Operational Resilience Framework v1.0 Released for Use in Strengthening Business Continuity

Designed by Security Leaders from Multiple Sectors, the Framework Aids Organizations in Maintaining Service in the Event of Destructive Attacks or Adverse Events

HERNDON, Va.--()--The Global Resilience Federation’s (GRF) Business Resilience Council (BRC) has published the Operational Resilience Framework (ORF) after more than a year of development by a cross-sector team of security leaders. Traditional disaster recovery and business continuity efforts have focused on data recovery with little regard for providing services during an impaired state. The framework working group sought to help solve that challenge.

The goal of the Operational Resilience Framework is to reduce operational risk, minimize service disruptions and limit systemic impacts from destructive attacks and adverse events. The framework’s rules and implementation aids, aligned to existing standards including NIST and ISO, help ensure services critical to customers and partners continue to operate through a crisis – even if impaired.

“In the event of something like a systemic cyber-attack or major hurricane, data backups are not enough to offer true resilience for an organization,” said Mark Orsi, CEO of GRF. “The team that designed the ORF went a step further to determine how to maintain a minimum required level of service needed by customers.”

The ORF rules define the “Path to Operational Resilience” with seven steps:

  1. Implement industry-recognized risk management, information technology and cybersecurity control frameworks.
  2. Understand the organization’s role in the ecosystem.
  3. Define the Minimum Viable Service Levels for each Operations Critical and Business Critical service.
  4. Establish Service Delivery Objectives for each Operations Critical and Business Critical service.
  5. Preserve the Data Sets necessary to support Operations Critical and Business Critical services.
  6. Implement processes to enable recovery and restoration of Operations Critical and Business Critical services to meet Service Delivery Objectives.
  7. Independently evaluate design and test periodically.

“Early on, the ORF working group identified a gap in existing standards and solutions for continuity and disaster recovery planning: most efforts focus on restoring systems and processes to pre-event levels and do not provide mechanisms to operate in an impaired state during a crisis until full restoration is achieved,” said ORF Working Group Chair Trey Maust, executive chairman of Lewis and Clark Bank and former CEO of Sheltered Harbor, a financial service sector initiative to protect consumer data. “The working group also felt it was essential to expand resilience beyond the organization itself and incorporate interdependencies up and down the supply chain to ensure downstream customers, partners and counterparties can continue to operate.”

Aspects of the ORF that distinguish it from other efforts include (i) planning for delivery of critical services in an impaired state until services can be fully restored; (ii) implementing immutable backup and restoration systems for data, systems, applications, networks, and configurations; and (iii) requiring executive-level sponsorship and support from the business to build a culture that achieves resilient business services.

The ORF has already received acclaim from resilience experts, winning most Effective/Impactful in the FDIC Tech Sprint competition “From Hurricanes to Ransomware: Measuring Resilience in the Banking World.

Visit the ORF website to download the rules version 1.0, a mapping of the rules to NIST and ISO controls, and other resources developed by the working group.

About GRF

Global Resilience Federation (GRF) is a non-profit hub and integrator for support, analysis, and cross-sector intelligence exchange among information sharing and analysis centers (ISACs), organizations (ISAOs), and computer emergency readiness/response teams (CERTs). GRF’s mission is to help assure the resilience of critical and essential infrastructure against threats that could significantly impact the orderly functioning of the global economy and general safety of the public. Learn about the GRF’s Business Resilience Council that is developing the Operational Resilience Framework: https://www.grf.org/brc. You can also visit @GRFederation on Twitter or Global Resilience Federation on LinkedIn.


Media inquiries may be directed to Patrick McGlone at pmcglone@grf.org

Social Media Profiles


Media inquiries may be directed to Patrick McGlone at pmcglone@grf.org