-authored by Nacha and Global Resilience Federation (GRF), the paper provides a strategic framework and guidance based upon the ORF to address the risk of ACH Network disruptions.
PCAST Report - The President’s Council of Advisors on Science and Technology has submitted to the president the report “Strategy for Cyber-Physical Resilience: Fortifying Our Critical Infrastructure for a Digital World.” In the report, Global Resilience Federation’s work on maintaining operational resilience has been highlighted as an example of setting “minimum viable operating capabilities” from which to weather an attack or other adverse event.
ACH Payments Disruption Exercise - After Action Report - This spring, Global Resilience Federation and Nacha held free tabletop exercises to allow organizations to assess resilience after a simulated, destructive wiperware incident that included a major ACH outage. The half-day event helped to increase operational resilience awareness and build greater maturity through the sharing of cyber risk, resilience and continuity practices. In addition to IT operations and risk, exercise components included media management, law enforcement and regulatory engagement, and an examination of prioritizations. Players discussed and took simulated action in the emergency as facilitators progressed the exercise timeline and injected additional information.
Future Activities
With continued support from industry, government, and regulatory bodies, and with contributions from the members of GRF’s Business Resilience Council, the Operational Resilience Framework rules will be reviewed annually and updated as required. The implementation aids in the section above will be developed, reviewed, published, and updated periodically. Products and supporting documents will be developed to simplify adoption and support implementation by organizations of any size. We are looking for support for all of these efforts. Please reach out at orf@grf.org to volunteer for our working groups.
Implementation Aid Development: This is an ongoing effort to develop templates and job aids to support the Operational Resilience Executive and the ORF implementation team within the organization through the steps to achieve operational resilience. The development effort for these aids is ongoing with the expectation for them to be released with the final draft of the ORF Rules.
Scenarios and Exercises: The ORF working group continues to develop interactive scenarios and exercises. These will be developed to show the approaches and resources that contribute to the implementation of the ORF, with an emphasis on how it strengthens the organization. There will be a wide range of these exercises and scenarios so that organizations of all sizes and shapes can relate to them and learn from them.
Operations Technology Expansion: With support from the newly launched Manufacturing ISAC, a working group will be established to expand the ORF Rules to address the concerns regarding Operational Technology (OT) Systems, Industrial Control Systems (ICS), and the Internet of Things (IoT).
Review of Materials and Continuous Improvement: The ORF is meant to be a cross-industry framework to guide any organization in the development, deployment, and maintenance of operationally resilient services. Organizations are encouraged to submit ideas and commentary, join BRC working groups, and make contributions to further this effort. If you have recommendations for tools, best practices, scenarios, or other supports that will foster adoption and ease implementation of the ORF, please send them to orf@grf.org.
The ORF Team
The ORF was created by a multi-sector volunteer team of industry professionals and subject matter experts who generously dedicated their time to develop this framework into what it has become today.
- Bob Blakely, Operating Partner, Team 8
- Charles Blauner, Partner and CISO, Team 8
- Jennifer Buckner, Senior VP, Mastercard
- Simon Chard, Managing Director, S&P Global
- Judy Erbs, Vice President, Mastercard
- Brian Katula, ORF Analyst, GRF
- David LaFalce, SVP & Global Head of Operational Resilience, Wells Fargo
- Trey Maust, Executive Chairman, Lewis & Clark Bancorp
- Mark Orsi, CEO, GRF
- Susan Rogers, ED, Cyber OR, SMBC
- Alex Sharpe, Principal, Sharpe Management Consulting
- George Shea, Chief Technologist, FDD
- Jon Washburn, CISO, Stoel Rives LLP