The Operational Resilience Framework

Traditional disaster recovery and business continuity efforts have focused on data recovery with little regard for providing services in an impaired state. In 2021, Global Resilience Federation’s Business Resilience Council (BRC) launched a multi-sector working group to develop the Operational Resilience Framework to help solve that challenge.

The framework provides rules and implementation aids that support a company’s recovery of immutable data, while also, and uniquely, allowing it to minimize service disruptions in the face of destructive attacks and events.

The ORF was developed to be broadly applicable and is aligned with existing controls like those from NIST and ISO.

Join Global Resilience Federation and Nacha for a free tabletop exercise to assess your organization’s resilience after a simulated but plausible destructive wiperware incident that includes a major ACH outage. Leveraging the Operational Resilience Framework, exercise players will need to triage operations and recovery actions based on the cyber risk control framework, incident response, evaluation of critical business services, service delivery, data recovery/restoration and communications plans, among other actions.

Operational Resilience Framework Documents v2

ORF Rules - Overview of all components of the Operational Resilience Framework targeted to practitioners including information on the steps, rules, terminology, implementation aids, and future activities.

ORF Rules and Maturity Model (spreadsheet) - A spreadsheet containing the ORF v2 Rules and maturity model to serve as a vital tool for organizations to assess their operational resilience progress and readiness. Also includes a mapping of ORF Rules to associated NIST 800-53 and ISO 27001 controls.

ORF Glossary (spreadsheet) - a maturity model to serve as a vital tool for organizations to assess their progress and readiness in implementing operational resilience practices.

Scenarios and Exercises: The Business Resilience Council working groups continue to develop interactive scenarios and exercises that help provide context and understanding to participants. Please contact orf@grf.org to participate.

Acme Pipeline - Similar to Colonial Pipeline, this west coast company experiences a disruption. This document provides a short illustration of the steps Acme took to become more resilient by prioritizing customers, determining Minimum Viable Service Levels, and setting Service Delivery Objectives.

Acme Financial Services - A typical mid-sized financial institution that originates and receives ACH payments chooses to implement the ORF. This scenario contextualizes the core principles and steps required to achieve resilience.

Enhancing Operational Resilience for ACH Network Participants - Co-authored by Nacha and Global Resilience Federation (GRF), the paper provides a strategic framework and guidance based upon the ORF to address the risk of ACH Network disruptions.

Future Activities

With continued support from industry, government, and regulatory bodies, and with contributions from the members of GRF’s Business Resilience Council, the Operational Resilience Framework rules will be reviewed annually and updated as required. The implementation aids in the section above will be developed, reviewed, published, and updated periodically. Products and supporting documents will be developed to simplify adoption and support implementation by organizations of any size. We are looking for support for all of these efforts. Please reach out at orf@grf.org to volunteer for our working groups.

Implementation Aid Development: This is an ongoing effort to develop templates and job aids to support the Operational Resilience Executive and the ORF implementation team within the organization through the steps to achieve operational resilience. The development effort for these aids is ongoing with the expectation for them to be released with the final draft of the ORF Rules.

Scenarios and Exercises: The ORF working group continues to develop interactive scenarios and exercises. These will be developed to show the approaches and resources that contribute to the implementation of the ORF, with an emphasis on how it strengthens the organization. There will be a wide range of these exercises and scenarios so that organizations of all sizes and shapes can relate to them and learn from them.

Operations Technology Expansion: With support from the newly launched Manufacturing ISAC, a working group will be established to expand the ORF Rules to address the concerns regarding Operational Technology (OT) Systems, Industrial Control Systems (ICS), and the Internet of Things (IoT).

Review of Materials and Continuous Improvement: The ORF is meant to be a cross-industry framework to guide any organization in the development, deployment, and maintenance of operationally resilient services. Organizations are encouraged to submit ideas and commentary, join BRC working groups, and make contributions to further this effort. If you have recommendations for tools, best practices, scenarios, or other supports that will foster adoption and ease implementation of the ORF, please send them to orf@grf.org.

The ORF Team

The ORF was created by a multi-sector volunteer team of industry professionals and subject matter experts who generously dedicated their time to develop this framework into what it has become today.

  • Bob Blakely
    Operating Partner
    Team 8

  • Charles Blauner
    Partner and CISO
    Team 8

  • Jennifer Buckner
    Senior VP
    Mastercard

  • Simon Chard
    Managing Director
    S&P Global

  • Judy Erbs
    Vice President
    Mastercard

  • Brian Katula
    ORF Analyst
    GRF

  • David LaFalce
    SVP & Global Head of Operational Resilience
    Wells Fargo

  • Trey Maust
    Executive Chairman
    Lewis & Clark Bancorp

  • Mark Orsi
    CEO
    GRF

  • Susan Rogers
    ED, Cyber OR
    SMBC

  • Alex Sharpe
    Principal
    Sharpe Management Consulting

  • George Shea
    Chief Technologist
    FDD

  • Jon Washburn
    CISO
    Stoel Rives LLP